
Subject: Re: Routing: Ping from router A to Host behind Router B does not work
From: "Nils Lichtenfeld" <Nils.Lichtenfeld,AT,gmx,DOT,net>
Date: Tue, 5 Feb 2002 20:35:58 +0100
In-reply-to: <OFE5D1E49C.DC458517-ONC1256B56.0053012C@medisearch-int.com>

Hello Keith!

Thanks for your reply! It pushed me another step nearer to the goal :)

From: "Keith Smith" <keith,AT,ksmith,DOT,com>
> The simplest thing is something along these lines
> ipchains -F
> ipchains -P input ACCEPT
> ipchains -P forward REJECT
> ipchains -P output ACCEPT

Ok, that's already set, just the forward policy is DENY, but that should not 
make any difference concerning the VPN(?).

> # Don't need -b here :) forward anything private
> ipchains -A forward    -s 192.168.0.0/16  -d 192.168.0.0/16 -j ACCEPT

Ok, but a
ipchains -I forward 1 -b -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT
would do the same concerning my two networks?

> # But Masq to external hosts
> ipchains -A forward -b -s 192.168.0.0/16 -d 0.0.0.0/0 -j MASQ

When I do that the ping is getting through.... And when I do this
ipchains -A forward -b -s 192.168.3.0/24 -d 0.0.0.0/0 -j MASQ # router B
it still gets through.

But when I cut out the -b here, it is not working (though I can still use the 
Internet with a host behind the router). Why is that?
Can anyone explain why I need to make masquerading bidirectional? It works 
fine without it as long as Router A doesn't try to ping Host B....

> Then you need to make sure the machine behind routerB uses routerB as:
> 1) Its default route

Yes this is set, since both cipe-machines are the routers at the same time.

> Finally the routers need to have routing entries for each other's networks
>
> route add -net 192.168.1.0/24 gw 192.168.1.1
> and on the .1 box
> route add -net 192.168.3.0/24 gw 192.168.3.1

Well, they look like
route add -net 192.168.1.0/24 gw 10.10.1.1 # gw is IP of cipe-interface
and
route add -net 192.168.3.0/24 gw 10.10.3.1 # gw is IP of cipe-interface
Does that make any difference?

> Your problem is common, and is
> usually routing or a firewall rule.  CIPE could care less, it's just a
> connection.

I think it is a firewall rule... since I can make it work and not work when I 
play around with the firewall.

Thanks!
Kind regards, Nils
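An added model, not part of the thread, of how ipchains treats `-b` (the rule is installed a second time with source and destination swapped) and how the forward chain is walked first-match to the policy. It uses the networks from the thread and assumes that a ping sent by router A itself leaves through the cipe interface with source address 10.10.1.1 (an assumption; the thread does not state the source address), which is why only the swapped copy of the MASQ rule can match it.

```python
import ipaddress

def expand(rule):
    """Expand one ipchains rule into the (src, dst, target) entries it installs.
    With -b, ipchains installs the rule twice, the second time with src/dst swapped."""
    entries = [(rule["src"], rule["dst"], rule["target"])]
    if rule.get("b"):
        entries.append((rule["dst"], rule["src"], rule["target"]))
    return entries

def forward_verdict(chain, policy, src, dst):
    """Return the target of the first matching forward-chain entry, else the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain:
        for rsrc, rdst, target in expand(rule):
            if s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst):
                return target
    return policy

def build_chain(masq_bidirectional):
    """Router B's forward chain as described in the thread; only the -b on MASQ varies."""
    return [
        {"src": "192.168.1.0/24", "dst": "192.168.3.0/24", "target": "ACCEPT", "b": True},
        {"src": "192.168.3.0/24", "dst": "0.0.0.0/0", "target": "MASQ", "b": masq_bidirectional},
    ]

# Constructed packets for the two cases discussed in the thread.
HOST_TO_HOST = ("192.168.1.20", "192.168.3.20")  # LAN host behind A pinging LAN host behind B
ROUTER_A_PING = ("10.10.1.1", "192.168.3.20")    # assumed: router A pings from its cipe address

def verdicts():
    """Verdicts for each packet with and without -b on the MASQ rule (policy DENY)."""
    return {
        "host_to_host": forward_verdict(build_chain(False), "DENY", *HOST_TO_HOST),
        "router_ping_no_b": forward_verdict(build_chain(False), "DENY", *ROUTER_A_PING),
        "router_ping_with_b": forward_verdict(build_chain(True), "DENY", *ROUTER_A_PING),
    }

if __name__ == "__main__":
    for case, verdict in verdicts().items():
        print(f"{case}: {verdict}")
```

The swapped copy of the MASQ rule reads `-s 0.0.0.0/0 -d 192.168.3.0/24 -j MASQ`, so it accepts (and masquerades) anything routed toward the LAN behind router B, including the router-sourced ping the private ACCEPT rule never matched; a narrower ACCEPT for the cipe addresses would let that ping through without widening the MASQ rule.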