 From:  Kev Latimer <kev at ne23 dot net>
 To:  Josh McAllister <josh at bluehornet dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Public IP's on OPT
 Date:  Wed, 08 Dec 2004 10:36:28 +0000
Okay, I'm clearly doing something extremely stupid here.

Traceroutes from both ends die at the router just before they get to the 
subnet OPT2 lies on, ie at the m0n0 from my LAN side and at BT's router 
just before it gets to ours from the other end.

My static route is set up as you described, and I can tell it's using the 
static route because it borks on it when I try to ping from the lan side 
to everything in that subnet.  I can change the static route to 
something else on the net, like my colo box, and the traceroutes/pings 
start dying when I apply the new route.

I think the giveaway (now that I've found the ping function in m0n0, 
lol) is that I can ping the DSL gateway from the m0n0 (with no latency, 
so it's not routing via the WAN) but I can't ping past the m0n0 from 
any box on the lan - makes me reckon my firewall rules are rubbish.  
However, I've relaxed them as far as I can - all traffic from LAN to 
OPT2 is passed, all traffic from OPT2 to LAN is passed.

I've even just watched the lights on the DSL router and the lan light is 
flashing in harmony with my ping attempts.

I'm off to RTFM again and keep trying, but anything anyone can suggest 
is still very much appreciated.

Kev
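As an added illustration (not part of this thread, and not m0n0wall's own code) of the check Josh asks for in the quoted messages below, here is a longest-prefix-match lookup over a routing table in the shape Kev describes: a default route via WAN, OPT2 on the DSL router's subnet, and the /32 static route to the far-end box. All addresses are constructed from RFC 5737 documentation ranges; interface names follow the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: str
    descr: str


def route(net, gw, iface, descr):
    return Route(ipaddress.ip_network(net),
                 ipaddress.ip_address(gw) if gw else None, iface, descr)


# Constructed table (RFC 5737 addresses): LAN on vr0, WAN default on vr1,
# OPT2 (ste1) on the DSL router's public subnet, and the /32 static route to
# the remote m0n0wall pointed at that DSL router, as Josh describes.
ROUTES = [
    route("0.0.0.0/0",       "203.0.113.1",  "vr1",  "default via WAN"),
    route("192.168.1.0/24",  None,           "vr0",  "LAN, connected"),
    route("198.51.100.0/29", None,           "ste1", "OPT2 subnet, connected"),
    route("192.0.2.10/32",   "198.51.100.1", "ste1", "remote m0n0wall via DSL router"),
]


def lookup(dst: str, routes=ROUTES) -> Optional[Route]:
    """Longest-prefix match: the most specific network containing dst wins.
    A /32 therefore beats the default route, while a mistyped prefix silently
    falls back to the WAN default instead of failing loudly."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in routes if d in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def next_hop(dst: str, routes=ROUTES) -> tuple:
    """(interface, next-hop address) for dst; connected routes hop straight to dst."""
    r = lookup(dst, routes)
    if r is None:
        raise LookupError(f"no route to {dst}")
    hop = r.gateway if r.gateway is not None else ipaddress.ip_address(dst)
    return r.interface, str(hop)


if __name__ == "__main__":
    # Josh's check: the remote box should leave via OPT2, an unrelated host via WAN.
    for host in ("192.0.2.10", "192.0.2.99", "198.51.100.1"):
        print(host, "->", next_hop(host))
```

Comparing the chosen interface for the far-end address against one for an unrelated public host reproduces Josh's traceroute comparison on paper before touching the box.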

Josh McAllister wrote:

>Can you try a traceroute from a host on each end to the other end. Also
>a traceroute to a non statically routed host in each direction. I want
>to be sure that it is actually using the static route. It is possible
>that you could be pinging the gateway on the OPT interface via your WAN
>link.
>
>If that looks right, you may want to try setting up a static route to
>say yahoo.com via the OPT interface and see if you can ping that.
>
>Clearly none of this offers a solution... just troubleshooting.
>
>Josh McAllister
>
>
>-----Original Message-----
>From: Kev Latimer [mailto:kev at ne23 dot net] 
>Sent: Tuesday, December 07, 2004 7:04 AM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] Public IP's on OPT
>
>Thanks for the reply Josh, apologies I haven't had a chance to give it a
>go, the servers this thing is going to route have absorbed my time.
>
>So, I added a static route to the public IP of a m0n0wall I have out in 
>the wild (for testing ) via OPT2 (OPT1 is routing direct to our current 
>production LAN), via the IP of my DSL router that OPT2 lives on the 
>same subnet as.
>
>I set up firewall rules to allow anything coming in on OPT2 to see 
>OPT2's public IP (again, relaxed for testing).  However, the remote 
>m0n0wall still cannot see OPT2's public IP, either for IPSEC or for
>pinging.
>
>I can ping OPT2's IP and the gateway defined in the static route so the 
>cabling must be okay, and the ADSL connection is live and definitely
>works.
>
>Anyone care to point out the obvious mistake? :)
>
>Kev
>
>Josh McAllister wrote:
>
>>Have you tried using static routes? This should work:
>>
>>For each Interface/ADSL link Add:
>>
>>Add:
>>Interface: OPTx
>>Dest. Network: x.x.x.x / 32
>>Gateway: (Gateway for this ADSL link that's in the same subnet as this
>>OPT interface).
>>
>>You could also specify the full subnet of the far end for Dest.
>>Network.
>>
>>Make sure you set up the appropriate firewall rules, allowing traffic in
>>from the far end's host / subnet via this OPT interface.
>>
>>Once you get this far, before moving on to the VPN stuff, try some ping
>>tests. If they should happen to fail from a host on the LAN side, try
>>from m0n0 itself as well.
>>
>>I've had no occasion to try this myself, but it seems it should work.
>>Let me know either way.
>>
>>Josh McAllister
>>
>>-----Original Message-----
>>From: Kev Latimer [mailto:kev at ne23 dot net] 
>>Sent: Thursday, December 02, 2004 4:24 AM
>>To: m0n0wall at lists dot m0n0 dot ch
>>Subject: [m0n0wall] Public IP's on OPT
>>
>>Hallo all,
>>
>>I posted a question on this sometime last month, but I don't think I did
>>a very good job of explaining what I wanted to do so I'm having another
>>go now that I actually have the kit up and running :)
>>
>>I have an EPIA box with 2 onboard NIC's and a D-Link 4-Port card (a 
>>DFE-580TX if anybody wants a m0n0 compatible one, runs using ste 
>>(sundance?)).
>>
>>The onboard ports are LAN (vr0) and WAN (vr1), which sits on a 2MB ADSL
>>line.  The four other ports are OPT1-4 (ste0 - ste3) and the intention 
>>is to have 4 further ADSL lines (just 512down/256up), the logic behind 
>>this being that I can get 1MB of total upstream over 4 lines for a lot 
>>cheaper than a 1MB up SDSL line and there's at least some scope for 
>>fault tolerance should one DSL router die.
>>
>>These 4 ADSL lines on the OPT interfaces are to be used for IPSEC only,
>>and will link to each of our other offices for a VPN.  There is no 
>>intention of using these for load balancing or failover, all 'regular' 
>>outgoing traffic will be routed over the 2MB.
>>
>>So far, I've got OPT1 on its public IP, but without being able to 
>>specify any gateways it's going to have trouble seeing anything, and 
>>indeed, I can't see the interface from a colo box I've got out in the
>>wild.
>>
>>I'm assuming there has to be some way of doing this, simply because you
>>can specify OPTx as the local endpoint for an IPSEC tunnel - has anyone
>>got any pointers?
>>
>>Please?? lol
>>
>>Cheers all,
>>
>>Kev
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch