I have an IP range x.x.x.208/255.255.255.240 dsl router on 209 (no access) fw on x.x.x.210/ masq for internal network goes on 210 eth0 = loc eth1 = net eth2 = dmz
1) on Ext Int. I checked the proxy arp is on
any ideas how to configure the remaining 211-222 ? I configure them like eth1:X aliases is this correct ?
DNAT/SNAT rules forward various connection from 210-222 to the DMZ Packed rules also configured and enable accordingly.
nothing work on them (dead?!?).
2. DNS not resolving Int Loc DNS server configured in the FW like the DNS to query has also the Packed rule: Allow int. eth0 to Loc DNS srv Allow Loc DNS srv to query ISP DNS srv(s)
3. Mail relay works just inside out SMTP configured to accept for varius domain and forward to the mail srv in Loc Packet rules configured allow smtp to Eth1 Allow smtp from Eth0 to Loc Mail srv ?
With all respect, but GW in the aliases was a bad idea ... its creating additional default route for each GW in the aliases.
it cut mi off from the webadmin when I did it earlier for all range ... the login in in the console and deleting 12 additional default routes was my only solution
----
traceroute to my fw:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 my.fw.nl (10.1.3.210) 25.064 ms 29.003 ms 30.823 ms
traceroute to my .211:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 10.1.3.211 (10.1.3.211) 30.777 ms 30.672 ms 25.151 ms
traceroute to my .212:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 10.1.3.212 (10.1.3.212) 27.939 ms 19.368 ms 20.282 ms
--------------------
Proxy ARP on, gives me the same resoult
traceroute to my fw:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 my.fw.nl (10.1.3.210) 25.064 ms 29.003 ms 30.823 ms
traceroute to my .211:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 10.1.3.211 (10.1.3.211) 30.777 ms 30.672 ms 25.151 ms
traceroute to my .212:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 40.121 ms 23.843 ms 32.201 ms
8 10.1.3.212 (10.1.3.212) 23.150 ms 28.733 ms 21.283 ms
traceroute to my .213:
6 isp.provide.net (x.x.x.x) 6.521 ms 9.183 ms 8.757 ms
7 10.1.3.209 (10.1.3.209) 34.837 ms 27.235 ms 21.170 ms
8 * * *
9 * * *
10 * * *
ideas ?
P.S. dust is out of the question, completly new system [:)]
---
I made some typos, needed to re-edit the post.
You said it was slooow; but those millisecond statistics don't look bad; am I misunderstanding your statistics?
Maybe the delay is not in the packet transfer but in the name lookup?
Compare ping by name to ping by IP.
Have you tried the DNS proxy?
It won't require masquerading or rules.
Could you please state the full masquerade rule for the 10... network?
The mail server will need a DNAT rule; or just use the SMTP proxy and tell the mail relay to forward all mail to the IP address of the firewall on the mail server's LAN (it won't need rules or DNAT either).
I am going offline for a few hours. Your answers to my questions should elicit an observation from others who are experienced. Otherwise, I'll pick it up tomorrow...
One last thought: try a single IP on the external NIC (WITH a gateway) and do your traceroute tests, so we have a good baseline (i.e., we rule out that the multiple external IPs is not doing something strange...). Make a Backup before you do the changes; restore once you find out wuzzup...
I don't want that at the moment, because nothing is going outside from the DMZ starting the connection. Connections are all starting from outside and then DNZT/SNAT rules and Packet filter definitions. In case I will have something going out from the DMZ, then I will create a masq rule.
Ping to the FW works well.
I thing I found the reason why my DMZ was not responding to any request to it...
I made a test environment, a sub-net in my own network, with the same characteristics, and switched between Internal and DMZ net ... and guess what ... at one moment switching to DMZ nothing was working any more ... rules remained the same, just a quick change in Net/Hosts definitions, and 2 test DNAT/SNAT rules …
Conclusion is that during my initial testing that eth was working, so, when I was testing some rules and VPN, 2 weeks ago, was fine. During the period of migration of the current FW rules to Astaro and actual testing, the eth for DMZ went KO. [:O]
I am now ordering some new NICs. Thinking about 3c9x or Intel EtherExpress PRO/100S Desktop Adapter … today my new PowerEdge will arrive …
