Solved

Routing problems?

Posted on 1997-08-28
Last Modified: 2012-05-04
Hello!
I'm having probs trying to access the net from behind a second
router... it's kind of weird really, maybe then again, I'm just
inexperienced with networks!
I am having probs using the IP numbers 192.168.2.XXX as the IP
numbers for the computers behind the firewall. Here is a breakdown of the
problem. First thing I'd like to say is that the firewall has not been
installed nor configured yet! I have the linux (slack 2.0.29) box with
both ethernet cards up and running but there are no filters set in place.
Actually it's more of a router right now than a firewall.. but anyways.
Here is a description of the setup.
I have 1 (so far) computer (CP1) behind the firewall. CP1 has the IP
address of 192.168.2.2. The Firewall machine has eth0 set as 192.168.2.1
and eth1 as 206.84.66.162. On the outside of the firewall there are 4
stations with 206 addresses, and beyond that is the cisco 1000 router to
the internet, beyond the cisco are DNS servers 206.137.97.254 and 253.
All 4 external stations can surf the net no prob, and they can see CP1 no
prob. However, CP1 can see as far as the cisco 1000 router (ping and
traceroute wise) but cannot get to the DNS servers!
Here is some info I took from the shell.
----------------------------
From behind the firewall
web:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window irtt Iface
192.168.2.0     0.0.0.0         255.255.255.0   U      1500 0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U      3584 0        0 lo
0.0.0.0         192.168.2.1     0.0.0.0         UG     1500 0        0 eth0

traceroute to 206.137.97.254 (206.137.97.254), 30 hops max, 40 byte
packets
 1  10.107.136.200 (10.107.136.200)  2.22 ms  23.854 ms  1.482 ms
 2  206.84.66.161 (206.84.66.161)  2.612 ms  1.997 ms  1.972 ms
 3  * * *
 4  * * *
 5  * * ^C and so on until 30

from the firewall machine....
traceroute to 206.137.97.254 (206.137.97.254), 30 hops max, 40 byte
packets
 1  206.84.66.161 (206.84.66.161)  1.769 ms  1.68 ms  1.698 ms
 2  192.168.100.77 (192.168.100.77)  20.077 ms  20.204 ms  20.086 ms
 3  polux.entelchile.net (206.137.97.254)  20.225 ms  19.947 ms  20.168 ms

I see here that the "ISDN modem" has an IP address of 192.168.100.77.
Could that be messing me up?
I don't think so because I had the same prob when I used another set of
reserved IP numbers (10.XXX.XXX.XXX)

I thought of a possible solution: take the IP numbers that were assigned
to me and make 2 networks out of them. One for behind the firewall and one
for outside the firewall.

The good folks that gave me the dedicated lines gave me the following
data:
Netmask 255.255.255.224
Network 206.84.66.160
Broadcast 206.84.66.191
Gateway 206.84.66.161

So.. I have X.162 to X.190 available to play with. Now I want to break this
up into 2 smaller networks. One to place behind the firewall and one
outside it. I came up with the following table. Is this correct?
            NET 1              NET 2
Netmask     255.255.255.224    255.255.255.224
Network     206.84.66.178      206.84.66.160
Broadcast   206.84.66.191      206.84.66.177
Gateway     206.84.66.178      206.84.66.161

So in Net 1, eth0 on the firewall would be 206.84.66.178 and the
individual stations would go from 179 to 190.. Can I use 191?
And in Net 2, eth1 on the firewall would be 162. 160 is the "ISDN Modem",
161 is the router to the internet, 162 would be eth1 on the firewall and
the stations outside the firewall would go up to 176.. again, could I use
the broadcast number of 177 as an IP number for one of the stations?


By the way, here are the netstat results from the firewall machine.
The 3rd line was added automatically by the "ISDN modem" or cisco router,
not sure which, but it is not in my /etc/rc.d/rc.inet1 file.

fw:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window irtt Iface
206.84.66.160   0.0.0.0         255.255.255.224 U      1500 0      0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U      1500 0      0 eth1
192.168.100.0   206.84.66.161   255.255.255.0   UG     1500 0      0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U      3584 0      0 lo
0.0.0.0         206.84.66.161   0.0.0.0         UG     1500 0      0 eth0

Thank you for your help!
It is greatly appreciated!

Marcelo Iturbe

  ___________      ___________    _____________    ___________    ___________
 /  inter-   \   |Cisco 1000 |  |      4      |  | Firewall  |  |192.168.2.2|
 \    net    /---|  System   |--|Workstations |--| (router)  |--|    CP1    |
  \_/\_/\_/      |___________|  |_.170 - .173_|  |_(gateway)_|  |___________|
                .160     .161                   .162 192.168.2.1

UURG!!
You should change the width of this window to 80 columns!
Question by:sinner052397
2 Comments
 
Accepted Solution

by: sauron (earned 100 total points)
ID: 1586321
I see a few problems here.

You have 4 machines on 206.84.66 addresses behind your Cisco router - these are fine, from what I can see. Your routing from your Linux firewall machine (192.168.2.1/206.84.66.162) is OK, and you can get onto the net from here.

Your routing from the machine CP1 (192.168.2.2) is correct, and you can see everything up to the Cisco, right?

I think the Cisco is dropping packets, as it is illegal to advertise routes for the private networks onto the Internet.

The 192.168.x.x address class is reserved for internal use, and as such, you can't put a machine with such an address on the internet. You could get around this with IP masquerading, but I think the best solution for you here is to subnet your network.

> So.. I have X.162 to X.190 available to play with. Now I want to break this
> up into 2 smaller networks. One to place behind the firewall and one
> outside it. I came up with the following table. Is this correct?
>
>             NET 1              NET 2
> Netmask     255.255.255.224    255.255.255.224
> Network     206.84.66.178      206.84.66.160
> Broadcast   206.84.66.191      206.84.66.177
> Gateway     206.84.66.178      206.84.66.161

No, this won't work.

Subnet like so:-

Network 1,
----------

Network address   206.84.66.160
Subnet mask       255.255.255.240
Broadcast Address 206.84.66.175

Network 2
----------

Network address   206.84.66.176
Subnet mask       255.255.255.240
Broadcast Address 206.84.66.191

Now you have 206.84.66.161 to 206.84.66.174 available on subnet 1, and 206.84.66.177 to 206.84.66.190 on subnet 2.

The gateway address for the subnet behind the firewall will be whatever IP you give eth0 on that machine, the gateway address for subnet 2 will be the address of one of the interfaces in the Cisco.

You will need to reconfigure the Cisco with a new subnet mask at the very least, and you will need to reconfigure all of the machines currently using the non-subnetted IPs allocated to you.

I'm assuming, by the way, that the Cisco 1000 is the ISDN modem you refer to. If not, then I haven't got a clear picture of your network layout.
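The subnet arithmetic in the accepted answer, and the reason the poster's proposed table cannot work, checked with Python's standard ipaddress module. This is an added example, not code from the thread; the only inputs are the /27 the ISP assigned and the addresses quoted above.

```python
import ipaddress

# Values taken from the thread: the /27 the ISP assigned (mask 255.255.255.224).
# Everything else in this block is constructed for the example.
ASSIGNED_BLOCK = "206.84.66.160/27"


def split_block(block: str, new_prefix: int) -> list:
    """Split an allocation into equal subnets and report, for each, the network,
    mask, broadcast and usable host range. This is the /27 -> two /28 split the
    answer works out by hand."""
    result = []
    for sub in ipaddress.ip_network(block).subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())
        result.append({
            "network": str(sub.network_address),
            "netmask": str(sub.netmask),
            "broadcast": str(sub.broadcast_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
        })
    return result


def proposal_is_valid(network: str, netmask: str, broadcast: str, parent: str) -> bool:
    """A proposed subnet is usable only if the network address has all host bits
    zero under its mask, the stated broadcast matches, and it lies inside the
    parent block. The poster's NET 1 (206.84.66.178/27) fails the first test:
    .178 is a host inside 206.84.66.160/27, not a network address."""
    try:
        sub = ipaddress.ip_network(f"{network}/{netmask}", strict=True)
    except ValueError:          # host bits set under this mask
        return False
    return (str(sub.broadcast_address) == broadcast
            and sub.subnet_of(ipaddress.ip_network(parent)))


def is_internet_routable(addr: str) -> bool:
    """RFC 1918 addresses such as 192.168.2.2 are not valid sources on the
    Internet; this is the check behind the answer's point that the 192.168.x.x
    machine needs either public addresses or IP masquerading."""
    return ipaddress.ip_address(addr).is_global


if __name__ == "__main__":
    for n, sub in enumerate(split_block(ASSIGNED_BLOCK, 28), start=1):
        print(f"Network {n}: {sub}")
    print("poster's NET 1 valid?", proposal_is_valid(
        "206.84.66.178", "255.255.255.224", "206.84.66.191", ASSIGNED_BLOCK))
    print("CP1 (192.168.2.2) routable?", is_internet_routable("192.168.2.2"))
```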
 

Author Comment

by:sinner052397
ID: 1586322
Kewl.. Very nicely done...
I did that and it worked well, but I also discovered that soon I will have more than 20 PCs behind the linux router and 15 in front of it, so I will run out of IPs and IP numbers are EXPENSIVE here in Chile so I already masqueraded them.
Thanks for your help!
