Bob Pocius wrote:

>> Sometimes LEAF distros are configured to block traffic destined for
>> the private address space from going out eth0. It's designed that
>> way because private addresses are in general for internal use only.
>> Rarely, an ISP uses these, and adjustments are made to ipfilter.conf
>> or wherever your rules are defined.
>>
> That makes good sense, but I stripped Whorewall out to try to simplify
> things for myself.

It's funny how the keys slip sometimes, huh :-) There's definitely no
"unsend" button :-)

Ok. Be aware that you're going to want to check your syslog a lot during
this phase to see what's really going on. Hopefully, all denied or
rejected packets will be logged and we can get somewhere.

>> I'm deciding not to comment on the routes at all until
>> you post the output of ifconfig -a on all four sites.
>>
> I've included the useful data with each of the routing tables (I hope I
> didn't leave out anything that you were looking for).

Yes, it looks complete, and it seems to make sense. I don't see any lo,
localhost routes. Why not? Did you just omit them? There's also an
occasion or two where I'd think the gateway would simply be 0.0.0.0, but
I'm not convinced that's an issue. The routes look logical. I point that
out inline. Most likely, we're at the point of traceroute and ping to
bang our heads against any rules that are getting in the way.

>> I will mention that I don't get the concept of having both
>> 10.10.1.254 and 10.10.1.40 assigned to the same eth0, for
>> instance.
>>
> I did this because that router is connected via 100Mb fibre to another
> building where the rest of the routing happens. eth0 on Site 1 connects to a
> switch, and 10.10.1.254 (my main gateway router) connects to a different
> port on that same switch.

Ok. I get that now. As long as you're not using some really expensive
3COM switch or router that has traffic filtering/routing rules, we should
be in good shape. Didn't you mention this exact setup worked with a full
blown RH distro? If that's the case, I'm leaning more toward "Shorewall,"
heh heh.

> Site 1: 10.10.1.0
> eth0 10.10.1.40/24
> eth1 192.168.1.254/24
>
> Destination    Mask             Gateway         Dev
> 0.0.0.0        0.0.0.0          10.10.1.254     eth0 (to internet)
> 10.10.1.0      255.255.255.0    10.10.1.40      eth0 (wired interface)
> 10.10.12.0     255.255.255.0    192.168.1.253   eth1 (wireless to site 2)
> 10.10.13.0     255.255.255.0    192.168.1.253   eth1 (wireless to site 2)
> 192.168.1.0    255.255.255.0    192.168.1.254   eth1 (wireless interface)
> 192.168.2.0    255.255.255.0    192.168.1.253   eth1 (wireless to site 2)
>

Above is a line that I thought would have 0.0.0.0 for the gateway, like this:

192.168.1.0    255.255.255.0    0.0.0.0         eth1 (wireless interface)

Because you're not saying to the kernel that 192.168.1.254 is *another
router*, *another gateway* or "a thing that does routing", but rather
you're just trying to say, "put all that traffic out eth1." Although I
know netstat and routing in general, I've never set something up this
complicated and can't be sure. I just know how a routing table usually
looks, and it does not specify the external nic ip address for routes
like this one. Here's mine, for example:

Destination     Gateway          Genmask          Flags  Iface
10.1.1.0        0.0.0.0          255.255.255.0    U      eth1
63.194.213.0    0.0.0.0          255.255.255.0    U      eth0
127.0.0.0       0.0.0.0          255.0.0.0        U      lo
0.0.0.0         63.194.213.254   0.0.0.0          UG     eth0

Now it's done on Oxygen. So it looks a bit different, but still. To be
honest, I think ip route show does a better job of detailing the low
level workings, but it's hard to read.

Ok then. I'll leave it at this point until we find out about the
localhost route (127.0.0.0/8) sort of thing and the 0.0.0.0 gateway
issue. If that's not it, then try a ping from one end to the other. Try
to decipher if NAT is occurring and getting in the way. Try to get all
packets logged into your syslog. You can write the rules yourself for
that.

1) Set default policies to ACCEPT
2) Flush all routes
3) Add a rule that logs all traffic in one direction for one nic, and
   watch the log to see if the traffic gets through that nic.

Let me know if you need examples of that.

Btw, how do you pronounce Pocius? Poe'-shuss? Poe'-she-us?

Regards,
Matthew

> Site 2a: 10.10.12.0
> eth0 10.10.12.254/24
> eth1 192.168.1.253/24
>
> Destination    Mask             Gateway         Dev
> 0.0.0.0        0.0.0.0          192.168.1.254   eth1 (wireless to site 1)
> 10.10.12.0     255.255.255.0    10.10.12.254    eth0 (wired interface)
> 10.10.13.0     255.255.255.0    10.10.12.253    eth0 (to other local router)
> 192.168.1.0    255.255.255.0    192.168.1.253   eth1 (wireless interface)
> 192.168.2.0    255.255.255.0    10.10.12.253    eth0 (to other local router)
>
>
> (Site 2a and 2b are connected to the same switch)
>
>
> Site 2b: 10.10.12.0
> eth0 10.10.12.253/24
> eth1 192.168.2.254/24
>
> Destination    Mask             Gateway         Dev
> 0.0.0.0        0.0.0.0          10.10.12.254    eth0 (to other local router)
> 10.10.12.0     255.255.255.0    10.10.12.253    eth0 (wired interface)
> 10.10.13.0     255.255.255.0    192.168.2.253   eth1 (wireless to site 3)
> 192.168.2.0    255.255.255.0    192.168.2.254   eth1 (wireless interface)
>
>
> Site 3: 10.10.13.0
> eth0 10.10.13.254/24
> eth1 192.168.2.253/24
>
> Destination    Mask             Gateway         Dev
> 0.0.0.0        0.0.0.0          192.168.2.254   eth1 (wireless to site 2)
> 10.10.13.0     255.255.255.0    10.10.13.254    eth0 (wired interface)
> 192.168.2.0    255.255.255.0    192.168.2.253   eth1 (wireless interface)
>
>
> Bob Pocius

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
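The thread discusses whether the four quoted routing tables actually chain together, whether a gateway equal to the router's own interface address differs from a 0.0.0.0 gateway, and why the lo route is missing. The following Python script is an added example, not code from the mailing list or from LEAF: it loads the four quoted tables (router labels site1, site2a, site2b, site3 and the per-interface address maps are our own construction), does a longest-prefix lookup the way a kernel would, follows next-hops from router to router for a site 1 to site 3 ping and its reply, and flags two table problems the discussion raises: a missing 127.0.0.0/8 entry, and a next-hop gateway that no on-link route on the same device covers. It treats a gateway equal to the router's own address on that device as on-link, which is the assumption Matthew makes about the 192.168.1.0 line.

```python
import ipaddress

# Constructed from the four routing tables quoted in the thread (Site 1, 2a, 2b, 3).
# Router labels and the "addrs" maps are ours; routes are (destination, gateway, device).
ROUTERS = {
    "site1": {"addrs": {"eth0": "10.10.1.40", "eth1": "192.168.1.254"},
              "routes": [("0.0.0.0/0", "10.10.1.254", "eth0"),
                         ("10.10.1.0/24", "10.10.1.40", "eth0"),
                         ("10.10.12.0/24", "192.168.1.253", "eth1"),
                         ("10.10.13.0/24", "192.168.1.253", "eth1"),
                         ("192.168.1.0/24", "192.168.1.254", "eth1"),
                         ("192.168.2.0/24", "192.168.1.253", "eth1")]},
    "site2a": {"addrs": {"eth0": "10.10.12.254", "eth1": "192.168.1.253"},
               "routes": [("0.0.0.0/0", "192.168.1.254", "eth1"),
                          ("10.10.12.0/24", "10.10.12.254", "eth0"),
                          ("10.10.13.0/24", "10.10.12.253", "eth0"),
                          ("192.168.1.0/24", "192.168.1.253", "eth1"),
                          ("192.168.2.0/24", "10.10.12.253", "eth0")]},
    "site2b": {"addrs": {"eth0": "10.10.12.253", "eth1": "192.168.2.254"},
               "routes": [("0.0.0.0/0", "10.10.12.254", "eth0"),
                          ("10.10.12.0/24", "10.10.12.253", "eth0"),
                          ("10.10.13.0/24", "192.168.2.253", "eth1"),
                          ("192.168.2.0/24", "192.168.2.254", "eth1")]},
    "site3": {"addrs": {"eth0": "10.10.13.254", "eth1": "192.168.2.253"},
              "routes": [("0.0.0.0/0", "192.168.2.254", "eth1"),
                         ("10.10.13.0/24", "10.10.13.254", "eth0"),
                         ("192.168.2.0/24", "192.168.2.253", "eth1")]},
}
# Reverse map: which router owns a given interface address (used to follow next-hops).
ADDR_TO_ROUTER = {a: name for name, r in ROUTERS.items() for a in r["addrs"].values()}


def is_onlink(router, gw, dev):
    """A gateway of 0.0.0.0, or of the router's own address on that device, means
    'deliver directly on dev' rather than 'hand the packet to another router'."""
    return gw in ("0.0.0.0", ROUTERS[router]["addrs"][dev])


def lookup(router, dst):
    """Longest-prefix match. Returns (gateway, dev) with gateway None for on-link,
    or None when no route (not even a default) covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in ROUTERS[router]["routes"]:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    if best is None:
        return None
    _, gw, dev = best
    return (None if is_onlink(router, gw, dev) else gw), dev


def trace(start, dst):
    """Follow next-hops from router `start` toward dst until the packet is delivered
    on-link, leaves for a router we have no table for, has no route, or loops."""
    path, seen, router = [], set(), start
    while True:
        if router in seen:
            path.append((router, "LOOP"))
            return path
        seen.add(router)
        hit = lookup(router, dst)
        if hit is None:
            path.append((router, "NO ROUTE"))
            return path
        gw, dev = hit
        if gw is None:
            path.append((router, "on-link via " + dev))
            return path
        path.append((router, "via %s dev %s" % (gw, dev)))
        if gw not in ADDR_TO_ROUTER:
            path.append(("EXTERNAL", gw))
            return path
        router = ADDR_TO_ROUTER[gw]


def missing_loopback(router):
    """True when the table has no lo / 127.0.0.0/8 entry (the question raised in the reply)."""
    return not any(dev == "lo" or net.startswith("127.")
                   for net, _, dev in ROUTERS[router]["routes"])


def unreachable_gateways(router):
    """Next-hop gateways that no on-link route on the same device covers; the kernel
    could never ARP for such a gateway, so that route would silently fail."""
    r = ROUTERS[router]
    onlink = [(ipaddress.ip_network(net), dev) for net, gw, dev in r["routes"]
              if is_onlink(router, gw, dev)]
    return [(net, gw, dev) for net, gw, dev in r["routes"]
            if not is_onlink(router, gw, dev)
            and not any(ipaddress.ip_address(gw) in n and d == dev for n, d in onlink)]


if __name__ == "__main__":
    for hop in trace("site1", "10.10.13.5") + trace("site3", "10.10.1.50"):
        print(*hop)
    for name in ROUTERS:
        print(name, "missing lo route:", missing_loopback(name),
              "bad gateways:", unreachable_gateways(name))
```

Run as-is it prints the three-hop path each way (site1 > site2a > site2b > site3 and back), reports that every table lacks a loopback entry, and finds no gateway that is off-link. That means the tables alone would carry a ping end to end, which is the reason the reply turns to packet logging next: if the ping still fails, the block is in the filter rules or in NAT, not in the routes.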
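Step 3 of the procedure above (a LOG rule per nic and direction, then watch syslog) produces kernel lines in the netfilter LOG format. The following Python script is an added example and not from the list or from LEAF: it parses such lines, counts traffic per log prefix, input interface, output interface and protocol, and matches ICMP echo requests against echo replies so that a ping whose reply never came back through the router stands out. The sample log lines are constructed; they assume LOG rules with the prefixes "LEAF-FWD: " on the FORWARD chain and "LEAF-IN: " on INPUT (our own naming), and a scenario where a site 3 host pings a site 1 host three times and only two replies are forwarded.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the netfilter LOG target writes.
# They assume LOG rules like these (our own choice of chains and prefixes):
#   iptables -A FORWARD -i eth1 -j LOG --log-prefix "LEAF-FWD: "
#   iptables -A FORWARD -i eth0 -j LOG --log-prefix "LEAF-FWD: "
#   iptables -A INPUT   -i eth0 -j LOG --log-prefix "LEAF-IN: "
# Scenario: 10.10.13.5 (site 3) pings 10.10.1.50 (site 1) three times; the site 1
# router forwards all three requests but sees only two replies come back.
SAMPLE_LOG = """\
Feb 12 10:01:02 site1 kernel: LEAF-FWD: IN=eth1 OUT=eth0 SRC=10.10.13.5 DST=10.10.1.50 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=4001 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 12 10:01:02 site1 kernel: LEAF-FWD: IN=eth0 OUT=eth1 SRC=10.10.1.50 DST=10.10.13.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9001 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
Feb 12 10:01:03 site1 kernel: LEAF-FWD: IN=eth1 OUT=eth0 SRC=10.10.13.5 DST=10.10.1.50 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=4002 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Feb 12 10:01:03 site1 kernel: LEAF-FWD: IN=eth0 OUT=eth1 SRC=10.10.1.50 DST=10.10.13.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9002 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=2
Feb 12 10:01:04 site1 kernel: LEAF-FWD: IN=eth1 OUT=eth0 SRC=10.10.13.5 DST=10.10.1.50 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=4003 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3
Feb 12 10:01:05 site1 kernel: LEAF-IN: IN=eth0 OUT= SRC=10.10.1.50 DST=10.10.1.40 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=7001 DF PROTO=TCP SPT=3345 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 12 10:01:06 site1 syslogd: restart
"""

# Only the key=value fields we need. ICMP lines carry two ID= fields (IP header and
# ICMP echo id), so we deliberately do not collect ID.
KEYS = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|TYPE|SEQ)=(\S*)")


def parse_log_line(line):
    """Return a dict of the interesting fields plus the log prefix, or None for
    lines that are not netfilter LOG output."""
    m = re.search(r"kernel:\s+(?P<prefix>.*?)\s*\bIN=", line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix")}
    for key, value in KEYS.findall(line[m.start():]):
        fields.setdefault(key, value)   # OUT= with no value parses as ""
    return fields


def summarize(lines):
    """Count packets per (prefix, in-interface, out-interface, protocol). An empty
    OUT means the packet was for the router itself (INPUT chain)."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f:
            counts[(f["prefix"], f["IN"], f["OUT"], f.get("PROTO", "?"))] += 1
    return counts


def unanswered_pings(lines):
    """Echo requests (TYPE=8) for which no echo reply (TYPE=0) with swapped
    SRC/DST and the same SEQ was logged. Returns sorted (src, dst, seq) tuples."""
    requests, replies = set(), set()
    for line in lines:
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "ICMP":
            continue
        if f.get("TYPE") == "8":
            requests.add((f["SRC"], f["DST"], f.get("SEQ")))
        elif f.get("TYPE") == "0":
            replies.add((f["DST"], f["SRC"], f.get("SEQ")))  # swap to match the request
    return sorted(requests - replies)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in sorted(summarize(lines).items()):
        print("%-10s IN=%-5s OUT=%-5s %-5s %d" % (key + (n,)))
    print("unanswered echo requests:", unanswered_pings(lines))
```

On a real box, feed it `grep kernel: /var/log/messages` (or wherever the LEAF syslog lands) instead of the constructed sample. The per-interface counts answer the question in step 3 directly: if requests show up with IN=eth1 OUT=eth0 but no replies with IN=eth0 OUT=eth1, the reply is being dropped or misrouted on the far side of the router, and if the SRC on the OUT leg differs from the SRC on the IN leg, NAT is rewriting it.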