Sorry to post this here, but since last week I've posted to Fedora's mailing list, pptp-devel's list, and linuxgeneral forum. No one has given much for answers, or the people that have replied have not understood what I'm looking for. Hoping someone here can. For the record, I'm doing this on FC3 not CentOS. Anyway, if anyone can provide assistance I would be very appreciative.
I'm trying to set up linux as a router instead of a MASQ/NAT over a VPN. So I'm trying to "connect" to private networks using the VPN as the conduit.
Here are the details:
On a Fedora Core 3 machine
- running pptpclient
- pptpclient is configured to do "LAN to LAN"
- machine set to act as a router: /proc/sys/net/ipv4/ip_forward is set to 1
After I make the pptp connection I do: iptables -F
When I try to use the connection the machine is still doing NAT.
So next I also do: iptables -t nat -F
Now, that breaks it so other machines cannot access the remote network at all, even though the static routes are still in place. For example, I have a windows machine that can access the remote network before blowing the nat table away. After blowing the nat table away, if I do a tracert on the windows machine, the tracert stops at the internal nic (eth0) of the FC3 pc with the vpn connection. It is also set up as a router. So it never does any routing.
I've also played with lots of different rules found on the net for dealing with H323 over iptables and have had no success. I've also loaded ip_conntrack and that did not make a difference.
So the FC3 machine, with a connection to eth0 and ppp0, plus set to act as a router, does not appear to act as a router between eth0 and ppp0.
Is it possible to make it be a router between eth0 and ppp0 WITHOUT masquerade? Just be a router.... We have routes on the other side telling the routers how to reach my internal network.
To ask the question why? I have an IPPhone that does not work through iptables. In the past I used IPCop as my firewall and connected to my company with branch office VPN. The VPN was great and super stable, but the IPPhone would connect once in a while at best. Research showed the problem was iptables. I now have a hardware router that does branch office and the phone works pretty well. I want to try and get it to work with the above scenario so I can take the phone with me on the road. I would like to pptp vpn using the laptop's wireless NIC. Then have the phone directly connected to the 10/100 NIC with a crossover cable. Maybe I'm in dreamland and this is not possible, I don't know.
Any assistance is appreciated.
James
On Mon, 13 Mar 2006, James Pifer wrote:
Sorry to post this here, but since last week I've posted to Fedora's mailing list, pptp-devel's list, and linuxgeneral forum. No one has
On a Fedora Core 3 machine
- running pptpclient
- pptpclient is configured to do "LAN to LAN"
- machine set to act as a router: /proc/sys/net/ipv4/ip_forward is set to 1
After I make the pptp connection I do: iptables -F
I think I would first disable iptables to get it out of the mix - as root:
/sbin/service iptables stop && /sbin/service iptables save
/sbin/chkconfig iptables off
and then want to see the ip assignments and routes when you think you have it running:
netstat -rn
on the Linux side, and a statement of what the remote IP and destination subnet and mask are.
Then, remember that tcpdump is a good friend -- some techniques for use are toward the top of:
in a mail context, but there is an ICMP example in there as well which will help.
-- Russ Herrold
# cat /etc/sysctl.conf
kernel.sysrq=0
net.ipv4.ip_forward=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.rp_filter=1
kernel.core_uses_pid=1
I have already tried disabling iptables, but when pptpclient makes the connection it re-adds rules to iptables. I ran the commands you suggested, I still have to manually go in and flush after pptpclient runs.
The routes are there when I run netstat -rn.
Looking at tcpdump and how I should run it, but here's what I've tried so far:
**** Try 1 ****
I tried running it with: host is the machine on my network initiating a ping to something on the remote side, eth0 is the local interface on the router:
tcpdump -i eth0 -nN -xX -s 1500 host 192.168.1.30
I can see in tcpdump that it gets the request, but no response ever comes through.
**** Try 2 ****
Next: host is the machine on my network initiating a ping to something on the remote side, ppp0 is the VPN interface on the router:
tcpdump -i ppp0 -nN -xX -s 1500 host 192.168.1.30
From a client I try to ping something on the other side and I can see in tcpdump that it gets the request, but no response ever comes through.
**** Try 3 ****
Next: host is the machine that I'm trying to ping on the remote side, ppp0 is the VPN interface on the router:
tcpdump -i ppp0 -nN -xX -s 1500 host 10.96.10.1
From a client I try to ping something on the other side and I can see in tcpdump that it gets the request, but no response ever comes through.
Does this mean that the FC3 machine IS definitely routing from eth0 to ppp0 and that the problem is the routing on the remote side? It's not correctly routing back to my network?
Thanks, James
On Mon, 2006-03-13 at 10:29 -0500, R P Herrold wrote:
One more thing as an addendum to the last post. If I run tcpdump on the machine on the remote side of the vpn I never see the echo request come in. So it's more than just a return route problem.
As I see it, the problem is either on the FC3 machine not properly routing, or the VPN device is not properly handling it. Not sure how to really determine which is the culprit.
James
Thanks for the help. Looks like the problem is on the VPN switch. It can't do the routing like I want it to do. It wants to do a branch office so I think I'll try to install freeswan and see what happens with that. I know IPCop uses freeswan, or at least they used to. The only problem I had with that was that it only supported one network on the "right" side. So if you had multiple networks, like 10. and 192. and 206. that were all routable, you could only get to one of them.
Again, thanks for the help.
James
On Mon, 13 Mar 2006, James Pifer wrote:
As I see it, the problem is either on the FC3 machine not properly routing, or the VPN device is not properly handling it. Not sure how to really determine which is the culprit.
Thanks for the help. Looks like the problem is on the VPN switch. It can't do the routing like I want it to do. It wants to do a branch
No problem, James - sometimes talking and working through a problem from the bottom up exposes where things are falling apart.
For those who are still following this thread, this approach -- of guided questions which help the admin of a box think and diagnose analytically, and to grow as a sysadmin -- is the approach of the CentOS IRC channel #centos, on irc.freenode.net
... from the /topic of the channel ...
We are pretty careful to encourage research in posing questions there: How to ASK a question: http://tinyurl.com/anel
We try to keep the Signal to Noise ratio up pretty high (*cough* see contra., #linux, #fedora, #debian), by encouraging the use of out-of-channel collaborative debugging tools: Use a pastebin http://pastebin.com
We try to stay close to 'on topic' and do not usually attempt to support packages or issues outside of the upstream PNAELV's packages: http://www.pnaelv.com/
and best of all ...
We have a pretty good floorshow for the price (i.e., 'free') -- the trout award spoons to people who 'spoonfeed' answers.
All of the channel operators are well known names to this mailing list and the centos project, chosen in part because they have shown sustained skills and good judgment in the CentOS problemspace.
-- Russ Herrold
On 3/13/06, James Pifer jep@obrien-pifer.com wrote:
I'm trying to setup linux as a router instead of a MASQ/NAT over a VPN. So I'm trying to "connect" to private networks using the VPN as the conduit.
I presume you have set
net.ipv4.ip_forward = 1
in /etc/sysctl.conf?
You also need to make appropriate entries in /etc/sysconfig/network-scripts/route-eth0 and /etc/sysconfig/network-scripts/route-ppp0. I don't think you need to do anything with iptables at all if sysctl.conf and the routes are set correctly.
See /usr/share/doc/kernel-doc-2.6.9/Documentation/networking/ip-sysctl.txt and also /usr/share/doc/initscripts-7.93.24.EL/sysconfig.txt for details.
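The checks the thread walks through by hand (ip_forward on, no MASQUERADE/SNAT left behind by the pptp hook scripts, a route to the remote subnet via ppp0) collected into a small script, as an added example that is not from the thread or from any of the posters. The interface names, the sample iptables/netstat output and the 10.96.10.0 network are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity checks for a Linux box that should forward between
# eth0 and ppp0 WITHOUT translating addresses. Each check takes the relevant
# command output as an argument, so it can be run on constructed text offline;
# live_report feeds it the real output of the running box.

# 1. Any MASQUERADE or SNAT target in the nat table means the box is still
#    translating, even if the filter table was already flushed.
#    $1 = output of: iptables -t nat -L POSTROUTING -n
nat_rules_present() {
    printf '%s\n' "$1" | grep -Eq '^(MASQUERADE|SNAT)[[:space:]]'
}

# 2. Is the remote network routed out of ppp0?
#    $1 = output of: netstat -rn   $2 = remote network, e.g. 10.96.10.0
route_via_ppp0() {
    printf '%s\n' "$1" |
        awk -v net="$2" '$1 == net && $NF == "ppp0" { found = 1 } END { exit !found }'
}

# 3. /proc/sys/net/ipv4/ip_forward must read 1.  $1 = its contents
forwarding_enabled() {
    [ "$1" = "1" ]
}

# Run all three against the live system.  $1 = remote network to look for.
live_report() {
    forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" \
        && echo "ip_forward: ok" || echo "ip_forward: OFF (set net.ipv4.ip_forward=1)"
    if nat_rules_present "$(iptables -t nat -L POSTROUTING -n 2>/dev/null)"; then
        echo "nat: MASQUERADE/SNAT still present (iptables -t nat -F to clear)"
    else
        echo "nat: no translation rules in POSTROUTING"
    fi
    route_via_ppp0 "$(netstat -rn)" "$1" \
        && echo "route to $1 via ppp0: ok" || echo "route to $1 via ppp0: MISSING"
}

# Constructed sample output (not captured from any real machine).
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0'
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.96.10.0      0.0.0.0         255.255.255.0   U         0 0          0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# Usage on the router: sh check-router.sh 10.96.10.0
if [ -n "${1:-}" ]; then live_report "$1"; fi
```

If nat_rules_present still reports a hit right after the tunnel comes up, the rule is being re-added by the pptp hook scripts and a flush run before the connection will not help; the check has to run after ppp0 is up.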