Jason, I don't think that Windows clients will handle your setup correctly. You can see from your route print dump that 192.168.65.x clients assume to be alone on that segment and don't know anything about 192.168.66.y or others at first sight. What you are doing is called supernetting; you form a supernet of several 192.169.a.b nets and treat them as a whole. Cisco routers do handle this very well, I don't know about Windows clients and even if SuSEfirewall is handling this correctly... NetBIOS uses broadcasts to find other Windows PCs' resources in a network; one has to make sure that broadcasts get through a router, or one has to use other methods of Windows name resolution (WINS, DDNS in W2K and so on). Others may add their comments here, please.

One thing I would try, just to be sure: give a printout from route print from one of the 10.62.56.xx clients. Could try to add a route from there to 192.168.0.0:

route add 192.168.0.0 mask 255.255.0.0 gateway 10.62.56.252

and the other nets' clients should have:

route add 10.62.56.0 mask 255.255.255.0 gateway 192.168.66.252

HTH,
Philipp

Jason Dobbs wrote:
Ok on the 192.168.0.0 network ... I don't have a choice ... I have workstations and servers on 66.xx also have workstations on 65.xx and POS workstations on 67.xx ... Don't ask! I didn't have a choice with most of it :) ... as far as the 10.62.56.0 network ... everything is within the 56.xx range.
Windows Print Route Dump
-------------------------------------------------------
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    192.168.66.252   192.168.65.228      20
        127.0.0.0        255.0.0.0         127.0.0.1        127.0.0.1       1
      192.168.0.0      255.255.0.0    192.168.65.228   192.168.65.228      20
   192.168.65.228  255.255.255.255         127.0.0.1        127.0.0.1      20
   192.168.65.255  255.255.255.255    192.168.65.228   192.168.65.228      20
        224.0.0.0        240.0.0.0    192.168.65.228   192.168.65.228      20
  255.255.255.255  255.255.255.255    192.168.65.228   192.168.65.228       1
Default Gateway:     192.168.66.252
===========================================================================
Persistent Routes:
  None
Thank You,
Jason Dobbs
IT Manager
Westin Casuarina Casino Las Vegas
Philipp Rusch wrote:
Jason, OK, we are one step further!
To clarify: (this has been defined like that, there is no obvious technical reason for that, ok there are some reasons, but that would lead us too far)
there are classes of IP-networks:
A-class : mask /8
B-class : mask /16
C-class : mask /24

with some special addresses reserved for "private use", which means these are "unroutable" addresses in terms of internet routes; that's the reason for NAT, for instance.
OK,
10.a.b.c "normally" has to have a /8 mask (type A class); you can divide this huge network of 16*16*16 hosts into smaller nets using a /16 or a /24 mask, for instance.
172.16.m.n "normally" has to have a /16 mask (type B class), but the same concept of breaking it down into parts applies as above; you are free to do so.
192.168.x.y "normally" has to have a /24 mask (type C class), which implies that you choose the "x" and then this part of the network address is fixed for your setup.
The advantage of having a 10.a.b.c/8 network instead of a 192.168.x.y/24 is that you can have more hosts belonging to the *same* network without the need to route.
In your case, if you are still free to choose your network addresses and don't have more than 254 hosts, I would strongly recommend that you go for something like 192.168.1.x/24 on eth1 and 192.168.2.y/24 on eth2, or if you have more hosts, go for 172.16.1.x/16 on eth1 if the majority of your hosts is there and take 192.168.2.x/24 for eth2.
Next question: what are the routing entries of your Windows PCs? They have to know about the other net as well!
Post a route print example output of both networks back here.
Regards,
Philipp

Jason Dobbs wrote:
Ok here is the tracert data:
From a Windows PC (192.168.65.228) to a Windows PC (10.62.56.8)
-----------------------------------------------------------------
  1    <1 ms    <1 ms    <1 ms  192.168.66.252
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
/var/log/messages
-----------------------------------------------------------------
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24065 ]
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1246 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1531 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24321 ]
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1247 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1532 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24577 ]
Apr 6 04:22:48 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1534 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24833
Apr 6 04:22:52 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1577 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25089
Apr 6 04:22:56 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1579 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25345
Apr 6 04:23:01 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1581 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25601
Apr 6 04:23:05 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1589 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25857
Apr 6 04:23:10 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=2 ID=1591 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26113
Apr 6 04:23:14 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1593 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26369
Apr 6 04:23:19 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1597 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26625
Apr 6 04:23:23 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=1599 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26881
Apr 6 04:23:28 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1601 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27137
Apr 6 04:23:32 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27393
Apr 6 04:23:37 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=4 ID=1607 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27649
Apr 6 04:23:41 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=5 ID=1609 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27905
192.168.66.252 is the gateway for the 192.168.0.0/16 network. 10.62.56.252 is the gateway for the 10.62.56.0/24 network.
As far as your note on /16 and /24 ... maybe I have them backwards! I thought 192.168.0.0 was /16 and 10.62.56.0 was /24!!!!!! <-- Please clarify this!

Thank You,
Jason Dobbs
IT Manager
Westin Casuarina Casino Las Vegas
Philipp Rusch wrote:
Hello Jason, OK, I see ... what about my note about /16 and /24 masks? Do you *have* to do it like that?
When you leave both FW_MASQ_NETS="" (empty) and FW_FORWARD="" (empty) and do a traceroute from a host on eth1 to a host on eth2 or vice versa, what do you see in the firewall logs in /var/logs/messages?

Let's get this to work,
Philipp

Jason Dobbs wrote:
Kernel IP routing table
Destination     Gateway         Genmask           Flags Metric Ref    Use Iface
<public ip>     0.0.0.0         255.255.255.128   U     0      0        0 eth0
10.62.56.0      0.0.0.0         255.255.255.0     U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.0.0       U     0      0        0 eth1
0.0.0.0         <public gw>     0.0.0.0           UG    0      0        0 eth0

IP forwarding is turned on in YaST!

Thank You,
Jason Dobbs
IT Manager
Westin Casuarina Casino Las Vegas
p. 702.836.5939 f. 270.913.7462 mailto: jdobbs@casuarinacasino.com
Philipp Rusch wrote:
Hi Jason, what is your routing table looking like? Post route -nv back here. Are you routing at all? (set ip_forward=yes in YAST)

Other comments inline ...

Jason Dobbs wrote:
> --SNIP ---
> FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24
> 192.168.0.0/16,<mail server ip>/32 10.62.56.0/24,<mail server
> ip>/32"

^ this (192.168.65.224/27) and this (192.168.0.0/16) ^ is redundant: 192.168.65.224/27 is completely contained in the 192.168.0.0/16 network, which means all 192.168."something" nets ... you know that normally a 192.168.x.y net is a /24-type network and a 10.x.y.z has a /16 type mask ??
--SNIP--
> FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535
> 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
> 192.168.0.0/16,10.62.56.0/24,udp,1:65535
> 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
> 192.168.0.0/16,10.62.56.0/24,icmp
> 10.62.56.0/24,192.168.0.0/16,icmp"
> FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800
> 0/0,192.168.65.227,tcp,5900 \
> 0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
What are you trying to do here? If routing just doesn't work then forwarding doesn't help that much ...

I think something different is causing your troubles than missing entries here; seems you did too much work, it is normally quite simple, what you try to do :-)

Regards from Germany,
Philipp
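Added here as an illustration, not code from either poster: a Python script that performs the longest-prefix-match lookup the Windows stack makes over the route print table Jason posted earlier in the thread (showing that 10.62.56.8 falls to the default gateway while 192.168.66.x is treated as on-link), and that flags FW_MASQ_NETS source entries already covered by a wider net, which is the redundancy Philipp points at above. The redacted <mail server ip> is replaced with the TEST-NET placeholder 192.0.2.25.

```python
import ipaddress

# Constructed from the 'route print' output posted in the thread:
# (destination, netmask, gateway, interface, metric).
WINDOWS_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "192.168.66.252", "192.168.65.228", 20),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",      "127.0.0.1",       1),
    ("192.168.0.0",     "255.255.0.0",     "192.168.65.228", "192.168.65.228", 20),
    ("192.168.65.228",  "255.255.255.255", "127.0.0.1",      "127.0.0.1",      20),
    ("192.168.65.255",  "255.255.255.255", "192.168.65.228", "192.168.65.228", 20),
    ("224.0.0.0",       "240.0.0.0",       "192.168.65.228", "192.168.65.228", 20),
    ("255.255.255.255", "255.255.255.255", "192.168.65.228", "192.168.65.228",  1),
]

# The quoted FW_MASQ_NETS value; 192.0.2.25 is a constructed placeholder for
# the <mail server ip> that was redacted in the post.
MASQ_NETS = ("192.168.65.224/27 10.62.56.0/24 "
             "192.168.0.0/16,192.0.2.25/32 10.62.56.0/24,192.0.2.25/32")

def lookup(dest, routes=WINDOWS_ROUTES):
    """Longest prefix wins, lowest metric breaks ties (as the Windows stack does).
    Returns (network, gateway, on_link); on_link means the host ARPs for the
    destination itself instead of handing the packet to a gateway."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if addr in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, network, gw, iface)
    _, network, gw, iface = best          # the 0.0.0.0/0 entry always matches
    return str(network), gw, gw == iface

def redundant_masq_nets(spec=MASQ_NETS):
    """(inner, outer) pairs where a source net is already covered by a wider
    source net in the same list.  SuSEfirewall2 entries are space separated,
    each 'net[,dest[,proto[,port]]]'; only the leading net matters here."""
    nets = []
    for entry in spec.split():
        net = ipaddress.ip_network(entry.split(",")[0], strict=False)
        if net not in nets:
            nets.append(net)
    return [(str(a), str(b)) for a in nets for b in nets if a != b and a.subnet_of(b)]

if __name__ == "__main__":
    for dst in ("10.62.56.8", "192.168.66.252", "192.168.65.228"):
        print(dst, "->", lookup(dst))
    print("redundant FW_MASQ_NETS entries:", redundant_masq_nets())
```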