> > DCD: Special Second External Interface ???
> >
> > [1] Summary diagram:
> >
> > +-------------------+
> > |                   |
> > |   Remote Vendor   |
> > |  Private Network  |
> > |                   |
> > +-------------------+
> > Florida   ^
> >           |
> > Chicago   v
> > +-----------------------+
> > |                       |
> > |     ISDN Router       |
> > |  Auto Dial, NAT, &c.  |
> > |                       |
> > +-----------------------+
> >       ^ 192.168.14.252
> >       |
> >       | 192.168.14.0/24
> >       |
> >       v 192.168.14.254
> > +-------------------+
> > |       eth1        |       +------------+
> > |                   |  T-1  |            |
> > |   DCD        wan1 |<----->|  Internet  |
> > |                   |       |            |
> > |       eth0        |       +------------+
> > +-------------------+
> >       ^ 192.168.11.254
> >       |
> >       v
> > +------------+
> > |            |<- 192.168.10.0/24
> > |  Internal  |
> > |  Network   |
> > |            |<- 192.168.11.0/24
> > +------------+
> >    ^    ^
> >    |    |
> >    |    +- 192.168.12.0/24
> >    |
> >    +- 192.168.13.0/24
> >
> > [ snip ]
> >
> > I continue in my confusion:
> >
> > Why do these *not* allow the internal network to see the ISDN subnet?
Looks like you have interface confusion...try the following:

> $IPCH -I forward -j ACCEPT -s 192.168.11.0/24 -d 192.168.14.0/24 -i eth1

OK

> $IPCH -I forward -j ACCEPT -s 192.168.14.0/24 -d 192.168.11.0/24 -i eth1

Should be "-i eth0"

> $IPCH -I input -j ACCEPT -d 192.168.14.0/24

OK, but a bit broad...you probably want at least "-i ! wan1" to prevent accessibility from the internet, probably this rule should go away altogether...see note below.

> $IPCH -I input -j ACCEPT -s 192.168.14.0/24 -d 192.168.11.0/24 -i eth1

OK...see note below

> $IPCH -I input -j ACCEPT -s 192.168.11.0/24 -d 192.168.14.0/24 -i eth1

Should be "-i eth0"...see note below

> $IPCH -I output -j ACCEPT -i eth1

OK...see note below.

> $IPCH -I output -j ACCEPT -s 192.168.11.0/24 -d 192.168.14.0/24 -i eth1

OK...see note below.

> $IPCH -I output -j ACCEPT -s 192.168.14.0/24 -d 192.168.11.0/24 -i eth1

Should be "-i eth0"...see note below.

NOTE: You shouldn't have to add any input/output rules if you're using the default Dachstein firewall setup (or something quite similar). You're only prevented from spewing private IPs out the main external interface (ie wan1 in your case)...otherwise, there's no output filtering. Also, on the input side, all packets are accepted from everything but the external interface. To make your ISDN work, you should only have to create forwarding rules, along with getting the proper routing setup.

If you still have problems, a dump of the existing firewall rules would help more than the limited portion provided above. Also, your routing and IP setup would be helpful (output of ip addr & ip route). In your previous e-mails, it's unclear how the far end of the ISDN link is configured (both IP addressing and routing). Remember, you need to make sure that *BOTH* ends agree on how to communicate (ie you might be sending packets down the ISDN link, but the far end is sending replies back via the internet).
Sorry about not responding earlier...I've been traveling & out of the office since Friday.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
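An added sanity check, not code from the thread or the LEAF project, that encodes the ipchains interface rule the reply is applying: on the input chain "-i" is the receiving interface, on forward and output it is the sending interface. It assumes the topology in the quoted diagram (192.168.14.0/24 on eth1, the internal /24s on eth0, everything else via wan1) and reproduces the "should be -i eth0" verdicts above for any rule line in the same form.

```sh
#!/bin/sh
# Added example, not code from the thread. ipchains reads "-i" as the RECEIVING
# interface on the input chain but the SENDING interface on forward and output,
# so an input rule's -i must own the SOURCE subnet and a forward/output rule's
# -i must own the DESTINATION subnet. Topology assumed from the diagram:
# 192.168.14.0/24 (ISDN) on eth1, the 192.168.1[0-3].0/24 nets on eth0.
iface_for_subnet() {
    case "$1" in
        192.168.14.0/24) echo eth1 ;;
        192.168.10.0/24|192.168.11.0/24|192.168.12.0/24|192.168.13.0/24) echo eth0 ;;
        *) echo wan1 ;;                  # everything else goes out the T-1
    esac
}

# Print a verdict for one rule line written as in the thread ($IPCH stays literal).
check_rule() {
    set -- $1                            # split the rule into words
    chain=""; src=""; dst=""; iface=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -I|-A) chain=$2; shift ;;
            -s)    src=$2;   shift ;;
            -d)    dst=$2;   shift ;;
            -i)    iface=$2; shift ;;
        esac
        shift
    done
    case "$chain" in
        input)          key=$src ;;      # -i is where the packet arrives
        forward|output) key=$dst ;;      # -i is where the packet leaves
        *) echo "SKIP: unknown chain '$chain'"; return 0 ;;
    esac
    if [ -z "$key" ]; then
        echo "BROAD: no address to match -i against"
    elif [ -z "$iface" ]; then
        echo "BROAD: no -i, so it also matches wan1"
    elif [ "$iface" = "$(iface_for_subnet "$key")" ]; then
        echo OK
    else
        echo "should be \"-i $(iface_for_subnet "$key")\""
    fi
}

# Constructed input: three of the rules quoted in the thread.
for r in '$IPCH -I forward -j ACCEPT -s 192.168.11.0/24 -d 192.168.14.0/24 -i eth1' \
         '$IPCH -I forward -j ACCEPT -s 192.168.14.0/24 -d 192.168.11.0/24 -i eth1' \
         '$IPCH -I input -j ACCEPT -s 192.168.11.0/24 -d 192.168.14.0/24 -i eth1'; do
    echo "$r  =>  $(check_rule "$r")"
done
```

Rules with no -s/-d (or no -i) are reported as BROAD rather than judged, which is the same point the reply makes about the bare input rule.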
