Routing issue

From: Peter Boosten (niemand_at_nergens.loc)
Date: 03/04/05


Date: Fri, 4 Mar 2005 08:25:07 +0000 (UTC)

All,

I have an issue with my routing:

Our network layout can be found here:

http://boosten.dyndns.org/tijdelijk/image001.gif

I manage two LANs, each connected to the internet via an OpenBSD
firewall (firewall 1 and firewall 2). These LANs are connected through a
third party VPN. This VPN only routes traffic between 192.168.2/24 and
192.168.3/24.

For that purpose I added a routing entry on both firewall 1 and 2
(because they are the default gateway for anything connected to the LAN):

on firewall 1: route add 192.168.3.0 192.168.2.254
on firewall 2: route add 192.168.2.0 192.168.3.254

This works perfectly for the 192.168.3/24 LAN (in short: 3-LAN). If they try to
connect to anything on the 192.168.2/24 LAN (2-LAN), the OpenBSD box redirects
them to the VPN router.

This doesn't work however on the 2-LAN. They get replies
whenever pinging something on the 3-LAN, but connecting to
anything doesn't work.

There is however something different on the 2-LAN: there is
another LAN connected (200-LAN through 192.168.201/24). Firewall 3 is a
NetScreen firewall (it has a specific purpose there).

Because some machines in the 200-LAN need access to the machines in the
3-LAN (for administrative purposes) and users in the 3-LAN need to
access machines in the 200-LAN, and our third party VPN does not
route traffic other than between the 2-LAN and the 3-LAN, I've created
some NAT-rules on firewall 1 ($int_if = 192.168.2.1):

binat on $int_if from 192.168.200.4 to any -> 192.168.2.249
binat on $int_if from 192.168.200.6 to any -> 192.168.2.252
binat on $int_if from 192.168.200.7 to any -> 192.168.2.251

Tracerouting from the 2-LAN to the 3-LAN always mentions 192.168.2.249
in its output.

For now, I've created some static routes on machines in the 2-LAN that
need to communicate with machines in the 3-LAN.

Can anyone help me with this issue? Are these NAT rules responsible for
this strange behaviour?

Thanks in advance.

Regards, Peter

-- 
Statisticians probably do it.
 
MSN/Mail: pboosten at hotmail dot com
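The following is an added example, not part of Peter's post and not OpenBSD or pf code: a small Python model of what firewall 1 does with the route entry and the three binat rules listed above. It applies pf's bidirectional binat mapping first, then a longest-prefix-match route lookup, and flags the case in which a router sends an ICMP redirect (packet leaves through the interface it arrived on and the original source shares that link with the next hop). The 2-LAN, 3-LAN and binat addresses are those from the post; the default gateway, the route towards the 200-LAN and the sample host addresses are constructed placeholders.

```python
"""Model of firewall 1's binat + routing decision (added example, constructed)."""
import ipaddress

# $int_if = 192.168.2.1 per the post; this is its connected network.
INT_IF_NET = ipaddress.ip_network("192.168.2.0/24")

# Firewall 1 routing table, longest prefix match. The 192.168.3.0 entry is the
# "route add 192.168.3.0 192.168.2.254" from the post. A gateway of None means
# the destination is on-link on $int_if.
FW1_ROUTES = [
    (ipaddress.ip_network("192.168.2.0/24"), None),
    (ipaddress.ip_network("192.168.3.0/24"), "192.168.2.254"),
    # CONSTRUCTED: firewall 3's inside address is not given in the post.
    (ipaddress.ip_network("192.168.200.0/24"), "192.168.2.253"),
    # CONSTRUCTED: external default gateway (TEST-NET address).
    (ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1"),
]

# binat on $int_if rules from the post: one-to-one, bidirectional mappings.
FW1_BINAT = {
    "192.168.200.4": "192.168.2.249",
    "192.168.200.6": "192.168.2.252",
    "192.168.200.7": "192.168.2.251",
}
BINAT_REVERSE = {alias: host for host, alias in FW1_BINAT.items()}


def lookup_route(dst):
    """Return the next-hop gateway for dst, or None when dst is on-link."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in FW1_ROUTES if addr in net]
    _net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw


def translate(src, dst):
    """pf binat is bidirectional: a 200-LAN source leaving $int_if gets its
    2-LAN alias, and a packet addressed to an alias is rewritten back to the
    200-LAN host before the routing decision."""
    return FW1_BINAT.get(src, src), BINAT_REVERSE.get(dst, dst)


def forward(src, dst):
    """Process one packet arriving on $int_if.

    Returns (src_after_nat, dst_after_nat, next_hop, redirect_sent)."""
    src_t, dst_t = translate(src, dst)
    hop = lookup_route(dst_t)
    # RFC 1812 s.5.2.7.2: redirect only when the packet goes back out the same
    # interface and the ORIGINAL source is on the same link as the next hop.
    # This is the "redirects them to the VPN router" behaviour from the post;
    # a 200-LAN source never qualifies, because it is not on 192.168.2/24.
    redirect = (hop is not None
                and ipaddress.ip_address(src) in INT_IF_NET
                and ipaddress.ip_address(hop) in INT_IF_NET)
    return src_t, dst_t, hop, redirect


if __name__ == "__main__":
    # Sample host addresses below are constructed.
    for pkt in [("192.168.2.10", "192.168.3.5"),    # 2-LAN host -> 3-LAN
                ("192.168.200.4", "192.168.3.5"),   # 200-LAN host -> 3-LAN
                ("192.168.3.5", "192.168.2.249")]:  # 3-LAN reply to an alias
        print(pkt, "->", forward(*pkt))
```

Running it shows the asymmetry that the post describes only in words: a 2-LAN host sending to the 3-LAN is forwarded to 192.168.2.254 and receives a redirect, while a 200-LAN host's traffic is forwarded to the same hop under its 192.168.2.24x alias without any redirect, and replies to that alias are un-translated before they are routed.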

