firewall/router - subnet/router - subnet

Discussion in 'Linux Networking' started by S James, Sep 4, 2003.

  1. S James

    S James Guest

    Dear networking group,

    This is a posting about my network which has a Netgear ADSL Router,
    behind which is a firewall/router, behind which is another router to
    which a network is attached.

    Initially I had the following simple network, which is working
    perfectly:

    ----------------------------------------------------------------------
    | Netgear ADSL        External IP: a fixed IP number
    | Modem               Internal IP: 192.168.0.1
    |       |
    |       |
    | circle:             External IP: obtained by dhcp from the Netgear,
    | Firewall/           and is 192.168.0.3
    | NAT Router          Internal IP: 192.168.10.1
    |       |
    |       |
    | Subnet of clients on 192.168.10.0/24. These access the internet using
    | ip masq through the machine circle.
    ----------------------------------------------------------------------

    circle also has a group of filtering rules which I've set up with
    iptables. It's a RH9 box. This all works fine, and machines on the
    subnet 192.168.10.0/24 all access the internet, getting MASQed through
    the firewall and then through the Netgear router.

    Now I wish to add a subnet behind one of the machines on the
    192.168.10.0/24 subnet. This machine is called xerxes. It is also a
    RH9 box. It will not do any ip packet filtering. It will actually act
    as a thin client server, and the clients on the 192.168.20.0/24
    network will be the thin clients. However, this is by the by and not
    immediately relevant.

    -------------------------------------------------------------------------
    | xerxes:             External IP: 192.168.10.5 (by dhcp from circle)
    | Router              Internal IP: 192.168.20.1
    |       |
    |       |
    | Subnet of clients on 192.168.20.0/24
    -------------------------------------------------------------------------


    Here is what I would like the .20.x clients to do: [and whether it currently does]

    1. Access addresses on 192.168.20.0 net. [Yes]
    2. Access addresses on 192.168.10.0 net. [No]
    3. Access the internet, using xerxes router. [No]

    And I'd like this from the members of the .10.x subnet:

    4. Access addresses on 192.168.20.0 net. [No]
    5. Access addresses on 192.168.10.0 net. [Yes]
    6. Access the internet, through circle. [Yes]

    And I'm currently failing to find how to do this. Can anyone help with
    the ip commands that I need to execute on xerxes to do this? Also,
    Redhat has a little gui for setting up the network devices, which also
    has facility for setting up static routes. Does this give enough
    flexibility to set up my network?

    I imagine I also have to add static routes to the .20.x network on
    circle, so it knows where replies to the .20.x subnet need to go. Is
    this right?

    Here is circle's routing table:

    [root@circle root]$ /sbin/ip route list
    192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.3
    192.168.10.0/24 dev eth1 scope link
    169.254.0.0/16 dev eth1 scope link
    127.0.0.0/8 dev lo scope link
    default via 192.168.0.1 dev eth0

    (I don't know what the 169.254.0.0/16 entry is, but may be related to
    xerxes which happens to be running Shaolin Aptus, so I'll ignore that
    for now.)

    Here is xerxes' routing table:

    [root@xerxes root]$ ip route list
    192.168.20.0/24 dev eth1 scope link
    192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5
    169.254.0.0/16 dev eth1 scope link
    127.0.0.0/8 dev lo scope link
    default via 192.168.10.1 dev eth0

    Can anyone see why it is that I am unable to access circle from one of
    xerxes' clients, nor am I able to access any of the other members of
    the .10.x subnet from a client on the .20.x subnet?

    With best regards,

    Seb James.
     
    S James, Sep 4, 2003
    #1
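The two routing tables in the post are enough to show where the reply path breaks, and the following is an added example (not code from the post or from Red Hat) that does exactly that offline: it parses the posted `ip route list` output, does the same longest-prefix-match lookup the kernel does, and traces a packet from a .20.x client to circle and back. It assumes three things the post does not state: the thin clients use 192.168.20.1 (xerxes) as their default gateway, an ordinary .10.x host uses circle as its default gateway, and the candidate fix is a static route on circle for 192.168.20.0/24 via xerxes' 192.168.10.5 address. The host addresses 192.168.20.10 and 192.168.10.50 are made up for the trace.

```python
import ipaddress

# Routing tables copied from the two `ip route list` listings in the post
# (sample input; no real kernel table is consulted).
CIRCLE_ROUTES = """\
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.3
192.168.10.0/24 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth0
"""

XERXES_ROUTES = """\
192.168.20.0/24 dev eth1 scope link
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.10.1 dev eth0
"""

# Assumed fix for circle (not in the post): a return route to the .20.x
# subnet that points at xerxes' address on the .10.x side.
CIRCLE_STATIC_ROUTE = "192.168.20.0/24 via 192.168.10.5 dev eth1"

# Assumed client tables (not in the post): a thin client behind xerxes and
# an ordinary host on the .10.x subnet, each with the obvious default gateway.
CLIENT_ROUTES = "192.168.20.0/24 dev eth0 scope link\ndefault via 192.168.20.1 dev eth0\n"
LAN_HOST_ROUTES = "192.168.10.0/24 dev eth0 scope link\ndefault via 192.168.10.1 dev eth0\n"


def parse_routes(text):
    """Turn `ip route list` output into a list of (network, gateway, dev)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        gw = dev = None
        for i, tok in enumerate(fields[1:], start=1):
            if tok == "via":
                gw = ipaddress.ip_address(fields[i + 1])
            elif tok == "dev":
                dev = fields[i + 1]
        routes.append((net, gw, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does: most specific route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best


def next_hop(routes, dst):
    """(next_hop_ip, dev): the gateway if the route has one, otherwise the
    destination itself, i.e. on-link delivery."""
    net, gw, dev = lookup(routes, dst)
    return (str(gw) if gw is not None else str(dst), dev)


def build_tables(circle_extra=""):
    """Map every address a host answers to onto that host's parsed table."""
    circle = parse_routes(CIRCLE_ROUTES + circle_extra)
    xerxes = parse_routes(XERXES_ROUTES)
    return {
        "192.168.20.10": parse_routes(CLIENT_ROUTES),    # a thin client
        "192.168.10.50": parse_routes(LAN_HOST_ROUTES),  # a host on .10.x
        "192.168.20.1": xerxes, "192.168.10.5": xerxes,
        "192.168.10.1": circle, "192.168.0.3": circle,
    }


def trace(tables, src_host, dst):
    """Follow a packet hop by hop until it is delivered on-link or handed to
    a gateway whose table we do not know (the Netgear). Returns a list of
    (forwarding_host, next_hop, dev)."""
    hops, host, seen = [], src_host, set()
    while host in tables and host not in seen:
        seen.add(host)
        nh, dev = next_hop(tables[host], dst)
        hops.append((host, nh, dev))
        if nh == str(dst):   # delivered directly on the link
            break
        host = nh            # otherwise the gateway forwards it
    return hops


if __name__ == "__main__":
    before, after = build_tables(), build_tables(CIRCLE_STATIC_ROUTE + "\n")
    print("client -> circle:      ", trace(before, "192.168.20.10", "192.168.10.1"))
    print("circle -> client:      ", trace(before, "192.168.10.1", "192.168.20.10"))
    print("circle -> client, fixed:", trace(after, "192.168.10.1", "192.168.20.10"))
    print(".10 host -> client, fixed:", trace(after, "192.168.10.50", "192.168.20.10"))
```

With the posted tables the request from a .20.x client reaches circle fine (xerxes delivers it on-link on eth0), but circle's only match for 192.168.20.10 is the default route, so the reply goes out eth0 to the Netgear and never comes back; the same happens to any .10.x host's reply, because its default gateway is circle. With the static route added, both replies go out circle's eth1 to 192.168.10.5 and xerxes delivers them on-link. On the real boxes the equivalent of `CIRCLE_STATIC_ROUTE` is `ip route add 192.168.20.0/24 via 192.168.10.5 dev eth1` on circle; xerxes must also have forwarding switched on (`/proc/sys/net/ipv4/ip_forward` set to 1), and if circle's iptables FORWARD and MASQUERADE rules were written only for a 192.168.10.0/24 source they need to admit 192.168.20.0/24 as well, otherwise .20.x traffic reaches circle and is dropped there instead of being misrouted. Masquerading on xerxes instead would hide the .20.x clients from circle and avoid the static route, but then item 4 (reaching .20.x hosts from the .10.x subnet) cannot work.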