Network / Firewall-masqerading Problem
Dieter Demerre
RH5.1 Firewall
one segment intranet (192.168.127.*)
clients on intranet = WinNT/95, MacOS7.5, Linux RH50/51
one segment Internet (194.78.86.64/28)
2NICS 3c509 (UTP)
ifconfig
--------
eth0 Link encap:Ethernet
inet addr:194.78.86.66 Bcast:194.78.86.96
Mask:255.255.255.224
Interrupt:11 Base address:0x210
eth1 Link encap:Ethernet
inet addr:192.168.127.254 Bcast:192.168.127.255
Mask:255.255.255.0
Interrupt:10 Base address:0x300
route
-----
Destination Gateway Genmask Flags Metric Ref Use
Iface
194.78.86.64 0.0.0.0 255.255.255.224 U 0 0 179
eth0
192.168.127.0 0.0.0.0 255.255.255.0 U 0 0 284
eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 9
lo
0.0.0.0 194.78.86.65 0.0.0.0 UG 0 0 656
eth0
ipfwadm -F -l -n
----------------
IP firewall forward rules, default policy: deny
type prot source destination ports
acc/m all 192.168.127.45 0.0.0.0/0 n/a
acc/m all 192.168.127.1 0.0.0.0/0 n/a
acc/m all 192.168.127.4 0.0.0.0/0 n/a
Apache http-proxy installed
--- end configuration information ---
Now on this gateway machine I can always ping the Internet-connection
port 194.78.86.65 with satisfying respons.
On the machines of the intranet I can always ping this gateway
(192.168.127.254).
The problem is
Sometimes (without apparent reason, at random interval (or so it
seems)), I can't reach some machines on the intranet anymore, while
these can reach the gateway.
i.e.
on machine 192.168.127.1 I do
ping 192.168.127.254 and it responds (always) with correct transmission
on machine 192.168.127.2 I do
ping 192.168.127.1 and it responds (always) with correct transmission
BUT
on these returning occasions of problem,
on machine 192.168.127.254 (the gateway) I do
ping 192.168.127.1 and it DOES NOT respond at all.
while
ping 192.168.127.2 does respond.
The same scenario can occur with the other machines (concurrently or
not).
This problem causes the firewall/masquerading server not to respond to
requests of the clients (192.168.127.1), which puts our Internet
connectivity at a dead-end.
I already replaced NIC's, I replaced cables (UTP). Didn't help.
apparently, the Mac machine never causes any problem.
the intranet. All other machines, on occasion, are unreachable by the
gateway so they can't reach the Internet themselves.
All help urgently requested
and of course greatly appreciated
Much regards !
--
**** Groetjes vanwege ****** Greetings From ****
Dieter Demerre - mailto:ddem...@privacy.fgov.be
ace
I had a similar problem once, but this was when using BNC, when I changed to
TP it worked out just fine.
--
ace
ace
--
ace
Lorne Shantz
out there that have defective drivers. You might consider getting a
different brand nic and try that. ??
> I already replaced NIC's, I replaced cables (UTP). Didn't help.
>
David Wilburn
> You don't mention what brand of NIC you are using. There are a couple
> out there that have defective drivers. You might consider getting a
> different brand nic and try that. ??
> Dieter Demerre wrote:
>> 2NICS 3c509 (UTP)
I've got a 509b myself. I would have to believe that it is the best
10bt ISA card in existence.
-Bug
--
* David Wilburn, a.k.a. "Bug"
* JMU Computer Science Student
* Boycott naugahyde! Save the naugas!
Dieter Demerre
192.168.127.2 (and put 192.168.127.254 as alias on eth1:0). Now it
seems to work again (for the moment. Could this mean the driver doesn't
like an ip-addres 254 ?
--
**** Groetjes vanwege ****** Greetings From ****
http://ace.ulyssis.student.kuleuven.ac.be/~dede/
David Wilburn
> I changed my configuration (back) to
> 192.168.127.2 (and put 192.168.127.254 as alias on eth1:0). Now it
> seems to work again (for the moment. Could this mean the driver doesn't
> like an ip-addres 254 ?
Um...last time I checked, 254 was a valid host IP. Unless, of course,
you are using subnets designed for job security, like having the host
portion on the leftmost nibble and the network portion on the
rightmost nibble (with maybe a random digit flipped just to increase
the obscurity and confusion). I somehow doubt that this is your
situation, though. Therefore, I have no idea why it doesn't like 254.
Dieter Demerre
>
> Dieter Demerre <ddem...@acm.org> babbled:
> > I changed my configuration (back) to
> > 192.168.127.2 (and put 192.168.127.254 as alias on eth1:0). Now it
> > seems to work again (for the moment. Could this mean the driver doesn't
> > like an ip-addres 254 ?
>
> Um...last time I checked, 254 was a valid host IP. Unless, of course,
> you are using subnets designed for job security, like having the host
> portion on the leftmost nibble and the network portion on the
> rightmost nibble (with maybe a random digit flipped just to increase
> the obscurity and confusion). I somehow doubt that this is your
> situation, though. Therefore, I have no idea why it doesn't like 254.
In quite an obscure way, my problems had to do sth with IP-address. The
machine and configuration stated above (and in previous mails in the
thread) was originaly configured on
192.168.127.2 == 194.78.86.66
Here the firewall masquerading options worked fine together with the
proxy-server in Apache.
Then a day I decided that a router/gateway would be nicer to have the
highest ip-address in the subnet (like a non-spoken or de-facto
aggrement states). I changed IP-addresses in the intranet (192.168.x.x
portion) to 192.168.127.254
From that moment on the problems referred to earlier started. Since I
didn't believe it could have sth to do with the change of IP-address, I
checked almost everything else (as was nicely suggested by some of you).
In a discussion with Wim Crolls, I finally decided to return the
original ip-addresses (192.168.127.2), and apparently everything's ok
again.
Can anybody explain the reason for my former problems ? Is this a fault
in the 3c509-driver, I don't think so since it started with a ne2000
adapter. So it should be in the tcp/ip-part. But this I don't believe
since it would have been recognised much earlier.