On Thu, 7 Feb 2002, Ray Olszewski wrote:

> At 09:12 AM 2/7/02 -0800, Greg R wrote:
> >Thank you Matt & David for your replies.
> >
> >Let me see if I can provide some more information for you.
> >
> >I do not have any firewall enabled, nor is ipchains installed - the router
> >is wide open. eth0 is the outside interface - I am sure. From the router I
> >can ping anything anywhere, by IP and by FQDN.
> 
> Oh. If you literally "do not have any firewall enabled" or "ipchains
> installed", then you do not have NAT (IP Masq) enabled, since it is the
> forward chain of the ipchains ruleset that handles NAT. As a result, the
> packets from the LAN (probably) go out just fine, but return packets from
> off-LAN don't arrive because outside devices (the DSL router itself and the
> Internet in general) don't know that your router is their route to
> 192.168.1.0/24 (they don't know this quite properly; "private address"
> *means* unroutable, requiring NAT to work).

I disagree with the explanation, though not the advice. "Private address"  
means that no public routers will enter it into their routing tables...
those IP numbers are just as routable as any other numbers within your
organization.  This point is confusing to many newbies... it certainly was
for me.

The place it makes a difference is in the "modem", which was providing NAT
services to 192.168.68.0.  If you could modify its routing table to route
through 192.168.68.1 to arrive at 192.168.1.0/24, and NAT 192.168.1.0/24
as well as 192.168.68.0/24, you would be fine.  The problem is that boxes
like that are not usually so configurable, so Ray's advice below is indeed
a straightforward approach... the "modem" would only think there was one
address to deal with.

A different approach might be to use a bridging or proxy-arp
configuration, and omit the 192.168.1.0/24 network entirely.  Without a
firewall, there isn't much reason to bother having the LEAF box here, so I
would assume that is part of the eventual goal. Unlike Ray's solution, I
don't know of a firewall script that does this out-of-the-box... I set one
up manually last year.

> To make this setup work, you must install ipchains and, at a bare minimum,
> add a rule that MASQs the internal network.
> 
> I've deleted the rest of your message because as you describe your setup,
> this omission is almost certainly your problem. The easiest solution is to
> add one of the drop-in firewall packages that David suggested in the e-mail
> he sent last night.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
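As an added illustration (not code from anyone in the thread), a small Python model of why the LAN's replies vanish and of the two fixes discussed: MASQ on the LEAF router's forward chain, or a static route plus NAT for 192.168.1.0/24 on the "modem". The router's eth0 address 192.168.68.1 and the host 192.168.1.10 are assumed values.

```python
import ipaddress

# Constructed topology matching the thread: LAN 192.168.1.0/24 behind the LEAF
# router, whose outside interface eth0 sits on the DSL "modem" network
# 192.168.68.0/24. The modem NATs that network to the Internet.
LAN = ipaddress.ip_network("192.168.1.0/24")
LINK = ipaddress.ip_network("192.168.68.0/24")
ROUTER_OUTSIDE = ipaddress.ip_address("192.168.68.1")  # assumed eth0 address

def reply_reaches_lan(src_host, leaf_masq, modem_nat=(LINK,), modem_routes=()):
    """Send one packet from a LAN host to the Internet and follow the reply.

    leaf_masq    -- LEAF has 'ipchains -A forward -s 192.168.1.0/24 -j MASQ'
    modem_nat    -- networks the modem translates to its public address
    modem_routes -- extra (network, next_hop) static routes on the modem
    Returns True if the reply gets back to src_host.
    """
    src = ipaddress.ip_address(src_host)
    assert src in LAN
    # Step 1: LEAF forward chain. With MASQ the source becomes the router's
    # outside address; without it the private LAN address leaves unchanged.
    wan_src = ROUTER_OUTSIDE if leaf_masq else src
    # Step 2: the modem. A private source is routable inside the organisation,
    # but no public router carries it, so unless the modem NATs this source
    # as well, the reply has nowhere to come back to.
    if not any(wan_src in net for net in modem_nat):
        return False
    # Step 3: the reply arrives on the modem's public side, is un-NATed back
    # to wan_src, and the modem consults its routing table.
    if wan_src in LINK:
        return True          # directly connected: handed to the LEAF router
    for net, next_hop in modem_routes:
        if wan_src in net and next_hop in LINK:
            return True      # static route via the LEAF router's eth0
    return False             # no route: the reply is dropped at the modem

def scenarios():
    """The three configurations discussed in the thread."""
    return {
        "no_ipchains": reply_reaches_lan("192.168.1.10", leaf_masq=False),
        "leaf_masq": reply_reaches_lan("192.168.1.10", leaf_masq=True),
        "modem_route_and_nat": reply_reaches_lan(
            "192.168.1.10", leaf_masq=False,
            modem_nat=(LINK, LAN), modem_routes=((LAN, ROUTER_OUTSIDE),)),
    }
```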