I recently installed a new server in my home network. I can ping the server from my workstation and vice versa. I have a DMZ (Astaros eth2 Interface) but currently this box is in the Internal (eth1) network.
Problem:
I can't create a ssh session to my astaro box from that server (of course ssh from my workstation is working). SSH is allowed for "Internal (Network)". I neither can ping a server in my DMZ nor in the internet whereas I CAN ping those server from any other already installed machine in the same net (like my workstation).
This is the servers interface
Code:
eth0 Link encap:Ethernet HWaddr 00:10:4B:48:52:18
inet addr:192.168.20.87 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::210:4bff:fe48:5218/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1317 errors:0 dropped:0 overruns:0 frame:0
TX packets:1536 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:124796 (121.8 Kb) TX bytes:141992 (138.6 Kb)
Interrupt:17 Base address:0xd400
My Routing Table on that box seems to be correct (.20.100 is Astaros Internal Network Interface).
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.20.0 * 255.255.255.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 192.168.20.100 0.0.0.0 UG 0 0 0 eth0
So far so good... Now I had the idea to have a look at my Packet Filter Live Log an found this entry while I was trying to SSH from the Server to Astaro.
Code:
02:33:35 192.168.20.87 32769 -> 192.168.20.100 22 TCP 60 64 Spoofing MAC 00:10:5a[[:D]]6:16:84:00 -> 10:4b:48:52:18:08:00
Due to "Spoofing MAC" all packets from that box passing the Router are dropped but what the heck does that mean? Why is this spoofing going on? I think 10:4b:48:52:18:08:00 would match the MAC Addr. of eth0 of the server... and 00:10:5a[[:D]]6:16:84:00 looks like the HWaddr. of eth2 of my Astaro Box. As already said, eth2 represents my DMZ and has its own network that has nothing to do with this Internal Network-Setup (in my opinion).
This is an entry while pinging an internet host by its FQDN
Code:
03:10:22 192.168.20.87 32768 -> 192.168.20.100 53 UDP 20 46 64 Spoofing MAC 00:10:5a[[:D]]6:16:84:00 -> 10:4b:48:52:18:08:00
03:10:23 192.168.20.87 Echo request -> 192.168.30.100 ICMP 84 63 Spoofing MAC ->
And this while pinging an internethost by its IP
Code:
03:11:20 192.168.20.87 Echo request -> 192.168.30.100 ICMP 84 63 Spoofing MAC ->
03:11:21 192.168.20.87 Echo request -> 194.25.2.129 ICMP 84 63 Spoofing MAC ->
Finally eth2 of my Astaro Box:
Code:
eth2 Link encap:Ethernet HWaddr 00:10:5A[:D]6:16:84
inet addr:192.168.30.100 Bcast:192.168.30.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:88 errors:0 dropped:0 overruns:0 frame:0
TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:8501 (8.3 Kb) TX bytes:960 (960.0 b)
Interrupt:11 Base address:0xec00
After all, I thought it might have something to do with my DMZ, so I took down eth2 by brute force (ifconfig eth2 down)... Guess what: Ping and SSH suddenly worked like a charm.
Now I have come to the point that my DMZ setup must be faulty.
I have no static routes defined. What follows is my MASQ Setup:
Code:
MASQ_T-DSL Internal (Network) -> All / All MASQ__External None
MASQ_T-DSL_DMZ DMZ (Network) -> All / All MASQ__External None
NAT_FTP_DMZ_FTP_SERVER Any -> External (Address) / Group_FTP None DMZ_FTP_SERVER
NAT_HTTPS_DMZ_WWW_SERVER Any -> External (Address) / HTTPS None DMZ_WWW_SERVER
NAT_HTTP_DMZ_WWW_SERVER Any -> External (Address) / HTTP None DMZ_WWW_SERVER
What's wrong? And why is everything running fine except this new box?
The Astaro Version is 5.011.
This thread was automatically locked due to age.
