Internet/LAN simulation

I am trying to test a gateway/server/firewall in a semi-fake
environment before using it for real, but for some reason, I can't get
it to ping the 'internet' computer.

layout:

<real-internet>
\ | | | /
[isp]
|
{eth0}
(masquerade)
[gateway-current]
{eth1}
|
[--------hub----------] - - - <internal servers>
| | | | | !\!
<dhcp-clients> !\!
{eth1}
[gateway-test]
(masquerade)
{eth0}
|
[fake-internet]

note:
%!\\!% is a disconnected cable (for testing)
%\{[^\}]*\}% is the network interface
%\[[^\]]*\]% is a single machine
%<[^>]*>% is a group of machines
%\([^\)]*\)% is a nat action
%(\||/|\-|\\)% is (part of) a cable

details:

gateway-test:
eth0:
address 1.1.1.2
netmask 255.255.255.0
network 1.1.1.0
broadcast 1.1.1.255
eth1:
address 192.168.1.65 (attached to a real LAN, using dhcp)
netmask 255.255.255.0
network 192.168.1.0
broadcast 1.1.1.255
gateway 192.168.1.1

fake-internet:
eth0
address 1.1.1.1
netmask 255.255.255.0
network 1.1.1.0
broadcast 1.1.1.255

gateway-current:
eth0
address 204.x.x.x
netmask 255.x.x.x
network 204.x.x.x
broadcast 204.x.x.x
gateway 204.x.x.x
eth1
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255

LAN-dhcp:
address 192.168.1.32 - 192.168.1.100
netmask 255.255.255.0
network 192.168.1.32 - 192.168.1.100
broadcast 192.168.1.255
gateway 192.168.1.1

LAN-static
address 192.168.1.2 - 192.168.1.31
netmask 255.255.255.0
network 192.168.1.32 - 192.168.1.100
broadcast 192.168.1.255
gateway 192.168.1.1

TIA

On Mon, 02 Aug 2004 08:22:15 -0700, Some_Other_Nerd wrote:
> I am trying to test a gateway/server/firewall in a semi-fake
> environment before using it for real, but for some reason, I can't get
> it to ping the 'internet' computer.

Which is the 'internet" computer? I don't see any labelled like that.
Do you mean "a real computer on the real internet"? Something like
www.ibm.com? I'll assume that's what you mean.

Also, be aware that some gateways and/or machines specifically block ping!
Which specific machine or site are you trying to ping?

I assume you can do it directly from your "real-internet" gateway machine?
and from your server machines and dhcp-clients attached to your hub? but
not from your fake-internet machines behind your "gateway-test" machine?

> layout:
>
> <real-internet>
> \ | | | /
> [isp]
> |
> {eth0}
> (masquerade)
> [gateway-current]
> {eth1}
> |
> [--------hub----------] - - - <internal servers>
> | | | | | !\!
> <dhcp-clients> !\!
> {eth1}
> [gateway-test]
> (masquerade)
> {eth0}
> |
> [fake-internet]
>
> note:
> %!\\!% is a disconnected cable (for testing)
> %\{[^\}]*\}% is the network interface
> %\[[^\]]*\]% is a single machine
> %<[^>]*>% is a group of machines
> %\([^\)]*\)% is a nat action
> %(\||/|\-|\\)% is (part of) a cable

This is totally incomprehensible to me. What are you trying to say?

BTW, I'm not sure if you can apply NAT twice (nested?)? Normally, for an
internal network you would just do routing, and not NAT. There is normally
only one NAT done at the gateway, where you HAVE to mash all your IP
connections onto a single IP address given you by your ISP. Anyone else?

> details:
>
> gateway-test:
> eth0:
> address 1.1.1.2
> netmask 255.255.255.0
> network 1.1.1.0
> broadcast 1.1.1.255
> eth1:
> address 192.168.1.65 (attached to a real LAN, using dhcp)
> netmask 255.255.255.0
> network 192.168.1.0
> broadcast 1.1.1.255
> gateway 192.168.1.1
>
> fake-internet:
> eth0
> address 1.1.1.1
> netmask 255.255.255.0
> network 1.1.1.0
> broadcast 1.1.1.255
>
> gateway-current:
> eth0
> address 204.x.x.x
> netmask 255.x.x.x
> network 204.x.x.x
> broadcast 204.x.x.x
> gateway 204.x.x.x
> eth1
> address 192.168.1.1
> netmask 255.255.255.0
> network 192.168.1.0
> broadcast 192.168.1.255
>
> LAN-dhcp:
> address 192.168.1.32 - 192.168.1.100
> netmask 255.255.255.0
> network 192.168.1.32 - 192.168.1.100
> broadcast 192.168.1.255
> gateway 192.168.1.1
>
> LAN-static
> address 192.168.1.2 - 192.168.1.31
> netmask 255.255.255.0
> network 192.168.1.32 - 192.168.1.100
> broadcast 192.168.1.255
> gateway 192.168.1.1
>
> TIA

--
Juhan Leemet
Logicognosis, Inc.

Juhan Leemet <(E-Mail Removed)> wrote in message news:<pan.2004.08.02.21.40.38.109044@logicognosis. com>...
> On Mon, 02 Aug 2004 08:22:15 -0700, Some_Other_Nerd wrote:
> > I am trying to test a gateway/server/firewall in a semi-fake
> > environment before using it for real, but for some reason, I can't get
> > it to ping the 'internet' computer.
>
> Which is the 'internet" computer? I don't see any labelled like that.
> Do you mean "a real computer on the real internet"? Something like
> www.ibm.com? I'll assume that's what you mean.
>
> Also, be aware that some gateways and/or machines specifically block ping!
> Which specific machine or site are you trying to ping?
>
> I assume you can do it directly from your "real-internet" gateway machine?
> and from your server machines and dhcp-clients attached to your hub? but
> not from your fake-internet machines behind your "gateway-test" machine?
>
> > layout:
> >
> > <real-internet>
> > \ | | | /
> > [isp]
> > |
> > {eth0}
> > (masquerade)
> > [gateway-current]
> > {eth1}
> > |
> > [--------hub----------] - - - <internal servers>
> > | | | | | !\!
> > <dhcp-clients> !\!
> > {eth1}
> > [gateway-test]
> > (masquerade)
> > {eth0}
> > |
> > [fake-internet]
> >
> > note:
> > %!\\!% is a disconnected cable (for testing)
> > %\{[^\}]*\}% is the network interface
> > %\[[^\]]*\]% is a single machine
> > %<[^>]*>% is a group of machines
> > %\([^\)]*\)% is a nat action
> > %(\||/|\-|\\)% is (part of) a cable

The Important part is

[gateway-test]
(masquerade)
{eth0} <-------1.1.1.2
| <----------------1.1.1.0/24
{eth0} <-------1.1.1.1
[fake-internet]

I can't ping between these two computers with or without masq'ing.

>
> This is totally incomprehensible to me. What are you trying to say?
>
> BTW, I'm not sure if you can apply NAT twice (nested?)? Normally, for an
> internal network you would just do routing, and not NAT. There is normally
> only one NAT done at the gateway, where you HAVE to mash all your IP
> connections onto a single IP address given you by your ISP. Anyone else?
>
> > details:
> >
> > gateway-test:
> > eth0:
> > address 1.1.1.2
> > netmask 255.255.255.0
> > network 1.1.1.0
> > broadcast 1.1.1.255
> > eth1:
> > address 192.168.1.65 (attached to a real LAN, using dhcp)
> > netmask 255.255.255.0
> > network 192.168.1.0
> > broadcast 1.1.1.255
> > gateway 192.168.1.1
> >
> > fake-internet:
> > eth0
> > address 1.1.1.1
> > netmask 255.255.255.0
> > network 1.1.1.0
> > broadcast 1.1.1.255
> >
> > gateway-current:
> > eth0
> > address 204.x.x.x
> > netmask 255.x.x.x
> > network 204.x.x.x
> > broadcast 204.x.x.x
> > gateway 204.x.x.x
> > eth1
> > address 192.168.1.1
> > netmask 255.255.255.0
> > network 192.168.1.0
> > broadcast 192.168.1.255
> >
> > LAN-dhcp:
> > address 192.168.1.32 - 192.168.1.100
> > netmask 255.255.255.0
> > network 192.168.1.32 - 192.168.1.100
> > broadcast 192.168.1.255
> > gateway 192.168.1.1
> >
> > LAN-static
> > address 192.168.1.2 - 192.168.1.31
> > netmask 255.255.255.0
> > network 192.168.1.32 - 192.168.1.100
> > broadcast 192.168.1.255
> > gateway 192.168.1.1
> >
> > TIA


The output of `route' on gateway-test is

Kernel IP Routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
1.1.1.0 * 255.255.255.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo

on fake-internet it shows the same thing.


ifconfig on gateway-test shows:

eth0 Link encap:Ethernet HWaddr 00:01:02:EB:4F:8E
inet addr:1.1.1.2 Bcast:1.1.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:770000 errors:0 dropped:0 overruns:0 frame:0
TX packets:772291 errors:0 dropped:0 overruns:0 carrier:13
collisions:0 txqueuelen:100
RX bytes:75464210 (71.9 MiB) TX bytes:75601676 (72.0 MiB)
Interrupt:17 Base address:0xa000

eth1 Link encap:Ethernet HWaddr 00:60:08:12:33:FE
inet addr:192.168.1.68 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:907 errors:0 dropped:0 overruns:0 frame:0
TX packets:593 errors:0 dropped:0 overruns:0 carrier:512
collisions:0 txqueuelen:100
RX bytes:66311 (64.7 KiB) TX bytes:189157 (184.7 KiB)
Interrupt:17 Base address:0xa400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3455 errors:0 dropped:0 overruns:0 frame:0
TX packets:3455 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

on fake-internet:

eth0 Link encap:Ethernet HWaddr 00:A0:CCE:25:F2
inet addr:1.1.1.1 Bcast:1.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::2a0:ccff:fede:25f2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:100 errors:0 dropped:0 overruns:0 frame:0
TX packets:109 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16744 (16.3 KiB) TX bytes:6258 (6.1 KiB)
Interrupt:17 Base address:0xf000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:308 errors:0 dropped:0 overruns:0 frame:0
TX packets:308 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:20838 (20.3 KiB) TX bytes:20838 (20.3 KiB)

>>>>SNIP >>>>>>>> (Way to much text : ) )

You have to get a gateway working and this gateway should point from (if I
read your figures correct) eth1 to eth0 on your 'gateway-test'?
As far as I can see from your output from 'route' ther is no gateway up and
going. (UG) (stands for Up Gateway)
The Dest. should be 1.1.1.0 Gateway should be 1.1.1.2 and Genmask
ff.ff.ff.0 (ff=255) right?
Try getting that in to your route. (man route so you find the correct
syntax)

Correct me if I'm wrong.
Micke

> You have to get a gateway working and this gateway should point from (if I
> read your figures correct) eth1 to eth0 on your 'gateway-test'?

I thought I don't need a gateway to connect two computers directly,
only when I want one (or more) computer(s) to connect through another
one (i.e. to have the LAN access the internet for fake-internet).

What I'm trying to do is make a direct ethernet/ip (NOT ppp, slip, or
plip) connection between fake-internet (1.1.1.1) and gateway-test
(1.1.1.2).

I've already disabled iptables on both computers.

Some_Other_Nerd wrote:

>> You have to get a gateway working and this gateway should point from (if
>> I read your figures correct) eth1 to eth0 on your 'gateway-test'?
>
> I thought I don't need a gateway to connect two computers directly,
> only when I want one (or more) computer(s) to connect through another
> one (i.e. to have the LAN access the internet for fake-internet).
>
> What I'm trying to do is make a direct ethernet/ip (NOT ppp, slip, or
> plip) connection between fake-internet (1.1.1.1) and gateway-test
> (1.1.1.2).
>
> I've already disabled iptables on both computers.
Now I'm a bit confused : )
You would like to have to computers to connect to each other? Or do you want
to have two computers connected to eachother most of the time and use one
of them to connect to a third computer as a faked internet?

In the first case you only need to put the to computers on the same network
(that is 10.0.0.1 and 10.0.0.2 net mask someting like 255.255.255.0 or
whatever you like as the last 24 bits as long as they are the same on
both).(or as in your example 1.1.1.2 /24 and 1.1.1.1 /24.)

Second case the same thing BUT you have to have put the 'middle' coomp. to
be a gate way and give the third computer some other address.
As I see from your second post. Is that you have eth0 on one of the
computers set to 1.1.1.2 /24 on the second computer eth0 is set to
1.1.1.2 /24 and then naturally the network address will be 1.1.1.0 /24
Correct?
Is it only between those you need connection? You write that you can't use
ping to check the connection. Is that port open so you can use ping? Some
distros have some ports closed from start and you need to open the port OR
allow the ping protocol.

An other way to check, is to start httpd and se if you get a connection.

Micke