

Routing problems?

Posted on 1997-08-28
Medium Priority
Last Modified: 2012-05-04
I'm having probs trying to access the net from behind a second
router... it's kind of weird really, maybe then again, I'm just
inexperienced with networks!
I am having probs using the IP numbers 192.168.2.XXX as the IP
numbers for the computers behind the firewall. Here is a breakdown of the
problem. First thing I'd like to say is that the firewall has not been
installed nor configured yet! I have the linux (slack 2.0.29) box with
both ethernet cards up and running but there are no filters set in place.
Actually it's more of a router right now than a firewall.. but anyways.
Here is a description of the setup.
I have 1 (so far) computer (CP1) behind the firewall. CP1 has the IP
address of The Firewall machine has eth0 set as
and eth1 as On the outside of the firewall there are 4
stations with 206 addresses, and beyond that is the cisco 1000 router to
the internet, beyond the cisco are DNS servers and 253.
All 4 external stations can surf the net no prob, and they can see CP1 no
prob. However, CP1 can see as far as the cisco 1000 router (ping and
traceroute wise) but cannot get to the DNS servers!
here is some info I took from shell.
From behind the firewall
web:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window irtt Iface
                                                U      1500 0        0 eth0
                                                U      3584 0        0 lo
                                                UG     1500 0        0 eth0

traceroute to (, 30 hops max, 40 byte
 1 (  2.22 ms  23.854 ms  1.482 ms
 2 (  2.612 ms  1.997 ms  1.972 ms
 3  * * *
 4  * * *
 5  * * ^C and so on until 30

from the firewall machine....
traceroute to (, 30 hops max, 40 byte
 1 (  1.769 ms  1.68 ms  1.698 ms
 2 (  20.077 ms  20.204 ms  20.086 ms
 3  polux.entelchile.net (  20.225 ms  19.947 ms  20.168 ms

I see here that the "ISDN modem" has an IP address of
Could that be messing me up?
I don't think so because I had the same prob when I used another set of
reserved IP numbers (10.XXX.XXX.XXX)

I thought of a possible solution, take the IP numbers that were assigned
to me and make 2 networks out of them. One for behind the firewall and one
for outside the firewall.

The good folks that gave me the dedicated lines gave me the following

So.. I have X.162 to X.190 available to play with. Now I want to break this
up into 2 smaller networks. One to place behind the firewall and one
outside it. I came up with the following table. Is this correct?
            NET 1                NET 2

So in Net 1. Eth0 on the firewall would be and the
individual stations would go from 179 to 190.. Can I use 191?
And in Net 2. Eth1 on the firewall would be 162. 160 is the "ISDN Modem",
161 is the router to the internet 162 would be eth1 on the firewall and
the stations Outside the firewall would go up to 176.. again, could I use
the broadcast number of 177 as an IP number for one of the stations?

By the way. Here are the netstat results from the firewall machine.
The 3rd line was added automatically by the "ISDN modem" or cisco router,
not sure which but it is not in my /etc/rc.d/rc.inet1 file.

fw:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window irtt Iface
                                                U      1500 0      0 eth0
                                                U      1500 0      0 eth1
                                                UG     1500 0      0 eth0
                                                U      3584 0      0 lo
                                                UG     1500 0      0 eth0

Thank you for your help!
It is greatly appreciated!

Marcelo Iturbe   ________204.84.66.161              
__  _   \ |          | /   _____________   \   __________ /   ___________
inter-|  \|Cisco 1000|    |      4      |   \ | Firewall |   |        |
  net \---|  System  |----| Workstations|---  |  (router)|---|    CP1   |
/\_/\_/   |__________|    |__.170 -.173_|     |_(gateway)|   |__________|
You should change the width of this window to 80 columns!
Question by:sinner052397

Accepted Solution

sauron earned 400 total points
ID: 1586321
I see a few problems here.

You have 4 machines on 206.84.66 addresses behind your Cisco router - these are fine, from what I can see. Your routing from your Linux firewall machine ( is OK, and you can get onto the net from here.

Your routing from the machine CP1 ( is correct, and you can see everything up to the Cisco, right?

I think the Cisco is dropping packets, as it is illegal to advertise routes for the private networks onto the Internet.

The 192.168.x.x address class is reserved for internal use, and as such, you can't put a machine with such an address on the internet. You could get around this with IP masquerading, but I think the best solution for you here is to subnet your network.

>So.. I have X.162 to X.190 available to play with. Now I want to
>break this up into 2 smaller networks. One to place behind the
>firewall and one outside it. I came up with the following table.
>Is this correct?
>NET 1 NET 2

No, this won't work.

Subnet like so:-

Network 1,

Network address
Subnet mask
Broadcast Address

Network 2

Network address
Subnet mask
Broadcast Address

Now you have to available on subnet 1, and to on subnet 2.

The gateway address for the subnet behind the firewall will be whatever IP you give eth0 on that machine, the gateway address for subnet 2 will be the address of one of the interfaces in the Cisco.

You will need to reconfigure the Cisco with a new subnet mask at the very least, and you will need to reconfigure all of the machines currently using the non-subnetted IPs allocated to you.

I'm assuming, by the way, that the Cisco 1000 is the ISDN modem you refer to. If not, then I haven't got a clear picture of your network layout.

Author Comment

ID: 1586322
Kewl.. Very nicely done...
I did that and it worked well, but I also discovered that soon I will have more than 20 PCs behind the linux router and 15 in front of it, so I will run out of IPs and IP numbers are EXPENSIVE here in Chile so I already masqueraded them.
Thanks for your help!
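
The subnetting question and the later move to masquerading, worked through as an added example that is not part of either poster's text. It assumes the allocation is a /27 covering host octets .160 to .191 and uses the documentation prefix 192.0.2.0/24 as a constructed placeholder; the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in: the page gives only host octets (.160 modem, .161
# router, .162-.190 free), so a /27 in the 192.0.2.0/24 documentation range
# is assumed here in place of the real allocation.
BLOCK = ipaddress.ip_network("192.0.2.160/27")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split(block, extra_bits=1):
    """Describe each equal-sized subnet obtained by extending the mask."""
    plan = []
    for net in block.subnets(prefixlen_diff=extra_bits):
        hosts = list(net.hosts())
        plan.append({"network": str(net.network_address),
                     "mask": str(net.netmask),
                     "broadcast": str(net.broadcast_address),
                     "first": str(hosts[0]), "last": str(hosts[-1]),
                     "usable": len(hosts)})
    return plan


def check_range(block, first, last, extra_bits=1):
    """Check a proposed station range, given as last octets, against the split."""
    base = int(block.network_address) & ~0xFF
    lo, hi = ipaddress.ip_address(base + first), ipaddress.ip_address(base + last)
    for net in block.subnets(prefixlen_diff=extra_bits):
        if lo in net and hi in net:
            reserved = (net.network_address, net.broadcast_address)
            return {"subnet": str(net),
                    "reserved_in_range": [str(a) for a in reserved if lo <= a <= hi]}
    return {"subnet": None, "reserved_in_range": []}  # range straddles a boundary


def is_rfc1918(addr):
    """True for private space, which is not routed on the public Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    for row in split(BLOCK):
        print(row)
    print(check_range(BLOCK, 162, 176))  # proposed outside range
    print(check_range(BLOCK, 179, 191))  # proposed inside range plus .191
    print(is_rfc1918("192.168.2.10"), is_rfc1918("192.0.2.179"))
```

Under the assumed /27, each half has 14 usable host addresses, so more than 20 PCs behind the router cannot be numbered from one half, which is the situation the author comment describes before masquerading.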

