Charles Steinkuehler wrote: > > > > > 17: wan1: <POINTOPOINT,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen > 100 > > > > link/ppp > > > > inet 64.4.222.157 peer 64.4.222.158/32 scope global wan1 > > > > inet 64.4.197.99/32 scope global wan1 > > > > inet 64.4.197.100/32 scope global wan1 > > > > inet 64.4.197.101/32 scope global wan1 > > > > > > Please *REMOVE* the extra IP's assigned to your wan interface and > see > > > what happens (ie wan1 should have *ONLY* the 64.4.222.157 IP). The > fact > > > that you have IP's assigned to the firewall that actually belong on > your > > > DMZ network could be the source of all your confusion. Remember, > the > > > wan interface is an arpless point-to-point interface, and even if > wan1 > > > was an ethernet NIC, your IP configuration would not work in either > a > > > routed *OR* a proxy-arp DMZ. > > > > Yes, looks pretty dumb; but, we have these mapped to systems on NAT'ed > > internal network. > > > > Besides, I have done same testing *without* these and results are > > identical . . . > > I almost missed this... > > What do you mean when you say you have those IP's mapped to NAT'ed > sysetms on the internal network? If you mean NAT as in Static-NAT and > advanced routing rules, I need to see *ALL* your routing info, not just > the output of "ip route". In this situation, it would still be > incorrect to assign the IP to the WAN interface.
Nomenclature ;> > If you really mean you're port-forwarding those IP's to systems on your > internal network, your configuration probably makes more sense. # ipmasqadm portfw -ln | sort -nk 4 prot localaddr rediraddr lport rport pcnt pref TCP 64.4.222.157 192.168.1.40 21 21 6 10 TCP 64.4.197.100 192.168.1.105 22 22 9 10 TCP 64.4.197.99 192.168.1.40 22 22 8 10 TCP 64.4.197.99 192.168.1.40 143 143 9 10 UDP 64.4.197.99 192.168.1.40 143 143 10 10 UDP 64.4.197.99 192.168.1.40 514 514 6 10 TCP 64.4.222.157 192.168.1.20 3828 3828 10 10 TCP 64.4.222.157 192.168.1.40 6543 80 10 10 TCP 64.4.222.157 192.168.1.20 55631 5631 10 10 UDP 64.4.222.157 192.168.1.20 55632 5632 10 10 Lazy man's way to avoid ssh using other than 22, snmp other than 161/2, &c. ;> > Regardless, I doubt this is the cause of your current problems, > especially since you indicated you tested with and without the IP's > assigned. Agreed . . . -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
