[CS-FSLUG] (SOLVED) Routing Issue

Don Parris parrisdc at gmail.com
Sun Feb 5 09:02:47 CST 2012


Hi all, I just wanted to pass on an update.  I finally resolved this
routing issue just now.  It was my NAT filtering on my router's security
page.  I can now access the external IP from behind my router.  :-)  I was
looking right at it but not seeing it.  Just something goofy to embarrass
myself I guess.

On Thu, Feb 2, 2012 at 16:04, Josiah Ritchie <josiah at josiahritchie.com> wrote:

> Build your own router. You can get some nice kits with an ALIX motherboard
> and then install pfsense for some great power. I'm running a few of these
> and I'm very pleased with them. Don, you can search for some pics and stuff
> on my Google Plus page. I've posted my most recent build over there. I
> haven't tried what you're doing on it, but I'm sure you could tweak it as
> it has iptables under that hood. It's strong, it's fun and it's open source
> software.
>
> JSR/
>
>
> On Thu, Feb 2, 2012 at 3:02 PM, Don Parris <parrisdc at gmail.com> wrote:
>
>> Thanks Tim,
>>
>> I should have remembered to put the router in - it's a Linksys WRT54g.  I
>> have used it before and am quite certain I was able to do the u-turn thing
>> before.  It doesn't offer iptables at all (or at least not any interface to
>> that), although my CentOS server does.  Even with the iptables turned off
>> temporarily, I still could not do the u-turn.  I am positive I did this
>> before with this same router.  I am actually considering upgrading the
>> router - this one is ancient and I would like one that supports IPv6 as
>> well as IPv4.
>>
>> I am open to recommendations on such a router as well.
>>
>>
>> On Thu, Feb 2, 2012 at 13:39, Tim Young <Tim.Young at lightsys.org> wrote:
>>
>>> Some routers support this, others do not.  So this could be a router
>>> issue, not just a routing issue.
>>>
>>> What is happening is this.  From inside your network on your client
>>> computer, you attempt to access the external interface.  The local computer
>>> compares the destination IP address and netmask with its own IP address and
>>> determines that the destination IP is not local.  So, it sends it to the
>>> firewall (gateway).  The gateway, upon receiving the packet, realizes that
>>> it needs to port-forward the packet back to the internal server.  The
>>> return packet then goes from the server, back through the reverse NAT, and
>>> then back inside to your client computer.  The issue is probably occurring
>>> inside the firewall when it first gets a packet from the client.
>>>
>>> Many firewalls on the port forwarding side of things only forward
>>> packets that come from the Internet.  They do not have rules that look for
>>> packets with the source on the inside.  The packets from the client are
>>> usually masqueraded to the outside world (so the source IP appears to be
>>> 174.96.151.128 to the outside).  All sorts of odd things could occur based
>>> on how the iptables rules are configured, which order they are in, etc.
>>>
>>> Anyway.  Most likely your issue is an iptables issue on your firewall.
>>> Is that a Linux box, or something else?  Do you have the ability to
>>> hand-edit the iptables rules, or are they simply generated by a GUI?  When
>>> you say "you have done this before", was that with this router with this
>>> configuration, or was that using a different router/firewall?
>>>
>>>    - Tim Young
>>>
>>>
>>> On 2/2/2012 11:35 AM, Don Parris wrote:
>>>
>>>> Guys,
>>>>
>>>> I have a routing issue.  I am fairly certain it is a routing issue.  I
>>>> have configured my CentOS 6.2 server to provide SSH and WWW service.  I can
>>>> connect to the server via the internal IP (192.168*).  I can likewise
>>>> connect to the server via the external IP, but only from outside the LAN.
>>>> What I cannot do is connect to the external IP from inside my LAN.  I have
>>>> done this several times before, but right now am just really confused.
>>>>
>>>> Router Internal IP is *.1 (provides DHCP to my LAN), External = *128
>>>> Server IP is *.22
>>>>
>>>>
>>>> Running traceroute from the server to the internal IP of the router
>>>> gave *** as a result.
>>>> Running traceroute from the laptop to the external IP of the router
>>>> gave *** as a result.
>>>>
>>>> Running traceroute from my laptop to the server (from inside the
>>>> router) gave this result:
>>>> traceroute to 192.168.1.22 (192.168.1.22), 30 hops max, 60 byte packets
>>>>  1  192.168.1.22 (192.168.1.22)  7.639 ms !X  7.646 ms !X  7.639 ms !X
>>>>
>>>> man traceroute says the !X means "communication administratively
>>>> prohibited".
>>>>
>>>> Here is my routing table on my router:
>>>> 0.0.0.0         255.255.255.0   174.96.151.128  WAN (Internet)
>>>> 0.0.0.0         0.0.0.0         174.96.128.1    WAN (Internet)
>>>> 174.96.128.0    255.255.224.0   174.96.151.128  WAN (Internet)
>>>> 192.168.1.0     255.255.255.0   192.168.1.1     LAN & Wireless
>>>>
>>>>
>>>> I am just really confused.
>>>>
>>>>
>>>> --
>>>> D.C. Parris, FMP, LEED AP O+M, ESL Certificate
>>>> Minister, Security/FM Coordinator, Free Software Advocate
>>>> https://www.xing.com/profile/Don_Parris |
>>>> http://www.linkedin.com/in/dcparris
>>>> GPG Key ID: F5E179BE
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> ChristianSource FSLUG mailing list
>>>> Christiansource at ofb.biz
>>>> http://cs.uninetsolutions.com
>>>>
>>>
>>
>>
>>
>> --
>> D.C. Parris, FMP, LEED AP O+M, ESL Certificate
>> Minister, Security/FM Coordinator, Free Software Advocate
>> https://www.xing.com/profile/Don_Parris  |
>> http://www.linkedin.com/in/dcparris
>> GPG Key ID: F5E179BE
>>
>>
>
>
>
> --
>
> http://about.me/josiah
>



-- 
D.C. Parris, FMP, LEED AP O+M, ESL Certificate
Minister, Security/FM Coordinator, Free Software Advocate
https://www.xing.com/profile/Don_Parris  |
http://www.linkedin.com/in/dcparris
GPG Key ID: F5E179BE
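Added example (not part of the thread, and not the configuration of any router named in it): a small model of the u-turn case Tim describes, using the thread's addresses (router 192.168.1.1 / 174.96.151.128, server 192.168.1.22). The three gateway modes correspond to a port-forward rule that matches only WAN-side packets, one that also DNATs LAN-sourced packets but does not rewrite their source, and a true hairpin (DNAT plus SNAT to the gateway address, so the server's reply comes back through the router instead of going straight to the client); the client addresses 192.168.1.50 and 203.0.113.7 are constructed.

```python
from dataclasses import dataclass

WAN_IP = "174.96.151.128"   # router external IP from the thread
LAN_GW = "192.168.1.1"      # router internal IP
SERVER = "192.168.1.22"     # CentOS server behind the router
SSH = 22                    # service port (source ports are omitted from the model)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def in_lan(ip):
    return ip.startswith("192.168.1.")


class Gateway:
    """mode: 'wan_only'  - DNAT rule matches only packets arriving from the Internet
             'dnat_only' - DNAT also applied to LAN-sourced packets, no SNAT
             'hairpin'   - DNAT plus SNAT to the gateway address for LAN sources"""

    def __init__(self, mode):
        self.mode = mode
        self.conntrack = {}   # (src, dst) as sent to server -> (orig src, orig dst)

    def forward(self, pkt):
        if pkt.dst != WAN_IP or pkt.dport != SSH:
            return None
        if in_lan(pkt.src) and self.mode == "wan_only":
            return None                      # no rule looks for inside sources
        src = LAN_GW if in_lan(pkt.src) and self.mode == "hairpin" else pkt.src
        out = Packet(src, SERVER, pkt.dport)
        self.conntrack[(out.src, out.dst)] = (pkt.src, pkt.dst)
        return out

    def reverse(self, reply):
        orig = self.conntrack.get((reply.dst, reply.src))
        return Packet(orig[1], orig[0], reply.dport) if orig else None


def session_works(mode, client_ip):
    """True if the client gets a reply that appears to come from WAN_IP."""
    gw = Gateway(mode)
    fwd = gw.forward(Packet(client_ip, WAN_IP, SSH))
    if fwd is None:
        return False          # nothing matched: the connection never reaches the server
    reply = Packet(SERVER, fwd.src, SSH)
    if in_lan(reply.dst) and reply.dst != LAN_GW:
        return False          # server answers the client directly; client expected WAN_IP
    unnat = gw.reverse(reply)  # reply went back through the router: un-NAT both sides
    return unnat is not None and unnat.src == WAN_IP and unnat.dst == client_ip
```

Only the hairpin mode makes the inside-to-external-IP case work, while all three modes serve a client on the Internet, which is exactly the symptom in the original post.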