Robert Wilson wrote:
> Hello,
> I apologise if this question is a regular appearance but I need an answer.
>
> I have a SuSE 10.0 box which is acting as my router, and file server. I
> have a public IP address, which is tied to my eth0 card.
Which means your file server is exposed via the public IP. If you
leave it there, be sure to lock it down tighter than you think possible
:-)
> I also have a pair of NIC's on my local side, which are serving a pair
> of networks. One has a number of windows machines and a Windows server
> which is streaming Digital Television onto my local network which is
> made up solely of Gigabit network cards. This TV stream is UDP
> broadcast in nature, with a TTL of one.
Broadcast or multicast?
> The other network is made up of 100Mb devices, including a print server,
> and a couple of VOIP devices. Therefore because of the level of
> broadcast traffic, it swamps all of my non-gigabit enabled ethernet devices.
Broadcasts should not propagate beyond the local link. What kind of
"broadcasts" are you using? The router's link on the 100 Mb side will
also be running at 100 Mb unless you're using a GigE uplink from a
switch. What equipment lies along the pathways?
> I have managed to get a firewall up, and I am able to gain access to the
> internet from both of my networks. The network hanging off eth2 is all
> made up of statics. The Wi-Fi access point has its own DHCP server, so
> those using Wi-Fi still get dynamic IPs.
>
> I am running a DHCP server on eth1.
On the router or do you mean the subnet connected to eth1?
> Now I cannot actually route between either of my local networks. This
> means that my windows boxes cannot gain access to the print server which
> is on the 100Mb side, nor can I see anything on Wi-Fi which is
> frustrating because VNC is therefore not available.
I.e., you can't ping from one lan subnet to the other but can use the
router as the lans' default gateway to reach the internet.
Is the AP on the 100 Mb subnet? Just clarifying my view of your
layout.
> The output of my route -n command reads:
Presumably this is the router's route table.
> LNGBKER0001:/ # route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 'Public IP' 0.0.0.0 UG 0 0 0 eth0
> LNGBKER0001:/ #
OK, the routes to the lan subnets are in place. They should
automagically be inserted as they are directly connected. Best to get
rid of the 169.254/16 zeroconf route. Forget just where in Suse you
turn off zeroconf.
"Public IP" should be the IP of your router's gateway, i.e., its
upstream connection to the ISP's network. Since it is working, I presume
it is correct.
> My ifconfig also reads:
>
> LNGBKER0001:/ # ifconfig
> eth0 Link encap:Ethernet HWaddr 00:14:2A:56:72:8F
> inet addr:'Public IP' Bcast:'Public IP'
> inet6 addr: fe80::214:2aff:fe56:728f/64 Scope:Link
> UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:80611 errors:0 dropped:0 overruns:0 frame:0
> TX packets:52448 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:88348094 (84.2 Mb) TX bytes:5597558 (5.3 Mb)
> Interrupt:177 Base address:0xe200
>
> eth1 Link encap:Ethernet HWaddr 00:06:4F:0D:74:B8
> inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
> inet6 addr: fe80::206:4fff:fe0d:74b8/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:1171 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1249 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:602022 (587.9 Kb) TX bytes:442495 (432.1 Kb)
> Interrupt:225 Base address:0xe900
>
> eth2 Link encap:Ethernet HWaddr 00:13:46:3A:BE:B9
> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::213:46ff:fe3a:beb9/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:99343 errors:0 dropped:0 overruns:0 frame:0
> TX packets:148434 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:24998451 (23.8 Mb) TX bytes:151819259 (144.7 Mb)
> Interrupt:209 Base address:0x6000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:52847 errors:0 dropped:0 overruns:0 frame:0
> TX packets:52847 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:40741096 (38.8 Mb) TX bytes:40741096 (38.8 Mb)
>
> LNGBKER0001:/ #
>
Double check that /proc/sys/net/ipv4/ip_forward is set to 1.
[root]# cat /proc/sys/net/ipv4/ip_forward
0 or 1 ??? Which?
You may want to use sysctl and sysctl.conf to set this and several other
networking variables so that you can run sysctl at boot.
You can use # echo 1 > /proc/sys/net/ipv4/ip_forward and other
variables while initially setting/testing the variables. See:
http://ipsysctl-tutorial.frozentux.n...-tutorial.html
Depending on your firewall rules you may be allowing outgoing traffic
to internet while blocking all SYN (connection requests). This is
common to block unsolicited inbound internet connections. It may be
blocking similar requests between the lans. You should check that you
allow SYNs between the lans and to the file server on the router (?)
_without_ allowing SYNs from the internet (if that is what you want).
Yet another reason to move the file server off the firewall/gateway.
No way to help with firewall rules without seeing them. Are you using
a script? Homegrown? A firewall app? What is the output of
[root]# iptables -L -v [-n]   (the -n option produces numeric output;
use it or not.)
What is a "typical" route table example from a host on each of the
lans? Do you use static entries for the routes to the "other" lan?
Are your connection attempts dropped silently or do you get an error
message?
Offhand, my guess is that your firewall is blocking SYNs between the
lans.
hth,
prg