[Firehol-support] nat/redirect problem

Les Stott Les at cyberpro.com.au
Wed Jun 27 11:07:15 BST 2012

Ok a weird one.....or I don't know what I'm doing ;}

network A -
Default Gateway on Network A is - where firehol sits
Recently added a 10mb/10mb symmetrical link and it's linked to Network A by a Cisco router on The link goes to Network B which is
Network B has a default gateway which is the 10mb/10mb link.
The firewall has a route for to go via

If a machine in Network A ( tried to ping a machine in Network B ( it works (and I've verified that it bounces through the firewall first (or the firewall tells it to send via

Now, if a PC in Network B ( tries to ping it doesn't work and I see this in /var/log/messages....
Jun 25 11:54:47 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC= DST= LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40547 PROTO=ICMP TYPE=0 CODE=0 ID=21016 SEQ=773
If the PC has a static route to send traffic for via the ping works when it originates from Network B.

That tells me that the ping packet from made it through to but the return traffic never got "redirected" by the firewall.

Now, I know I should add permanent static routes, and I have done that for all PCs (pushed out via group policy) in the range, but I am trying to fathom out why it works if the ping originates from Network A, but it doesn't work when the ping originates from Network B.

I have also tried (possibly incorrect usage) the following and it hasn't helped.....

masquerade ppp+ src "$PRIVATE" dst not "$PRIVATE"
# above interface rules, but after masquerade rules
nat to-destination inface eth0 dst ""

and also tried a router rule like so....

router redirects inface eth0 outface eth0
        route all accept

Nothing has worked though.

Can someone explain what I'm doing wrong and guide me as to whether the above can be made to work without adding static routes to all PCs?
I can't add static routes to printers and Network B wants to print directly to Printers in Network A. At the moment I'm using a print server in Network A but I need to be able to give some reason why it won't work directly.

Thanks in advance.
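The kernel message quoted in the post is a netfilter LOG-target line: a log prefix in quotes followed by KEY=VALUE fields, with IN=eth0 OUT=eth0 recording that the firewall forwarded the packet back out the same interface it arrived on. When diagnosing this kind of routing question it helps to pull those lines out of /var/log/messages systematically rather than reading them by eye. The parser below is an added example, not code from the post or from the FireHOL project; the sample log text is constructed for the example and uses RFC 5737 documentation addresses rather than the poster's networks.

```python
import re
from typing import Dict, List

# Constructed sample in the same layout as the kernel line quoted in the post.
# Line 1 mirrors the ICMP echo reply (TYPE=0) forwarded eth0 -> eth0;
# lines 2 and 3 are ordinary traffic for contrast.
SAMPLE_LOG = """\
Jun 25 11:54:47 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40547 PROTO=ICMP TYPE=0 CODE=0 ID=21016 SEQ=773
Jun 25 11:54:48 gateway kernel: 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 25 11:54:49 gateway kernel: 'PASS-unknown:'IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=55 ID=7 PROTO=TCP SPT=443 DPT=51234
"""

# Everything after "kernel:"; the quoted log prefix is optional.
LOG_RE = re.compile(r"kernel:\s*(?:'(?P<prefix>[^']*)')?\s*(?P<body>.*)$")
# Either KEY=VALUE (VALUE may be empty, e.g. "OUT=") or a bare flag such as DF or SYN.
TOKEN_RE = re.compile(r"([A-Z]+)=(\S*)|([A-Z]+)")


def parse_netfilter_log(line: str) -> Dict[str, str]:
    """Parse one netfilter LOG line into a dict of its fields.

    Bare flags (DF, SYN, ...) are stored with the value "1". A key that
    appears twice (the IP header ID and the ICMP ID both log as ID=) gets a
    numeric suffix on the repeat, so nothing is silently overwritten.
    """
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a netfilter log line: %r" % line)
    fields = {"PREFIX": m.group("prefix") or ""}
    for key, value, flag in TOKEN_RE.findall(m.group("body")):
        name = key or flag
        if key and name in fields:
            n = 2
            while f"{name}_{n}" in fields:
                n += 1
            name = f"{name}_{n}"
        fields[name] = value if key else "1"
    return fields


def hairpin_forwards(log_text: str) -> List[Dict[str, str]]:
    """Return the records for packets forwarded out the interface they came in on.

    IN == OUT (both non-empty) means the firewall is relaying between two
    hosts on the same segment, which is what the quoted line shows for the
    return path of the ping.
    """
    hits = []
    for line in log_text.splitlines():
        if "kernel:" not in line:
            continue
        rec = parse_netfilter_log(line)
        if rec.get("IN") and rec.get("IN") == rec.get("OUT"):
            hits.append(rec)
    return hits


def describe(rec: Dict[str, str]) -> str:
    """One-line human summary of a parsed record for a diagnostic report."""
    detail = ""
    if rec.get("PROTO") == "ICMP":
        detail = f" type {rec.get('TYPE')}/{rec.get('CODE')}"
    elif rec.get("PROTO") in ("TCP", "UDP"):
        detail = f" {rec.get('SPT')}->{rec.get('DPT')}"
    return (f"{rec.get('PROTO')}{detail} {rec.get('SRC')} -> {rec.get('DST')} "
            f"via {rec.get('IN')}->{rec.get('OUT')} (prefix {rec['PREFIX']!r})")


if __name__ == "__main__":
    for rec in hairpin_forwards(SAMPLE_LOG):
        print(describe(rec))
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/messages (or pipe `grep kernel:` output into it); any line with a non-empty IN that equals OUT is traffic the gateway is bouncing back onto the segment it arrived from, which is the first thing to confirm before looking at NAT or redirect rules.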