On Mon, Feb 14, 2000 at 10:41:35AM -0500, Bill White wrote:
> Hi. I have a routing question. I have tried this in various combinations,
> but I don't seem to have the right one.
>
> This is my desired HW and SW configuration.
> o One GNU/Linux firewall machine. This also has its own IP number. This
>   will also handle incoming email, ftp and web traffic, but that is not
>   the issue here.
> o Two Windows machines, each with 1 ethernet card, and each with their
>   own IP address. They are going to run proprietary VPN SW to my
>   employer's office in San Jose CA. (I am in MA.) It goes through
>   the firewall machine.
> o Two or more Unix/Hurd/Windows machines. These don't have their own
>   IP numbers, but do IP Masq. through the firewall. These aren't
>   on the VPN, even when they are booted into Windows.
> o One DSL Modem.
> o Two hubs, many ethernet cards and much ethernet cabling.
> o I want to be able to mount Samba shares from the Unix machines on
>   the VPN'd Windows machines, but not necessarily to export them to
>   machines on the company VPN. I don't need to mount the VPN's file
>   systems on the Unix machines, though it wouldn't hurt.
>
> In this explanation I will say the real IP numbers are 10.100.3.1,
> 10.100.3.2 and 10.100.3.3, though these are of course not the real ones.
>
> Right now, I have the
> o VPN'd Windows machines, the firewall (eth0) and the dsl modem all on one
>   hub
> o the firewall (eth1) and the Unix/Hurd/Windows machines on the second hub.
> o the firewall routes and masquerades the Unix/Hurd/Windows machines.
>
> This means that the VPN'd Windows machines are not behind the firewall.
> I'm not completely happy with this, though these machines crash 10-20
> times a day, and it would be hard to portscan them. (If you don't
> reboot your Windows machine at least 20 times a day you aren't working
> hard enough.)
>
> I would like to have:
> o The firewall has three interfaces:
>   - One connecting to the DSL modem. This if has IP number 10.100.3.1.
>   - One connecting to a hub for the VPN'd Windows machines. The
>     IP number for this if is 192.168.2.10.
>   - One connecting to a hub for the IPMasq'd Unix/Hurd/Windows machines.
>     The IP number for this if is 192.168.1.10.
> o The firewall does IP masquerade for the Unix/Hurd/Windows machines.
> o Everything is routed easily and seamlessly.
>
> I connected it this way, and then I tried the obvious thing:
> o Each non-firewall machine has the firewall machine as a default gw,
>   on their only interface.
> o The fw machine has a default gw route to the DSL gateway.
> o The fw machine routes the 192.168.1.0/24 net to eth2 (the if to the
>   192.168.1.0/24 hub.)
> o The fw machine routes the two real IP addresses 10.100.3.2 and 10.100.3.3
>   to eth1 (the if to the 10. hub)
> o The fw does proxy arp for the 192.168.1.0/24 machines. (I tried both
>   with this and without this.)

Unnecessary, and probably a bad idea.

> With this, all machines can get out to the internet, but the IPMasq'd
> machines could not ping the 10. machines through the fw machine.
>
> What am I doing wrong?

Quick check: did you enable ICMP masquerading in the firewall machine's kernel?

John P.
--
[EMAIL PROTECTED]
[EMAIL PROTECTED]
"Oh - I - you know - my job is to fear everything." - Bill Gates in Denmark
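The following is an added worked example, not code from either poster: a small model of the firewall's route selection and masquerade-rule matching for the three-interface layout Bill describes. The routes are the ones listed in the post (default via the DSL gateway on eth0, 192.168.1.0/24 on eth2, the two real addresses on eth1). The DSL gateway address, the outside test address and the rule shape (source net, egress interface, protocol set, with ICMP covered only when an "ICMP masquerading" flag is on) are assumptions standing in for the kernel's masquerade code and the build option John asks about. It shows which interface each flow leaves on and whether a given rule would masquerade it, including the case of a rule bound only to eth0 when the packet actually leaves via eth1.

```python
"""Constructed model of the firewall's route lookup and masquerade matching
for the setup in Bill White's post. Added example, not code from the thread.
Routes are those the post lists; the DSL gateway address, the outside test
address and the masquerade-rule shape are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                    # egress interface
    via: Optional[str] = None   # next hop; None means directly connected


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match, as the kernel does: 0.0.0.0/0 is chosen
        only when nothing more specific covers the destination."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            raise LookupError(f"no route to {dst}")
        return max(candidates, key=lambda r: r.prefix.prefixlen)


DSL_GATEWAY = "10.100.3.254"   # assumption: the post does not give this address

# The firewall's routes as the post describes them.
FW_ROUTES = RoutingTable([
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", DSL_GATEWAY),  # default via DSL
    Route(ipaddress.ip_network("192.168.1.0/24"), "eth2"),          # masqueraded LAN
    Route(ipaddress.ip_network("10.100.3.2/32"), "eth1"),           # VPN'd Windows box
    Route(ipaddress.ip_network("10.100.3.3/32"), "eth1"),           # VPN'd Windows box
])


@dataclass(frozen=True)
class MasqRule:
    """Masquerade rule in the shape of an ipchains forward-chain entry:
    source network, egress interface ("*" for any), and whether the kernel
    is built to masquerade ICMP as well as TCP/UDP (simplified model, an
    assumption standing in for the ICMP masquerading build option)."""
    src_net: str
    out_dev: str
    icmp_masq: bool

    def matches(self, src: str, egress_dev: str, proto: str) -> bool:
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src_net):
            return False                      # not a host we masquerade for
        if self.out_dev not in ("*", egress_dev):
            return False                      # rule bound to a different interface
        if proto == "icmp":
            return self.icmp_masq             # ping only translated if ICMP masq is on
        return proto in ("tcp", "udp")


def classify(src: str, dst: str, proto: str, rule: MasqRule,
             table: RoutingTable = FW_ROUTES) -> Tuple[str, bool]:
    """Return (egress interface, whether this packet would be masqueraded)."""
    route = table.lookup(dst)
    return route.dev, rule.matches(src, route.dev, proto)


if __name__ == "__main__":
    LAN = "192.168.1.0/24"
    OUTSIDE = "203.0.113.10"   # constructed outside address (documentation range)
    cases = (
        ("rule bound to eth0, ICMP masq on", MasqRule(LAN, "eth0", icmp_masq=True)),
        ("rule on any interface, ICMP masq off", MasqRule(LAN, "*", icmp_masq=False)),
        ("rule on any interface, ICMP masq on", MasqRule(LAN, "*", icmp_masq=True)),
    )
    for label, rule in cases:
        for dst, proto in ((OUTSIDE, "tcp"), ("10.100.3.2", "icmp")):
            dev, masq = classify("192.168.1.5", dst, proto, rule)
            print(f"{label}: {proto} to {dst} leaves via {dev}, masqueraded={masq}")
```

The model makes two separate conditions visible: the route lookup decides that traffic for 10.100.3.2 leaves on eth1 rather than eth0, so a masquerade rule matched on the outgoing interface has to cover eth1 as well, and an ICMP packet is only translated at all when the ICMP masquerading option is on, which is the check John suggests.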