[leaf-user] Routing Question: eth0=DSL, eth1=Local, eth2=DMZ, eth3=Cable

2005-06-08 Thread William (Andy) Smith
I was given direction from Charles Steinkuehler on my question, but I am
still not clear on how to implement the routing rules in
/etc/network/interfaces, or what specific rules to set since my case is
slightly different from what is recommended at the documentation site.

I am looking at the following URL from what was suggested:

http://lartc.org/howto/lartc.rpdb.multiple-links.html

Going from their model, I have something more like this that I not only need
to set up, but test and verify it works on the wire before we down
production equipment and move it to a new location:

 +-----------------+    +---------------+    +-----------------+       ___
 | DMZ via Prov.1  |    | eth2     eth0 +----+ Provider 1      |      /
 | 66.114.34.92/30 +----+               |    | 66.114.33.64/30 +-----+
 +-----------------+    |               |    | gw 66.114.34.65 |     |
                        | Linux Router  |    +-----------------+     | Internet
 +-----------------+    |               |    +-----------------+     |
 | Lcl NAT via Prv2|    |               |    | Provider 2      |     |
 | 192.168.2.0/24  +----+ eth1     eth3 +----+ 192.168.1.0/24  +-----+
 +-----------------+    +---------------+    | gw 192.168.1.254|      \___
                                             +-----------------+

I note /etc/iproute2/rt_tables which on my machine has the following as a
default on my existing router:

#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
1  inr.ruhep

The only 'inbound' traffic from the net comes from Provider 1 to the DMZ.

I suspect I need to add tables to rt_tables, for which the following names
would be useful to match my shorewall names:

Eth0  net
Eth1  lcl
Eth2  dmz
Eth3  cbl

So am I correct to comment out 'inr.ruhep' and append the following to
rt_tables?

1  net
2  lcl
3  dmz
4  cbl

It then looks like I need to do the 'ip route add default via '
commands, and they should be in ifup. I have /etc/network/if-up.d with no
example scripts inside it. Their example also has commands for me to see
what the route tables look like. However I need the routes added as part of
LEAF on startup, and the 'show' commands are a separate issue of debugging
what I'm trying to accomplish.

For all their instructions, and my reading of
http://www.linuxhorizon.ro/iproute2.html I am still not clear *where* and
*how* to set up a script that will automatically send all traffic coming
over eth1 out eth3, excluding traffic directed at eth2's network. Their
example doesn't appear to refer to a 'dmz' situation, and I'm not clear if I
can put the route mapping in /etc/network/interfaces or
/etc/network/if-up.d, and how to format it.

What would you suggest for this case? I feel like my brain is trying to
climb up the down escalator.

It appears I do not need to change Shorewall unless I want special behavior,
such as 'outbound port 80 always goes out cbl interface'. I want no special
behavior until I am completely confident about this general behavior.

Thank you.

--Romaq





---
This SF.Net email is sponsored by: NEC IT Guy Games.  How far can you shotput
a projector? How fast can you ride your desk chair down the office luge track?
If you want to score the big prize, get to know the little guy.  
Play to win an NEC 61 plasma display: http://www.necitguy.com/?r=20

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/



Re: [leaf-user] Routing Question: eth0=DSL, eth1=Local, eth2=DMZ, eth3=Cable

2005-06-06 Thread Arne Bernin
On Mon, 2005-06-06 at 10:06 -0700, William (Andy) Smith wrote:
 I was given direction from Charles Steinkuehler on my question, but I am
 still not clear on how to implement the routing rules in
 /etc/network/interfaces, or what specific rules to set since my case is
 slightly different from what is recommended at the documentation site.
 
 I am looking at the following URL from what was suggested:
 
 http://lartc.org/howto/lartc.rpdb.multiple-links.html
 
 Going from their model, I have something more like this that I not only need
 to set up, but test and verify it works on the wire before we down
 production equipment and move it to a new location:
 
  +-----------------+    +---------------+    +-----------------+       ___
  | DMZ via Prov.1  |    | eth2     eth0 +----+ Provider 1      |      /
  | 66.114.34.92/30 +----+               |    | 66.114.33.64/30 +-----+
  +-----------------+    |               |    | gw 66.114.34.65 |     |
                         | Linux Router  |    +-----------------+     | Internet
  +-----------------+    |               |    +-----------------+     |
  | Lcl NAT via Prv2|    |               |    | Provider 2      |     |
  | 192.168.2.0/24  +----+ eth1     eth3 +----+ 192.168.1.0/24  +-----+
  +-----------------+    +---------------+    | gw 192.168.1.254|      \___
                                              +-----------------+
 
 I note /etc/iproute2/rt_tables which on my machine has the following as a
 default on my existing router:
 
 #
 # reserved values
 #
 255 local
 254 main
 253 default
 0   unspec
 #
 # local
 #
 1  inr.ruhep
 
 The only 'inbound' traffic from the net comes from Provider 1.to the DMZ.
 
 I suspect I need to add tables to rt_tables, for which the following names
 would be useful to match my shorewall names:
 
 Eth0  net
 Eth1  lcl
 Eth2  dmz
 Eth3  cbl
 
 So am I correct to comment out 'inr.ruhep' and append the following to
 rt_tables?
 
 1  net
 2  lcl
 3  dmz
 4  cbl


If I understand correctly what you wish to do, you need to add a
masquerade/SNAT rule for the traffic coming from eth1 to eth3 (and add
an exclude for the network on eth2 in shorewall). As the machine has a
local route to the dmz network it should route the traffic there without
needing any changes.
All traffic coming in via provider 1 (eth0) will be automatically routed
to the dmz, too. So the only thing you need to change is that all
traffic coming from the dmz will go out on eth0 again.
So, just add one table to rt_tables (you need only to do this once and
backup the package).
echo "1 dmz" >> /etc/iproute2/rt_tables
(I am not sure about the 1, normally numbers starting at 200 are used).

You now create an appropriate rule:
# ip rule add from 66.114.34.92/30 table dmz
# ip route add default via 66.114.34.65 dev eth0 table dmz
# ip route flush cache

This should basically do it, as the normal traffic will take the default
table...

You can add this to /etc/network/interfaces to the eth0 section like
this:
up ip rule add from 66.114.34.92/30 table dmz
up ip route add default via 66.114.34.65 dev eth0 table dmz
up ip route flush cache

and (if you want) a corresponding down section...
Or you can put this in a script (for example /usr/local/sbin/addiprules)
and use it like:
up /usr/local/sbin/addiprules

or put it in /etc/network/if-up.d. All scripts in there are called with
some environment variables (an example follows):

MODE=stop
IF_NETMASK=255.255.255.0
ADDRFAM=inet
METHOD=static
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
PWD=/root
IF_NETWORK=192.168.5.0
SHLVL=2
IF_BROADCAST=192.168.5.255
IF_GATEWAY=192.168.5.254
IFACE=eth0
IF_ADDRESS=192.168.5.3

(I used ifdown, so MODE is stop, not start). But you could use something
like:
#! /bin/sh
# ifupdown hands if-up.d scripts IFACE (and the IF_* variables shown above)
if [ "$IFACE" = eth0 ] ; then
    ip rule add from 66.114.34.92/30 table dmz
    ip route add default via 66.114.34.65 dev eth0 table dmz
    ip route flush cache
fi

All 3 possibilities should work; I think the first one (directly
in /etc/network/interfaces) is the easiest...

--arne

-- 
Arne Bernin [EMAIL PROTECTED]

http://www.ucBering.de
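The routing decision Arne describes, worked through as an added example (this is not code from the thread, from LEAF/Bering or from the LARTC howto). It models the kernel's rule-then-table lookup with the addresses posted above and renders the resulting 'ip route add' lines. It also shows the one gap in a dmz table that holds only a default route: a DMZ host's packets to 192.168.2.0/24 match the 'from 66.114.34.92/30' rule first, and the lone default then sends them out eth0 instead of eth1. Assumptions: the Provider 1 link net is taken as 66.114.34.64/30 (the posted gateway 66.114.34.65 lies in that block, while the post writes 66.114.33.64/30), and the LAN, DMZ and outside host addresses used for the walk-through are made up.

```python
"""RPDB walk-through for the four-interface LEAF router discussed in this thread.

Added example, not code from the original posts. The kernel consults routing
rules in priority order; each rule names a table, and the first table that
yields a longest-prefix match for the destination decides the egress. Addresses,
interfaces and gateways are the ones posted in the thread. Assumption: the
Provider 1 link net is taken as 66.114.34.64/30 (the posted gateway 66.114.34.65
lies in that block; the post itself writes 66.114.33.64/30).
"""
from ipaddress import ip_address, ip_network

# (prefix, device, gateway-or-None). Connected routes the kernel creates from the
# interface addresses; they live in the main table whatever else is configured.
CONNECTED = [
    ("66.114.34.64/30", "eth0", None),   # Provider 1 link (DSL), assumed /30, see above
    ("66.114.34.92/30", "eth2", None),   # DMZ
    ("192.168.2.0/24",  "eth1", None),   # local NAT network
    ("192.168.1.0/24",  "eth3", None),   # Provider 2 link (cable)
]
# main table: connected nets plus the default the poster wants for the LAN (eth3).
MAIN = CONNECTED + [("0.0.0.0/0", "eth3", "192.168.1.254")]
# dmz table exactly as the reply above builds it: a lone default via Provider 1.
DMZ_AS_POSTED = [("0.0.0.0/0", "eth0", "66.114.34.65")]
# dmz table the way the LARTC howto builds per-provider tables: connected nets too.
DMZ_WITH_CONNECTED = CONNECTED + [("0.0.0.0/0", "eth0", "66.114.34.65")]

# 'ip rule add from 66.114.34.92/30 table dmz' lands at priority 32765, just ahead
# of the built-in 'from all lookup main' rule (32766). The local table is omitted
# because only forwarded traffic matters here.
RULES = [
    (32765, "66.114.34.92/30", "dmz"),
    (32766, None, "main"),
]


def lookup(table, dst):
    """Longest-prefix match within one table; None means the table has no route."""
    best = None
    for prefix, dev, gw in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def route(rules, tables, src, dst):
    """Walk the RPDB: the first matching rule whose table holds a route for dst
    wins. Returns (table_name, device, gateway)."""
    src, dst = ip_address(src), ip_address(dst)
    for _prio, selector, table_name in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in ip_network(selector):
            continue
        hit = lookup(tables[table_name], dst)
        if hit is not None:            # no match: fall through to the next rule
            return table_name, hit[1], hit[2]
    raise LookupError(f"no route from {src} to {dst}")


def egress(dmz_table, src, dst):
    """Egress decision for a forwarded packet with the given dmz table installed."""
    return route(RULES, {"main": MAIN, "dmz": dmz_table}, src, dst)


def ip_commands(table_name, table):
    """Render a table as the 'ip route add' lines for an 'up' hook in
    /etc/network/interfaces (0.0.0.0/0 is spelled 'default', as ip(8) prints it)."""
    lines = []
    for prefix, dev, gw in table:
        dst = "default" if prefix == "0.0.0.0/0" else prefix
        via = f" via {gw}" if gw else ""
        lines.append(f"ip route add {dst}{via} dev {dev} table {table_name}")
    return lines


if __name__ == "__main__":
    LAN, DMZ_HOST, OUTSIDE = "192.168.2.10", "66.114.34.94", "198.51.100.1"
    for name, table in (("as posted", DMZ_AS_POSTED), ("with connected nets", DMZ_WITH_CONNECTED)):
        print(f"dmz table {name}:")
        for src, dst in ((LAN, OUTSIDE), (LAN, DMZ_HOST), (DMZ_HOST, OUTSIDE), (DMZ_HOST, LAN)):
            print(f"  {src:>14} -> {dst:<14} {egress(table, src, dst)}")
    print("\n".join(ip_commands("dmz", DMZ_WITH_CONNECTED)))
```

With the table as posted, a DMZ host answering a connection from 192.168.2.10 is routed out eth0 towards Provider 1 with a private destination, so the connection never completes and Shorewall sees the reply leaving through the wrong zone. Copying the connected networks into the dmz table, as the LARTC howto does for its per-provider tables, keeps LAN-to-DMZ traffic on eth1/eth2 while DMZ-to-Internet traffic still leaves via eth0. Whatever the tables contain, 'ip route flush cache' after each change, as the reply already does.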






[leaf-user] Routing Question: eth0=DSL, eth1=Local, eth2=DMZ, eth3=Cable

2005-06-04 Thread William (Andy) Smith
I have successfully made a three interface setup with Bering uClibc
consisting of eth0 to Net, eth1 for our internal network and eth2 for the
DMZ. We are now moving from the office we had to a home-office where eth0 is
connected to our existing ISP by DSL plus we are adding Cable internet
connection to eth3.

1) I have verified that Comcast and DSL work as links to the outside and as
expected.

2) The rules I had under the three card network will continue to apply.
Because we are using the same IP, we even get to keep our old IP addresses
for the DMZ.

3) Comcast is needed as bursty, high-speed outbound access where DSL
supplies fixed IP metered bandwidth.

4) I want the DMZ's default gateway to continue to be eth0.

5) I want eth1's default gateway to become eth3.

6) If eth1 happens to want to hit the DMZ, I want it to go directly to eth2
rather than out through the cable Internet and back through the DSL.

Would anyone be able to point me in the right direction?

Thanks!

--Romaq







[leaf-user] Routing Question

2005-05-11 Thread Stefaan Van Dooren
Hi,

I recently upgraded an old Dachstein firewall to ucBering 2.1 (I prepared it
awhile ago, but only now had a chance to put it in place). This
firewall (router) is the default gateway for all the stations in the network
(local). But it isn't the only router in the network, there are 2 or 3 more
isdn-routers (zyxel prestige 200 series) which are used to connect to
customers sites which aren't on the net yet.

In the past, all the stations on the local network only had a route to the
default gateway, and this default gateway had a routing table to the other
routers. This worked ok for what we needed it. (no dhcp)

Now with the new ucBering this isn't working anymore. I added the routing on
the ucBering, 192.168.155.0/24 via 192.168.70.251 dev eth1, but I get this
in the logs:

May 11 09:45:34 firefly FORWARD REJECT eth1 eth1 192.168.70.17 192.168.155.4
UDP 1990 5632 (PcAnywhere)

What do I need to change to allow this?


Stefaan








RE: [leaf-user] Routing Question

2004-05-05 Thread Rob Asher
Joey,
I personally only have experience with the 3Com 3CRDW696 PCI 
card.  It's worked great so far with Bering-uClibc 2.1 but I've only had it 
running for a couple of weeks now in testing.  I've also had it working on 
Pebble and RH9 in between my searches for info on how to setup Bering as an 
AP.  You can look for some compatible cards at 
http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.802.11b.html#Prism2 
There may be a more complete list of prism2+ cards elsewhere though.  A 
quick google of prism2 card list turned up this one 
http://www.personaltelco.net/index.cgi/Prism2Card and several others that 
might be helpful.

Good luck,
Rob
At 11:59 PM 05/04/04, Joey Officer wrote:


I'm currently testing with a Belkin (read: barely working) 802.11b card.
Based off of admtek 8211 chipset.  Finally got a stable link tonight,
however what my ultimate goal is to setup my leaf box as an access point.
Can you recommend a specific prism card to use?  I have no current
investment, so anything I begin to purchase can be planned.
Thanks for the links, I'll be sure to browse them tonight and research.

Joey

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rob Asher
Sent: Monday, May 03, 2004 8:37 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Routing Question
At 10:23 AM 05/01/04, Ray Olszewski wrote:

At 07:46 AM 5/1/2004 -0500, Joey Officer wrote:
 Forgive my ignorance, but I have what seems to be a very simple question. I
 have a wireless card that I'm still attempting to setup, and while I think I
 have the link issues corrected, I do have some questions about the routing
 itself.
 
 My configuration is as follows:
 
 eth0 : internet/dhcp
 eth1 : wired local network 192.168.1.254
 eth2 : wireless network (current IP 10.10.55.254 - can be configured
 differently)
 
 What I want to do is to setup an open wireless gateway that will allow
 anyone in the area to use the wireless connection, but only after
 registering.  Basically I want to forward any requests to a site on my
 bering box that says something like, hey its free, just tell me who you are
 and I'll add you, after that they would be able to get through.
 
 Has anyone configured this type of setup?  Is there anything I should be
 paying attention to.  One thing that is important is that I don't want the
 eth2 traffic to be able to get to my local wired LAN, on eth1.

The old hand Linux application for approximately this purpose is called
NoCat; find it at NoCat.net . A Google search (wifi public access linux)
just now found a custom distro called PublicIP (http://www.publicip.net/)
that builds on NoCat.

My hunch (based partly on some work I did about 2 years ago on a similar
idea, but one involving charging usage fees) is that the required
infrastructure is a bit large for LEAF, particularly the parts needed for
reliable user authentication. But I haven't actually tried anything like
this in quite some time, so I may be unaware of newer solutions to some of
the problems.
If you have a Prism2+ based card, the HostAP - http://hostap.epitest.fi/
driver has worked great for me on Bering-uClibc 2.1 as an access
point.  There are a lot of other things that can be done with this card and
driver that might be what you're looking for.  While not based off
LEAF/Bering, you might look into some alternative options like Pebble -
http://www.nycwireless.net/pebble/   or hack this modified version of
Pebble that runs off hard disk to suit your needs -
http://www.burngreave.net/~aland/it/bcan/ .  The stock Pebble includes
NoCat and from the sound of what you're wanting, I'd agree that it might be
exactly what you're looking for.  And yet more info for options with the
HostAP driver if that is the card that you have -
http://trekweb.com/~jasonb/articles/hostap_20030727.shtml .
HTH,
Rob




RE: [leaf-user] Routing Question

2004-05-04 Thread Joey Officer
I'm currently testing with a Belkin (read: barely working) 802.11b card.
Based off of admtek 8211 chipset.  Finally got a stable link tonight,
however what my ultimate goal is to setup my leaf box as an access point.
Can you recommend a specific prism card to use?  I have no current
investment, so anything I begin to purchase can be planned.

Thanks for the links, I'll be sure to browse them tonight and research.

Joey

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Rob Asher
Sent: Monday, May 03, 2004 8:37 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Routing Question


At 10:23 AM 05/01/04, Ray Olszewski wrote:


At 07:46 AM 5/1/2004 -0500, Joey Officer wrote:
 Forgive my ignorance, but I have what seems to be a very simple question. I
 have a wireless card that I'm still attempting to setup, and while I think I
 have the link issues corrected, I do have some questions about the routing
 itself.
 
 My configuration is as follows:
 
 eth0 : internet/dhcp
 eth1 : wired local network 192.168.1.254
 eth2 : wireless network (current IP 10.10.55.254 - can be configured
 differently)
 
 What I want to do is to setup an open wireless gateway that will allow
 anyone in the area to use the wireless connection, but only after
 registering.  Basically I want to forward any requests to a site on my
 bering box that says something like, hey its free, just tell me who you are
 and I'll add you, after that they would be able to get through.
 
 Has anyone configured this type of setup?  Is there anything I should be
 paying attention to.  One thing that is important is that I don't want the
 eth2 traffic to be able to get to my local wired LAN, on eth1.

The old hand Linux application for approximately this purpose is called
NoCat; find it at NoCat.net . A Google search (wifi public access linux)
just now found a custom distro called PublicIP (http://www.publicip.net/)
that builds on NoCat.

My hunch (based partly on some work I did about 2 years ago on a similar
idea, but one involving charging usage fees) is that the required
infrastructure is a bit large for LEAF, particularly the parts needed for
reliable user authentication. But I haven't actually tried anything like
this in quite some time, so I may be unaware of newer solutions to some of
the problems.

If you have a Prism2+ based card, the HostAP - http://hostap.epitest.fi/
driver has worked great for me on Bering-uClibc 2.1 as an access
point.  There are a lot of other things that can be done with this card and
driver that might be what you're looking for.  While not based off
LEAF/Bering, you might look into some alternative options like Pebble -
http://www.nycwireless.net/pebble/   or hack this modified version of
Pebble that runs off hard disk to suit your needs -
http://www.burngreave.net/~aland/it/bcan/ .  The stock Pebble includes
NoCat and from the sound of what you're wanting, I'd agree that it might be
exactly what you're looking for.  And yet more info for options with the
HostAP driver if that is the card that you have -
http://trekweb.com/~jasonb/articles/hostap_20030727.shtml .

HTH,
Rob




[leaf-user] Routing Question

2004-05-01 Thread Joey Officer
Forgive my ignorance, but I have what seems to be a very simple question.  I
have a wireless card that I'm still attempting to setup, and while I think I
have the link issues corrected, I do have some questions about the routing
itself.

My configuration is as follows:

eth0 : internet/dhcp
eth1 : wired local network 192.168.1.254
eth2 : wireless network (current IP 10.10.55.254 - can be configured
differently)

What I want to do is to setup an open wireless gateway that will allow
anyone in the area to use the wireless connection, but only after
registering.  Basically I want to forward any requests to a site on my
bering box that says something like, hey its free, just tell me who you are
and I'll add you, after that they would be able to get through.

Has anyone configured this type of setup?  Is there anything I should be
paying attention to.  One thing that is important is that I don't want the
eth2 traffic to be able to get to my local wired LAN, on eth1.

Joey





Re: [leaf-user] Routing Question

2004-05-01 Thread Ray Olszewski
At 07:46 AM 5/1/2004 -0500, Joey Officer wrote:
Forgive my ignorance, but I have what seems to be a very simple question.  I
have a wireless card that I'm still attempting to setup, and while I think I
have the link issues corrected, I do have some questions about the routing
itself.
My configuration is as follows:

eth0 : internet/dhcp
eth1 : wired local network 192.168.1.254
eth2 : wireless network (current IP 10.10.55.254 - can be configured
differently)
What I want to do is to setup an open wireless gateway that will allow
anyone in the area to use the wireless connection, but only after
registering.  Basically I want to forward any requests to a site on my
bering box that says something like, hey its free, just tell me who you are
and I'll add you, after that they would be able to get through.
Has anyone configured this type of setup?  Is there anything I should be
paying attention to.  One thing that is important is that I don't want the
eth2 traffic to be able to get to my local wired LAN, on eth1.
The old hand Linux application for approximately this purpose is called 
NoCat; find it at NoCat.net . A Google search (wifi public access linux) 
just now found a custom distro called PublicIP (http://www.publicip.net/) 
that builds on NoCat.

My hunch (based partly on some work I did about 2 years ago on a similar 
idea, but one involving charging usage fees) is that the required 
infrastructure is a bit large for LEAF, particularly the parts needed for 
reliable user authentication. But I haven't actually tried anything like 
this in quite some time, so I may be unaware of newer solutions to some of 
the problems.







[leaf-user] Routing Question

2004-04-21 Thread Chris Carbaugh
Trying a different approach to my previous question (Routing/openVPN
Question).

Here's my setup:

10.1.0.2         openVPN TUN interface
192.168.11.2     Remote Client
  |
  |
192.168.11.1     Remote LAN Gateway - Linksys router
192.168.1.33     router external interface
  |
  |
192.168.1.0/24   Sprint's local DSL subnet
192.168.1.254    router's gateway
  ?
  ?
65.41.48.33      Sprint's public IP (DSL subnet is NAT'ed behind this)
  |
  |
66.216.159.82    Our T1 public interface (NAT'ing our LAN)
192.168.1.100    Our LAN's Gateway
  |
  |
192.168.1.0/24   Our LAN

Given the above, is it possible to add a route on the remote client
(winxp pro) so that all traffic to a single IP is routed through the
openvpn interface to our LAN, in essence ignoring part of the
192.168.1.0/24 subnet on Sprint's DSL segment.

For those unfamiliar with openVPN, on connection it would create a route
on the remote client such as:

route add 192.168.1.0 mask 255.255.255.0 10.1.0.2

10.1.0.2 being the interface that openVPN creates on the client.

I was thinking changing that route to:

route add 192.168.1.36 mask 255.255.255.252 10.1.0.2

My thoughts are by creating the route to 192.168.1.36/255.255.255.252,
only traffic to 192.168.1.36 would hit the openVPN interface, and all
other traffic to 192.168.1.0 would hit the DSL segment.

Is this at all right?  Is the mask correct?

The bering box on our LAN would have a route such as:

192.168.11.0/24 via 10.1.0.1 dev tun1

I'm stretching my knowledge of routing here, so please set me straight.

Thanks for any help, and to those who replied previously.

Chris



-- 
Chris Carbaugh
Network Administrator
[EMAIL PROTECTED]

Leer Electric Inc.
www.LeerElectric.com
PHONE: (717) 432-9756
FAX:   (717) 432-9758
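How a client resolves the overlapping routes described above, as an added example (not code from the post or from OpenVPN): longest-prefix matching, which Windows and Linux both apply regardless of the order routes were added, plus what a 255.255.255.252 mask actually pulls in. The addresses are the post's; 192.168.1.37, .38 and .40 are made-up neighbours used only to show which way each destination goes.

```python
"""Longest-prefix matching for the overlapping 192.168.1.0/24 case in this post.

Added example, not code from the original post. A host's route table is not
searched in insertion order: the entry with the longest matching prefix wins,
so a narrow route through the tunnel can override the 192.168.1.0/24 reached via
the DSL segment. Addresses are the ones posted; the sample destinations other
than 192.168.1.36 are made up for the walk-through.
"""
from ipaddress import ip_address, ip_network

# Client-side table with the route the post proposes: (destination, gateway).
# Sprint's 192.168.1.0/24 DSL segment is reached through the Linksys default.
ROUTES_PROPOSED = [
    ("0.0.0.0/0", "192.168.11.1"),     # default via the remote LAN gateway
    ("192.168.1.36/30", "10.1.0.2"),   # route add 192.168.1.36 mask 255.255.255.252 10.1.0.2
]
# Same table with a host route (mask 255.255.255.255) instead of the /30.
ROUTES_HOST = [
    ("0.0.0.0/0", "192.168.11.1"),
    ("192.168.1.36/32", "10.1.0.2"),
]


def next_hop(routes, dst):
    """Gateway chosen for dst: the matching entry with the longest prefix."""
    dst = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def covered(dest, mask):
    """Every address a 'route add DEST mask MASK' entry pulls in."""
    return [str(a) for a in ip_network(f"{dest}/{mask}")]


def windows_route(prefix, gw):
    """Spell a prefix the way the post's 'route add' line does."""
    net = ip_network(prefix)
    return f"route add {net.network_address} mask {net.netmask} {gw}"


if __name__ == "__main__":
    print("/30 covers:", covered("192.168.1.36", "255.255.255.252"))
    for dst in ("192.168.1.36", "192.168.1.38", "192.168.1.40"):
        print(dst, "->", next_hop(ROUTES_PROPOSED, dst), "(/30)",
              "|", next_hop(ROUTES_HOST, dst), "(/32)")
    print(windows_route("192.168.1.36/32", "10.1.0.2"))
```

The proposed /30 works for 192.168.1.36, but it also diverts .37, .38 and .39 into the tunnel, which may be live hosts on Sprint's DSL segment; if only the one address should cross OpenVPN, a host route (mask 255.255.255.255) is the exact form. The return route on the Bering box, 192.168.11.0/24 via 10.1.0.1 dev tun1, is unaffected by which mask the client uses.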





RE: [Leaf-user] routing question

2001-10-07 Thread stefan

hi pedro !!!

thanks for your help. 
but this only solved my routing problems on the lrp2-side.
actually the isdn-connection is always started by lrp2.

can I add a second route to the lrp2 on the fw ?
(ro add 192.168.1.0 via portmaster metric 2) 
how will fw know, if the ipsec-link on lrp1 is down ??

could this work ?

thanks & bye
stefan



On 03.10.2001 12:28:14, Pedro Barreto [EMAIL PROTECTED] wrote:

hi Stefan,

if you have some piece of software that will automatically connect the
isdn line when traffic is received on the isdn device, you could add
another default route with a higher metric, like:

ip r add default dev $isdn_dev via $isdn_ip metric 2
(assuming the first default route has a metric of 1)

but that might bring up the isdn line when the internet link is too
saturated.

you can also try to create a script to ping LRP2 box through LRP1 and
should that ping fail bring on the isdn interface, that script could go
to the cron.d (every 2 minutes */2 * * * *)

the script might be like:

#!/bin/bash
# INTERNET_DEV, LRP2_IP and ISDN_DEV must be set for the site; bring_up_isdn
# stands for whatever raises the ISDN link there.
# One probe packet through the internet link, two-second deadline, no output.
if ! /bin/ping -w 2 -n -q -I "$INTERNET_DEV" -c 1 "$LRP2_IP" >/dev/null 2>&1; then
  ip r del default
  bring_up_isdn
  ip r add default dev "$ISDN_DEV"
fi

you could also add to this script functionality to bring down isdn when
internet is up again.

that might help you,
pedro


 -Original Message-
 From: stefan [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, October 03, 2001 9:33 AM
 To: [EMAIL PROTECTED]
 Subject: [Leaf-user] routing question
 
 
 
 hi !!
 it's not really a LEAF-specific problem, but maybe a routing-pro 
 reads this also - hopefully.
 i've connected two locations with ipseced-LRP-boxes, now i plan
 a backup with isdn, but i have some routing problems.
 
 
 the network looks like this:
 
 192.168.1.0LRP2-.-.-.-Internet-.-.-.-.-LRP1
 |  ipsec |
 |FW10.1.1.0  
 ||
 | portmaster
 |__isdn__|
 
  
 the FW is running on solaris. portmaster is a RAS-server from 
 lucent.  
 i want the network to work on, if the internet connection fails,
 but i don't know which routing-protocols i can/should use to
 solve this. i'd be glad if there's an easy solution.
 i think the main problem is the firewall, which should know,
 which route to the 192.168.1 network to use.
 
 
 thanks.
 
 stefan
 
 
 