Networking Forums


IPCOP Firewall Static Route Problem

 
 
JP
Guest
Posts: n/a

 
      11-07-2004, 05:08 PM
I am testing IPCOP 1.4 firewall hoping to replace a Netgear VPN router. It
works perfectly as a firewall router to provide NAT-based Internet access
with protection. Unfortunately, there is a static router issue I cannot
resolve. So far no one in the IPCOP forum has any idea.

Here is the network environment:

<< Headquarter >> (192.168.0.x)
| Internet | -- | IPCOP Router | -- | LAN1 | -- | Cisco 1720 | -- | Frame
Relay to Branch |

<< Branch >> (192.168.1.x)
| Internet | -- | Netgear Router | -- | LAN2 | -- | Cisco 1720 | -- | Frame
Relay to Headquarter |

1. In LAN1, all computers are set up to use the IP address of LAN
   interface of IPCOP as DG
2. In LAN2, all computers are set up to use the IP address of LAN
   interface of Netgear as DG
3. IPCOP has a static route set up to LAN2, which is the local interface of
   the Cisco 1720
4. Netgear has a static route set up to LAN1, which is the local interface
   of the Cisco 1720
5. All workstations in both LAN set up to use DHCP and its options.
6. All workstations in LAN1 can ping LAN2
7. Only computers running Windows 98 can telnet to resources in LAN2.
8. Machines running W2K (prof or server) cannot telnet to any hosts in
   LAN2.
9. Though all W98 and W2K PC's are set up to use DHCP, TRACERT shows that
     W98 machines access LAN2 by directly going to the Cisco 1720, then
     reach LAN2
     W2K machines access LAN2 by going to IPCOP first, then move on to next
     hop, Cisco 1720
   *** Despite this, all TRACERT results from W98 & W2K show successful
   routing from LAN1 to LAN2

10. If I add a static route for LAN2 on W2K machines, i.e.
      route add 192.168.1.0 mask 255.255.255.0 192.168.1.11
      (192.168.1.0 = LAN2, 192.168.1.11 = Cisco)
    then the machine can access resources in LAN2 without a problem
    *** In this case, the first hop when accessing LAN2 from LAN1 is
    Cisco, not IPCOP
11. When I replace IPCOP with another Netgear router, computers in both LAN's
    work fine.
    LAN1 can access resources (including TELNET) in LAN2 and vice versa
    without a problem.
12. I am sure I have IPCOP configured properly, static route to LAN2 set up
    correctly. I can PING LAN2 from IPCOP console.

The workaround is to manually add a static route to all Windows 2000 PC's in
LAN1, which is a tedious work and should be something handled by the DG. I
strongly believe that the problem lies on the IPCOP 1.4 final version I am
using. I am going to have to drop it if this problem cannot be resolved.

Joe



 
 
 
 
 
By-Proxy
Guest
Posts: n/a

 
      11-07-2004, 07:16 PM
"JP" <(E-Mail Removed)> wrote in
news:5qSdnQuuS64u-RPcRVn-(E-Mail Removed):

> I am testing IPCOP 1.4 firewall hoping to replace a Netgear VPN
> router. It works perfectly as a firewall router to provide NAT-based
> Internet access with protection. Unfortunately, there is a static
> router issue I cannot resolve. So far no one in the IPCOP forum has
> any idea.
>
> Here is the network environment:
>
> << Headquarter >> (192.168.0.x)
>| Internet | -- | IPCOP Router | -- | LAN1 | -- | Cisco 1720 | -- |
>| Frame
> Relay to Branch |
>
> << Branch >> (192.168.1.x)
>| Internet | -- | Netgear Router | -- | LAN2 | -- | Cisco 1720 | -- |
>| Frame
> Relay to Headquarter |
>
> 1. In LAN1, all computers are set up to use the IP address of LAN
> interface of IPCOP as DG
> 2. In LAN2, all computers are set up to use the IP address of LAN
> interface of Netgear as DG
> 3. IPCOP has a static route set up to LAN2, which is the local
> interface of the Cisco 1720
> 4. Netgear has a static route set up to LAN1, which is the local
> interface of the Cisco 1720
> 5. All workstations in both LAN set up to use DHCP and its options.
> 6. All workstations in LAN1 can ping LAN2
> 7. Only computers running Windows 98 can telnet to resources in LAN2.
> 8. Machines running W2K (prof or server) cannot telnet to any hosts
> in LAN2.
> 9. Though all W98 and W2K PC's are set up to use DHCP, TRACERT shows
> that
> W98 machines access LAN2 by directly going to the Cisco 1720,
> then
> reach LAN2
> W2K machines access LAN2 by going to IPCOP first, then move on to
> next
> hop, Cisco 1720
> *** Despite this, All TRACERT results from W98 & W2K show
> successful
> from LAN1 routing to LAN2
>
> 10. If add a static route for LAN2 on W2K machines, i.e.
> route add 192.168.1.0 mask 255.255.255.0 192.168.1.11
> (LAN2)
> (Cisco)
> then the machine can access resources in LAN2 without a problem
> *** In this case, the first hop when accessing LAN2 from LAN1
> is
> Cisco, not IPCOP
> 11. When replace IPCOP with another Netgear router, computers in both
> LAN's work fine.
> LAN1 can access resources (including TELNET) in LAN2 and vice
> versa
> without a problem.
> 12. I am sure I have IPCOP configured properly, static route to LAN2
> set up correctly. I can PING
> LAN2 from IPCOP console.
>
> The workaround is to manually add a static route to all Windows 2000
> PC's in LAN1, which is a tedious work and should be something handled
> by the DG. I strongly believe that the problem lies on the IPCOP 1.4
> final version I am using. I am going to have to drop it if this
> problem cannot be resolved.
>
> Joe
>
>
>
>


Port Forwarding should do the trick... I'll look into this some more.
 
 
JP
Guest
Posts: n/a

 
      11-07-2004, 09:34 PM
> Port Forwarding should do the trick... I'll look into this some more.

Thanks for your idea. Still don't understand why I can PING from LAN1 to
LAN2 but not TELNET. If the route is valid for PING, what is the difference
between other applications. I cannot TELNET or use Terminal Service Client
to access LAN2. The HOSTs there respond to my PING.

By adding a static route to the machines in LAN1, everything works as
expected. However, if I put in a NETGEAR, DLINK or LINKSYS router instead
of the IPCOP, I don't need the static route on the PC's.

I configured NETGEAR, DLINK, LINKSYS and IPCOP in the exact same way, a
static route to LAN2 is manually entered.

Thanks again for looking into it.

Joe


 
 
Gary
Guest
Posts: n/a

 
      11-08-2004, 12:53 AM
JP wrote:

> By adding a static route to the machines in LAN1, everything works as
> expected. However, if I put in a NETGEAR, DLINK or LINKSYS router instead
> of the IPCOP, I don't need the static route on the PC's.


If you have access rules that allow all ICMP and IP traffic, then you
might want to check your network configuration. Have you tried a
different netmask like 255.255.0.0? It looks like these hosts are all in
192.168/16. I didn't see mention of a VPN...

-Gary
 
 
Paul E Mak
Guest
Posts: n/a

 
      11-08-2004, 05:21 AM
It may have to do with what ports your gear is letting through, and in
which direction. In some cases you can set them up bi-directionally,
but in most cases you set them up one direction at a time.

JP wrote:
>> Port Forwarding should do the trick... I'll look into this some more.

>
>
> Thanks for your idea. Still don't understand why I can PING from LAN1 to
> LAN2 but not TELNET. If the route is valid for PING, what is the difference
> between other applications. I cannot TELNET or use Terminal Service Client
> to access LAN2. The HOSTs there respond to my PING.
>
> By adding a static route to the machines in LAN1, everything works as
> expected. However, if I put in a NETGEAR, DLINK or LINKSYS router instead
> of the IPCOP, I don't need the static route on the PC's.
>
> I configured NETGEAR, DLINK, LINKSYS and IPCOP in the exact same way, a
> static route to LAN2 is manually entered.
>
> Thanks again for looking into it.
>
> Joe
>
>


 
 
Guest
Posts: n/a

 
      11-09-2004, 02:34 AM
ping is on port 3503 and telnet is on port 23...your port 23 must be closed
and 3503 open.



 
 
Andrew Malone
Guest
Posts: n/a

 
      11-09-2004, 03:30 PM
Direct:262.767.3325<©¿©> wrote:
| ping is on port 3503 and telnet is on port 23...your port 23 must be closed
| and 3503 open.

Dumbass... Ping uses ICMP which is a protocol not a port. Better start
learning your shit as opposed to guessing w/ a google search. (which the
original poster obviously did b4 he posted here)

If you really must know, port 3503 is for MPLS Embedded Management...a
cisco management protocol... And their pings are UDP, not TCP

Ciao,
Droid...
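
The distinction made in the post above (ping is ICMP, an IP protocol with no port numbers, while telnet is TCP to port 23), shown as an added example that is not part of the original thread. It parses two constructed packets the way a packet filter would; the host addresses and the source port are made-up sample values.

```python
import struct

# IANA-assigned IP protocol numbers (carried in byte 9 of the IPv4 header).
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_ipv4(proto, payload, src="192.168.0.10", dst="192.168.1.20"):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


def classify(packet):
    """Return what a filter can match on: protocol plus ports or ICMP type."""
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = packet[9]                       # protocol field
    body = packet[ihl:]
    info = {"protocol": IP_PROTOCOLS.get(proto, str(proto))}
    if proto in (6, 17):                    # TCP and UDP begin with two ports
        info["src_port"], info["dst_port"] = struct.unpack("!HH", body[:4])
    elif proto == 1:                        # ICMP begins with type and code
        info["icmp_type"], info["icmp_code"] = body[0], body[1]
    return info


def port_rule_matches(packet, dst_port):
    """A rule of the form 'allow destination port N' only applies to TCP/UDP."""
    return classify(packet).get("dst_port") == dst_port


# Constructed samples: ICMP echo request (type 8, code 0) and a TCP SYN to port 23.
ECHO_REQUEST = build_ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
TELNET_SYN = build_ipv4(
    6, struct.pack("!HHIIBBHHH", 40000, 23, 0, 0, 0x50, 0x02, 8192, 0, 0))

if __name__ == "__main__":
    print(classify(ECHO_REQUEST))                 # no port fields at all
    print(classify(TELNET_SYN))                   # destination port 23
    print(port_rule_matches(ECHO_REQUEST, 3503))  # a port rule never matches ping
```

A filter therefore has to permit or deny ping by protocol and ICMP type, separately from any TCP or UDP port rules.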