# Using PC behind Router behind PC behind the internet

## strider2003

I know the subject is quite strange :)

I had a Gentoo workstation with an iptables firewall (and two ethernet cards), and two other PCs that accessed the internet through the first Gentoo box (by means of a switch).

Recently, I bought an SMC wireless router and set it up in place of the switch, so that I could use wireless cards and keep a single firewall (that is always up, and this is no problem).

The net topology is as follows:

```
+---------------------+
|      INTERNET       |
+---------------------+
           |
+---------------------+
|       | DHCP IP     |
| WS 1  |-------------|
|       | 192.168.1.1 |
+---------------------+
           |
+---------------------+
|       | 192.168.1.10|
| Router|-------------|
|       | 192.168.2.1 |
+---------------------+
           |
+---------------------+
| WS 2  | 192.168.2.x |  <-- there are more workstations like this
+---------------------+
```

With IP masquerade activated in the firewall, WS 2 can access the internet without any problems, and without it, WS 2 can access the HTTP and IMAP servers on WS 1 (but not the internet).

The problem is that Samba, which worked with the switch, doesn't work now. So WS 2 can't see the Samba server on WS 1. I think this must be a stupid error, but I can't find it.

I hope you can help me. Thanks.

P.S. You have to imagine ASCII boxes above :)

Last edited by strider2003 on Sat Feb 05, 2005 5:21 pm; edited 1 time in total

----------

## NeddySeagoon

strider2003,

Please post the output from both

```
ifconfig
route
```

for WS 1 and WS 2.

You can do ASCII art in a code box.

----------

## strider2003

From ifconfig in WS 1:

```
eth0      Link encap:Ethernet  HWaddr 00:50:FC:70:CE:04
          inet addr:84.121.231.**  Bcast:255.255.255.255 Mask:255.255.224.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:987942 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2891 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61151636 (58.3 Mb)  TX bytes:381475 (372.5 Kb)
          Interrupt:10 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:02:44:4F:8B:F5
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:13886 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14077 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1060847 (1.0 Mb)  TX bytes:1264631 (1.2 Mb)
          Interrupt:11 Base address:0xc400
```

and from route in WS 1:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
84-121-224-0.on *               255.255.224.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         84-121-224-1.on 0.0.0.0         UG    0      0        0 eth0
```

It's easier for me to put the output of WS 2 in the next post, so I will do that.

----------

## nobspangle

If I were you I would use the SMC router as an access point for your network. Plug all your boxes into the LAN side rather than the WAN side and all should be good.

----------

## strider2003

As I promised:

From ifconfig (note this is Mac OS X):

```
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20d:93ff:fe27:ed82 prefixlen 64 scopeid 0x4
        inet 192.168.2.101 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:0d:93:27:ed:82
        media: autoselect (100baseTX <full-duplex>) status: active
        supported media: none autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback>
```

And instead of route, this is the output of the route table in the Apple network tool (I think it is the same):

```
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGSc        4        6    en0
127                localhost          UCS         0        0    lo0
localhost          localhost          UH         19     2563    lo0
169.254            link#4             UCS         0        0    en0
192.168.2          link#4             UCS         1        0    en0
192.168.2.1        0:4:e2:d1:9:b2     UHLW        4       71    en0   1198
192.168.2.101      localhost          UHS         0        0    lo0

Internet6:
Destination        Gateway            Flags      Netif Expire
localhost          localhost          UH          lo0
fe80::%lo0         fe80::1%lo0        Uc          lo0
fe80::1%lo0        link#1             UHL         lo0
fe80::%en0         link#4             UC          en0
fe80::20d:93ff:fe2 0:d:93:27:ed:82    UHL         lo0
ff01::             localhost          U           lo0
ff02::%lo0         localhost          UC          lo0
ff02::%en0         link#4             UC          en0
```

----------

## strider2003

nobspangle:

I know this is the easiest solution, but then I'd have to set up a firewall on each of the PCs and, since they run three different operating systems, I would not like to do this.

Also, when I turn on the Windows PC, I want it to access the LAN, but not the internet.

Of course, if there is no other solution, I will do as you say, but I'm sure there must be a way to do what I want.

----------

## NeddySeagoon

strider2003,

I slipped up a bit there, I should have asked for ifconfig and route from your router box.

What does it do for the 192.168.2.0/24?

Does it just do packet forwarding between the two subnets or does it do NAT from the 192.168.2.0/24 onto 192.168.1.10?

If it just does forwarding then WS 1 will see packets from 192.168.2.x and needs to know what to do with them. The routing table from WS 1 should therefore have a static route to tell it what to do with these 192.168.2.x packets.

----------

## nobspangle

I must be missing the point here

Does WS1 not provide firewall for all the boxes behind it?

----------

## strider2003

nobspangle:

You are right, WS 1 is the firewall for the rest of the boxes.

NeddySeagoon:

The firewall is configured so that it allows all traffic through eth1. At the moment, I'm switching by hand the state of ipforwarding:

```
#!/bin/sh

IPTABLES=/sbin/iptables

# start from an empty nat table
$IPTABLES -F -t nat

# masquerade everything that leaves the internet-facing interface
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE

# turn on IPv4 forwarding between eth0 and eth1
echo "1" > /proc/sys/net/ipv4/ip_forward
```

Please, ask me for the information you need.

----------
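The script above adds the MASQUERADE rule and turns on forwarding, but sets no FORWARD policy of its own, so what WS 1 relays between eth0 and eth1 is left to whatever the rest of the firewall does. The following is an added example, not the original poster's script and not from the thread: it keeps the MASQUERADE rule, gives the FORWARD chain a default-deny policy, lets the two LAN subnets open connections to the Internet, keeps the Windows PC off the Internet as asked for earlier in the thread, and drops packets arriving on the Internet side that claim a LAN source. It assumes that eth0 is the Internet side and eth1 faces the SMC router, that the router forwards rather than NATs (so 192.168.2.0/24 sources arrive unchanged on eth1), and that WIN_HOST is a placeholder for the Windows PC's address, which the thread never gives.

```shell
#!/bin/sh
# Added example (not the original poster's script): default-deny FORWARD
# chain for WS 1 around the MASQUERADE rule from the thread.
# Assumptions not stated in the thread: eth0 = Internet side, eth1 = link
# to the SMC router, the router forwards rather than NATs, and WIN_HOST
# is a placeholder for the Windows PC that may use the LAN but not the
# Internet.

WAN=eth0
LAN=eth1
LAN_NETS="192.168.1.0/24 192.168.2.0/24"   # WS 1's own LAN and the router's LAN
WIN_HOST=${WIN_HOST:-192.168.2.50}          # hypothetical address; override via environment
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

# Dry-run backend: prints the iptables command line instead of running it.
dry_run() {
    printf '%s\n' "$*"
}

# Emit (or apply) the rule set through whatever $IPTABLES points at.
apply_rules() {
    $IPTABLES -t nat -F
    $IPTABLES -F FORWARD
    $IPTABLES -P FORWARD DROP

    # Anti-spoofing: a packet from the Internet side must not claim a LAN source.
    for net in $LAN_NETS; do
        $IPTABLES -A FORWARD -i "$WAN" -s "$net" -j DROP
    done

    # Replies to connections the LAN opened.
    $IPTABLES -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The Windows PC stays on the LAN only; this must precede the ACCEPT below.
    $IPTABLES -A FORWARD -i "$LAN" -s "$WIN_HOST" -o "$WAN" -j DROP

    # Each LAN subnet may open connections to the Internet and is masqueraded
    # on the way out (the thread's rule masqueraded any source at all).
    for net in $LAN_NETS; do
        $IPTABLES -A FORWARD -i "$LAN" -s "$net" -o "$WAN" -j ACCEPT
        $IPTABLES -t nat -A POSTROUTING -s "$net" -o "$WAN" -j MASQUERADE
    done
}

enable_forwarding() {
    echo 1 > "$IP_FORWARD"
}

case ${1:-show} in
    apply)
        # Real run: needs root.
        IPTABLES=/sbin/iptables
        apply_rules
        enable_forwarding
        ;;
    *)
        # Default: print what would be done, no root needed.
        IPTABLES=dry_run
        apply_rules
        ;;
esac
```

With no arguments the script only prints the rules it would load; as root, `apply` loads them and turns forwarding on. Only the FORWARD and nat chains are touched, so traffic from the router's subnet to WS 1's own services (the INPUT chain, which the poster says accepts everything on eth1) is unaffected, and this does not by itself change the Samba problem, which is about routing the replies.

----------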

## NeddySeagoon

strider2003,

Install tcpdump and see what is happening on the interface in WS 1 called 192.168.1.1

If the router has forwarding on, you should see packets arriving from the 192.168.2.x network.

Do you see those packets?

What does WS 1 do with them?

On a machine on the 192.168.2.x subnet, try pinging 

192.168.2.1, that should work no problems

192.168.1.10, should work if packet forwarding is on

192.168.1.1, packets should arrive (watch tcpdump) but without a return route in the routing table there will be no response to the pinging machine. The response packets will probably be routed as per the default route in WS 1 and sent to the internet.

On WS 1 you need to do 

```
route add -net 192.168.2.0 gw 192.168.1.10 eth?
```

fill in the ? with the right interface.

----------
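To make the point about the missing return route concrete, here is an added example in POSIX shell; it is not from the thread. It does a longest-prefix lookup over a numeric `route -n` style table and reports the gateway and interface a reply would take. The tables are constructed inline so it runs offline: first WS 1's table as posted earlier in the thread, with the two hostnames on the eth0 lines taken to stand for 84.121.224.0 and 84.121.224.1 (an assumption from the names shown), then the same table with the static route for 192.168.2.0/24 via 192.168.1.10 added. Pasting real `route -n` output into the same variable checks another box.

```shell
#!/bin/sh
# Added example, not part of the thread: longest-prefix route lookup in
# POSIX shell, showing which gateway and interface WS 1 picks for a reply
# to a 192.168.2.x host before and after the static route exists.
# Input is the numeric `route -n` table (Destination Gateway Genmask
# Flags Metric Ref Use Iface); header lines are skipped.

# ip4_to_int A.B.C.D -> unsigned 32-bit value
ip4_to_int() {
    _ifs=$IFS
    IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# lookup_route TABLE DEST -> the matching row with the longest (largest) mask
lookup_route() {
    _dest=$(ip4_to_int "$2")
    _best_mask=-1
    _best=""
    while read -r _net _gw _mask _rest; do
        case $_net in ''|Kernel*|Destination*) continue ;; esac
        _m=$(ip4_to_int "$_mask")
        _n=$(ip4_to_int "$_net")
        if [ $(( _dest & _m )) -eq "$_n" ] && [ "$_m" -gt "$_best_mask" ]; then
            _best_mask=$_m
            _best="$_net $_gw $_mask $_rest"
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$_best"
}

# next_hop TABLE DEST -> "GATEWAY IFACE", or "direct IFACE" when on-link
next_hop() {
    _row=$(lookup_route "$1" "$2")
    if [ -z "$_row" ]; then
        echo unreachable
        return 1
    fi
    set -- $_row
    if [ "$2" = 0.0.0.0 ]; then
        echo "direct $8"
    else
        echo "$2 $8"
    fi
}

# WS 1's table as posted (constructed sample; hostnames replaced by the
# addresses they are assumed to stand for)
WS1_ROUTES='192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
84.121.224.0    0.0.0.0         255.255.224.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         84.121.224.1    0.0.0.0         UG    0      0        0 eth0'

# The same table with a return route for the router's subnet added
WS1_FIXED="192.168.2.0     192.168.1.10    255.255.255.0   UG    0      0        0 eth1
$WS1_ROUTES"

echo "reply to 192.168.2.100, table as posted:  $(next_hop "$WS1_ROUTES" 192.168.2.100)"
echo "reply to 192.168.2.100, with static route: $(next_hop "$WS1_FIXED" 192.168.2.100)"
echo "reply to 192.168.1.10:                     $(next_hop "$WS1_FIXED" 192.168.1.10)"
```

With the table as posted, the only row that matches 192.168.2.100 is the default route, so the reply leaves on eth0 towards the ISP gateway and never reaches the router; once the 192.168.2.0/24 row exists its longer mask wins and the reply goes to 192.168.1.10 on eth1.

----------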

## strider2003

> 192.168.1.10, should work if packet forwarding is on

I understand from this that I should activate packet forwarding in the router. Am I right?

----------

## strider2003

Ok, ping from 192.168.2.100 to 192.168.1.10 works fine. I'm adding this route to the table...

----------

## NeddySeagoon

strider2003,

The router either needs to do packet forwarding or NAT. The choice is yours.

If you use packet forwarding then packets from the 192.168.2.0 network appear unchanged on the wires being used for the 192.168.1.0 network and reach WS 1.

If you use NAT then packets from 192.168.2.0 are NATed to look like they came from the router box.

As always, the choice is yours. I use packet forwarding in my two network segment home net.

Here is the routing table from my router (with forwarding on)

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.100.1   0.0.0.0         UG    1      0        0 eth1
```

and from one of my PCs on 192.168.100.0 that is able to talk to the 192.168.0.0 network

```
/sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     192.168.100.6   255.255.255.0   UG    0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.100.1   0.0.0.0         UG    0      0        0 eth0
```

----------

## strider2003

:(

I'm trying to set up the rule you said, but an error is returned:

```
SIOCADDRT: Invalid argument
```

----------

## NeddySeagoon

strider2003,

I forgot the netmask; the `/24` is the shorthand. Sorry about that.

```
route add -net 192.168.2.0/24  gw 192.168.1.10 eth?
```

fix the ? as before.

```
route -h
```

will provoke the route command into providing syntax help.

----------

