Mark Fletcher wrote:
> [...]
> AirStation LAN is 192.168.11.0/24, outside AirStation LAN is
> 192.168.1.1, .2 and .3 -- note the third octet difference for internal

You seem to have set up a situation of double-NAT. This means that while 11.x can easily talk to a device on the 1.x network, the opposite is not true.

> Once I introduce the PI, (by plugging it into the switch, in case that
> isn't obvious) I find I cannot reach it (by ping or by SSH) from inside
> the LAN of my AirStation. For example, from my main Stretch desktop, I
> cannot ping or SSH to the PI at 192.168.1.3. I can both ping and SSH to
> the firewall at 192.168.1.1.
>
> If I SSH into the firewall, and then try to SSH from _there_ to
> 192.168.1.3, I can connect no problem. And I log in to the PI to find it
> bright eyed and bushy tailed, and able to connect to the internet (which
> it must do through the firewall just as all traffic from the AirStation
> does). But if I can't see it from the LAN, I can't use it for the
> purpose I spent the last week of my life building it for... :(

Sounds like perhaps the airstation is blocking client devices from talking to "bogus" network addresses. This is generally a feature of consumer gear to stop you from trying to ask the internet for information about an RFC1918 address (as they are private / not routable on the internet).

>
> Now 192.168.1.1 is the default gateway the firewall supplies the
> AirStation (ie it supplies itself as the gateway) when the AirStation
> makes a DHCP request, and I'm guessing that is why I can reach
> 192.168.1.1 from inside the LAN (ie the LAN side of the AirStation). I
> am wondering if the AirStation somehow doesn't know that it can reach
> 192.168.1.3 directly, which I would expect it to since it is plugged
> into the same switch as it and 192.168.1.1 -- and if so, how I would
> persuade it to know that? I would also expect that if it did not know
> that, it would send packets for 192.168.1.3 to 192.168.1.1 for
> forwarding, just as it does every packet that is destined for the
> internet -- and I would expect the firewall to be able to forward them,
> since it can clearly see the PI.

No, the airstation having been given an address 192.168.1.x/24 will know that it can directly reach any host 192.168.1.1 through 192.168.1.254 inclusive.

--
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
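
Added example, not part of the original message: a small longest-prefix-match model of the topology discussed above, showing why the AirStation delivers to 192.168.1.3 on-link while traffic from the 1.x side has no route back to 192.168.11.0/24. The AirStation's addresses (192.168.11.1 inside, 192.168.1.2 outside), the desktop's 192.168.11.2 and the `isp-gateway` name are assumptions made for the illustration.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses not stated in the
# thread (AirStation 192.168.11.1 / 192.168.1.2, desktop 192.168.11.2) and
# the "isp-gateway" label are assumptions. A gateway of None means on-link.
DEVICES = {
    "desktop":    {"addrs": ["192.168.11.2"],
                   "routes": [("192.168.11.0/24", None), ("0.0.0.0/0", "192.168.11.1")]},
    "airstation": {"addrs": ["192.168.11.1", "192.168.1.2"],
                   "routes": [("192.168.11.0/24", None), ("192.168.1.0/24", None),
                              ("0.0.0.0/0", "192.168.1.1")]},
    "firewall":   {"addrs": ["192.168.1.1"],
                   "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "isp-gateway")]},
    "pi":         {"addrs": ["192.168.1.3"],
                   "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]},
}

def next_hop(routes, dst):
    """Longest-prefix match: returns 'on-link', a gateway, or None (no route)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None
    return "on-link" if best[1] is None else best[1]

def owner(addr):
    """Name of the modelled device holding addr, or None."""
    return next((n for n, d in DEVICES.items() if addr in d["addrs"]), None)

def trace(src, dst):
    """Follow routing decisions hop by hop from device src toward dst."""
    path, current = [src], src
    while True:
        hop = next_hop(DEVICES[current]["routes"], dst)
        if hop == "on-link":
            return path + [owner(dst) or "no such host on-link"]
        nxt = owner(hop) if hop else None
        if nxt is None or nxt in path:   # leaves the model, or would loop
            return path + [hop or "no route"]
        path.append(nxt)
        current = nxt

if __name__ == "__main__":
    print(trace("desktop", "192.168.1.3"))   # routed by the AirStation, on-link
    print(trace("pi", "192.168.11.2"))       # falls through to the default route
```

Routing alone therefore gets the desktop's packets to the Pi, which is consistent with the reply's suggestion that a filter on the AirStation, not a missing route, is what blocks them.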