Odd issue with two SNATed Firewalls and Wireless router

ISC Jorge Ceron Galvan jorgec at acerlandslp.com.mx
Thu Aug 25 18:50:40 CEST 2005


No, that's not my real net.

let's say my real net is 1.2.3.0/24, so I have this

cisco sync0    5.6.7.9/30    (internet)
cisco eth0     1.2.3.1/24
linux eth0     1.2.3.10/24   gw 1.2.3.1

linux eth1     1.2.3.129/27
remote router  1.2.3.130/27  gw 1.2.3.129

as I understood I should be doing something like this

cisco sync0    5.6.7.9/30    (internet)
cisco eth0     1.2.3.1/27
linux eth0     1.2.3.10/27   gw 1.2.3.1

linux eth1     1.2.3.129/27
remote router  1.2.3.130/27  gw 1.2.3.129

I told you I was not using iptables because I didn't think it was part of the problem but,
as a matter of fact, I do. I'm doing NAT on eth0 using (again) 1.2.3.17/24, so linux eth0 was

linux eth0     1.2.3.10/24
linux eth0     1.2.3.17/24 secondary

and, as you say, this makes things worse, I thought; finally the right configuration would be:

cisco sync0    5.6.7.8/30    (internet)
cisco eth0     1.2.3.1/27
linux eth0     1.2.3.10/27   gw 1.2.3.1
linux eth0     1.2.3.17/27   secondary

linux eth1     1.2.3.129/27
remote router  1.2.3.130/27  gw 1.2.3.129

iptables -t nat -A POSTROUTING -o eth0 -s 10.10.2.0/24 -j SNAT --to 1.2.3.17


right? is this simpler? do you think using /24 at eth0 could be affecting the smtp?

the main problem is at 1.2.3.130: this is a small router doing NAT using 1.2.3.130, but the
pc's behind it couldn't reach an internet mail server


thx !!!!


-----Original Message-----
From: /dev/rob0 <rob0 at gmx.co.uk>
To: netfilter at lists.netfilter.org
Date: Wed, 24 Aug 2005 15:47:18 -0500
Subject: Re: Odd issue with two SNATed Firewalls and Wireless router

> On Wednesday 2005-August-24 13:43, ISC Jorge Ceron Galvan wrote:
> > I'm not doing nat because I want a real IP at my wireless client.
> >
> > cisco eth0  200.0.0.1/24
> 
> What a great netblock that is! Uh, this *is* your real IP, or did you
> munge it for posting? It's not the same as what appears in your mail 
> headers.
> 
> If you're going to munge IP addresses, you should not use a live 
> netblock. Pick something from RFC 1918 or an unassigned (bogon)
> range.
> 
> > linux eth0  200.0.0.10/24  gw 200.0.0.1/24
> 
> /24 covers 200.0.0.0 (the network address) through 200.0.0.255 (the 
> broadcast address.)
> 
> > linux eth1  200.0.0.129/27
> 
> And this is included in the eth0 network. Perhaps you should use /25 
> netmask or greater on eth0.
> 
> > remote fortinet router eth0 200.0.0.130/27   gw 200.0.0.129
> 
> I don't know what this means.
> 
> > I thought it could be a routing problem because I'm using subnet 0 at
> > eth0, and at eth1 I set up a subnet from eth0.
> 
> Yes, that is a part of the problem, I would think.
> 
> > It's not an iptables 
> > issue because I'm not using it at all. The configuration is quite
> 
> This is the netfilter list, so you're off topic here.
> 
> > simple, but I don't know whether you can subnet a class C net this
> 
> I don't know either. I generally find that doing things the right way
> works better. ;)
> 
> > way. The mail server we are trying to reach is somewhere in the
> > internet.
> >
> > I'm using a wireless AP at my side and a wireless bridge at the other
> > side; the bridge is connected directly to the fortinet router. Could
> > it be a protocol bridge problem?
> 
> 1. Check the routing
> 2. Check the routing
> 3. Check the routing
> 4. Look at packet counters, is eth1 being used at all?
> 
> replying to the OP as well:
> > -----Original Message-----
> > From: Andrew Gargan <andrew at iface.co.za>
> snip
> > > Has anyone experienced similar issues using a shared NATed
> > > mywireless ....
> > >
> > > most of the mail comes down .... it seems to break when
> > > transmissions are over +-600 KB)
> > >
> > > I was told that changing the MTU for the ppp0 device to 1300 would
> > > help but no luck there.
> 
> It does sound like a possible router MTU issue. It does not sound
> like iptables/netfilter is involved.
> 
> > > eth1      Link encap:Ethernet  HWaddr 00:03:47:71:7B:37
> > >           inet addr:10.0.7.2  Bcast:10.255.255.255  Mask:255.0.0.0
> > >           inet6 addr: fe80::203:47ff:fe71:7b37/64 Scope:Link
> > >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >           RX packets:27333550 errors:0 dropped:0 overruns:0 frame:0
> > >           TX packets:28013971 errors:1 dropped:0 overruns:0
> > > carrier:1 collisions:614337 txqueuelen:1000
> 
> That is a lot of collisions. It might not indicate a problem, but 
> likewise, it might.
> 
> > > and iptables -L:
> 
> ... is utterly useless. "iptables -vL" is better, but iptables-save(8)
> is greatly preferred.
> 
> That said, nothing indicates the likelihood of a problem with your 
> iptables rules.
> 
> > > I am using rp-pppoe I think ...
> 
> You think?
> -- 
>     mail to this address is discarded unless "/dev/rob0"
>     or "not-spam" is in Subject: header
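The addressing problem rob0 points at (a /24 on eth0 that swallows the /27 on eth1) and the /27 plan the OP proposes in reply can both be checked mechanically before touching a router. The script below is an added example, not code from either poster: it transcribes the munged 1.2.3.0/24 addresses from the thread into two plans, flags nested subnets, gateways outside their interface's subnet, and host addresses that collide with network or broadcast addresses, and then does a longest-prefix lookup from the cisco's point of view to show why 1.2.3.130 is black-holed under the original plan. The interface labels, the dict layout and the cisco routing tables are this example's own assumptions; in particular the static route for 1.2.3.128/27 via the linux box is assumed, since the thread never shows one.

```python
import ipaddress

# Address plans transcribed from the thread (the OP's munged 1.2.3.0/24 block).
# Interface labels and this dict layout are the example's own convention.
ORIGINAL_PLAN = {
    "cisco eth0": "1.2.3.1/24",
    "linux eth0": "1.2.3.10/24",
    "linux eth0 secondary": "1.2.3.17/24",
    "linux eth1": "1.2.3.129/27",
    "remote router": "1.2.3.130/27",
}

PROPOSED_PLAN = {
    "cisco eth0": "1.2.3.1/27",
    "linux eth0": "1.2.3.10/27",
    "linux eth0 secondary": "1.2.3.17/27",
    "linux eth1": "1.2.3.129/27",
    "remote router": "1.2.3.130/27",
}

# Default gateways as stated in the thread.
GATEWAYS = {"linux eth0": "1.2.3.1", "remote router": "1.2.3.129"}


def nested_subnets(plan):
    """Return sorted (outer, inner) pairs where one subnet contains a different one.

    Interfaces on one link sharing an identical subnet are fine; a subnet nested
    inside a larger one on another link is the ambiguity rob0 describes."""
    nets = {name: ipaddress.ip_interface(a).network for name, a in plan.items()}
    found = set()
    for outer, outer_net in nets.items():
        for inner, inner_net in nets.items():
            if outer_net != inner_net and inner_net.subnet_of(outer_net):
                found.add((outer, inner))
    return sorted(found)


def unreachable_gateways(plan, gateways):
    """Flag default gateways that are not inside the interface's own subnet."""
    bad = []
    for name, gw in gateways.items():
        net = ipaddress.ip_interface(plan[name]).network
        if ipaddress.ip_address(gw) not in net:
            bad.append((name, gw))
    return bad


def host_address_problems(plan):
    """Flag addresses that are the network or broadcast address of their subnet."""
    bad = []
    for name, a in plan.items():
        iface = ipaddress.ip_interface(a)
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            bad.append(name)
    return bad


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, via) tuples.

    'via' is 'connected:<ifname>' for an on-link route (the router will ARP
    for the destination itself) or a gateway IP for a static/default route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# Assumed cisco routing table under the original plan: the whole /24 is
# on-link, so 1.2.3.130 is ARPed for on eth0, where nobody answers.
CISCO_ROUTES_ORIGINAL = [("1.2.3.0/24", "connected:eth0"),
                         ("0.0.0.0/0", "connected:sync0")]

# Assumed cisco routing table under the proposed plan: only 1.2.3.0/27 is
# on-link, plus a static route for the far /27 via the linux box (an
# assumption; the thread does not show this route).
CISCO_ROUTES_PROPOSED = [("1.2.3.0/27", "connected:eth0"),
                         ("1.2.3.128/27", "1.2.3.10"),
                         ("0.0.0.0/0", "connected:sync0")]

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("proposed", PROPOSED_PLAN)):
        print(label, "nested subnets:", nested_subnets(plan))
        print(label, "unreachable gateways:", unreachable_gateways(plan, GATEWAYS))
        print(label, "network/broadcast collisions:", host_address_problems(plan))
    print("cisco -> 1.2.3.130, original:", next_hop(CISCO_ROUTES_ORIGINAL, "1.2.3.130"))
    print("cisco -> 1.2.3.130, proposed:", next_hop(CISCO_ROUTES_PROPOSED, "1.2.3.130"))
```

Under the original plan every /24 interface is reported as containing both /27 hosts, and the cisco resolves 1.2.3.130 as directly connected, which is the "check the routing" failure rob0 keeps repeating; under the /27 plan the nested-subnet list is empty and the cisco hands the packet to 1.2.3.10. The same checks confirm that the SNAT address 1.2.3.17 stays inside the cisco's /27, so the return traffic for the SNATed clients has a reachable next hop.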
