Post #124,224
11/5/03 2:36:48 AM
|
I don't get it. Networking, I mean. Box? Anyone?
I thought I understood but I obviously don't. Okay, we had 3 DSL lines connected like this:

    DSL   DSL
      \   /
      Router    DSL
        |  \    /
        |  Router
        |    |
       VPN  PIX 506
        |    |
        +--(3) 10/100 switches-->LAN

The first two routers are standard DSL router/firewall combos, except they each have 2 WAN ports. The PIX 506 has one WAN, one LAN port. Now, we dropped the 3 DSL lines and went to a T1. The provider installed their own modular router (a nice Adit 600), which handles both the voice and data lines. It has a single router card in it for the data. I hooked it up like this:

    T1
      \
      Adit 600
         \
         PIX 506
           |
         Switches

Fine. Everything works. Except. I had created a VPN using OpenVPN, installed on a Linux box. That box had two NICs: one on the internal LAN subnet (192.168.0.x), and one outside the last DSL router; connections would come in on one of the DSL lines, the router would pass the packets to the external NIC on UDP 5000, and OpenVPN would then unpack them, sending them over the bridge into the LAN. Cool stuff, that bridged ethernet. Anyway, what do I do now? The PIX can manage all of our new IP's (a /240 subnet), but it's only got one internal port. What hardware/software combo do I need to take one of those IP's and route it to another network, so I can put the bridge back in place? I don't think the bridge will work if both NICs are on the same subnet. The one thing I do not have is time to spend creating/learning a new solution--I'm literally not leaving my house for the next two weeks while I finish a major software port. Any ideas are welcome--but I'm going to prefer the cheap and simple solutions. :)
I was one of the original authors of VB, and *I* wouldn't use VB for a text processing program. :-) Michael Geary, on comp.lang.python
|
Post #124,345
11/5/03 5:31:53 PM
|
stuff 2nic box on pix
one nic on the 10.0.0.1 net the other on whatever the pix wants, route between the 2 nics. thanx, bill
"You're just like me, Streak. You never left the free-fire zone. You think aspirins and meetings and cold showers are going to clean out your head. What you want is God's permission to paint the trees with the bad guys. That won't happen, big mon." -- Clete
Questions, help? email pappas at catholic.org
|
Post #124,404
11/5/03 10:41:51 PM
|
You mean route all traffic through the 2-nic box?
Like this?

    T1
      \
      Adit 600
         \
         PIX 506
           |
          VPN
           |
        Switches

I don't have a 10.0.0.1 net, so I'm not sure what you're describing. If the above isn't it, can you make a quick diagram? If I didn't make it clear, the Adit has only one Ethernet port. The Pix has only one port on each side. It's the lack of jacks that's killing me, I think. Could I do this?

             __Hub__
    T1      /   |   \
      \    /    |    \
      Adit      |     \
               VPN   PIX 506
                |      |
              Switches-->LAN
|
Post #124,410
11/5/03 11:05:36 PM
|
10.0.0.1 net is like the 192.168.0.0 net
no problems using or assigning, it is considered an internal address space. thanx, bill
|
Post #124,359
11/5/03 8:14:06 PM
|
Re: I don't get it. Networking, I mean. Box? Anyone?
I'm confused. Why not state what you want to do instead of what you think is not working?
Did you mean you have a /24 subnet? Or does your subnet mask end with .240? These are very different - /24 means 255.255.255.0 while 255.255.255.240 would imply a restricted range of IPs, probably real ones assigned by your provider (not 192.168 or 10.).
Generally the answer to this kind of question is NAT.
-drl
|
Post #124,406
11/5/03 10:48:11 PM
|
It's hard to do when you don't understand.
> I'm confused. Why not state what you want to do
> instead of what you think is not working?
I want to have 50-odd machines on my LAN hooked up to the T1. I want them firewalled and NAT'ed, which the PIX does. That all works great. In addition, I want a VPN. I had one which depended on having a separate subnet somewhere in the chain, which I no longer have.
> Did you mean you have a /24 subnet?
> Or does your subnet mask end with .240?
Sorry, that was a typo: it should be .240, which equals 16 or so addresses which the ISP is giving us.
> Generally the answer to this kind of question is NAT.
Heh. I got NAT up the wazoo. Where particularly in the chain did you have in mind to put it?
|
Post #124,412
11/5/03 11:16:54 PM
|
Re: It's hard to do when you don't understand.
Well, as long as the external world sees what it did before, your VPN will be fine.
So, you do a host-to-host NAT so that the outside world thinks nothing has changed inside.
So your internal network - let's say it will be 192.168.1.x - these go to some router - say a Linux box with a kernel that does iptables - having 2 NICs - the external NIC will be configured as one of the IP addresses your provider gave you - so
NIC 1 - IP address 192.168.1.1 mask 255.255.255.0
NIC 2 - IP address "mumble" mask 255.255.255.240
Replace "mumble" by one of the provided addresses. Set up all the internal nodes with a default gateway of 192.168.1.1. You can either give out 192.168.1.x addresses with DHCP or make static ones.
That takes care of one part - having the internal network see the world. To the external world, it will look like all traffic is coming from "mumble". I assume that "mumble" is going into the DSL-provided router. From that point on, it's their world. So the internal nodes never know about the DSL router, and as far as the DSL side is concerned, there is the one IP address "mumble".
Can you now give some info about the VPN and how it was connected before?
-drl
|
Post #124,419
11/6/03 12:34:31 AM
|
I'm *always* ready to give more info. :)
> Well, as long as the external world sees
> what it did before, your VPN will be fine.
The problem is, the external world used to see three different networks, and now it only sees one.
> So your internal network - let's say will be 192.168.1.x
> - these go to some router - say a Linux box with a kernel
> that does iptables - having 2 NICs - the external NIC will
> be configured as one of the IP addresses your provider gave you...
> Can you now give some info about the VPN and how it was connected before?
The thing I think I'm not making clear is that I don't want ALL of the traffic to go through the VPN box--I want it to continue to be a 'back door' into the LAN, mostly because I want the normal traffic to go through hardware (like the PIX), not software (like a Linux box). Obviously there's HW and SW on both, but I think you understand what I mean.
The VPN used to bridge its virtual ethernet tap device with the internal NIC. AFAICT, it can't work if both the external and internal NICs are on the same network. So I need an 'external' network now. The only network I have besides the Nat'ed internal one (192.168.0.0) is the set of IP's the ISP is doling out--problem is, there's only one ethernet jack on their router, and that goes straight into the WAN jack on the PIX router that we own. So I think I'll try putting them both on a hub I've got lying around and see if I can get all three devices (the ISP's router/gateway, the PIX, and my VPN's external NIC) on the same network.
|
Post #124,420
11/6/03 1:07:50 AM
|
Re: I'm *always* ready to give more info. :)
What network was the VPN on before?
Plus, by definition, if your internal nets were 172.16 to 31, 192.168, or 10. they would be invisible from outside.
-drl
|
Post #124,433
11/6/03 4:35:14 AM
|
Check out my first post in this thread.
Since the diagram explains best, I think. The VPN had 2 NIC's: one on the internal network (192.168.0.0) and one on the network which existed between the two DSL routers (172.16.0.0, IIRC). In addition, since it was running an ethernet bridge, it had a virtual NIC (a tap device), which was bridged to the internal NIC. The bridged ethernet was set up per http://openvpn.sourceforge.net/bridge.html
|
Post #124,449
11/6/03 9:23:42 AM
|
Re: Check out my first post in this thread.
I don't understand your diagram without network addresses.
-drl
|
Post #124,509
11/6/03 2:56:44 PM
|
Ahhh.. here ya go.
                  DSL   DSL  66.126.207.234
   66.126.207.242   \   /
                   Router    DSL  63.200.221.34
   172.16.0.1        |  \    /
                     |  Router
                     |    |  10.0.0.8
                     |    |
   172.16.0.16       |    |  10.0.0.5
                    VPN  PIX 506
   192.168.0.251     |    |  192.168.0.110
                     |    |
                   (3) 10/100 switches
                   | | | | | |
                LAN computers on 192.168.0.x
                   clients and servers

Plus a wireless hub in that 172.16.x.x network that I left out for clarity. :)
|
Post #124,515
11/6/03 3:36:47 PM
|
What a mess :)
OK now draw what's happening now.
-drl
|
Post #124,557
11/6/03 10:22:22 PM
|
Working solution:
                    __Dumb Hub__
                   /      |      \
   64.73.226.17   /       |       \  64.73.226.18      /
    T1 GW (Adit)          |     Wireless Router--WLAN Clients
                          |       192.168.3.1          \
                          |          |
   64.73.226.19           |          |  192.168.3.3
                         PIX      OpenVPN
   192.168.0.110          |          |  192.168.1.251
                          |          |
                       (3) 10/100 Switches
                       | | | | | | | |
                     LAN clients and servers

Someday Real Soon Now I'm going to switch the innermost network (on the bottom) to 10.x, just need time.
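As an added illustration (my own code, not anything posted in the thread), the addressing in the working solution above, together with the two points argued earlier (the /24 versus 255.255.255.240 mask question, and the OpenVPN bridge needing its outside and inside NICs on different networks), checked with Python's ipaddress module. The interface names are my own labels for the boxes in the diagram.

```python
import ipaddress

# Interfaces as drawn in the "Working solution" diagram (address/prefix).
# Labels are constructed for this example; the ISP block is the
# 255.255.255.240 (/28) range, the three bottom networks are private.
INTERFACES = {
    "adit_t1_gw":      "64.73.226.17/28",
    "wireless_wan":    "64.73.226.18/28",
    "pix_outside":     "64.73.226.19/28",
    "wireless_lan":    "192.168.3.1/24",
    "openvpn_outside": "192.168.3.3/24",
    "pix_inside":      "192.168.0.110/24",
    "openvpn_inside":  "192.168.1.251/24",
}

def mask_to_prefix(netmask):
    """Dotted netmask -> prefix length, e.g. 255.255.255.240 -> 28 (not /24)."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen

def usable_hosts(cidr):
    """Host addresses in a prefix, minus the network and broadcast addresses."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses - 2

def same_subnet(a, b):
    """True when two interfaces share one IP network.  A bridged OpenVPN box
    needs its outside and inside NICs on different networks, so True here
    means the bridged layout from the first post would not work."""
    return (ipaddress.ip_interface(a).network
            == ipaddress.ip_interface(b).network)

def check_topology(ifaces):
    """Evaluate the addressing constraints the thread settles on."""
    isp_block = ipaddress.ip_interface(ifaces["adit_t1_gw"]).network
    on_hub = ("adit_t1_gw", "wireless_wan", "pix_outside")
    inside = ("wireless_lan", "pix_inside", "openvpn_inside")
    return {
        # everything on the dumb hub must use an address from the ISP's /28
        "hub_in_isp_block": all(
            ipaddress.ip_interface(ifaces[n]).ip in isp_block for n in on_hub),
        # the VPN box's two NICs sit on different networks, so bridging works
        "vpn_nics_separate": not same_subnet(
            ifaces["openvpn_outside"], ifaces["openvpn_inside"]),
        # nothing private is placed on the ISP block side
        "inside_is_private": all(
            ipaddress.ip_interface(ifaces[n]).ip.is_private for n in inside),
        "isp_usable_hosts": usable_hosts(str(isp_block)),
    }

if __name__ == "__main__":
    print(check_topology(INTERFACES))
```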
|
Post #124,558
11/6/03 10:33:15 PM
|
That's better :)
You shouldn't switch to a 10. network unless you need to do a lot of internal subnetting - say, if you're IBM.
-drl
|
Post #124,437
11/6/03 5:00:32 AM
|
That extra hub sounds like the solution.
Particularly now you've re-described the situation.
Wade.
Is it enough to love / Is it enough to breathe / Somebody rip my heart out / And leave me here to bleed / Is it enough to die / Somebody save my life / I'd rather be anything but ordinary, please
-- "Anything but Ordinary" by Avril Lavigne.
|
Post #124,510
11/6/03 2:57:00 PM
|
Thanks. I'll try it tonight.
|