
On Wednesday 18 May 2005 07:23, Ken Schneider wrote:
On Wed, 2005-05-18 at 06:42 -0700, Merton Campbell Crockett wrote:
On Tue, 17 May 2005, Mark A. Taff wrote:
All,
I sure hope someone can enlighten me. I am having a weird routing issue. Everything works OK, except I can't access the external interface from a machine on my internal network.
In addition, you have a weird network configuration.
See network map pdf at http://www.marktaff.com/network.map.pdf See output of `ifconfig` and `route` below.
From any internal (192.168...) machine, I can't ping/ssh liberty1-ext, but I can ping/ssh to liberty1-int.
From each internal machine, I can reach all the other internal machines, and the router's external IP, but not liberty1's external IP.
There is no need to reach the router's external IP (internally), only the internal IP. Let the router do the job it was designed for, route traffic.
From outside my private network, I can ping/ssh liberty1-ext just fine.
I want to be able to access the machine
Which one, liberty1? You just stated that you can ping/ssh liberty1-ext.
via liberty1-ext both at home and while traveling, yet still be able to access the private network from liberty1 via the liberty1-int interface.
Could the problem be my hub? Do I need to replace it with a switch, or perhaps a separate router? Seems like the hub should work?
No. The problem seems to be in your logic. If you can access liberty1 from the internet, you can then access all of the internal machines via eth1. Let the router handle the connection to liberty1 via port forwarding. I believe the D-Link can handle this; I know Linksys routers can. Port forward ssh from the router to liberty1-int but no other ports, unless needed for other services, and then you can set up a VPN tunnel to further protect any traffic between your internet connection and liberty1. Then you can eliminate the liberty1-ext interface and the hub by having the cable modem connect directly to the D-Link WAN port.
-- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
"The day Microsoft makes something that doesn't suck is probably the day they start making vacuum cleaners." -Ernst Jan Plugge
Thanks for the help. I understand that if I can access liberty1 from the internet, then I can access every other host on my internal network. Here is what I want to be able to accomplish:

Liberty1 will be running sshd, apache, mysql, postgresql, subversion, possibly a mail server, and maybe from time to time remote X (just 'cause it impresses Windows users ;-). It will also serve as a file server (using fish/ssh in KDE). Liberty1 is to be a development server.

Here's the issue: I will be hanging lots of stuff on this box, with many layers of abstraction. At the base, I need to be able to connect with the same connection string, regardless of whether I am at work, at home, or traveling. I also need full access to the internal network from liberty1, hence the reason I put liberty1-int in the machine. This is because liberty1 serves as my backup machine, i.e. if something goes wrong with my laptop, I like having liberty1 be fully functional to help me fix my laptop.

Currently, I have liberty1-int and liberty1-ext defined in /etc/hosts with the internal and external IP addresses, respectively. So at home I need `ssh root@liberty1-int`, and at work `ssh root@liberty1-ext`. Just forwarding all ports on the router to point to liberty1 can be done, but then I lose the ability to host any services on any of the other machines on my network. Further, the router has unreasonable limitations built in, such as a max of 10 (I think) firewall rules (not counting the default deny).

I really don't care if I have to access liberty1 via liberty1-int when I'm at home and via liberty1-ext when elsewhere, PROVIDED I can always use the same connection parameters, and don't have to tell the computer I'm at home. Perhaps my logic is flawed. Certainly wouldn't be the first time. ;-)

Thanks again for all your help.

-- Mark A. Taff
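One way to get the "same connection parameters at home and on the road" that Mark asks for, without forwarding every port to liberty1: let the client pick liberty1-int or liberty1-ext itself from the address it currently holds. This is an added example written for this thread, not something Mark or Ken posted. It assumes the home LAN is 192.168.0.0/16 (the thread only says "192.168..."), that both names are in /etc/hosts as Mark describes, and a Linux client with `ip route`; the script name `liberty1.sh` is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not from the thread: choose liberty1-int on the home LAN and
# liberty1-ext everywhere else, so the ssh command line never changes.
# Assumptions (hypothetical): home LAN is 192.168.0.0/16; liberty1-int and
# liberty1-ext resolve via /etc/hosts as described in the thread.

# Map the client's own address to the liberty1 name it should use.
# Anything outside 192.168.0.0/16 (including "unknown") falls through to the
# external name, which is the safe default when we cannot tell where we are.
pick_liberty1_target() {
    case "$1" in
        192.168.*) echo liberty1-int ;;
        *)         echo liberty1-ext ;;
    esac
}

# Ask the kernel which source address it would use to reach the LAN.
# Prints an empty string when there is no such route (e.g. on a hotel network).
local_address() {
    ip -4 route get 192.168.1.1 2>/dev/null \
        | sed -n 's/.*src \([0-9.][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Usage:  ./liberty1.sh -l root        (any extra ssh options are passed through)
# The guard keeps the ssh call from running when this file is sourced.
if [ "${0##*/}" = "liberty1.sh" ]; then
    exec ssh "$@" "$(pick_liberty1_target "$(local_address)")"
fi
```

The port-forward Ken describes (only ssh from the router's WAN side to liberty1-int) stays in place for the external path; the script only decides which name to dial, so the other machines on the LAN keep their own ports free. Newer OpenSSH clients can express the same choice in `~/.ssh/config` with a `Match host liberty1 exec "..."` block and `HostName` set per match, which avoids the wrapper script.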