<div>On 12/10/05, J. K. Cliburn <<a href="mailto:jcliburn@gmail.com">jcliburn@gmail.com</a>> wrote:<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> I'm overlooking something very simple, I know, but I've been looking at this mess for so long, there's little hope now of my seeing what's wrong. For reference, I've uploaded a diagram of my network at <a href="http://home.bellsouth.net/p/s/community.dll?ep=16&ext=1&groupid=266017&ck="> http://home.bellsouth.net/p/s/community.dll?ep=16&ext=1&groupid=266017&ck=</a> Please refer to it for the discussion below. I'm preparing to replace a smoothwall box at my border with a custom-configured Fedora machine (hostname gadwall). In order to test the configuration of gadwall in its new role, I've set up a second subnet inside my home network by putting petrel behind gadwall on the .2 subnet. (Yes, I know, there's some serious triple natting at play.) I added a route on osprey (<a href="http://192.168.1.3">192.168.1.3</a>) that enables me to ssh in to petrel (<a href="http://192.168.2.2">192.168.2.2</a>). From petrel I can get to anything on the <a href="http://192.168.1.0"> 192.168.1.0</a> subnet through gadwall. Unfortunately, from petrel I can't get to the internet; gadwall isn't forwarding packets to smoothwall. From gadwall itself I can get to the internet just fine. Here's some net config stuff from gadwall. [root@gadwall ~]# ifconfig eth0 Link encap:Ethernet HWaddr 00:B0:D0:82:6D:DB inet addr:<a href="http://192.168.1.10">192.168.1.10</a> Bcast:<a href="http://192.168.1.255">192.168.1.255</a> Mask:<a href="http://255.255.255.0">255.255.255.0</a> inet6 addr: fec0::2b0:d0ff:fe82:6ddb/64 Scope:Site inet6 addr: fe80::2b0:d0ff:fe82:6ddb/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:11416 errors:0 dropped:0 overruns:0 frame:0 TX packets:8144 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:4871805 (4.6 MiB) TX bytes:1066146 (1.0 MiB) Interrupt:5 Base address:0xe880 eth1 Link encap:Ethernet HWaddr 00:0F:B5:8D:63:D9 inet addr:<a href="http://192.168.2.1">192.168.2.1</a> Bcast:<a href="http://192.168.2.255">192.168.2.255</a> Mask:<a href="http://255.255.255.0">255.255.255.0</a> inet6 addr: fe80::20f:b5ff:fe8d:63d9/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1449 errors:0 dropped:0 overruns:0 frame:0 TX packets:1223 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:141635 (138.3 KiB) TX bytes:108304 (105.7 KiB) Interrupt:5 Base address:0x4c00 lo Link encap:Local Loopback inet addr:<a href="http://127.0.0.1">127.0.0.1 </a> Mask:<a href="http://255.0.0.0">255.0.0.0</a> inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:1129 errors:0 dropped:0 overruns:0 frame:0 TX packets:1129 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:1313920 (1.2 MiB) TX bytes:1313920 (1.2 MiB) [root@gadwall ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface <a href="http://192.168.2.0">192.168.2.0</a> <a href="http://0.0.0.0">0.0.0.0</a> <a href="http://255.255.255.0">255.255.255.0</a> U 0 0 0 eth1 <a href="http://192.168.1.0">192.168.1.0</a> <a href="http://0.0.0.0">0.0.0.0</a> <a href="http://255.255.255.0">255.255.255.0</a> U 0 0 0 eth0 <a href="http://169.254.0.0">169.254.0.0</a> <a href="http://0.0.0.0">0.0.0.0</a> <a href="http://255.255.0.0">255.255.0.0</a> U 0 0 0 eth1 <a href="http://0.0.0.0">0.0.0.0</a> <a href="http://192.168.1.1">192.168.1.1</a> <a href="http://0.0.0.0">0.0.0.0</a> UG 0 0 0 eth0 [root@gadwall ~]# cat /proc/sys/net/ipv4/ip_forward 1 [root@gadwall ~]# iptables -L Chain FORWARD (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Here's a traceroute from petrel (<a href="http://192.168.2.2">192.168.2.2</a>) to <a href="http://google.com">google.com</a> (<a href="http://72.14.207.99">72.14.207.99</a>). Clearly, gadwall isn't forwarding to smoothwall. </blockquote><div> You don't know that, it could be a lot of things, you need to do tcpdumps on both gadwall and smoothwall to determine what's the cause. can you get to the internet from gadwall? or anything else that's on the <a href="http://192.168.1.0">192.168.1.0</a> network? also, You didn't say anything about smoothwall's setup and NAT translation if you are doing any.... </div> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">[root@petrel ~]# traceroute <a href="http://72.14.207.99">72.14.207.99</a> traceroute to <a href="http://72.14.207.99">72.14.207.99</a> (<a href="http://72.14.207.99">72.14.207.99</a>), 30 hops max, 38 byte packets 1 gadwall (<a href="http://192.168.2.1">192.168.2.1</a>) 0.412 ms 0.144 ms 0.114 ms 2 * * * But it works for .1 subnet addresses. [root@petrel ~]# traceroute <a href="http://192.168.1.3">192.168.1.3</a> traceroute to <a href="http://192.168.1.3">192.168.1.3</a> (<a href="http://192.168.1.3"> 192.168.1.3</a>), 30 hops max, 38 byte packets 1 gadwall (<a href="http://192.168.2.1">192.168.2.1</a>) 0.412 ms 0.119 ms 0.092 ms 2 osprey (<a href="http://192.168.1.3">192.168.1.3</a>) 0.206 ms !<10> 0.160 ms !<10> 0.154 ms !<10> What route should I add to gadwall to make him forward packets from petrel to smoothwall (and hence, the internet)?</blockquote><div> the config on gadwall looks good, I would do tcpdumps on both gadwall and smoothwall (both interfaces) to see where the problem is </div></div> - Yang