 From:  "Jesse D. Guardiani" <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Chris Buechler <cbuechler at gmail dot com>
 Subject:  Re: wierd static route problem
 Date:  Mon, 04 Apr 2005 01:12:40 -0400
On Mon, 2005-04-04 at 01:00 -0400, Jesse D. Guardiani wrote:
> On Sun, 03 Apr 2005 21:31:59 -0500, Chris Buechler wrote:
> 
> > On Apr 3, 2005 12:25 PM, Jesse D. Guardiani <jesse at wingnet dot net> wrote:
> >> Hello,
> >> 
> >> I'm not much of a routing expert, so this could be
> >> just a misconfiguration, but I can't figure it out,
> >> so I hope someone can help.
> >> 
> >> I've got a OPT1 interface called WLAN. The subnet is
> >> 192.168.89.0/24. On that subnet, I have a machine
> >> (192.168.89.52) that needs an IP on a different
> >> subnet (192.168.90.3/32) so I can perform a unique
> >> outbound NAT mapping on daemons bound to that IP.
> >> 
> >> So I set up the following static route:
> >> 
> >>                <route>
> >>                        <interface>opt1</interface>
> >>                        <network>192.168.90.3/32</network>
> >>                        <gateway>192.168.89.52</gateway>
> >>                        <descr>matrixica.guardiani.us static route</descr>
> >>                </route>
> >> 
> > 
> > Because 89.52 isn't actually routing to 90.3.
> 
> I don't know why you say that. I can ping 90.3 from the firewall,
> and, like I said, if I add a static route for 90.3=gw89.52 on another
> host then I can access anything at 90.3 perfectly fine.
> 
> 
> > Couldn't you just use
> > 89.52/32 for your NAT?  Not sure if that'd work or not.
> 
> No. I don't want everything on 89.52 hitting that outbound
> NAT rule. Just stuff from a particular daemon. Thus the
> need for another host IP.

I've been doing some tcpdumps, and it looks to me like 89.1
(the m0n0wall) isn't routing, but I'm not particularly skilled
at this sort of thing. Do you agree, based on the below
traceroute output (taken from the perspective of 89.52;
trevarthan-wlan.guardiani.us is the remote host I've been
testing from - my laptop)?

00:40:22.303400 IP trevarthan-wlan.guardiani.us.51969 >
192.168.90.3.33435: UDP, length: 12
00:40:22.304485 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36:
time exceeded in-transit
00:40:22.309262 IP trevarthan-wlan.guardiani.us.51969 >
192.168.90.3.33436: UDP, length: 12
00:40:22.310420 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36:
time exceeded in-transit
00:40:22.311891 IP trevarthan-wlan.guardiani.us.51969 >
192.168.90.3.33437: UDP, length: 12
00:40:22.313026 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36:
time exceeded in-transit
00:40:22.315039 IP trevarthan-wlan.guardiani.us.51969 >
192.168.90.3.33438: UDP, length: 12
00:40:22.407320 IP asterisk.guardiani.us > 192.168.89.1: icmp 79:
asterisk.guardiani.us udp port 32900 unreachable
00:40:25.854977 IP trevarthan-wlan.guardiani.us.45203 >
205.188.9.40.5190: P 3978001672:3978001678(6) ack 4236333110 win 32767
00:40:25.872358 IP asterisk.guardiani.us > 192.168.89.1: icmp 79:
asterisk.guardiani.us udp port 32900 unreachable
00:40:25.931993 IP 205.188.9.40.5190 >
trevarthan-wlan.guardiani.us.45203: . ack 6 win 16384
00:40:27.314369 IP trevarthan-wlan.guardiani.us.51969 >
192.168.90.3.33439: UDP, length: 12
00:40:27.351854 arp who-has 192.168.89.1 tell asterisk.guardiani.us
00:40:27.355186 arp reply 192.168.89.1 is-at 00:02:b3:15:2d:6d

What do you think? Does the above tell us anything at all
about where the problem is?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net
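A small parser for the tcpdump capture quoted in the message, added here as an illustration and not part of the original thread or of m0n0wall: it pulls the UDP traceroute probes and the ICMP replies out of the text, counts which host answered each expired probe, and reports whether the traced destination ever replied at all. The sample capture is the one quoted above with the mail client's line wrapping undone; the target and gateway addresses are taken from the message, and the diagnosis function only reports what is observable in the lines (where the TTL-expired replies came from and whether the destination ever answered), which is the question the sender is asking.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump output quoted in the message above, with each
# wrapped packet line joined back onto a single line. Not a new capture.
SAMPLE = """\
00:40:22.303400 IP trevarthan-wlan.guardiani.us.51969 > 192.168.90.3.33435: UDP, length: 12
00:40:22.304485 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
00:40:22.309262 IP trevarthan-wlan.guardiani.us.51969 > 192.168.90.3.33436: UDP, length: 12
00:40:22.310420 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
00:40:22.311891 IP trevarthan-wlan.guardiani.us.51969 > 192.168.90.3.33437: UDP, length: 12
00:40:22.313026 IP 192.168.89.1 > trevarthan-wlan.guardiani.us: icmp 36: time exceeded in-transit
00:40:22.315039 IP trevarthan-wlan.guardiani.us.51969 > 192.168.90.3.33438: UDP, length: 12
00:40:22.407320 IP asterisk.guardiani.us > 192.168.89.1: icmp 79: asterisk.guardiani.us udp port 32900 unreachable
00:40:25.854977 IP trevarthan-wlan.guardiani.us.45203 > 205.188.9.40.5190: P 3978001672:3978001678(6) ack 4236333110 win 32767
00:40:25.872358 IP asterisk.guardiani.us > 192.168.89.1: icmp 79: asterisk.guardiani.us udp port 32900 unreachable
00:40:25.931993 IP 205.188.9.40.5190 > trevarthan-wlan.guardiani.us.45203: . ack 6 win 16384
00:40:27.314369 IP trevarthan-wlan.guardiani.us.51969 > 192.168.90.3.33439: UDP, length: 12
00:40:27.351854 arp who-has 192.168.89.1 tell asterisk.guardiani.us
00:40:27.355186 arp reply 192.168.89.1 is-at 00:02:b3:15:2d:6d
"""

# "host.port > host.port: UDP, length: N" (the traceroute probes)
UDP_RE = re.compile(r'^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length: (\d+)$')
# "host > host: icmp N: <message>" (time exceeded / port unreachable replies)
ICMP_RE = re.compile(r'^(\S+) IP (\S+) > (\S+): icmp \d+: (.+)$')


def parse(capture):
    """Split a tcpdump text capture into UDP probes and ICMP replies.

    Returns (probes, icmp) where probes are (ts, src, dst, dst_port) and
    icmp entries are (ts, sender, receiver, message). Other traffic
    (TCP, ARP) is ignored.
    """
    probes, icmp = [], []
    for line in capture.splitlines():
        m = UDP_RE.match(line)
        if m:
            ts, src, _sport, dst, dport, _length = m.groups()
            probes.append((ts, src, dst, int(dport)))
            continue
        m = ICMP_RE.match(line)
        if m:
            icmp.append(m.groups())
    return probes, icmp


def summarize(capture, target):
    """Count probes toward `target` and who answered them with ICMP."""
    probes, icmp = parse(capture)
    exceeded = Counter(s for _, s, _, msg in icmp if msg.startswith('time exceeded'))
    unreachable = Counter(s for _, s, _, msg in icmp if msg.endswith('unreachable'))
    return {
        'probes_to_target': sum(1 for p in probes if p[2] == target),
        'time_exceeded_by_sender': dict(exceeded),
        'unreachable_by_sender': dict(unreachable),
        'target_replied': any(s == target for _, s, _, _ in icmp),
    }


def diagnose(summary, gateway):
    """Reduce the summary to the two facts that matter for this thread."""
    senders = set(summary['time_exceeded_by_sender'])
    return {
        # every TTL-expired reply came from the gateway, never from a later hop
        'all_ttl_expiry_at_gateway': senders == {gateway},
        # the traced destination never appeared as a sender of anything
        'target_never_replied': not summary['target_replied'],
    }


if __name__ == '__main__':
    s = summarize(SAMPLE, '192.168.90.3')
    print(s)
    print(diagnose(s, '192.168.89.1'))
```

Run against the quoted capture it reports five probes toward 192.168.90.3, three "time exceeded" replies, all from 192.168.89.1, two "port unreachable" replies from asterisk.guardiani.us (unrelated traffic addressed to the firewall), and no packet of any kind from 192.168.90.3. That is the observable basis for the question in the message: the probes are expiring at the m0n0wall and nothing ever comes back from the destination.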