hi mike, see comments below...
> Each subnet in the corporate lan have a different default gateway, but none
> of them is the router I'm tinkering with.

The above statement is indeed now the problem... in routing... there must be a path from one end to the other end and vice versa... routing is pretty simple to troubleshoot... for example.. you want to troubleshoot from subnet 1 (192.168.100.0/24) going to subnet 2 (10.10.10.0/21)... assuming your host ip in subnet 1 is 192.168.100.123 and host ip in subnet 2 is 10.10.10.123.. all you have to do is go to host 192.168.100.123 first and look at its routing table and see what the next hop for host 10.10.10.123 is.. once you have the next hop... go to that next hop and look at its routing table and look for the next hop for 10.10.10.123... and so on and so forth until you reach the hop where its routing table has a *directly connected* interface for 10.10.10.123/21... directly connected interface means if one interface has an ip of 10.10.10.234/21 for example... 10.10.10.123 is now reachable with that direct route.... after you trace that it is reachable from 192.168.100.123 going to 10.10.10.123... now do the reverse trace by starting from 10.10.10.123 going to 192.168.100.123 to see if it is reachable or not... you can easily spot where the problem is by doing a route trace...

there are two kinds of routing - symmetric and asymmetric... symmetric routing is the same path from and to and to and from.. while asymmetric is not... you can use either symmetric or asymmetric as long as both ends are reachable.. one big disadvantage of asymmetric is that if you have a session tracking firewall along the path - it will break and drop the connection because the firewall will see a lot of unknown sessions due to the asymmetric path...

> I tested both with the built-in firewall on and off. Same behavior on both
> counts.

ok this simply means you have a routing problem...

> I'm thinking this is a NAT/masquerade-related issue in the dd-wrt firmware.

in your situation.. you only use NAT and apply it at the public IP address interface facing the internet... don't use any NAT on any of those 4 subnets as the correct routing table in place will take care of the routing to reach each subnet.. if you want those 4 subnets to be able to reach the internet.. make sure there is a path going to the Internet as well as a return path to the source... since you mentioned subnet 1 has no problem with internet connection.. therefore.. this is not a NAT issue.. you will only use NAT inside your network if another network segment joins your existing network with the same network segment address space... for example... you have two networks 1.0.0.0/24 and 2.0.0.0/24 that are connected with each other... your company bought another company and their network is 1.0.0.0/24 which conflicts with your existing network... to solve this problem without touching the network of the newly bought company... create another network segment, let's say 3.0.0.0/24, and join it to your existing network.. then have a one-to-one NAT mapping between 3.0.0.0/24 and 1.0.0.0/24 of that newly bought company's network...

if you still have difficulty... just let me know and I will require you to submit the full details of your network by sending them to me in private....

fooler.

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
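The hop-by-hop route trace described in the reply above, as an added example that is not part of the thread: a small Python model of per-node routing tables that follows next hops from source to destination and back, then reports whether the path is unreachable, looped, or asymmetric (the case where a stateful firewall on the path sees only one direction). Node names and routing tables are constructed for illustration and are not from the original post.

```python
import ipaddress

# Constructed sample topology (assumed, not from the thread). Each node has a
# routing table: list of (prefix, next hop); next hop "direct" means the prefix
# sits on a directly connected interface of that node. Subnet 1's default
# gateway is gw1, not the dd-wrt router, as in the situation described.
TABLES = {
    "hostA": [("192.168.100.0/24", "direct"), ("0.0.0.0/0", "gw1")],
    "gw1":   [("192.168.100.0/24", "direct"), ("10.10.10.0/21", "ddwrt"),
              ("0.0.0.0/0", "isp")],
    "ddwrt": [("192.168.100.0/24", "direct"), ("10.10.10.0/21", "direct")],
    "hostB": [("10.10.10.0/21", "direct"), ("0.0.0.0/0", "ddwrt")],
    "isp":   [],  # the upstream has no route back to private address space
}

def next_hop(table, dst):
    """Longest-prefix match of dst against one routing table (None = no route)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        # strict=False so a prefix written with host bits (10.10.10.0/21) is accepted
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(src, dst, tables=TABLES):
    """Follow next hops from src until dst is directly connected; returns (hops, status)."""
    hops, node = [src], src
    while True:
        hop = next_hop(tables[node], dst)
        if hop is None:
            return hops, f"no route to {dst} at {node}"
        if hop == "direct":
            return hops, "reachable"
        if hop in hops:
            return hops + [hop], "routing loop"
        node = hop
        hops.append(node)

def check_path(a, a_ip, b, b_ip, tables=TABLES):
    """Forward and reverse trace; report whether the two paths are symmetric."""
    fwd, fwd_status = trace(a, b_ip, tables)
    rev, rev_status = trace(b, a_ip, tables)
    if fwd_status != "reachable" or rev_status != "reachable":
        return {"forward": fwd_status, "reverse": rev_status, "symmetric": None}
    # Symmetric means the reverse path crosses the same transit nodes in reverse order.
    symmetric = fwd[1:] == list(reversed(rev[1:]))
    return {"forward": fwd, "reverse": rev, "symmetric": symmetric}
```

With the sample tables the forward path is hostA, gw1, ddwrt but the return path is hostB, ddwrt, so both ends are reachable yet the route is asymmetric; dropping the 10.10.10.0/21 entry from gw1 turns the forward trace into "no route at isp", which is the kind of gap the trace is meant to expose.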

