[Firehol-support] nat/redirect problem

Les Stott Les at cyberpro.com.au
Wed Jun 27 12:07:15 CEST 2012


Ok a weird one.....or I don't know what I'm doing ;}

network A - 192.168.1.0/24
Default Gateway on Network A is 192.168.1.254 - where firehol sits
Recently added a 10mb/10mb symmetrical link and it's linked to Network A by a Cisco router on 192.168.1.252. The link goes to Network B which is 10.0.0.0/16.
Network B has a default gateway which is the 10mb/10mb link.
The firewall has a route for 10.0.0.0/16 to go via 192.168.1.252

If a machine in Network A (192.168.1.5) tries to ping a machine in Network B (10.0.1.118) it works (and I've verified that it bounces through the firewall first, or rather the firewall tells it to send via 192.168.1.252).

Now, if a PC in Network B (10.0.1.145) tries to ping 192.168.1.5 it doesn't work and I see this in /var/log/messages....
Jun 25 11:54:47 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=10.0.1.145 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40547 PROTO=ICMP TYPE=0 CODE=0 ID=21016 SEQ=773
If the PC has a static route to send traffic for 10.0.0.0/16 via 192.168.1.252 the ping works when it originates from Network B.

That tells me that the ping packet from 10.0.1.145 made it through to 192.168.1.5 but the return traffic never got "redirected" by the firewall.

Now, I know I should add permanent static routes, and I have done that for all PCs (pushed out via group policy) in the 192.168.1.0/24 range, but I am trying to fathom out why it works if the ping originates from Network A, but it doesn't work when the ping originates from Network B.

I have also tried (possibly incorrect usage) the following and it hasn't helped.....

PRIVATE="192.168.0.0/16 10.0.0.0/16"
masquerade ppp+ src "$PRIVATE" dst not "$PRIVATE"
# above interface rules, but after masquerade rules
nat to-destination 192.168.1.252 inface eth0 dst "10.0.0.0/16"

and also tried a router rule like so....

router redirects inface eth0 outface eth0
        route all accept

Nothing has worked though.

Can someone explain what I'm doing wrong and guide me as to whether the above can be made to work without adding static routes to all PCs?
I can't add static routes to printers and Network B wants to print directly to printers in Network A. At the moment I'm using a print server in Network A but I need to be able to give some reason why it won't work directly.

Thanks in advance.


Regards

Les
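As an added diagnostic example (not from the post above and not FireHOL's own code): a small parser for netfilter LOG lines like the one quoted in the post. It flags forwarded packets that enter and leave on the same interface and are ICMP echo replies, which is exactly the shape of the log entry above: the gateway is asked to forward a reply whose request it never saw, because the request went straight through the Cisco router. Only the first sample line is from the post; the other two are constructed for contrast.

```python
import re

# Constructed sample log: line 1 is the entry quoted in the post, lines 2 and 3
# are made up to show a normal forward and a packet addressed to the gateway itself.
SAMPLE_LOG = """\
Jun 25 11:54:47 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=192.168.1.5 DST=10.0.1.145 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40547 PROTO=ICMP TYPE=0 CODE=0 ID=21016 SEQ=773
Jun 25 11:55:01 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.1.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=TCP SPT=40000 DPT=443
Jun 25 11:55:05 gateway kernel: 'IN-unknown:'IN=eth0 OUT= SRC=192.168.1.9 DST=192.168.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
"""

# The log prefix FireHOL puts in front of the kernel fields, followed by IN=
PREFIX_RE = re.compile(r"'?([A-Za-z-]+):'?\s*IN=")
# Generic KEY=VALUE pairs; VALUE may be empty (OUT= on INPUT-chain packets)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return a dict of the KEY=VALUE fields of one netfilter LOG line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group(1)}
    # ID= occurs twice for ICMP (IP ID, then ICMP ID); setdefault keeps the first.
    for key, val in FIELD_RE.findall(line[m.end() - 3:]):
        fields.setdefault(key, val)
    return fields


def classify(fields):
    """Label what the routing path looked like for one logged packet."""
    if fields is None or not fields.get("OUT"):
        return "not-forwarded"  # both IN and OUT set means the FORWARD chain
    hairpin = fields.get("IN") == fields.get("OUT")
    echo_reply = fields.get("PROTO") == "ICMP" and fields.get("TYPE") == "0"
    if hairpin and echo_reply:
        # A reply that must go back out the interface it came in on: the request
        # took another path, so this gateway only ever sees half of the flow.
        return "asymmetric-reply"
    return "hairpin" if hairpin else "normal"


def find_asymmetric(log_text):
    """(SRC, DST) pairs whose replies are being hairpinned through this gateway."""
    parsed = (parse_netfilter_line(l) for l in log_text.splitlines())
    return [(f["SRC"], f["DST"]) for f in parsed if classify(f) == "asymmetric-reply"]


if __name__ == "__main__":
    for src, dst in find_asymmetric(SAMPLE_LOG):
        print(f"asymmetric path: reply {src} -> {dst} hairpinned through the gateway")
```

Feeding the real /var/log/messages to find_asymmetric lists the host pairs that need a static route (or a working redirect) so the gateway stops seeing only the reply half of each conversation.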
