wifiguy

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 27 total)
    in reply to: How to tell if VLAN is not NAT’d #49664

    wifiguy
    Member

    I appreciate this. Thank you!

    in reply to: How to tell if VLAN is not NAT’d #49662

    wifiguy
    Member

    I still have not been able to get this to work. I would love to use this as our firewall, but so far I can’t get certain VLANs not to be NAT’d.

    in reply to: How to tell if VLAN is not NAT’d #49660

    wifiguy
    Member

    We are getting a “cannot use -i with POSTROUTING” error message.

    in reply to: How to tell if VLAN is not NAT’d #49659

    wifiguy
    Member

    @ppalias wrote:

    ok first clear any entries

    iptables -t nat -F

    then insert the rules followed by the rule

    iptables -t nat -I POSTROUTING 1 -i lo -o ETH00 -j MASQUERADE 

    Try to ping, browser, fetch mails and then paste here the output of

    iptables -t nat -L -v
    iptables -L -v
    iptables -t mangle -L -v
    traceroute www.yahoo.com

    So, it would look something like this?
    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 -i lo -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 -i lo -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 -i lo -o ETH00 -j MASQUERADE

    Is that what you mean?

    in reply to: How to tell if VLAN is not NAT’d #49657

    wifiguy
    Member

    @ppalias wrote:

    Yes I can take a peek at the config file.
    Give me the output of

    ifconfig -a

    Thanks, I sure appreciate it!

    root@fw root> ifconfig -a
    DEFAULTBR Link encap:Ethernet HWaddr 32:3D:B4:0E:B0:76
    BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    ETH00 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3A
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:14517 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6022 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:2429059 (2.3 Mb) TX bytes:671540 (655.8 Kb)
    Interrupt:16

    ETH00:00 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3A
    inet addr:81.181.1.254 Bcast:81.181.255.255 Mask:255.255.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:16

    ETH01 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:13382 errors:0 dropped:0 overruns:0 frame:0
    TX packets:34468 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:1287156 (1.2 Mb) TX bytes:39614484 (37.7 Mb)
    Interrupt:17

    ETH01.20 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    ETH01.20: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:172.30.0.1 Bcast:172.30.255.255 Mask:255.255.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01.30 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:252 (252.0 b)

    ETH01.30: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01.70 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    ETH01.70: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:152.93.0.1 Bcast:152.93.255.255 Mask:255.255.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01.74 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:276 errors:0 dropped:0 overruns:0 frame:0
    TX packets:355 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:28154 (27.4 Kb) TX bytes:99970 (97.6 Kb)

    ETH01.74: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:74.116.16.1 Bcast:74.116.19.255 Mask:255.255.252.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01.90 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:210 errors:0 dropped:0 overruns:0 frame:0
    TX packets:132 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:16301 (15.9 Kb) TX bytes:12834 (12.5 Kb)

    ETH01.90: Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:206.10.124.128 Bcast:206.10.124.159 Mask:255.255.255.224
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

    ETH01:00 Link encap:Ethernet HWaddr 00:1C:23:E1:53:3B
    inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    Interrupt:17

    VPN99 Link encap:Ethernet HWaddr 00:FF:74:4A:11:BB
    BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    dummy0 Link encap:Ethernet HWaddr 3E:5C:B4:5D:AB:E0
    inet addr:192.168.141.142 Bcast:192.168.141.255 Mask:255.255.255.0
    BROADCAST NOARP MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    dummy1 Link encap:Ethernet HWaddr 22:29:A6:79:AC:A8
    inet addr:192.168.142.142 Bcast:192.168.142.255 Mask:255.255.255.255
    UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:346 errors:0 dropped:0 overruns:0 frame:0
    TX packets:346 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:31403 (30.6 Kb) TX bytes:31403 (30.6 Kb)

    root@fw root> exit

    in reply to: How to tell if VLAN is not NAT’d #49655

    wifiguy
    Member

    The second I add ETH00 back to the NAT Enabled Interfaces, I can then ping the gateway and get out to the outside. The only thing that worries me is that once behind our WAN port (in our test environment) I have no routing set up for vlan74 or 90, and right now those interfaces can also get out to the outside world...

    in reply to: How to tell if VLAN is not NAT’d #49654

    wifiguy
    Member

    I am stumped... We use this same config (minus the WAN IP) on a production router that we have, and all works well.

    Any way you would be willing to take a peek at our config file?

    in reply to: How to tell if VLAN is not NAT’d #49653

    wifiguy
    Member

    @ppalias wrote:

    There seems to be something wrong with the interfaces you are using, as the iptables command is correct.

    -t nat = apply this command in “nat” table.
    -I POSTROUTING 1 = install this command in POSTROUTING chain in line 1
    --src x.x.x.x/yy = the source IP is x.x.x.x/yy
    -o ETH00 = the output interface is “ETH00”
    -j MASQUERADE = masquerade the source IP with the IP of the interface ETH00

    How so? What would be wrong with the interfaces?

    in reply to: How to tell if VLAN is not NAT’d #49651

    wifiguy
    Member

    @ppalias wrote:

    Okay remove the ETH00 from the “NAT Enabled Interfaces”. Then add a specific iptables command.


    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE

    Ok. So I have tried this several ways.

    Way 1:
    ETH01, ETH01.20, ETH01.30 and ETH01.70 in the NAT Enabled Interfaces, with the following iptables rules.

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 152.93.0.0/16 -o eth1.70 -j MASQUERADE

    The iptables -t nat -L -v result is:

    root@fw root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 22 packets, 2606 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 38 packets, 2966 bytes)
    pkts bytes target prot opt in out source destination
    37 3430 SNATVS all -- any any anywhere anywhere
    3 704 MASQUERADE all -- any ETH01 anywhere anywhere
    0 0 MASQUERADE all -- any ETH01.20 anywhere anywhere
    0 0 MASQUERADE all -- any ETH01.30 anywhere anywhere
    0 0 MASQUERADE all -- any ETH01.70 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 41 packets, 3670 bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination
    I also tried it with no interfaces in the NAT Enabled Interfaces, using the following iptables rules:

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
    iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE

    The output of iptables -t nat -L -v:

    root@fw root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 194 packets, 16902 bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 243 packets, 18350 bytes)
    pkts bytes target prot opt in out source destination
    0 0 MASQUERADE all -- any eth1.70 152.93.0.0/16 anywhere
    0 0 MASQUERADE all -- any eth1.30 192.168.1.0/24 anywhere
    0 0 MASQUERADE all -- any eth1.20 172.30.0.0/16 anywhere
    0 0 MASQUERADE all -- any ETH00 172.30.0.0/16 anywhere
    0 0 MASQUERADE all -- any ETH00 192.168.1.0/24 anywhere
    0 0 MASQUERADE all -- any ETH00 152.93.0.0/16 anywhere
    239 18110 SNATVS all -- any any anywhere anywhere

    Chain OUTPUT (policy ACCEPT 70 packets, 5525 bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    Either way, it appears as though it’s not NAT’ing anything. I can’t get out from behind interfaces ETH01.20, .30, or .70 that are supposed to be NAT’d.

    Thoughts?

    in reply to: How to tell if VLAN is not NAT’d #49649

    wifiguy
    Member

    @ppalias wrote:

    First of all which one is the WAN interface…

    ETH00

    in reply to: How to tell if VLAN is not NAT’d #49647

    wifiguy
    Member

    @ppalias wrote:

    There is a huge mixup here. ZS is NATing everything going out of interface ETH00 and you are trying to NAT some VLANs on interface ETH01. Firstly make sure which interface is the outside and then remove the general NAT that ZS does on interface ETH00.

    I guess I am confused on how to make ZS view my ETH00 as the WAN port, make ETH01, ETH01.20, ETH01.30 and ETH01.70 NAT’d behind ETH00, and make ETH01.74 and ETH01.90 not NAT’d.

    How should my Router > NAT page look? I have had ETH00 in the “NAT Enabled Interfaces”; that’s when everything appears to be NAT’d. I have also had ETH01, ETH01.20, ETH01.30 and ETH01.70 in there, leaving ETH00 out.

    Not sure what I am doing wrong.

    in reply to: How to tell if VLAN is not NAT’d #49645

    wifiguy
    Member

    Alright, here is the output from the iptables -t nat -L -v command.

    root@fw root> iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 9173 packets, 1528K bytes)
    pkts bytes target prot opt in out source destination

    Chain POSTROUTING (policy ACCEPT 40 packets, 3240 bytes)
    pkts bytes target prot opt in out source destination
    4134 311K SNATVS all -- any any anywhere anywhere
    4098 308K MASQUERADE all -- any ETH00 anywhere anywhere

    Chain OUTPUT (policy ACCEPT 3949 packets, 300K bytes)
    pkts bytes target prot opt in out source destination

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    *****Edit*****
    Here are our pre-boot iptables commands, just so you have them also. The commands below should not cause vlan74 to be NAT’d, correct?

    iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
    iptables -t nat -I POSTROUTING 1 --src 152.93.0.0/16 -o eth1.70 -j MASQUERADE
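
The rule sets in this post and in #49651 and #49653 above differ only in which interface -o names and in whether ETH00 is also in the GUI's NAT list, and the listings record the effect: the blanket ETH00 rule counts every outbound packet, while the -o eth1.* rules count zero. The Python script below is an added example for this thread, not Zeroshell code and not anything posted by wifiguy or ppalias. It models just enough of the nat/POSTROUTING chain (first match wins, -o compared against the interface the routing decision picked, -I CHAIN N inserting before the current rule N, -i refused) to replay those rule sets against a routing table rebuilt from the ifconfig output posted above. The default route via ETH00, treating ETH00 in "NAT Enabled Interfaces" as a single -o ETH00 -j MASQUERADE rule, and the per-VLAN host addresses are assumptions made for the example.

```python
"""iptables nat/POSTROUTING model written for this thread (not Zeroshell's code).
Replays the posted rule sets against a routing table rebuilt from the ifconfig
output above. Assumed: ETH00 holds the default route; ETH00 in "NAT Enabled
Interfaces" acts like one '-o ETH00 -j MASQUERADE' rule; hosts are constructed."""
import ipaddress
import shlex

ROUTES = [  # connected routes from ifconfig, plus the assumed default via ETH00
    ("172.30.0.0/16", "ETH01.20"), ("192.168.1.0/24", "ETH01.30"),
    ("152.93.0.0/16", "ETH01.70"), ("74.116.16.0/22", "ETH01.74"),
    ("206.10.124.128/27", "ETH01.90"), ("10.0.0.0/8", "ETH01"),
    ("0.0.0.0/0", "ETH00"),
]

def out_iface(dst):
    """Longest-prefix match: the interface a packet to dst is routed out of."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n).prefixlen, i) for n, i in ROUTES
            if dst in ipaddress.ip_network(n)]
    return max(hits)[1]

def parse_rule(cmd):
    """Parse 'iptables -t nat -I POSTROUTING [N] [--src CIDR] -o IF -j TARGET'.
    Returns (insert position, rule). -i is refused because POSTROUTING runs after
    the routing decision, where there is no input interface left to match on."""
    argv = shlex.split(cmd)
    pos, rule = 1, {"src": None, "out": None, "target": None}
    i = 1  # skip the 'iptables' word
    while i < len(argv):
        opt, arg = argv[i], argv[i + 1] if i + 1 < len(argv) else None
        if opt == "-t" and arg == "nat":
            i += 2
        elif opt == "-I" and arg == "POSTROUTING":
            i += 2
            if i < len(argv) and argv[i].isdigit():
                pos, i = int(argv[i]), i + 1
        elif opt in ("-s", "--src", "--source"):
            rule["src"], i = ipaddress.ip_network(arg), i + 2
        elif opt in ("-o", "--out-interface"):
            rule["out"], i = arg, i + 2
        elif opt in ("-i", "--in-interface"):
            raise ValueError("Can't use -i with POSTROUTING")
        elif opt == "-j":
            rule["target"], i = arg, i + 2
        else:
            raise ValueError("unsupported in this model: " + opt)
    return pos, rule

def build_chain(cmds):
    """'-I CHAIN N' inserts before the current rule N, so three successive
    '-I POSTROUTING 1' commands are listed in reverse order of entry."""
    chain = []
    for cmd in cmds:
        pos, rule = parse_rule(cmd)
        if not 1 <= pos <= len(chain) + 1:
            raise ValueError("Index of insertion too big: " + cmd)
        chain.insert(pos - 1, rule)
    return chain

def masqueraded(chain, src, dst):
    """1-based index of the first MASQUERADE rule matching src -> dst, or None
    when the packet leaves un-NATed. -o compares the exact, case-sensitive name."""
    oif, src_ip = out_iface(dst), ipaddress.ip_address(src)
    for n, rule in enumerate(chain, 1):
        if rule["out"] is not None and rule["out"] != oif:
            continue
        if rule["src"] is not None and src_ip not in rule["src"]:
            continue
        if rule["target"] == "MASQUERADE":
            return n
    return None

GUI_BLANKET = ["iptables -t nat -I POSTROUTING 1 -o ETH00 -j MASQUERADE"]
PREBOOT = [  # pre-boot commands as posted: VLAN as -o, lower-case 'eth1.*' names
    "iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADE",
    "iptables -t nat -I POSTROUTING 1 --src 192.168.1.0/24 -o eth1.30 -j MASQUERADE",
    "iptables -t nat -I POSTROUTING 1 --src 152.93.0.0/16 -o eth1.70 -j MASQUERADE",
]
PER_SOURCE = [  # ppalias's rules, with ETH00 removed from "NAT Enabled Interfaces"
    "iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE",
    "iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE",
    "iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE",
]
HOSTS = {"vlan20": "172.30.0.10", "vlan30": "192.168.1.10", "vlan70": "152.93.0.10",
         "vlan74": "74.116.16.10", "vlan90": "206.10.124.130"}  # constructed hosts
INTERNET = "198.51.100.1"  # TEST-NET-2 address standing in for www.yahoo.com

def report(cmds):
    """Which rule (if any) masquerades each VLAN's Internet-bound traffic."""
    chain = build_chain(cmds)
    return {name: masqueraded(chain, ip, INTERNET) for name, ip in HOSTS.items()}

if __name__ == "__main__":
    for label, cmds in ("GUI blanket", GUI_BLANKET), ("pre-boot", PREBOOT), ("per-source", PER_SOURCE):
        print(label, report(cmds))
```

Running it reproduces the three outcomes the listings above record. With ETH00 in the GUI list every VLAN is masqueraded, including 74 and 90 with their public addresses, which is the concern raised in #49655. The pre-boot rules masquerade nothing, for two independent reasons: Internet-bound traffic leaves on ETH00, not on the VLAN subinterface named in -o, and eth1.20 and ETH01.20 are different names to the kernel, so even a correctly-cased -o ETH01.20 rule would not match. The per-source -o ETH00 rules masquerade exactly 172.30/16, 192.168.1/24 and 152.93/16 and leave the other two VLANs routed untouched. The -i lo variant from #49659 is refused at parse time, which is the error reported in #49660.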

    in reply to: How to tell if VLAN is not NAT’d #49644

    wifiguy
    Member

    I’ll run the above command from the server when I get back to the office on Monday.

    Thanks all,

    in reply to: How to tell if VLAN is not NAT’d #49642

    wifiguy
    Member

    @ppalias wrote:

    1) Make sure eth1 is the wan interface.
    2) Print here the output of

    iptables -t nat -L -v

    Does Eth1 have to be the WAN port? Can it be Eth0?

    in reply to: VLAN to VLAN blocked routing not working (SOLVED) #49565

    wifiguy
    Member

    @marcelo wrote:

    Hmmm, not sure if you really can block communication with the native VLAN, but only between non-native vlans, but I may be wrong.

    I have this new rule set up to block traffic from vlan20 and vlan30

    DROP all opt -- in ETH01.20 out ETH01.30 0.0.0.0/0 -> 0.0.0.0/0
    DROP all opt -- in ETH01.30 out ETH01.20 0.0.0.0/0 -> 0.0.0.0/0

    Traffic is still able to pass between those two vlans. 😕
