* RE: Problem Found! - Firewall Rule
@ 2003-06-06 0:56 George Vieira
2003-06-06 6:52 ` Ray Leach
2003-06-09 3:35 ` John Paul
0 siblings, 2 replies; 7+ messages in thread
From: George Vieira @ 2003-06-06 0:56 UTC (permalink / raw)
To: John Paul, netfilter
[-- Attachment #1: Type: text/plain, Size: 1446 bytes --]
Your local IP is the same as the remote networks IP.. so how is the local machine to know that 192.168.0.55 or 66 or 32 is on the VPN!?
The only way I know is to proxyarp the ppp device that the vpn is running on.. I'm assuming it's PPTP so you could try this command when the VPN comes up :
echo 1 > /proc/sys/net/ipv4/conf/$VPNDEV/proxy_arp
and this must be done on the VPN server too..
I've never done it this way with a VPN.. but you can only try it..
I'm surprised that anything really works properly the way you've done it because the firewall has 2 network devices with the same IP range.
Thanks,
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd Systems Manager georgev AT citadelcomputer DOT com DOT au
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698 <http://www.citadelcomputer.com.au/> http://www.citadelcomputer.com.au
-----Original Message-----
From: John Paul [mailto:john@pinoylinux.sytes.net]
Sent: Friday, June 06, 2003 9:56 AM
To: netfilter@lists.netfilter.org
Subject: Problem Found! - Firewall Rule
Hello Folks, its me again :(
Below is my config. My problem is, I can connect to VPN but for some reason, I cannot see machines inside the network after being connected. Can somebody give me the simpliest firewall rule on this? just for me to see the machines inside the network.
Thanks!
/JP
[-- Attachment #2: Type: text/html, Size: 5483 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: Problem Found! - Firewall Rule
2003-06-06 0:56 Problem Found! - Firewall Rule George Vieira
@ 2003-06-06 6:52 ` Ray Leach
2003-06-09 3:35 ` John Paul
1 sibling, 0 replies; 7+ messages in thread
From: Ray Leach @ 2003-06-06 6:52 UTC (permalink / raw)
To: Netfilter Mailing List
[-- Attachment #1: Type: text/plain, Size: 1997 bytes --]
On Fri, 2003-06-06 at 02:56, George Vieira wrote:
> Your local IP is the same as the remote networks IP.. so how is the
> local machine to know that 192.168.0.55 or 66 or 32 is on the VPN!?
>
> The only way I know is to proxyarp the ppp device that the vpn is
> running on.. I'm assuming it's PPTP so you could try this command when
> the VPN comes up :
> echo 1 > /proc/sys/net/ipv4/conf/$VPNDEV/proxy_arp
You can also use the netfilter P-O-M route patch, which allows you to
redirect traffic via different interfaces (route) based on regular
iptables conditions (-s, -d, -p, etc).
>
> and this must be done on the VPN server too..
> I've never done it this way with a VPN.. but you can only try it..
>
> I'm surprised that anything really works properly the way you've done
> it because the firewall has 2 network devices with the same IP range.
>
> Thanks,
>
>
>
> ____________________________________________
> George Vieira
> Citadel Computer Systems Pty Ltd Systems Managergeorgev AT
> citadelcomputer DOT com DOT au
> Citadel Computer Systems Pty Ltd
> Phone : +61 2 9955 2644HelpDesk: +61 2 9955 2698
> http://www.citadelcomputer.com.au
>
>
> -----Original Message-----
> From: John Paul [mailto:john@pinoylinux.sytes.net]
> Sent: Friday, June 06, 2003 9:56 AM
> To: netfilter@lists.netfilter.org
> Subject: Problem Found! - Firewall Rule
>
>
> Hello Folks, its me again :(
>
> Below is my config. My problem is, I can connect to VPN but for some
> reason, I cannot see machines inside the network after being
> connected. Can somebody give me the simpliest firewall rule on this?
> just for me to see the machines inside the network.
>
> Thanks!
> /JP
>
--
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Problem Found! - Firewall Rule
2003-06-06 0:56 Problem Found! - Firewall Rule George Vieira
2003-06-06 6:52 ` Ray Leach
@ 2003-06-09 3:35 ` John Paul
2003-06-09 3:46 ` firewall bridge , Vlan ? loong
1 sibling, 1 reply; 7+ messages in thread
From: John Paul @ 2003-06-09 3:35 UTC (permalink / raw)
To: George Vieira, netfilter
[-- Attachment #1: Type: text/plain, Size: 1904 bytes --]
Thanks George. I have modified my network to (10.10.0.0/24).
Now, I'am able to ping the machines inside the network after connected to the VPN. The problem now is, I'm not able to map/see machines in Network Neighborhood except the VPN server.
Any clue?
----- Original Message -----
From: George Vieira
To: John Paul ; netfilter@lists.netfilter.org
Sent: Friday, June 06, 2003 8:56 AM
Subject: RE: Problem Found! - Firewall Rule
Your local IP is the same as the remote networks IP.. so how is the local machine to know that 192.168.0.55 or 66 or 32 is on the VPN!?
The only way I know is to proxyarp the ppp device that the vpn is running on.. I'm assuming it's PPTP so you could try this command when the VPN comes up :
echo 1 > /proc/sys/net/ipv4/conf/$VPNDEV/proxy_arp
and this must be done on the VPN server too..
I've never done it this way with a VPN.. but you can only try it..
I'm surprised that anything really works properly the way you've done it because the firewall has 2 network devices with the same IP range.
Thanks,
____________________________________________
George Vieira
Citadel Computer Systems Pty LtdSystems Managergeorgev AT citadelcomputer DOT com DOT au
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644HelpDesk: +61 2 9955 2698http://www.citadelcomputer.com.au
-----Original Message-----
From: John Paul [mailto:john@pinoylinux.sytes.net]
Sent: Friday, June 06, 2003 9:56 AM
To: netfilter@lists.netfilter.org
Subject: Problem Found! - Firewall Rule
Hello Folks, its me again :(
Below is my config. My problem is, I can connect to VPN but for some reason, I cannot see machines inside the network after being connected. Can somebody give me the simpliest firewall rule on this? just for me to see the machines inside the network.
Thanks!
/JP
[-- Attachment #2: Type: text/html, Size: 7210 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* firewall bridge , Vlan ?
2003-06-09 3:35 ` John Paul
@ 2003-06-09 3:46 ` loong
2003-06-09 10:08 ` Cedric Blancher
0 siblings, 1 reply; 7+ messages in thread
From: loong @ 2003-06-09 3:46 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 2851 bytes --]
hi
is there anywhere install bridge firewall and install vlan
http://www.candelatech.com/~greear/vlan.html
so that my firewall can run like netscreen without using hug or switch to my webserver.
currently is
internet -- > eth0 firewall eth1 -- > hub ------> webserver 1
------> webserver 2
is that anywhere i install few network card in my firewall then
internet ---> eth0 firewall eth1 ----> webserver 1
eth2 -----> webserver 2
eth3 -----> webserver 3
thanks
loong
----- Original Message -----
From: John Paul
To: George Vieira ; netfilter@lists.netfilter.org
Sent: Monday, June 09, 2003 11:35 AM
Subject: Re: Problem Found! - Firewall Rule
Thanks George. I have modified my network to (10.10.0.0/24).
Now, I'am able to ping the machines inside the network after connected to the VPN. The problem now is, I'm not able to map/see machines in Network Neighborhood except the VPN server.
Any clue?
----- Original Message -----
From: George Vieira
To: John Paul ; netfilter@lists.netfilter.org
Sent: Friday, June 06, 2003 8:56 AM
Subject: RE: Problem Found! - Firewall Rule
Your local IP is the same as the remote networks IP.. so how is the local machine to know that 192.168.0.55 or 66 or 32 is on the VPN!?
The only way I know is to proxyarp the ppp device that the vpn is running on.. I'm assuming it's PPTP so you could try this command when the VPN comes up :
echo 1 > /proc/sys/net/ipv4/conf/$VPNDEV/proxy_arp
and this must be done on the VPN server too..
I've never done it this way with a VPN.. but you can only try it..
I'm surprised that anything really works properly the way you've done it because the firewall has 2 network devices with the same IP range.
Thanks,
____________________________________________
George Vieira
Citadel Computer Systems Pty LtdSystems Managergeorgev AT citadelcomputer DOT com DOT au
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644HelpDesk: +61 2 9955 2698http://www.citadelcomputer.com.au
-----Original Message-----
From: John Paul [mailto:john@pinoylinux.sytes.net]
Sent: Friday, June 06, 2003 9:56 AM
To: netfilter@lists.netfilter.org
Subject: Problem Found! - Firewall Rule
Hello Folks, its me again :(
Below is my config. My problem is, I can connect to VPN but for some reason, I cannot see machines inside the network after being connected. Can somebody give me the simpliest firewall rule on this? just for me to see the machines inside the network.
Thanks!
/JP
[-- Attachment #2: Type: text/html, Size: 11103 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: firewall bridge , Vlan ?
2003-06-09 3:46 ` firewall bridge , Vlan ? loong
@ 2003-06-09 10:08 ` Cedric Blancher
0 siblings, 0 replies; 7+ messages in thread
From: Cedric Blancher @ 2003-06-09 10:08 UTC (permalink / raw)
To: loong; +Cc: netfilter
Le lun 09/06/2003 à 05:46, loong a écrit :
> is there anywhere install bridge firewall and install vlan
> http://www.candelatech.com/~greear/vlan.html
This works very well.
> so that my firewall can run like netscreen without using hug or
> switch to my webserver.
You'll still have to use at leat one switch.
> currently is
> internet -- > eth0 firewall eth1 -- > hub ------> webserver 1
> ------> webserver
> 2
>
> is that anywhere i install few network card in my firewall then
>
> internet ---> eth0 firewall eth1 ----> webserver 1
> eth2 ----->
> webserver 2
> eth3 ----->
> webserver 3
Your physical setup will be like this :
Internet -> eth0/Firewall/eth1 -> switch -> Web1
-> Web2
You can also have :
Firewall/eth0 -> switch -> Internet
-> Web1
-> Web2
But I don't recommand this setup as it relies too much on switch
security features.
So, you connect eth1 to your switch. This switch must support VLAN and
802.1q frame tagging. On the switch, configure the port connected to
eth0 as a 802.1q port (called trunk on Cisco). Now, affect one VLAN to
Web1 port, and another one to Web2 port, etc... Eth0's port will carry
all affected VLANs (see you switch documentation).
Now, on your firewall, use vconfig to create virtual interfaces
associated to each VLAN you want to see through the 802.1q link.
Suppose Web1 is on VLAN1, Web2 on VLAN2 :
vconfig add eth0 1
vconfig add eth0 2
This will create vlan0001 and vlan0002 interfaces trhough which you'll
see respectively Web1's traffic and Web2's traffic.
See vconfig man page for further information.
Now, this solution is very scalable as you can add as many VLAN as you
want on your switch. You just have to add them to the 802.1q link and
create proper interface on the firewall. Then you configure your routing
and filtering between those vlan* interfaces just you way you're use to
between physical ones (eth*). Note that eth1 will see 802.1q tagged
frames.
But beware to the fact that this kind of network separation directly
depends on your switch security. If one is able to gain access to the
switch or find a way to bypass it, you loose everything relying on
VLANs. See :
http://www.arp-sk.org/doc/bh-us-02-convrey-switches.pdf
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 7+ messages in thread
* RE: Problem Found! - Firewall Rule
@ 2003-06-09 4:22 George Vieira
0 siblings, 0 replies; 7+ messages in thread
From: George Vieira @ 2003-06-09 4:22 UTC (permalink / raw)
To: John Paul, netfilter
The only solution to this is to make the VPN server or the other network be the master browser of that network.. so it handles all the netbios broadcasts and all.
Once this is done, setup samba on the remote firewall to do a "remote announce = 10.10.255.255" onto your network... something like that.. it's been a while since I've done this..
Though this must be the VPN server that runs the master browser because broadcasts DO NOT ROUTE so it can't be done with a server inside the VPN servers network..
give that a try. static mappings should work though as long as you know what your looking for.
-----Original Message-----
From: John Paul [mailto:john@pinoylinux.sytes.net]
Sent: Mon 09-Jun-03 1:35 PM
To: George Vieira; netfilter@lists.netfilter.org
Cc:
Subject: Re: Problem Found! - Firewall Rule
^ permalink raw reply [flat|nested] 7+ messages in thread
* Problem Found! - Firewall Rule
@ 2003-06-05 23:56 John Paul
0 siblings, 0 replies; 7+ messages in thread
From: John Paul @ 2003-06-05 23:56 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 2049 bytes --]
Hello Folks, its me again :(
Below is my config. My problem is, I can connect to VPN but for some reason, I cannot see machines inside the network after being connected. Can somebody give me the simpliest firewall rule on this? just for me to see the machines inside the network.
Thanks!
/JP
PC1 (192.168.0.20) ----> gateway(LinuxServer) <-------------------> internet <--------------------> VPN Server
eth0 : 1.1.1.1 eth0 : 2.2.2.2
eth1 : 192.168.0.1 local ip: 192.168.0.10
remote ip: 192.168.0.180-200
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
PC1 is already connected to the VPN server. PC1 ip now becomes;
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.253
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.10
PPP adapter Sytes.Net:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.180
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.0.180
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
202.163.246.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.0.180 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 202.163.246.1 0.0.0.0 UG 0 0 0 ppp0
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[-- Attachment #2: Type: text/html, Size: 6026 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2003-06-09 10:08 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2003-06-06 0:56 Problem Found! - Firewall Rule George Vieira
2003-06-06 6:52 ` Ray Leach
2003-06-09 3:35 ` John Paul
2003-06-09 3:46 ` firewall bridge , Vlan ? loong
2003-06-09 10:08 ` Cedric Blancher
-- strict thread matches above, loose matches on Subject: below --
2003-06-09 4:22 Problem Found! - Firewall Rule George Vieira
2003-06-05 23:56 John Paul
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox