Solved

ipmasq

Posted on 2000-02-27
Last Modified: 2010-03-18
I have 2 computers networked together. In the server computer I have two network cards: one is for the LAN and the other is for the ADSL router (Cisco 677).
I can ping the network on the client computers but can't get on the net. The server is the only computer that can get on the net. I have ipmasq set up but it is still not working; the most I can do is ping 10.0.0.2, and that is the DSL network card.

Info:
Server
eth0 is 192.168.0.1
eth1 is DHCP (10.0.0.2), the router

Client
eth0 is 192.168.0.5

Please help me?
Question by:tgrandinetti
 

Author Comment

by:tgrandinetti
ID: 2562884
Adjusted points to 75

Expert Comment

by:jlevie
ID: 2562964
Do the clients have their default gateway set to point to the "inside" NIC of the Linux box?
 

Expert Comment

by:lugnut1221
ID: 2563452
The router should have the real IP, shouldn't it? I don't see a need for the server to have two Ethernet cards because it's not routing between any nets; that is what the router is for. The router should be getting the "real" IP from your ISP, and there should be a second Ethernet port on the router which should be 10.10.10.1 or something like that. This should be the default gateway for the entire network, even the server.
 

Author Comment

by:tgrandinetti
ID: 2563596
I can ping eth1 but can't get on the net. These computers will be for a web server and a DNS server.

Expert Comment

by:jlevie
ID: 2563612
When you say you can ping eth1, does that mean from one of the clients or from within the server box? Can you ping the inside machine from the server box?

On the server and the client, what is the output of "netstat -rn"? It would also help to see the output of "ifconfig -a" from both machines.

What Ethernet cards are in the IP Masq server (make/model)? I'd also like to see the contents of /etc/conf.modules.
 

Expert Comment

by:lugnut1221
ID: 2563616
Now I'm not that familiar with the Cisco DSL router, but what I do know is that the DSL router will be assigned the real IP, not your server. Your router will also have a second Ethernet interface with an internal IP. I do know that that Cisco router does support NAT, which will get all your internal computers on the net, but I don't THINK it will forward web and DNS requests to an internal server. What you're talking about would best be accomplished by using Linux as your server OS, which will do NAT to give net access and will be your web and DNS server.
 

Expert Comment

by:lugnut1221
ID: 2563746
OK, I did some reading on the Cisco 677. The routing situation that you're describing does not make sense. As you know, the Cisco 677 is basically a router / DSL modem in one. It has the eth0 port, which is your internal port (gets connected to the hub and has an internal IP address such as 10.10.10.1). The wall port is not really an Ethernet port, but for simplicity's sake we can talk like it is one. The Cisco can be a DHCP client, which will obtain a valid IP address from your ISP and assign that to the WAN or "eth1" port. What is going to happen here is the router will take all traffic from the 10.10.10.* side and route it to its default gateway. (The internal PC gateway will be 10.10.10.1, and the router default gateway will be the gateway for that DSL subnet; if you don't know this IP your ISP will tell you.) For the net to work you need NAT enabled on the Cisco and you need to add a default route to the Cisco. Again, I am pretty sure now that the Cisco will not allow traffic to the server from the outside, so you can't have a web and DNS server. Again, to do this use a Linux server as both the router, web and DNS server. To utilize the Cisco as just a plain DSL modem you need to put it into bridge mode and not routing mode.

Expert Comment

by:jlevie
ID: 2563850
Uh, I hate to sound picky, but, lugnut1221, did you actually read the question? All of that information about the 677, while basically correct, isn't applicable to the question. The server has two NICs and is IP Masquerading the internal net onto the single external IP. So whether or not the 677 can do NAT is immaterial (and he may not have admin privs on the 677 anyway).
 

Expert Comment

by:lugnut1221
ID: 2564634
Then what is the point of the 677 if the server is doing the NAT? If you only have one real IP then the router should have the real IP. If you're using the 677 as strictly a DSL modem then I can see what you mean.
 

Expert Comment

by:lugnut1221
ID: 2564645
Where exactly do you have the 677 connected to? eth0 should be connected to the hub, and the WAN or wall port should be connected to the DSL line itself.

Expert Comment

by:jlevie
ID: 2564752
He says in the question that the 677 is connected to one of the server NICs, eth1 to be exact.
 

Expert Comment

by:lugnut1221
ID: 2565238
Well, if that's the case the 677 is not going to be the router. It's going to function as a plain DSL modem. The server is going to have to do the routing. For this to happen, the server #1 has to be able to get on the net (which you say it can), #2 IP forwarding has to be enabled, #3 two ipchains commands must be executed on boot. These lines are as follows:

ipchains -P forward DENY
ipchains -A forward -s 192.168.0.0/24 -j MASQ

The gateway should be set to 192.168.0.1 for all the internal PCs.

 

Author Comment

by:tgrandinetti
ID: 2566825
netstat:
192.168.0.1   0.0.0.0    255.255.255.255  uh  0.0 0  eth0
10.0.0.0      0.0.0.0    255.255.255.0    u   0.0 0  eth1
192.168.0.0   0.0.0.0    255.255.255.0    u   0.0 0  eth0
127.0.0.0     0.0.0.0    255.0.0.0        ug  0.0 0  lo
0.0.0.0       10.0.0.1   0.0.0.0          ug  0.0 0  eth1

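As an added illustration (not part of the thread), a longest-prefix lookup over the routing table the author posted: it confirms the server has a default route out of eth1 and a route back to the 192.168.0.0/24 clients on eth0, so plain routing is not what is broken here. The routes are taken from the netstat output above; the ISP address used in the demo is one the author lists later in the thread.

```python
import ipaddress

# Constructed from the netstat output posted above (Destination, Gateway,
# Genmask, Iface); the remaining columns are not needed for a lookup.
SERVER_ROUTES = [
    ("192.168.0.1", "0.0.0.0",  "255.255.255.255", "eth0"),
    ("10.0.0.0",    "0.0.0.0",  "255.255.255.0",   "eth1"),
    ("192.168.0.0", "0.0.0.0",  "255.255.255.0",   "eth0"),
    ("127.0.0.0",   "0.0.0.0",  "255.0.0.0",       "lo"),
    ("0.0.0.0",     "10.0.0.1", "0.0.0.0",         "eth1"),
]


def lookup(routes, dst):
    """Longest-prefix match over a netstat-style table, as the kernel does.
    Returns (next_hop, iface); next_hop is "direct" when the gateway is 0.0.0.0."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, gw, mask, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, "direct" if gw == "0.0.0.0" else gw, iface)
    return None if best is None else best[1:]


def masq_path(routes, inside_src, outside_dst):
    """For a packet the masquerading box forwards: the route it leaves by and
    the route the reply goes back over. Both must exist and must use different
    interfaces for a two-NIC ipmasq box to have anything to forward."""
    out = lookup(routes, outside_dst)
    back = lookup(routes, inside_src)
    ok = out is not None and back is not None and out[1] != back[1]
    return out, back, ok


if __name__ == "__main__":
    # 199.190.126.13 is one of the ISP addresses given later in the thread
    print(masq_path(SERVER_ROUTES, "192.168.0.5", "199.190.126.13"))
```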
 

Author Comment

by:tgrandinetti
ID: 2566864
If I hook everything up to the hub it all works, but then I'm on my ISP's network. If I do it like that, will the DNS and Apache work? I have a really fast line speed, 8M down and 2.345 upload, and I want to start my own web server and lease out space, so whatever way will work I will try. You guys are the experts. Remember I have just one IP address, 199.190.xx.xx, and that goes to the router, and the router is 10.0.0.2 to my computer.

Yes, my router is using DHCP.

When I do nslookup I get ns1.madbbs.com, my ISP.

What sucks about ADSL is that I'm on the ISP's network, but for 219.00 a month I'm going faster than a T1 line, and that is a lot cheaper (2300 a month). Now you guys know what I want to do. Can I do this idea I have? AND can you help find the best way to set it up?

Expert Comment

by:jlevie
ID: 2567007
Is NAT already configured on the 677? According to the data in the netstat output it would have to be for those addresses to be in use on the outside of the Linux box.

And yes, you could hook the 677 directly to the hub and have Apache, DNS, and other servers, but your network would be wide open... No firewall between your machines and the Internet. The config on the 677 would undoubtedly need massaging in that case to allow inbound port forwarding. Who controls (has "enable" privs on the 677) the config of the 677, you or the ISP?
 

Author Comment

by:tgrandinetti
ID: 2570033
Yes, my ISP.

Why isn't it working?

Expert Comment

by:jlevie
ID: 2571011
I've worked with a lot of Cisco gear, but not with a 677, so some of this is conjecture...

A couple of definitions...
NPAT (or PAT, as Cisco frequently calls it) is Network Port Address Translation. It's used to allow multiple machines on a local net to share a single external IP address. NPAT translates both the TCP/IP port in use for a connection and the IP address. IP Masquerade is frequently called NAT, but in fact it's NPAT. For inside systems to be able to provide services to outside (Internet) systems, the box that is doing NPAT has to be configured to "port-forward" all inbound requests on a specific port to one of the inside systems.

NAT is Network Address Translation, which only translates the IP address. NAT requires more than one external IP, as each inside system will require an external IP for at least the life of a particular session. NAT, since it has to have multiple external IPs, can be configured for static translations between inside and outside IPs. This, in conjunction with rules to allow inbound requests on a specific port or ports, allows machines inside to act as servers to Internet clients.

I think what's happening is the 677 is NPAT'ing your 10.0.0.0 network onto a single external IP, which is fine and works when all the systems and the router are hooked to the hub. However, when you introduce a second level of NPAT with the IP Masq, the router can't figure out how to translate the "translated ports" and can't return the data stream back to the originating host.

Since you don't control the router, your options are somewhat limited. To have servers that are accessible from the outside, the router must be configured to allow that traffic inbound. If, as I suspect, it is doing NPAT, that would mean configuring a port forward for each service to one of the internal machines.
Even if it was doing NAT instead, it would still require a configuration change to set up the static translations and allowed port(s). In either case the ISP would have to do this as they control the router.

Whether or not the ISP is willing to do this may depend on what kind of service you've got and what their Terms and Conditions are for each kind of service they offer. Some ISPs have T&C that absolutely prohibit any kind of server on their "personal Internet services". Others are more generous, and as long as the traffic isn't too great they'll tolerate a "home user" running a server or two. If you haven't already done so, you should probably check the Terms and Conditions of your service to see if it allows you to run servers. Of course, if you have a "commercial" service that allows servers, the ISP should be more than willing to help set this up.

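An added illustration of the two definitions above (not from the thread): a toy NPAT table in Python showing that a masquerading box rewrites both the inside address and the port, maps replies back through its session table, and lets an outside request reach an inside server only through a configured port forward. The 10.0.0.2 and 192.168.0.x addresses are the author's, the ISP addresses are the ones he lists later in the thread, and the ports are constructed; this is a model for illustration, not the kernel's ipchains code.

```python
from dataclasses import dataclass, field


@dataclass
class Npat:
    """Toy NPAT (IP masquerade) table: many inside hosts share one outside IP.
    A constructed model for illustration, not the kernel's ipchains code."""
    outside_ip: str
    forwards: dict = field(default_factory=dict)  # dst port -> (inside ip, port)
    sessions: dict = field(default_factory=dict)  # outside port -> (inside ip, port)
    next_port: int = 61000                        # first masquerade port handed out

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside host's packet so it appears to come from outside_ip.
        Both the address and the port are translated; the new port is what lets
        the box tell replies for different inside hosts apart."""
        for oport, key in self.sessions.items():
            if key == (src_ip, src_port):
                break
        else:
            oport, self.next_port = self.next_port, self.next_port + 1
            self.sessions[oport] = (src_ip, src_port)
        return (self.outside_ip, oport, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arriving at outside_ip:dst_port. A reply to a masqueraded
        session is mapped back to its inside host; a fresh request reaches an
        inside server only via a configured port forward; else dropped (None)."""
        if dst_port in self.sessions:
            ip, port = self.sessions[dst_port]
            return (src_ip, src_port, ip, port)
        if dst_port in self.forwards:
            ip, port = self.forwards[dst_port]
            return (src_ip, src_port, ip, port)
        return None


def demo():
    """Client mal (192.168.0.5) browsing out through the box's 10.0.0.2, then an
    outside host trying to reach the web server before and after a forward."""
    box = Npat("10.0.0.2")
    out = box.outbound("192.168.0.5", 40000, "199.190.126.13", 80)
    reply = box.inbound("199.190.126.13", 80, out[1])
    blocked = box.inbound("199.190.126.14", 51000, 80)   # no forward yet: dropped
    box.forwards[80] = ("192.168.0.1", 80)              # forward web to kandy
    served = box.inbound("199.190.126.14", 51000, 80)
    return out, reply, blocked, served
```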
 

Author Comment

by:tgrandinetti
ID: 2574681
My ISP set it up for me. I'll double the points if you can help me set up a DNS server.

Expert Comment

by:jlevie
ID: 2574807
Yeah, we can do that. First it would be good to verify that the external IP for your name server works. I can probably tell if you'll tell me what IP they said the DNS server should appear at.

Also I'm going to need your domain name, the host name of your DNS server and the IP of your second DNS server (quite possibly your ISP is willing to provide that service or may have already agreed to it).
 

Author Comment

by:tgrandinetti
ID: 2574945
My IP address is 206.162.25.239.
To get on the net (my ISP): 199.190.126.13
199.190.126.14
I don't have a domain name; I was thinking of lionsden.

If you're talking about my two computers:
kandy.advantage.net 192.168.0.1
mal.advantage.net 192.168.0.5

kandy is also the web server.


Expert Comment

by:jlevie
ID: 2575352
Okay, let's see. Your external IP is within a network that belongs to madbbs.com. In fact your IP has the hostname of dsl206.162.25.239.madbbs.com. Currently the nameservers for advantage.net are:

advantage.net   nameserver = NS2.NETSERVE.NET
advantage.net   nameserver = NS1.NETSERVE.NET
 
It looks like you registered the domain through Network Solutions, sound correct?
 

Author Comment

by:tgrandinetti
ID: 2577155
No, I have no domain name.

Expert Comment

by:jlevie
ID: 2577305
I based that comment on what you said earlier, that your inside computers were:

kandy.advantage.net 192.168.0.1
mal.advantage.net 192.168.0.5

So I guess I'm confused, is advantage.net registered to you?
 

Author Comment

by:tgrandinetti
ID: 2577917
No.
 

Author Comment

by:tgrandinetti
ID: 2578335
No, I don't have a domain name. Please help.
 

Author Comment

by:tgrandinetti
ID: 2578663
The name I want to use is advantiumplus.com.

Expert Comment

by:jlevie
ID: 2578705
Hang on, instructions forthcoming...
 

Author Comment

by:tgrandinetti
ID: 2581032
I just got a domain name today: advantiumplus.com

Expert Comment

by:jlevie
ID: 2581097
Okay, I got a few minutes now. When you registered the domain, what nameserver IPs were specified? If you intend to set up your machine as the primary name server for the domain, you'll need the cooperation of your ISP to get the public IP that you'll be using for the DNS server delegated to your domain. You also are required to have a second nameserver, and you may want to get your ISP to provide that service.
 

Author Comment

by:tgrandinetti
ID: 2583356
Don't understand.

Expert Comment

by:jlevie
ID: 2583448
Which part?
 

Author Comment

by:tgrandinetti
ID: 2620639
How do I set up a mail server for my office?
xxx@advantiumplus.com

Expert Comment

by:jlevie
ID: 2622158
Okay, your ISP has set up an MX record for you pointing mail for your domain to mail.advantiumplus.com, which resolves to 206.162.25.239. The IP is live in that it can be pinged, but there doesn't appear to be a sendmail server running. Is that the IP that you intend to use as the mail server? Is its hostname set to "mail.advantiumplus.com"?

I'm a little concerned that I can't connect to the SMTP port at that IP. Even if sendmail isn't configured to accept email or to send email out to other servers, I would expect to be able to connect to it.
 

Author Comment

by:tgrandinetti
ID: 2622326
I don't know how to set up sendmail.
My domain is www.advantiumplus.com

Expert Comment

by:jlevie
ID: 2634376
I'm sorry, I accidentally filed the last email notification on this question in the wrong folder and just now found it again.

Let's see... Actually your domain name is advantiumplus.com. Your web server would be www.advantiumplus.com. The DNS is set up to deliver all mail to mail.advantiumplus.com, but that could be easily changed by your ISP.

I hope this won't become too confusing, but what I would recommend that you do is to make the machine's official name be mail.advantiumplus.com and set the web server up as a virtual server responding to www.advantiumplus.com. The reason is that mail systems don't need to change very often, and email is more picky about hostnames & IP addresses than a web server is. If the web server isn't tightly bound to this system it's very easy later to move it to another system. You don't have to use mail.advantiumplus.com as this machine's hostname, but if you decide to use something else you'll need to get your ISP to change the DNS records.

Which way do you want to proceed? I don't think I know what Linux you are running, and to go further I guess I need to know.
 

Accepted Solution

by:
egf9ef041700 earned 75 total points
ID: 2724972
change all those IP addresses in the
192 subnet from 192.168.0.X to
something like 192.168.1.X

May work now

;^)

Expert Comment

by:jlevie
ID: 2725128
Why??? 192.168.0.x is just as valid as 192.168.1.x as far as an OS (Linux/Unix/Windows, etc.) is concerned. And it is perfectly acceptable to a router if you tell the router that it's allowed to use subnet zero.