I have an IP range x.x.x.208/255.255.255.240 dsl router on 209 (no access) fw on x.x.x.210/ masq for internal network goes on 210 eth0 = loc eth1 = net eth2 = dmz
1) on Ext Int. I checked the proxy arp is on
any ideas how to configure the remaining 211-222 ? I configure them like eth1:X aliases is this correct ?
DNAT/SNAT rules forward various connection from 210-222 to the DMZ Packed rules also configured and enable accordingly.
nothing work on them (dead?!?).
2. DNS not resolving Int Loc DNS server configured in the FW like the DNS to query has also the Packed rule: Allow int. eth0 to Loc DNS srv Allow Loc DNS srv to query ISP DNS srv(s)
3. Mail relay works just inside out SMTP configured to accept for varius domain and forward to the mail srv in Loc Packet rules configured allow smtp to Eth1 Allow smtp from Eth0 to Loc Mail srv ?
SMTP proxy fixed ... no many f* rules... removed anything related to SMTP ... read it somewhere that SMTP proxy is managing him self [:O]
This is my current setup: Astaro 4.0.21 dsl router: 1.1.3.209 (no access)
Internal: eth0 192.168.1.1/255.255.255.0 External: eth1 1.1.3.210/255.255.255.0 Gateway: 1.1.3.209 On Eth1 I have an ip pool 1.1.1.3.208/28, hosts from 1.1.3.210-222 They are all configured like 'Additional address on Ethernet interface' Netmask 255.255.255.255 with Gateway: none DMZ: eth2 10.1.1.1/255.255.255.0
Is DMZ_Web_serv's gateway set to Astaro?
Turn on all ICMP (menu choice after packetfilter rules) temporarily and see what traceroute says is the slowest leg...
I have at the moment ShoreWall FW running on Debian. So I just migrated the rules, no changes to the rest of the network was nessesery, besides on Exchange for smtp delivery.
Strange thing is that even if I enable ping and traceroute, Astaro does not reply ! He can ping everything Internal Lan can ping and traceroute outside put not from the Net to the FW ...
The traceroute from the internet stops at the DSL router ... I even did something like this for testing: Allow Any-> { traceroute } -> Group_Of_All_External_Aliases nothing ...
Login to the console did the job .... deleting manualy the default routes and leaving just one ...
Its strange that nobody has a clue !!?! Astaro are you reading this ? For paying this amount of $$$$ with the manual just for the home user, 200+ pages of pics, sorry but is frustrating..
If this is a production environment, that should be made clear from the get go so I do not suggest things that might disrupt you (and you should work with an Astaro Support Partner in person). If it is not, you really are going to need a lot more patience working on this! Let's face it: these boards are a primitive communication medium. Since I can't 'see' what is going on, I have to start with some assumptions as to what is going on on your end, and sometimes those assumptions can be wrong (example: once I spent ten posts talking to somebody until we found out that they had plugged their Internet connection into both their clean AND dirty interfaces!). So we have to be patient and ask what is going on...
To resume: Is each of the external IP's gateway's set to the DSL router??
If it is, I wonder if your DSL router is not amused with your external addresses sharing the same MAC...
Can you ping the router from the console of the firewall? (all ICMP options on; assuming that the router is pingable; some are not by default...)
Can you or your ISP ping the firewall from the router?
With all respect, but GW in the aliases was a bad idea ... its creating additional default route for each GW in the aliases.
it cut mi off from the webadmin when I did it earlier for all range ... the login in in the console and deleting 12 additional default routes was my only solution
----
traceroute to my fw:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 my.fw.nl (10.1.3.210) 25.064 ms 29.003 ms 30.823 ms
traceroute to my .211:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 10.1.3.211 (10.1.3.211) 30.777 ms 30.672 ms 25.151 ms
traceroute to my .212:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 10.1.3.212 (10.1.3.212) 27.939 ms 19.368 ms 20.282 ms
--------------------
Proxy ARP on, gives me the same resoult
traceroute to my fw:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 my.fw.nl (10.1.3.210) 25.064 ms 29.003 ms 30.823 ms
traceroute to my .211:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 10.1.3.211 (10.1.3.211) 30.777 ms 30.672 ms 25.151 ms
traceroute to my .212:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 40.121 ms 23.843 ms 32.201 ms
8 10.1.3.212 (10.1.3.212) 23.150 ms 28.733 ms 21.283 ms
traceroute to my .213:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 * * *
9 * * *
10 * * *
ideas ?
P.S. dust is out of the question, completly new system [:)]
---
I made some typos, needed to re-edit the post.
You said it was slooow; but those millisecond statistics don't look bad; am I misunderstanding your statistics?
Maybe the delay is not in the packet transfer but in the name lookup?
Compare ping by name to ping by IP.
Have you tried the DNS proxy?
It won't require masquerading or rules.
Could you please state the full masquerade rule for the 10... network?
The mail server will need a DNAT rule; or just use the SMTP proxy and tell the mail relay to forward all mail to the IP address of the firewall on the mail server's LAN (it won't need rules or DNAT either).
I am going offline for a few hours. Your answers to my questions should elicit an observation from others who are experienced. Otherwise, I'll pick it up tomorrow...
One last thought: try a single IP on the external NIC (WITH a gateway) and do your traceroute tests, so we have a good baseline (i.e., we rule out that the multiple external IPs is not doing something strange...). Make a Backup before you do the changes; restore once you find out wuzzup...
