Routing Problem Using NAT & Multiple SSL Web Sites
Duane Hinkley
      08-25-2003, 02:54 PM

I'm having a problem routing subnets using port forwarding on Netgear Firewalls. I'd appreciate any assistance in making this work.

I have a small hosting setup at a colocation facility to host my clients' web sites. I've had trouble with very weird random crashes that I narrowed down to network related. So, I installed two Netgear firewalls.

I'm now getting clients that want to use SSL, and SSL requires a distinct IP for each web site. Since I'm using firewalls, it gets the IP from the firewall. So I discovered I needed a different firewall for each SSL web site. I've been able to find the Netgear 114s real cheap, so this isn't a big expense.

I've come up with the following network setup below to take care of the different IPs for each SSL site. Basically, port 80 (http) and 443 (ssl/https) will be forwarded to the primary server. Should I have a major failure on the primary server, I'll change the port forwarding to forward everything to the backup server. This arrangement has worked great in the past.

I've done some test pings and a tcpdump, and have the results below the diagram. Basically, everything can reach everything else on the inside of my LAN. If I try to access anything through the middle firewall, it doesn't work. It just hangs. I can see from the tcpdump below that the packets are making it inside my LAN; they just must not be making it back to the destination.

Can anyone help me figure out where the problem is, or a better way to get done what I'm doing? Thanks in advance for the help.

Diagrams and test results are below:





INTERNET
|
|a
+-----+----+
| Hub |
+-+---+--+-+
|b |c |d
| | |
+-------------+ | +--------------+
e|.34 f|.32 g|.33
+------+------+ +------+------+ +------+------+
| Netgear 318 | | Netgear 114 | | Netgear 114 |
+---+-------+-+ +-+---------+-+ +-+--------+--+
192.168.1.4|h i| j| 192.168 |k |l
m|192.168.1.17
| +-------+ .2.2 +-------+ |
| Crossover Crossover |
| |
| |
ns1 | | ns2
192.168.1.101->eth0 | |
192.168.1.102->eth0
192.168.2.101->eth0:2| |
192.168.2.102->eth0:2
192.168.3.101->eth0:3|n o|
192.168.3.102->eth0:3
+-+---------+ +---------+-+
| | | |
| SMTP, FTP | | SMTP, FTP |
| DNS, HTTP | | DNS, HTTP |
| HTTPS | | HTTPS |
| | | |
| | | |
| Primary | | Backup |
| Linux | | Linux |
| Server | | Server |
| | | |
+-----------+ +-----------+


ns1 Routing Table
=================

[root@downhomewebdesign /root]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.4     0.0.0.0         UG        0 0          0 eth0


Firewall 192.168.2.2 Port Forwarding
=====================================

Rule Start Port No. End Port No. IP Address
---------------------------------------------------
1. Default Default 0.0.0.0
2. 22 22 192.168.2.101
3. 80 80 192.168.2.101
4. 443 443 192.168.2.101


Pings from ns1
==============

[root@downhomewebdesign /root]# ping -c 1 192.168.1.102
PING 192.168.1.102 (192.168.1.102) from 192.168.1.101 : 56(84) bytes of data.
64 bytes from 192.168.1.102: icmp_seq=0 ttl=255 time=590 usec

--- 192.168.1.102 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.590/0.590/0.590/0.000 ms

[root@downhomewebdesign /root]# ping -c 1 192.168.2.102
PING 192.168.2.102 (192.168.2.102) from 192.168.2.101 : 56(84) bytes of data.
64 bytes from 192.168.2.102: icmp_seq=0 ttl=255 time=1.011 msec

--- 192.168.2.102 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 1.011/1.011/1.011/0.000 ms

[root@downhomewebdesign /root]# ping -c 1 192.168.3.102
PING 192.168.3.102 (192.168.3.102) from 192.168.3.101 : 56(84) bytes of data.
64 bytes from 192.168.3.102: icmp_seq=0 ttl=255 time=986 usec

--- 192.168.3.102 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.986/0.986/0.986/0.000 ms

[root@downhomewebdesign /root]# ping -c 1 192.168.1.4
PING 192.168.1.4 (192.168.1.4) from 192.168.1.101 : 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=0 ttl=63 time=896 usec

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.896/0.896/0.896/0.000 ms

[root@downhomewebdesign /root]# ping -c 1 192.168.2.2
PING 192.168.2.2 (192.168.2.2) from 192.168.2.101 : 56(84) bytes of data.
64 bytes from 192.168.2.2: icmp_seq=0 ttl=254 time=1.701 msec

--- 192.168.2.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 1.701/1.701/1.701/0.000 ms

[root@downhomewebdesign /root]# ping -c 1 192.168.1.17
PING 192.168.1.17 (192.168.1.17) from 192.168.1.101 : 56(84) bytes of data.
64 bytes from 192.168.1.17: icmp_seq=0 ttl=254 time=1.784 msec

--- 192.168.1.17 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 1.784/1.784/1.784/0.000 ms
[root@downhomewebdesign /root]#


Internet Access Attempt
=======================

[dlhinkley@downhom dlhinkley]$ ping -c 1 xx.xx.xx.32
PING xx.xx.xx.32 (xx.xx.xx.32) from 192.168.1.110 : 56(84) bytes of data.
64 bytes from xx.xx.xx.32: icmp_seq=0 ttl=235 time=217.267 msec

--- xx.xx.xx.32 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 217.267/217.267/217.267/0.000 ms

[dlhinkley@downhom dlhinkley]$ telnet xx.xx.xx.32 80
Trying xx.xx.xx.32...

(hangs.....)


[dlhinkley@downhom dlhinkley]$ telnet xx.xx.xx.32 443
Trying xx.xx.xx.32...

(hangs.....)


[dlhinkley@downhom dlhinkley]$ ssh xx.xx.xx.32 -l root

(hangs......)


tcpdump from ns1 During Internet Access Attempt to port 443
===========================================================

tcpdump: listening on eth0
08:24:19.325831 67.23.138.131.26265 > 192.168.2.101.https: S 3973948661:3973948661(0) win 5840 <mss 1460,sackOK,timestamp 156346935 0,nop,wscale 0> (DF) [tos 0x10]
0x0000 4510 003c 0ec2 4000 2d06 ae42 4317 8a83 E..<..@.-..BC...
0x0010 c0a8 0265 6699 01bb ecdd a4f5 0000 0000 ...ef...........
0x0020 a002 16d0 f2de 0000 0204 05b4 0402 080a ................
0x0030 0951 aa37 0000 0000 0103 0300 .Q.7........
08:24:19.325924 192.168.2.101.https > 67.23.138.131.26265: S 1909310785:1909310785(0) ack 3973948662 win 5792 <mss 1460,sackOK,timestamp 160171906 156346935,nop,wscale 0> (DF)
0x0000 4500 003c 0000 4000 4006 aa14 c0a8 0265 E..<..@.@......e
0x0010 4317 8a83 01bb 6699 71cd c541 ecdd a4f6 C.....f.q..A....
0x0020 a012 16a0 aae0 0000 0204 05b4 0402 080a ................
0x0030 098c 0782 0951 aa37 0103 0300 .....Q.7....
08:24:22.317071 67.23.138.131.26265 > 192.168.2.101.https: S 3973948661:3973948661(0) win 5840 <mss 1460,sackOK,timestamp 156347235 0,nop,wscale 0> (DF) [tos 0x10]
0x0000 4510 003c 0ec3 4000 2d06 ae41 4317 8a83 E..<..@.-..AC...
0x0010 c0a8 0265 6699 01bb ecdd a4f5 0000 0000 ...ef...........
0x0020 a002 16d0 f1b2 0000 0204 05b4 0402 080a ................
0x0030 0951 ab63 0000 0000 0103 0300 .Q.c........
08:24:22.317116 192.168.2.101.https > 67.23.138.131.26265: S 1909310785:1909310785(0) ack 3973948662 win 5792 <mss 1460,sackOK,timestamp 160172205 156346935,nop,wscale 0> (DF)
0x0000 4500 003c 0000 4000 4006 aa14 c0a8 0265 E..<..@.@......e
0x0010 4317 8a83 01bb 6699 71cd c541 ecdd a4f6 C.....f.q..A....
0x0020 a012 16a0 a9b5 0000 0204 05b4 0402 080a ................
0x0030 098c 08ad 0951 aa37 0103 0300 .....Q.7....
08:24:22.717307 192.168.2.101.https > 67.23.138.131.26265: S 1909310785:1909310785(0) ack 3973948662 win 5792 <mss 1460,sackOK,timestamp 160172246 156346935,nop,wscale 0> (DF)
0x0000 4500 003c 0000 4000 4006 aa14 c0a8 0265 E..<..@.@......e
0x0010 4317 8a83 01bb 6699 71cd c541 ecdd a4f6 C.....f.q..A....
0x0020 a012 16a0 a98c 0000 0204 05b4 0402 080a ................
0x0030 098c 08d6 0951 aa37 0103 0300 .....Q.7....
08:24:28.717928 192.168.2.101.https > 67.23.138.131.26265: S 1909310785:1909310785(0) ack 3973948662 win 5792 <mss 1460,sackOK,timestamp 160172846 156346935,nop,wscale 0> (DF)
0x0000 4500 003c 0000 4000 4006 aa14 c0a8 0265 E..<..@.@......e
0x0010 4317 8a83 01bb 6699 71cd c541 ecdd a4f6 C.....f.q..A....
0x0020 a012 16a0 a734 0000 0204 05b4 0402 080a .....4..........
0x0030 098c 0b2e 0951 aa37 0103 0300 .....Q.7....
08:24:40.719143 192.168.2.101.https > 67.23.138.131.26265: S 1909310785:1909310785(0) ack 3973948662 win 5792 <mss 1460,sackOK,timestamp 160174046 156346935,nop,wscale 0> (DF)
0x0000 4500 003c 0000 4000 4006 aa14 c0a8 0265 E..<..@.@......e
0x0010 4317 8a83 01bb 6699 71cd c541 ecdd a4f6 C.....f.q..A....
0x0020 a012 16a0 a284 0000 0204 05b4 0402 080a ................
0x0030 098c 0fde 0951 aa37 0103 0300 .....Q.7....

7 packets received by filter
0 packets dropped by kernel
[root@downhomewebdesign scripts]#



Sincerely,

Duane Hinkley
Down Home Web Design, Inc.
(208) 424-0572 Fax(208) 587-0738

www.downhomewebdesign.com
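One reading of the capture and routing table above, as an added example that is not part of the original post: the SYN reaches ns1 through the middle Netgear (192.168.2.2), but ns1's only route back to 67.23.138.131 is the default via 192.168.1.4, so every SYN-ACK leaves through the other firewall and the client never answers (the repeated SYN-ACK retransmissions with no ACK). The script below, with the posted netstat table embedded as sample input, performs that longest-prefix check and emits the iproute2 source-based routing commands that are one assumed fix (table id 2 and the eth0 interface are assumptions, not from the post).

```python
import ipaddress

# Copy of the `netstat -rn` table posted above, used as constructed sample input.
NETSTAT_RN = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.3.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.1.4     0.0.0.0         UG        0 0          0 eth0
"""


def parse_netstat_rn(text):
    """Parse `netstat -rn` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # header line or junk
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match: (gateway, iface) the kernel picks for dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])


def reply_is_asymmetric(routes, ingress_gateway, client_ip):
    """True when the reply to client_ip would leave via a gateway other than
    the one that forwarded the incoming SYN (the hang seen in the tcpdump)."""
    hop = next_hop(routes, client_ip)
    return hop is not None and hop[0] != ingress_gateway


def policy_route_commands(server_ip, gateway, table_id, iface="eth0"):
    """Assumed fix: iproute2 commands that pin packets *sourced* from the
    per-firewall alias address back to the firewall they arrived through."""
    return [
        f"ip route add default via {gateway} dev {iface} table {table_id}",
        f"ip rule add from {server_ip} table {table_id}",
        "ip route flush cache",
    ]
```

Run `reply_is_asymmetric(parse_netstat_rn(NETSTAT_RN), "192.168.2.2", "67.23.138.131")` to confirm the mismatch; the same rule/table pair is needed once per alias address (192.168.3.101 via 192.168.1.17 likewise).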
