LINUX.IE, website of the Irish Linux Users' Group
[ILUG] ICMP redirect and routing question
Niall O Broin niall at linux.ie
Fri Apr 2 09:31:45 IST 2004


I manage an office with a slightly unusual network setup. There is a box with
a leased line connection (hereafter leased) which is configured in the classic
three zone setup. However, because we pay for transfer on the leased line, we
have augmented the system with a smoothwall box (hereafter smooth) connected to
a leased line, and all the office machines now use smooth as default route.

However, the office boxes regularly need access to the boxes in the DMZ, which
they get via leased. There is a route on smooth to leased, but for some reason
boxes which have smooth as default route don't get to the DMZ - I have to set
up a static route on them to the DMZ via leased.

My understanding is that this should be handled by ICMP redirects - when
smooth receives a packet destined for the DMZ, it should see that its route to
there is via leased, which is on the same LAN, and should send an ICMP
redirect with that information back to the originating machine.

As far as I know, I have all the magic bits in /proc set. On smooth I have

/proc/sys/net/ipv4/conf/all/forwarding
/proc/sys/net/ipv4/conf/all/send_redirects
/proc/sys/net/ipv4/ip_forward

all set to 1 and on the Linux clients, I have

/proc/sys/net/ipv4/conf/all/accept_redirects

set to 1.

Trying to trace this has got me nowhere so far, except to see that it seems
that smooth is not returning ICMP redirects (nor is forwarding the packets) -
in the below, 192.168.1.10 is one of the clients, and somebox.somehost.com is
a box in the DMZ:

[root at smooth1 root]# tcpdump host 192.168.1.10
tcpdump: listening on eth0
10:14:07.744043 192.168.1.10 > somebox.somehost.com: icmp: echo request

This is the routing table on smooth

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
a.b.c.d         0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
w.x.y.z         192.168.1.100   255.255.255.248 UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
1.1.1.0         0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         a.b.c.d         0.0.0.0         UG        0 0          0 ppp0


where a.b.c.d is the address of the remote end of the DSL connection,
192.168.1.100 is the LAN address of leased, and w.x.y.z is the DMZ network.

I might add that there is a nice simple solution to all of this - remove the
route to w.x.y.z via 192.168.100. However, that means that all internal
traffic to the DMZ goes out via the DSL and back in via the leased line - not
optimal for speed, and not exactly helping to reduce transfer on the leased
line.

Clearly, as the clients can't reach the DMZ without adding a static route,
I've missed something, or I am doing something wrong - but what?

Clients and servers have assorted kernels, but all fairly recent 2.4.xx series
- but I doubt that this is kernel version related.

This office is situated where alternative leased line arrangements are either
not possible, or more expensive, so don't bother suggesting that.

Oh - this is a rather long post - please only include relevant bits in
replies.


Niall
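An added example (not part of the post or any reply) that replays the kernel's forwarding and redirect decision against the routing table quoted above: a redirect is only generated when the packet would leave on the interface it arrived on, the next hop is on a network the sender is directly connected to, and send_redirects is on, so for a DMZ-bound packet from 192.168.1.10 the route lookup itself satisfies every condition. Bear in mind that accept_redirects=1 on every client lets any host on that LAN rewrite their routes, which is why the route is usually kept on the router (or as a static route) rather than learned from redirects. The placeholders a.b.c.d and w.x.y.z are replaced here with constructed documentation addresses 203.0.113.1 and 198.51.100.0/29.

```python
import ipaddress

# Constructed stand-in for the `route -n` output in the post (a.b.c.d -> 203.0.113.1,
# w.x.y.z -> 198.51.100.0/29); the remaining rows are exactly as posted.
ROUTING_TABLE = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.0.113.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
198.51.100.0    192.168.1.100   255.255.255.248 UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
1.1.1.0         0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 ppp0
"""


def parse_routes(text):
    """Parse netstat/route style output into (network, gateway_or_None, iface)."""
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, _flags, _mss, _win, _irtt, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the same rule the kernel FIB lookup applies."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def forwarding_decision(routes, sysctl, src, dst, in_iface):
    """Return (out_iface, next_hop, redirect) for a packet that arrived on in_iface.

    redirect is True only under the kernel's redirect conditions: the packet
    leaves on the interface it came in on, the next hop shares a directly
    connected network with the sender, and send_redirects is enabled.
    """
    route = lookup(routes, dst)
    if route is None:
        return None, None, False  # no route: the packet is dropped, no redirect
    net, gateway, out_iface = route
    next_hop = gateway if gateway is not None else ipaddress.ip_address(dst)
    sender_onlink = any(iface == in_iface and gw is None
                        and ipaddress.ip_address(src) in n and next_hop in n
                        for n, gw, iface in routes)
    redirect = (sysctl.get("send_redirects", 0) == 1
                and out_iface == in_iface and sender_onlink)
    return out_iface, str(next_hop), redirect
```

For the posted table, a packet from 192.168.1.10 to the DMZ resolves to next hop 192.168.1.100 on eth0 with redirect True, while an Internet-bound packet resolves to ppp0 with no redirect, so the missing redirect in the tcpdump has to come from something other than the route lookup.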


