Odd issue with two SNATed Firewalls and Wireless router
ISC Jorge Ceron Galvan
jorgec at acerlandslp.com.mx
Wed Aug 24 20:43:07 CEST 2005
I've been dealing with the same problem for a while and I thought it was not a routing
problem, but after I read your mail I don't know.
I'll tell you what I've done just to see if we can find out a solution.
I'm not doing nat because I want a real IP at my wireless client.
cisco eth0 200.0.0.1/24
linux eth0 200.0.0.10/24 gw 200.0.0.1/24
linux eth1 200.0.0.129/27
remote fortinet router eth0 200.0.0.130/27 gw 200.0.0.129
I thought it could be a routing problem because I'm using subnet 0 at eth0, and at eth1 I
set up a subnet from eth0. It's not an iptables issue because I'm not using it at all. The
configuration is quite simple, but I don't know whether you can subnet a class C net this
way. The mail server we are trying to reach is somewhere in the internet.
I'm using a wireless AP at my side and a wireless bridge at the other side; the bridge is
connected directly to the fortinet router. Could it be a protocol bridge problem?
Any idea? (I apologise for my English.)
-----Original Message-----
From: Andrew Gargan <andrew at iface.co.za>
To: netfilter at lists.netfilter.org
Date: Wed, 24 Aug 2005 14:30:44 +0200
Subject: Odd issue with two SNATed Firewalls and Wireless router
> Hi All
>
> have an issue with a network setup.
>
> the issue is this: some client machines on my network (10 of +- 150) keep
> losing their connection to our mail server or any other mail server we
> set up their accounts on.
>
> This is an issue with my network because as soon as they are on dialup
> or iburst or ADSL elsewhere they don't have this issue.
>
> I have a 10.0.0.0/8 network which is my internal net.
> this net routes traffic through 10.0.2.1 (SNAT) which is connected to my
> DMZ 172.16.0.0/16.
> the traffic is then sent out to the world via 172.16.0.1(SNAT) over
> sentech mywireless.
>
> I have isolated the issue to being on the 172.16.0.1 machine since an
> ISDN leased line in the DMZ works 100%.
>
> Has anyone experienced similar issues using a shared NATed mywireless
> ....
>
> most of the mail comes down .... it seems to break when transmissions
> are over +-600 KB)
>
> I was told that changing the MTU for the ppp0 device to 1300 would help
> but no luck there.
>
> Also one strange thing I noticed (though I don't know TCP/IP that well)
> was the txqueuelen value of 3 for the ppp0 interface
>
> here is my kernel: 2.6.9-1.667 (FC3)
>
> here is ifconfig:
> eth0 Link encap:Ethernet HWaddr 00:03:47:71:7B:36
> inet addr:172.16.0.1 Bcast:172.16.0.255 Mask:255.255.255.0
> inet6 addr: fe80::203:47ff:fe71:7b36/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:27879849 errors:0 dropped:0 overruns:0 frame:0
> TX packets:26767743 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:669378689 (638.3 MiB) TX bytes:3461641354 (3.2 GiB)
>
> eth1 Link encap:Ethernet HWaddr 00:03:47:71:7B:37
> inet addr:10.0.7.2 Bcast:10.255.255.255 Mask:255.0.0.0
> inet6 addr: fe80::203:47ff:fe71:7b37/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:27333550 errors:0 dropped:0 overruns:0 frame:0
> TX packets:28013971 errors:1 dropped:0 overruns:0 carrier:1
> collisions:614337 txqueuelen:1000
> RX bytes:3798771770 (3.5 GiB) TX bytes:845067479 (805.9 MiB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:13651 errors:0 dropped:0 overruns:0 frame:0
> TX packets:13651 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:556916 (543.8 KiB) TX bytes:556916 (543.8 KiB)
>
> ppp0 Link encap:Point-to-Point Protocol
> inet addr:196.35.170.61 P-t-P:66.18.87.50 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
> RX packets:7595399 errors:0 dropped:0 overruns:0 frame:0
> TX packets:7622079 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:3
> RX bytes:1453866192 (1.3 GiB) TX bytes:2513716398 (2.3 GiB)
>
>
> and iptables -L:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
> DROP tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
> and mii-tool:
> eth0: negotiated 100baseTx-FD, link ok
> eth1: no autonegotiation, 10baseT-HD, link ok
>
> eth1 is the ether used to connect to the mywireless ... for routing
> purposes the ip it has assigned isn't really used ...
>
> I am using rp-pppoe I think ...
>
> Andrew Gargan
> Developer
> Interface Media (PTY) Ltd.
> Tel: 011 507 3003
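The FORWARD chain quoted above carries a "TCPMSS clamp to PMTU" rule, and the thread revolves around MTU values on ppp0 (1400 and an attempted 1300). The following is an added example, not code from either poster or from the netfilter project, that emulates what that iptables target does to a forwarded SYN: it parses the TCP option area, finds the MSS option and, if the advertised MSS exceeds what the path MTU allows (PMTU minus 20 bytes IPv4 header minus 20 bytes TCP header), rewrites it and recomputes the TCP checksum. The SYN segment, addresses and port numbers are constructed inline for the demonstration; the PMTU is passed in as a parameter, whereas the real target takes it from the route of the outgoing packet. Segments without an MSS option are left untouched here, which is a simplification of the kernel's behaviour.

```python
"""Emulate iptables' TCPMSS --clamp-mss-to-pmtu on a TCP SYN (added example)."""
import socket
import struct

TCP_PROTO = 6
IP_HDR_MIN = 20          # IPv4 header without options
TCP_HDR_MIN = 20         # TCP header without options
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN = 0x02

# Constructed sample endpoints (assumed, not from the thread).
SRC_IP, DST_IP = "10.0.0.5", "192.0.2.25"
SPORT, DPORT = 40000, 25


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IP/TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Build a SYN with options: MSS, NOP, NOP, SACK-permitted (28-byte header)."""
    opts = (struct.pack("!BBH", TCPOPT_MSS, 4, mss)
            + bytes([TCPOPT_NOP, TCPOPT_NOP]) + bytes([4, 2]))
    assert (TCP_HDR_MIN + len(opts)) % 4 == 0
    doff = (TCP_HDR_MIN + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x11223344, 0,
                      doff << 4, TH_SYN, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def find_mss_option(segment: bytes):
    """Walk the TCP option list; return the offset of the 2-byte MSS value or None."""
    doff = (segment[12] >> 4) * 4
    i = TCP_HDR_MIN
    while i < doff:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            break                      # truncated option
        length = segment[i + 1]
        if length < 2:
            break                      # malformed option, stop parsing
        if kind == TCPOPT_MSS and length == 4 and i + 4 <= doff:
            return i + 2
        i += length
    return None


def get_mss(segment: bytes):
    off = find_mss_option(segment)
    return None if off is None else struct.unpack_from("!H", segment, off)[0]


def clamp_mss_to_pmtu(src_ip: str, dst_ip: str, segment: bytes, pmtu: int):
    """Return (segment, changed). Lowers the MSS option to pmtu - 40 if it is larger."""
    if not segment[13] & TH_SYN:
        return segment, False          # the target only acts on SYN/SYN-ACK
    off = find_mss_option(segment)
    if off is None:
        return segment, False          # simplification: no option inserted
    current = struct.unpack_from("!H", segment, off)[0]
    allowed = pmtu - IP_HDR_MIN - TCP_HDR_MIN
    if current <= allowed:
        return segment, False
    seg = bytearray(segment)
    struct.pack_into("!H", seg, off, allowed)
    struct.pack_into("!H", seg, 16, 0)   # zero checksum before recomputing
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg), True


SAMPLE_SYN = build_syn(SRC_IP, DST_IP, SPORT, DPORT, 1460)  # Ethernet-sized MSS

if __name__ == "__main__":
    for pmtu in (1500, 1400, 1300):
        seg, changed = clamp_mss_to_pmtu(SRC_IP, DST_IP, SAMPLE_SYN, pmtu)
        print("pmtu=%d mss=%d changed=%s checksum_ok=%s"
              % (pmtu, get_mss(seg), changed, checksum_ok(SRC_IP, DST_IP, seg)))
```

With a ppp0 MTU of 1400 the rule rewrites the client's 1460 to 1360; with 1300 it would become 1260. The rule in the quoted config sits in FORWARD only, so it touches traffic passing through the box but not connections the 172.16.0.1 host opens itself.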