On 6 Feb 2006, in the Usenet newsgroup comp.os.linux.networking, in article
<(E-Mail Removed) .com>, billbo wrote:
>I need to connect two subnets through two firewalls via their internet
>interfaces without using a tunnel.
>
>subnet A is 192.168.0.0 mask 255.255.255.0 GW 192.168.0.1
>subnet B is 192.168.1.0 mask 255.255.255.0 GW 192.168.1.1
OK - do the hosts on each of those nets know of the existence of the
other network? Looking at host 192.168.0.33 (an example), there would be
two routes - one being the local net, the other being the route that will
use the gateway to reach the other net. This will be either
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth0
or
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
You can use the first if there are other routes to other places (such as
the Internet), or use the second if 192.168.0.1 is the only way off the
192.168.0.0 network.
>The firewall runs ipfwadmn.
Never heard of it. There was a tool called 'ipfwadmn' that was for kernels
before 2.0.40, and was replaced by IPCHAINS (2.2.x kernels) and 'iptables'
(2.4.x and later kernels).
>I added a route on both firewalls for the firewalls to access each
>other's internet network and can ping each internal network from the
>other firewall.
OK
>the problem is that none of the machines on one subnet can access the
>machines on the other subnet. I was under the impression that if the
>firewalls can access each other's internal networks then the clients
>could also.
Three concerns. First - do computers on the first net know to use the
firewall to access addresses on the second net, AND VICE VERSA? Second,
did you tell the kernels on the firewalls to forward packets? Assuming a
system with a /proc/ file system, "echo 1 > /proc/sys/net/ipv4/ip_forward".
Depending on the distribution, there is a variable in one of the network
configuration boot scripts that tells the system to set that /proc/ variable.
Third, do your firewall rules permit such traffic? Remember that 'ping' is
an ICMP service, and most firewalls have separate rule sets for ICMP, UDP,
and TCP.
Old guy
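The first of the three concerns, checked in code as an added example (not from the thread): a kernel-style longest-prefix lookup over `route -n` output like the tables quoted above, showing that either table reaches subnet B through 192.168.0.1 while a host that knows only its local net cannot. The sample tables and the IP addresses looked up are constructed.

```python
import ipaddress

# Constructed sample (not the thread's real hosts): first table above, explicit route to B.
ROUTES_SPECIFIC = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth0
"""

# Constructed: the second table, which reaches subnet B through the default route.
ROUTES_DEFAULT = """\
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
"""

# Constructed: a host that knows only its local net, the asker's likely symptom.
ROUTES_LOCAL_ONLY = """\
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

def parse_routes(table_text):
    """Parse `route -n` style lines into (network, gateway, flags, metric, iface)."""
    routes = []
    for line in table_text.splitlines():
        fields = line.split()
        # Skip the banner and header lines; real entries start with a dotted quad.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gateway, genmask, flags, metric, _ref, _use, iface = fields[:8]
        network = ipaddress.IPv4Network((dest, genmask), strict=False)
        routes.append((network, gateway, flags, int(metric), iface))
    return routes

def lookup(table_text, dest_ip):
    """Kernel-style selection: longest matching prefix wins, then lowest metric.
    Returns (next_hop, iface); next_hop is None on a connected net, and the
    result is None when no route covers dest_ip."""
    ip = ipaddress.IPv4Address(dest_ip)
    best = None
    for route in parse_routes(table_text):
        network, metric = route[0], route[3]
        if ip in network and (best is None or
                              (network.prefixlen, -metric) > (best[0].prefixlen, -best[3])):
            best = route
    if best is None:
        return None
    network, gateway, flags, _metric, iface = best
    # Only 'G' routes have a next hop; a plain 'U' route delivers on the link directly.
    return (gateway if "G" in flags else None), iface
```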