Access to two identical subnets

Andreas Granheim andreasg at
Wed Sep 1 08:53:48 CEST 2004

Hello, sorry for the spaghetti ASCII; here you maybe have a better

    |                       |
    |                       |   
    |                       |
 ROUTER                 IPTables FW
    |                       |
    |                       |                VPN1

When I ping from the IPTables FW I get a reply. This means that the packet
makes its way from the and back.
It's just the IPTables FW and the VPN1 box that stand on the

On the other NIC on the IPTables FW, the IP is, which is a
VLAN bone on the FW; the box has a default GW to, which is the
main FW, which connects it with the subnet.

ETH1 is on the side
ETH0 is on the side.

Networks involved: /25 - our main network, using to SSH to Subnet A,
and to SSH to on Subnet B

When trying from the, it mangles right; it looks fine in the
VPN1 log.

Where is mangled to; then the VPN1 routes this
through the VPN tunnel to VPN2, which routes to the machine; then the tries to answer and goes back through the VPN
tunnel. I think it stops at the VPN1 box or the IPTables FW.

How could I log incoming traffic on the IPTables box? iptables
-A INPUT -j LOG --log-level 3?
I can't see anything in the syslog or either log.

Do you think the packet from reaches the computer on the net, and that tries to answer, but when it comes to the
VPN1 it doesn't know where to go?

Should I see an echo reply already then, before it has come back to, which is the goal for that packet?
Or will the VPN1 log display an echo reply when the packet has reached back

Or even, it makes it back to the box, but there it doesn't know
where to go... Should the one DNAT rule mangle back to by itself, or do I need another rule that does that?

What do you people think about that?

Very thankful for any reply :)

Message: 7
Date: Tue, 31 Aug 2004 09:26:10 -0400
From: "Jason Opperisano" <Jopperisano at>
Subject: RE: Access to two identical subnets
To: <netfilter at>

> Hello
> The goal is that all computers on the net should have
> to two identical subnets.
> Like this:

[snip:  incomprehensible ascii art]

> When I ping (linux server on B Subnet) from
> (linux comp), I LOG in the VPN 1 box:
> 12206.080946 -> icmp: echo request
> 12207.081074 -> icmp: echo request
> But it doesn't get any reply.

it sounds like (B) doesn't route traffic back through the
VPN1 box.
is the VPN1 box the default gateway on the 10.50.50 (B) subnet?

No, I don't think so. I don't remember how the customer set it up. It is
a policy on the VPN2 box that routes traffic back into the
tunnel, and traffic.

> The output NIC on the IPTABLES box is on the net, which the
> VPN 1 box also stands on.
> The and the net are in a group on the VPN 1 box,
> which routes the traffic from these nets to the net via the
> If I ping from the IPTABLES box to, I get an echo reply, but
> from the machine.
> 134.344974 -> icmp: echo request
> 134.491585 -> icmp: echo reply

ok...  what are the networks involved in the VPN?  your source addresses
are all over the place here...  are the above packets encrypted or clear?

It is encrypted through the VPN tunnel; other than that I think they are
The is just a router; involved are the and
network, which should communicate.

> What must I do, will this work at all?

this can be made to work, yes...  it's complicated, and takes some
understanding of how routing is supposed to work (so that you can then
mess with it).

> Do I need other rules?


> Will be happy for answers/suggestions :-)

is there any way you can make a better/more readable diagram available?


Yes, at the beginning of this mail.
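The two open questions in the thread (how to log traffic on the IPTables box, and whether the single DNAT rule is enough for the way back) can be answered with a rule set, so here is an added example; it is not the poster's configuration and nothing in it comes from the thread except the 10.50.50.0/24 network Jason names for subnet B. Everything else is assumed: 192.0.2.0/24 as the unused alias range that the main network uses to reach B, 198.51.100.1 as the firewall's address on its VPN1-facing NIC, eth1 facing the main network and eth0 facing VPN1, and a kernel with the NETMAP target. Three points the rules encode: forwarded packets never traverse the INPUT chain, so an `-A INPUT -j LOG` rule shows nothing for them and the logging has to go in FORWARD (LOG writes to the kernel log, i.e. dmesg or the syslog `kern` facility); conntrack reverses the DNAT on the reply packets by itself, so no second rule is needed for the return direction; and an SNAT to the firewall's own address makes hosts on B answer the firewall whatever their default gateway is, which removes the dependency on VPN2's routing policy that Jason pointed at.

```shell
#!/bin/sh
# Added example for the netfilter thread above; not the poster's configuration.
# All addresses are placeholders:
#   ALIAS_NET  192.0.2.0/24   unused range the main network uses to reach subnet B (assumed)
#   REAL_NET   10.50.50.0/24  subnet B behind VPN2 (the one network named in the thread)
#   FW_OUT_IP  198.51.100.1   address of the IPTables FW on its VPN1-facing NIC (assumed)
#   IN_IF/OUT_IF              eth1 faces the main network, eth0 faces VPN1 (assumed)
ALIAS_NET=192.0.2.0/24
REAL_NET=10.50.50.0/24
FW_OUT_IP=198.51.100.1
IN_IF=eth1
OUT_IF=eth0

# Print each rule instead of applying it unless APPLY=1 (applying needs root and iptables).
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

nat_rules() {
    # 1. Log what arrives from the main network while it is still addressed to the
    #    alias range. LOG writes to the kernel log (dmesg / syslog "kern" facility).
    run iptables -t nat -A PREROUTING -i "$IN_IF" -d "$ALIAS_NET" \
        -j LOG --log-level 3 --log-prefix "PRE-DNAT:"
    # 2. 1:1 map alias -> real subnet, keeping the host part (NETMAP, assumed available).
    #    Conntrack reverses this on the replies: no second rule is needed for the way back.
    run iptables -t nat -A PREROUTING -i "$IN_IF" -d "$ALIAS_NET" \
        -j NETMAP --to "$REAL_NET"
    # 3. Rewrite the source to the FW's own address so hosts on B answer the FW
    #    whatever their default gateway is, instead of relying on VPN2's policy.
    run iptables -t nat -A POSTROUTING -o "$OUT_IF" -d "$REAL_NET" \
        -j SNAT --to-source "$FW_OUT_IP"
    # 4. Forwarded packets never traverse INPUT, which is why "-A INPUT -j LOG" shows
    #    nothing for them; they go through FORWARD, so allow and log them there.
    run iptables -A FORWARD -i "$IN_IF" -o "$OUT_IF" -d "$REAL_NET" -j ACCEPT
    # 5. Replies: by FORWARD the SNAT is already undone (dst = original client) while
    #    the DNAT is undone later in POSTROUTING, so the source is still in REAL_NET.
    run iptables -A FORWARD -i "$OUT_IF" -s "$REAL_NET" \
        -j LOG --log-level 3 --log-prefix "REPLY:"
    run iptables -A FORWARD -i "$OUT_IF" -o "$IN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules in the set (dry-run mode); a quick sanity check before applying.
rule_count() {
    nat_rules | grep -c '^iptables'
}

nat_rules
```

Run it as-is to review the six rules, then with `APPLY=1` as root to load them. To see whether the echo reply ever reaches the firewall independently of the rule set, run `tcpdump -ni eth0 icmp` on the VPN1-facing NIC; the translation entries themselves are visible in `/proc/net/ip_conntrack` on a 2004-era kernel (`conntrack -L` on current ones), and a reply that arrives but has no matching entry there is the case where the firewall "doesn't know where to go".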
