How to tell if VLAN is not NAT’d


This topic contains 24 replies, has 0 voices, and was last updated by  wifiguy 9 years, 11 months ago.

Viewing 11 posts - 16 through 26 (of 26 total)
    #49655

    wifiguy
    Member

    The second I add ETH00 back to the NAT Enabled Interfaces, I can then ping the gateway and get out to the outside. The only thing that worries me is that once behind our WAN port (in our test environment) I have no routing set up for vlan74 or 90, and right now those interfaces can also get out to the outside world...

    #49656

    ppalias
    Member

    Yes, I can take a peek at the config file.
    Give me the output of

    ifconfig -a
    #49657

    wifiguy
    Member

    @ppalias wrote:

    Yes, I can take a peek at the config file.
    Give me the output of

    ifconfig -a

    Thanks, I sure appreciate it!

    root@fw root> ifconfig -a
    DEFAULTBR Link encap:Ethernet HWaddr 32:3D:B4:0E:B0:76
    BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    ETH00 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3A
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:14517 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6022 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2429059 (2.3 Mb) TX bytes:671540 (655.8 Kb)
    Interrupt:16

    ETH00:00 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3A
    inet addr:81.181.1.254 Bcast:81.181.255.255 Mask:255.255.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:16

    ETH01 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:13382 errors:0 dropped:0 overruns:0 frame:0
    TX packets:34468 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1287156 (1.2 Mb) TX bytes:39614484 (37.7 Mb)
    Interrupt:17

    ETH01.20 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    ETH01.20: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:172.30.0.1 Bcast:172.30.255.255 Mask:255.255.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01.30 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:252 (252.0 b)

    ETH01.30: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01.70 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    ETH01.70: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:152.93.0.1 Bcast:152.93.255.255 Mask:255.255.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01.74 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:276 errors:0 dropped:0 overruns:0 frame:0
    TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:28154 (27.4 Kb) TX bytes:99970 (97.6 Kb)

    ETH01.74: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:74.116.16.1 Bcast:74.116.19.255 Mask:255.255.252.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01.90 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:210 errors:0 dropped:0 overruns:0 frame:0
    TX packets:132 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:16301 (15.9 Kb) TX bytes:12834 (12.5 Kb)

    ETH01.90: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:206.10.124.128 Bcast:206.10.124.159 Mask:255.255.255.224
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01:00 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:17

    VPN99 Link encap:Ethernet HWaddr 00:FF:74:4A:11:BB
    BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    dummy0 Link encap:Ethernet HWaddr 3E:5C:B4:5D:AB:E0
    inet addr:192.168.141.142 Bcast:192.168.141.255 Mask:255.255.255.0
    BROADCAST NOARP MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    dummy1 Link encap:Ethernet HWaddr 22:29:A6:79:AC:A8
    inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
    UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:346 errors:0 dropped:0 overruns:0 frame:0
    TX packets:346 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:31403 (30.6 Kb) TX bytes:31403 (30.6 Kb)

    root@fw root> exit

    #49658

    ppalias
    Member

    OK, first clear any entries

    iptables -t nat -F

    then insert the rules followed by the rule

    iptables -t nat -I POSTROUTING 1 -i lo -o ETH00 -j MASQUERADE 

    Try to ping, browse, fetch mail and then paste here the output of

    iptables -t nat -L -v
    iptables -L -v
    iptables -t mangle -L -v
    traceroute www.yahoo.com
    #49659

    wifiguy
    Member

    @ppalias wrote:

    OK, first clear any entries

    iptables -t nat -F

    then insert the rules followed by the rule

    iptables -t nat -I POSTROUTING 1 -i lo -o ETH00 -j MASQUERADE 

    Try to ping, browse, fetch mail and then paste here the output of

    iptables -t nat -L -v
    iptables -L -v
    iptables -t mangle -L -v
    traceroute www.yahoo.com

    So, it would look something like this?
    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 -i lo -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 -i lo -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 -i lo -o ETH00 -j MASQUERADE

    Is that what you mean?

    #49660

    wifiguy
    Member

    We are getting a "you cannot use I with post routing" error message.

    #49661

    ppalias
    Member

    Don’t use

    iptables -t nat -I POSTROUTING 1 -i lo -o ETH00 -j MASQUERADE 

    3 times.
    If you still have a problem I will try to simulate it in my lab this weekend as it looks very weird to me.

    #49662

    wifiguy
    Member

    I still have not been able to get this to work. I would love to use this as our firewall, but so far I can't get certain VLANs not to be NAT'd.

    #49663

    ppalias
    Member

    I admit that I totally neglected it, my apologies. I will find some time in the forthcoming weekend to do it.

    #49664

    wifiguy
    Member

    I appreciate this. Thank you!

    #49665

    ppalias
    Member

    Okay, good news.
    I tried the scenario. It seems to be working fine for me.

    As you can see in the picture (or here if you cannot see it clearly), in the upper left window is the command I gave to ZS to allow only one subnet to NAT out of ETH00.
    In the middle left window are the 2 pings I ran. The one towards 10.14.149.3 was initially not NATed and then I enabled NAT. You can see the change in the Wireshark window on the right. The source address changed from 192.168.20.2 (not NATed) to 10.14.149.25 (ETH00 address of ZS). In the lower left window is a tcpdump of another PC which accepted a ping from the other VLAN of ZS, 192.168.30.2, and it never changed its source IP address.
    So, to conclude, the iptables command is correct:

    iptables -t nat -I POSTROUTING --src 192.168.20.0/24 -o ETH00 -j MASQUERADE

    This ensures that 192.168.20.0/24 is NATed when it goes out of the ETH00 interface. Anything else goes out without NAT.
    My iptables output on ZS is:

    root@zeroshell root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 374 packets, 53544 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 171 packets, 14385 bytes)
    pkts bytes target prot opt in out source destination
    11 924 MASQUERADE all -- any ETH00 192.168.20.0/24 anywhere
    171 14385 SNATVS all -- any any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 55 packets, 4641 bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination
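A way to answer the thread's question ("is this VLAN NAT'd?") from the `iptables -t nat -L -v` listing itself, as an added example that is not part of the original thread or of Zeroshell: the parser below reads a constructed POSTROUTING listing modelled on the one above and walks the rules (including jumps into user chains such as SNATVS) to decide whether a given source host leaving ETH00 would hit a MASQUERADE or SNAT rule. It only models source-subnet and outgoing-interface matches, which is all the rules on this page use.

```python
import ipaddress

# Constructed sample, modelled on the POSTROUTING listing in the post above.
# 192.168.20.0/24 and 172.30.0.0/16 are masqueraded out of ETH00; the jump to
# Zeroshell's SNATVS chain is present but that chain holds no rules here.
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 171 packets, 14385 bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   924 MASQUERADE all  --  any    ETH00   192.168.20.0/24      anywhere
    0     0 MASQUERADE all  --  any    ETH00   172.30.0.0/16        anywhere
  171 14385 SNATVS     all  --  any    any     anywhere             anywhere

Chain SNATVS (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""


def parse_nat_table(listing):
    """Map chain name -> list of (target, out_if, source network) in rule order."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or column header
        target, out_if, src = cols[2], cols[6], cols[7]
        net = ipaddress.ip_network("0.0.0.0/0" if src == "anywhere" else src)
        chains[current].append((target, out_if, net))
    return chains


def _walk(chains, chain, ip, out_if):
    """First-match walk of one chain; follows jumps into user chains."""
    for target, rule_out, net in chains.get(chain, []):
        if rule_out not in ("any", out_if) or ip not in net:
            continue
        if target in ("MASQUERADE", "SNAT"):
            return True
        if target in chains and _walk(chains, target, ip, out_if):
            return True  # a user chain (e.g. SNATVS) that itself NATs
    return False


def is_natted(listing, host_ip, out_if="ETH00"):
    """True if traffic from host_ip leaving out_if is source-NATed."""
    return _walk(parse_nat_table(listing), "POSTROUTING",
                 ipaddress.ip_address(host_ip), out_if)
```

Run it against the real listing by replacing SAMPLE_LISTING with the captured output; a host from a VLAN you expect to stay un-NATed should return False.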