Forwarding not work in FC9 but ip forward is turn on

Roger Grosswiler roger at gwch.net
Tue Sep 23 20:00:24 UTC 2008


On Tue, 23 Sep 2008 11:58:37 -0500,
Kevin Martin <kevintm at ameritech.net> wrote:

> 
> 
> ppps wrote:
> >> First off, what is that extra netstat -rn entry for eth6
> >> (169.254.0.0...looks like some Windows default garbage)? Can't
> >> help but wonder what that's doing to routing to the 192.168.10
> >> network on the machine.
> >>     
> > I have tried to eliminate that route with the command
> > route del -net 169.254.0.0 netmask 255.255.0.0
> > This eliminates the route but on reboot again and lift it
> > I do not know which file to modify to be removed.
> >
> >   
> Ok, this has been answered by Mr. Wright.
> > I think that you really don't need to worry about this route. 
> > It's used for default networking when your system is set to DHCP
> > but does not get an address from a DHCP server (NIC self-assigns a
> > 169.254.x.x address to itself). This also happens on Windows. I
> > think that, the route itself will have no effect on your
> > connectivity or networking.
> >
> >   
> >> Next, why do you get two different traceroute results when you
> >> traceroute host 192.168.10.20 as shown below (doesn't make any
> >> sense)?: 
> >
> > In the first tcpdump command,    
> > ping from 192.168.10.250 to 192.168.10.20
> >
> > |firewall |--x-->|switch |----> | host 192.168.10.20 |
> >
> > In the second tcpdump command
> > ping from 192.168.10.20 to 192.168.5.1
> >
> > |host 192.168.10.20 |---->|switch |----> | FIREWALL |--x-->| switch
> > |-----> | HOST 192.168.5.1 |
> >
> >   
> Ah, ok, my bad for not noticing that.
> 
> Let's take this from the top (please correct me if I'm wrong):
> 
> Your firewall has the 3 interfaces with 192.168.1.231/24,
> 192.168.5.254/24, and 192.168.10.250/24 as the interface addresses. 
> You have 3 machines off-firewall with addresses 192.168.1.201,
> 192.168.5.1, and 192.168.10.20 (all in the /24 bit network, right?).
> 
> 1).From the firewall, if you ping/traceroute to the 3 off firewall
> addresses, do they all work or only some of them?
> 
> 2).From the off firewall addresses, does ping/traceroute to the 3
> firewall addresses *on the same network* (so from ...1.201
> to ...1.231, ...5.1 to ...5.254, and ...10.20 to ...10.250) work?
> 
> 3).On the off firewall machines, what does a tcpdump show about the
> traffic coming from the firewall in (1) (when it works and when it
> doesn't work)?
> 
> 4).From the off firewall machines, what are the results of
> pings/traceroutes from those machines to the other machines (so from
> 1.201 to 5.1, 1.201 to 10.20, 5.1 to 10.20, 5.1 to 1.201, 10.20 to
> 5.1, and 10.20 to 1.201...you need to do all of them to verify that
> the traceroutes are all using the same paths coming and going...I've
> seen networking weirdness where a traceroute from a -> b shows 5 hops
> on 5 routers while a traceroute from b -> a shows different
> routers/hops ).
> 
> 5).On the off firewall machines, what do the routing tables look
> like? And what are the results of the command "arp"?  Are all of the
> off firewall machines Linux boxes or are there Windows or other O.S.
> machines (and is the 5.1 box just a router?)?
> 
> FWIW, it's often handy from a troubleshooting point of view and the
> sake of consistency to, if possible, have your firewall interfaces
> have the same ending octet (again, if possible in the network(s) that
> you are working with).  If the firewall interfaces *always* have .254
> as the last octet (or .110 or .1 or whatever as long as they are the
> same on each interface) then it makes it easier to understand your
> routing/network setup.
> 
> <snip>
> 
> 

erm, btw, what's the nic-setup of one of your client-computers?

Roger



