[personal profile] solarbird

I’m finally getting back to working on a new gateway/router server and I’m basically setting up this old-school sort of DMZ, with the rest of our servers hanging off one card, and our internal LAN/DHCP/NAT side hanging off the other. (Using ISC, which Debian seems to like.) And all of that seems to be right from the new server’s perspective, which is yay!

Except there’s no packet forwarding from the DHCP side, even though it’s enabled and I’m sure I enabled it and yes, the kernel thinks it’s enabled, but it isn’t happening.

Any ideas where to start?

Mirrored from Crime and the Blog of Evil. Come check out our music at:


Date: 2017-06-24 01:05 pm (UTC)
From: [personal profile] rmd
Speaking from near ignorance about that particular Debian setup, but with some clue about larger-scale networks: is Debian configured to act as a DHCP relay here? I think dhcp-relay is a separate package, so I figured I'd ask the stupid question.

Date: 2017-06-25 09:15 pm (UTC)
From: [personal profile] deskitty
So, it's been a long time since I've touched Linux routing (college, maybe?), but here's some tidbits from what I remember.

Quick checklist of "did you plug it in" things:

  1. Are routes/gateways configured correctly on all affected systems including the router?

  2. sysctl net.ipv4.ip_forward == 1

  3. iptables -t nat -L has proper entries (IPs and interfaces) for all your networks in POSTROUTING (and PREROUTING for anything in the DMZ with forwarded ports).

    • You may need to do something special for UPnP if you want to enable it for systems in your internal network; I'm not sure what that would entail since I've never had to do this myself.

  4. iptables -L has appropriate ACCEPT rules in the FORWARD chain.

  5. Make sure you don't have any other rules (in INPUT and OUTPUT) that would drop packets that would otherwise be routable.

More details would be helpful -- what exactly are you observing that suggests forwarding isn't happening? (Wireshark/tcpdump, missing TCP ACKs, etc.?)

If none of the above rings a bell, I suggest taking tcpdump traces on the router at your ingress and egress interfaces, and comparing what's coming in with what's going out. That would help narrow things down.
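The checklist in the comment above, as an added diagnostic script that is not from the post or from either commenter. Each check_* function takes the text output of one command as its argument, so the logic can be exercised on constructed samples; run_checks feeds it live output from sysctl, ip and iptables on the router. The interface names (eth1 for the LAN/DHCP/NAT side, eth0 for the DMZ/upstream side) are assumptions, not the poster's real setup, and can be overridden through the LAN_IF and WAN_IF environment variables.

```shell
#!/bin/sh
# Added example (not from the post or the commenters): the "did you plug it in"
# checklist as a small diagnostic script for a Debian router. Each check_*
# function takes the text output of one command as its argument, so the logic
# can be exercised on constructed samples; run_checks feeds it live output.
# Interface names below are assumptions, not the poster's real setup.

LAN_IF="${LAN_IF:-eth1}"   # internal LAN/DHCP/NAT side (assumed)
WAN_IF="${WAN_IF:-eth0}"   # DMZ / upstream side (assumed)

# Step 2: `sysctl -n net.ipv4.ip_forward` must print exactly 1.
check_ip_forward() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Step 1: `ip route show default` must have a default route out the upstream side.
check_default_route() {
    printf '%s\n' "$1" | grep -Eq -e "^default via [0-9.]+ dev $WAN_IF( |$)"
}

# Step 3: `iptables -t nat -S POSTROUTING` must MASQUERADE (or SNAT) on the way out.
check_masquerade() {
    printf '%s\n' "$1" | grep -Eq -e "^-A POSTROUTING .*-o $WAN_IF .*-j (MASQUERADE|SNAT)"
}

# Step 4: `iptables -S FORWARD` must either default to ACCEPT or explicitly
# ACCEPT traffic entering on the LAN side and leaving on the upstream side.
check_forward_accept() {
    if printf '%s\n' "$1" | grep -Eq -e "^-P FORWARD ACCEPT$"; then
        return 0
    fi
    printf '%s\n' "$1" | grep -Eq -e "^-A FORWARD .*-i $LAN_IF .*-o $WAN_IF .*-j ACCEPT$"
}

# Runs the checks against the live system; prints one line per problem and
# returns the number of failed checks (0 means everything looked right).
run_checks() {
    failed=0
    check_ip_forward "$(sysctl -n net.ipv4.ip_forward)" \
        || { echo "FAIL: net.ipv4.ip_forward is not 1"; failed=$((failed + 1)); }
    check_default_route "$(ip route show default)" \
        || { echo "FAIL: no default route via $WAN_IF"; failed=$((failed + 1)); }
    check_masquerade "$(iptables -t nat -S POSTROUTING)" \
        || { echo "FAIL: no MASQUERADE/SNAT rule out $WAN_IF in nat POSTROUTING"; failed=$((failed + 1)); }
    check_forward_accept "$(iptables -S FORWARD)" \
        || { echo "FAIL: FORWARD chain does not accept $LAN_IF -> $WAN_IF"; failed=$((failed + 1)); }
    if [ "$failed" -eq 0 ]; then
        echo "all checks passed; next step: run tcpdump -ni $LAN_IF and tcpdump -ni $WAN_IF side by side"
    fi
    return "$failed"
}

# Only touch the live system when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it as root on the router with `sh check-forwarding.sh --run`. A passing run does not prove forwarding works; it only rules out the common misconfigurations in the checklist, which is why the last line points at the tcpdump comparison the commenter suggests.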
