 
 From:  Jack <jack at jbyte dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Odd routing issue
 Date:  Tue, 27 Aug 2013 09:42:02 +0200
Hello Lee,

(I think there is a typo in the network diagram, 192.168.42.2 should be 
192.168.40.2 as far as I understand)

I would design it this way: http://snag.gy/nzJz6.jpg

but anyway,

You have a kind of triangle route, which I think is suboptimal.

Ping starting from 192.168.40.x
Query:
192.168.40.x -> 192.168.40.1(ICMP redirect to 192.168.40.2) -> 
192.168.40.2 -> 192.168.43.x
Response:
192.168.43.x -> 192.168.40.2 -> 192.168.40.x

I think there is one firewall or host having trouble with MAC address 
learning:

What MACs are learned on Host 192.168.40.x when the ping doesn't work 
from 192.168.43.x to 192.168.40.x?
What MACs are learned on Host 192.168.40.x when the ping magically works 
from 192.168.43.x to 192.168.40.x?

And the same on FW 2 Interface 192.168.40.2?

That's just a hint, I'm not 100% sure.

HTH

~ Jakob

On 26.08.2013 22:48, Lee Sharp wrote:
> To start, look at the not attached network diagram. :)
>
> https://files.one.ubuntu.com/e4Xpdsm5QWy74UuLTZ6wSg:tCQlN_5iTiG7pJlYGb2Ijw 
>
>
> I have an odd routing issue with the network described there.  The 
> flaming firewall is a typical m0n0wall firewall, running 1.34. Works 
> well, and the 5 IPsec tunnels are not represented.
>
> We just installed a virtual network on 192.168.43.x and m0n0wall is 
> the VMware router to the vnet.  (Ignore the virtual aspect if it 
> helps)  It has been on both 1.8b and 1.34...  NAT is turned off in 
> advanced outbound NAT, and the firewall on both sides is wide open.  
> There is also a static route in the primary firewall (192.168.40.1) 
> pointing to the virtual router (192.168.40.2 WAN, 192.168.43.1 LAN).
>
> Now, from the 192.168.40.x network I can ping any device on the 
> 192.168.43.x network.  No device on the 192.168.43.x network can ping 
> any device on the 192.168.40.x network.  However, running wireshark on 
> a 192.168.40.x device, I can see both the ping and the echo reply.  
> But it never gets back.  But if I then ping from the 192.168.40.x 
> device to the 192.168.43.x device in question, the pings magically 
> start working.
>
> Odd, right?  Any ideas?
>
>             Lee
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
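Added example, not part of the thread: a small Python model of the triangle route Jakob sketches, so the forward and return paths of each ping can be compared hop by hop. The topology is assumed from the addresses in the thread (FW1 = 192.168.40.1 carrying Lee's static route for 192.168.43.0/24 via 192.168.40.2; FW2 = 192.168.40.2 on the WAN side and 192.168.43.1 on the LAN side); the host addresses .10 on each LAN are constructed. The model implements longest-prefix routing plus the ICMP-redirect rule (a router that forwards a packet back out the interface it arrived on tells an on-link sender to use the better gateway, which installs a /32 host route on that sender).

```python
import ipaddress
from dataclasses import dataclass, field


def ifc(s):
    return ipaddress.ip_interface(s)


def net(s):
    return ipaddress.ip_network(s)


def ip(s):
    return ipaddress.ip_address(s)


@dataclass
class Node:
    name: str
    ifaces: list                                  # ip_interface per attached LAN
    routes: list = field(default_factory=list)    # (ip_network, gateway ip)
    accept_redirects: bool = True                 # hardened hosts often set False

    def has_addr(self, addr):
        return any(addr == i.ip for i in self.ifaces)

    def lookup(self, dst):
        """Longest-prefix match. Returns (next_hop, out_network); for a
        directly connected destination the next hop is dst itself."""
        best = None  # (prefixlen, next_hop, out_network)
        for i in self.ifaces:
            if dst in i.network:
                best = (i.network.prefixlen, dst, i.network)
        for route, gw in self.routes:
            if dst in route and (best is None or route.prefixlen > best[0]):
                out = next(i.network for i in self.ifaces if gw in i.network)
                best = (route.prefixlen, gw, out)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1], best[2]


def build_topology(hardened_host40=False):
    """Constructed topology assumed from the addresses in the thread."""
    fw1 = Node("FW1", [ifc("192.168.40.1/24")],
               [(net("192.168.43.0/24"), ip("192.168.40.2"))])   # Lee's static route
    fw2 = Node("FW2", [ifc("192.168.40.2/24"), ifc("192.168.43.1/24")],
               [(net("0.0.0.0/0"), ip("192.168.40.1"))])
    host40 = Node("host40", [ifc("192.168.40.10/24")],
                  [(net("0.0.0.0/0"), ip("192.168.40.1"))],
                  accept_redirects=not hardened_host40)
    host43 = Node("host43", [ifc("192.168.43.10/24")],
                  [(net("0.0.0.0/0"), ip("192.168.43.1"))])
    return {n.name: n for n in (fw1, fw2, host40, host43)}


def trace(nodes, src_name, dst, max_hops=8):
    """Forward one packet from src to dst; return the node names it crosses.
    A router that sends a packet back out the LAN it arrived on emits an ICMP
    redirect to an on-link source, which (if the source honours redirects)
    installs a /32 host route toward the better gateway."""
    owner = {i.ip: n for n in nodes.values() for i in n.ifaces}
    src = nodes[src_name]
    node, in_net, path = src, None, [src.name]
    for _ in range(max_hops):
        if node.has_addr(dst):
            return path
        gw, out_net = node.lookup(dst)
        triangle = node is not src and out_net == in_net
        if triangle and src.accept_redirects and any(i.network == out_net for i in src.ifaces):
            src.routes.append((net(f"{dst}/32"), gw))
            path.append(f"[ICMP redirect from {node.name}: {dst} via {gw}]")
        node, in_net = owner[gw], out_net
        path.append(node.name)
    raise RuntimeError(f"no delivery within {max_hops} hops")


if __name__ == "__main__":
    nodes = build_topology()
    for src, dst in (("host40", "192.168.43.10"), ("host40", "192.168.43.10"),
                     ("host43", "192.168.40.10")):
        print(f"{src} -> {dst}: {' -> '.join(trace(nodes, src, ip(dst)))}")
```

Run on the model, a ping started from 192.168.43.x reaches 192.168.40.x through FW2 alone, while the first reply goes to FW1, is redirected to FW2, and only then does the host carry a host route that keeps later replies off FW1; so whatever state 192.168.40.1 keeps for that flow is built from one direction only. A host that ignores redirects (`accept_redirects=False`, as with `net.ipv4.conf.all.accept_redirects=0` on Linux or `net.inet.icmp.drop_redirect=1` on FreeBSD) keeps every reply on the triangle. The model says nothing about the MAC-learning question Jakob raises; that still needs the ARP tables read off the boxes themselves.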