[personal profile] solarbird
The 1995 P166 that has, until now, been door.murkworks.net has formally and abruptly retired itself. So I'm having to move the new box into place now. This is the DMZ box I was talking about earlier.

Henceforth, "Door" refers to "New Door," not the old machine that is broken. It is running the latest Debian.

Door has three network cards: eth0 going to the cable modem, eth1 going to the fixed-IP LAN segment, eth2 going to the DHCP LAN segment. Door is running both DNS and DHCP servers.

Door can see everything in the world, on all cards. Complete functionality.

DHCP side can see everything in the world, on all cards. Complete functionality.

Fixed-IP machines can all see Door (including its DNS services), and each other, and talk to the DHCP side, but can talk to nothing living out on eth0.

tcpdump on Door shows Door handing off ICMP packets on eth0, so that direction seems okay.

I am not seeing ACKs coming back to Door on eth0 from google.com but I can't be sure they aren't doing something tricky and my filters are confused.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         173.160.243.46  0.0.0.0         UG    0      0        0 eth0
173.160.243.40  0.0.0.0         255.255.255.248 U     0      0        0 eth1
173.160.243.42  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.43  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.44  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.46  0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2

Door is 173.160.243.41 (on eth0), 173.160.243.45 (on eth1), 192.168.1.1 (on eth2). 173.160.243.46 is the modem. 173.160.243.40 is the network attached to eth1.

Anybody know wtf?

eta: The router - in addition to not showing door any ACKs for anything from .42 and .43 - is sending out a lot of ARP packets looking for 173.160.243.42 and 173.160.243.43, and I'm starting to think it won't talk to a gateway box in the fixed-IP range. I try to add .41 as a gateway address for .42 and .43 and it refuses, saying illegal LAN address. SUPER RAGIFICATION ENGAGED.

eta2: And the new problem is that the PS4 won't pick up the gateway information from the Linux-based DHCP server. It will pick up an address! It's also not getting the DNS server number either. Why? Fuck if I know, everything else does it right.
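The routing table and the three Door addresses above can be checked mechanically: which route a given destination matches under longest-prefix matching, and whether any interface's own address falls inside a connected prefix that the table attaches to a different interface. The example below is added by the editor and is not code from the post; the table text and the interface addresses are copied from the post, and the helper names (parse_routes, lookup, overlapping_addresses) are the editor's own.

```python
import ipaddress

# Routing table exactly as posted (copied from the post, used here as sample input).
ROUTING_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         173.160.243.46  0.0.0.0         UG    0      0        0 eth0
173.160.243.40  0.0.0.0         255.255.255.248 U     0      0        0 eth1
173.160.243.42  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.43  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.44  0.0.0.0         255.255.255.255 UH    0      0        0 eth1
173.160.243.46  0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
"""

# Door's own addresses, per the post.
DOOR_ADDRESSES = {
    "eth0": "173.160.243.41",
    "eth1": "173.160.243.45",
    "eth2": "192.168.1.1",
}


def parse_routes(text):
    """Parse `netstat -rn` / `route -n` style output into route dicts.

    Each route has: network (IPv4Network), gateway (str or None for
    directly connected), iface (str), host (True for a /32 'UH' entry).
    The header line is skipped; short/blank lines are ignored.
    """
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        dest, gateway, mask, flags, iface = (
            fields[0], fields[1], fields[2], fields[3], fields[7])
        # IPv4Network accepts an (address, netmask) tuple; 0.0.0.0/0.0.0.0
        # becomes the default route 0.0.0.0/0.
        network = ipaddress.IPv4Network((dest, mask))
        routes.append({
            "network": network,
            "gateway": None if gateway == "0.0.0.0" else gateway,
            "iface": iface,
            "host": "H" in flags,
        })
    return routes


def lookup(routes, address):
    """Longest-prefix match: return (iface, gateway) for a destination.

    Note this consults only the main table as posted; the kernel's local
    table (which catches the box's own addresses) is not modelled here.
    """
    addr = ipaddress.IPv4Address(address)
    best = None
    for route in routes:
        if addr in route["network"]:
            if best is None or route["network"].prefixlen > best["network"].prefixlen:
                best = route
    if best is None:
        return None
    return (best["iface"], best["gateway"])


def overlapping_addresses(routes, addresses):
    """Find interface addresses that sit inside a connected (non-host,
    no-gateway) prefix the table attaches to a *different* interface.

    Returns a list of (iface, address, other_iface, prefix_str).
    """
    findings = []
    for iface, address in addresses.items():
        addr = ipaddress.IPv4Address(address)
        for route in routes:
            connected = route["gateway"] is None and not route["host"]
            if connected and route["iface"] != iface and addr in route["network"]:
                findings.append((iface, address, route["iface"], str(route["network"])))
    return findings


ROUTES = parse_routes(ROUTING_TABLE)

if __name__ == "__main__":
    for dest in ("8.8.8.8", "173.160.243.42", "173.160.243.46", "173.160.243.41"):
        print(dest, "->", lookup(ROUTES, dest))
    for finding in overlapping_addresses(ROUTES, DOOR_ADDRESSES):
        print("overlap:", finding)
```

Running it shows the eth0 address 173.160.243.41 lying inside 173.160.243.40/29, which the posted table attaches to eth1, while the modem at .46 is reached only through its /32 host route on eth0. Whether that split of one /29 across two interfaces is what the modem objects to is not something the post settles, but it is the first thing the table itself flags.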

Date: 2017-06-26 10:34 am (UTC)
From: [personal profile] wrog
Have you looked at or done anything with the iptables rules (i.e., what does iptables -L -n on door give you)?

My current crazy theory is that there's a default DROP rule in there that's screwing you, say, if the default iptables config only expects there to be 2 interfaces... or is doing the usual firewall thing of aggressively DROPping everything coming from "outside" that's not explicitly approved, and it's treating everything other than eth2 as "outside"
Edited Date: 2017-06-26 10:41 am (UTC)

Date: 2017-06-30 01:34 am (UTC)
From: [personal profile] wrog
I am a bit boggled that they don't let you put the Comcast box into bridge mode

(also iptables can, in fact, be blocking stuff in one direction, but if door isn't actually serving as a firewall, then I guess you don't need to mess with that unless you want to be paranoid...)
Edited Date: 2017-06-30 01:34 am (UTC)
