Something I am missing, but what is it?

So, I set this up to lab some ACL stuff and here is the layout I came up with.

Core SW and PC1 has full internet connectivity. Can also ping 192.168.2.x interfaces.
Can ping PC0 to PC1 and vice versa.

Problem is , anything behind the ACL router does not have full connectivity.

I must be missing something simple, but after playing with this for over an hour can't think of what it is.

I believe DNS is kind of working behind ACL router because when trying to ping outside , it is resolving fqdn to ip but I am getting RTO/detination host unreachable.

I think maybe where I am screwing up is how to correctly configure default name server and default gateway for the ACL/SW_C/ and PC0.

For PC0 since it can ping to 192.168.1.1 I set that as the DNS but 192.168.2.1 as the GW ip
For SW_C I set default gateway and name server as 192.168.1.1
For ACL router I set up ip name server as 192.168.1.1

Problem : Can't ping to outside from behind acl router connected to the core switch.
No problem with going outside from the core switch.
No problem with connecting PC0 to PC1 etc... problem is just with resolving / ping/icmp responses behind ACL router to outside local lan.

Can ping anything else just fine, including the dd-wrt router isp interface.

C:\Users\jean>ping google.com
Pinging google.com [74.125.239.104] with 32 bytes of data:
Reply from 192.168.2.1: Destination host unreachable.
Reply from 192.168.2.1: Destination host unreachable.
Request timed out.
Reply from 192.168.2.1: Destination host unreachable.
Ping statistics for 74.125.239.104:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

layout.jpg

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

networker050184

Default route on the ACL router? Is the 192.168.2.0 network set to be NAT'ed?

JeanM

networker - no NAT/ACL in place at the "acl" router. I did not configure a default route on the ACL router, so I'll give that a shot.

So, to confirm, is it best to configure end systems and stub routers/switches with the most "up stream" interface for name server/dns or does it matter?
What do you recommend.

networker050184

So how do you expect to hit things on the internet with private IPs if you aren't NATing them?

It is best to point your routers and switches at the actual name server, not upstream interfaces.

JeanM

I didn't think NAT is required at ACL router level because I can have multiple computers behind the 192.168.1.1 and 192.168.1.2 access internet just fine.

Basically NAT is in place up the chain, didnt' think it's needed below where I am just going from 1.0 to 2.0 network and where ACL router is taking care of routing?

f0rgiv3n

What about the network between the linksys and the cable modem. If that network is also privately addressed, does the cable modem know to send all traffic destined for 192.168.2.0 to the linksys?

networker050184

You don't need to NAT on the ACL router specifically, but eventually you are going to need to NAT those addresses.

JeanM

I can't make any changes at the cable modem level, the "linksys" is really a netgear dd-wrt router where I have added a route for .2.0 network. So that is working since I can ping between devices on 1.0 and 2.0 networks and interfaces.

The cable modem provides one ip address (192.168.1.1 as the gateway to outside) to the DD-WRT router. The issue is with devices "from" 2.0 not getting icmp on ping, but I think DNS is working since in the example above the fqdn is resolved into ip.

JeanM

networker - ok, so since NAT is already in place at the dd-wrt router and is working for 192.168.1.0 network , and the same router has 2.0 route. Is there something special I need to do for NAT to work with 2.0 ?

f0rgiv3n

The cable modem doesn't know to send the 192.168.2.X traffic to your DD-WRT router. Sure your DD-WRT router knows how to get to it, but the breakage is at the cable modem. You can either do a route on the cable modem sending it to the DD-WRT or if that's not possible configure proxy-arp for the 192.168.2.X network on the DD-WRT (if possible) so it responds to the cable modem looking for that network. I guess you could also configure the DD-WRT router to NAT that traffic so it looks like the 192.168.2.X traffic is coming from the DD-WRT router.

networker050184

Yep, as f0rgiv3n stated, you need two things. Routing to that subnet and a place to NAT it.

JeanM

I see it, that makes sense. Thanks guys! This is why I love hands on labs

networker050184

Always think of routing as a two way street. Just because a packet can get somewhere doesn't mean it can get back. This is one of the biggest problems I see when people are starting out.

JeanM

Not seeing any options for setting up a proxy-arp on the dd-wrt router or to set up NAT for 192.168.2.0
Using Dd-WRT v24-sp2

I guess one thing I am still not sure about is this -

"You can either do a route on the cable modem sending it to the DD-WRT or if that's not possible configure proxy-arp for the 192.168.2.X network on the DD-WRT (if possible) so it responds to the cable modem looking for that network."

If the dd-wrt does natting, and it allows me to add the routes for various networks, doesn't it then only show 192.168.1.1 to the cable modem? Why does the cable modem need to know anything about 2.x? I understand it would be required IF there is not NAT, but since it's doing NAT (dd-wrt is setup as gateway vs. router , if it was set as router then it would not do any NAT), doesn't only "show" one lan ip address to the wan ip address provided by the cable modem/isp?

Wouldn't adding a route on the cable modem to 2.x be the case IF dd-wrt was not doing nat? This is the parts that I would like to understand 100%. Since the dd-wrt router is doing nat translation already, behind the cable modem, why do I need to do anything different other than additing an additional route in the dd-wrt router for the 2.x ? How do I confirm that it's only doing NAT for .1.x ?

f0rgiv3n

I think there might be something else that is going on. You have a 192.168.1.X network on both sides of the dd-wrt router. if that dd-wrt router is routing traffic that could cause some problems. It might not be the cause of your current problem but it will make things easier if you made the three networks different.

My first thought in response to your question is that the dd-wrt router is probably set to automatically NAT it's inside interface to its outside interface. So what I mean is that no matter what the IP is on the inside interface, it has a rule to NAT incoming packets on inside to the outside interface IP. That rule probably doesn't include the 192.168.2.X network. That would be why the 1.X network works while 2.X does not.

With that said, I would change the IP scheme between the cable modem and your dd-wrt to something like 192.168.0.X and see if it makes a difference. If not, take a look at either a route on the cable modem, or see if you can modify the NAT configs on the dd-wrt to encompass 192.168.2.X. Does that make sense?

JeanM

Thanks f0rgiv3n, that does make more sense. The LAN ip between dd-wrt and cable modem is 1.1 and the WAN is 67.174.x.x . Through the dd-wrt gui, I haven't any way to modify NAT but it might be doable from the command line after searching some other forums regarding dd-wrt & nat settings. The only options I am seeing through the gui is for adding other subnets, like I did with 2.0 . It's set as "gateway" and reading the internal help leads me to believe that is the correct setting as it's doing NAT when it's set as gateway vs. setting it as router.

Advanced RoutingOn the Routing screen, you can set the routing mode and settings of the router. Gateway mode is recommended for most users.

Operating ModeChoose the correct working mode. Keep the default setting, Gateway, if the router is hosting your network's connection to the Internet. Select router if the router exists on a network with other routers. In Gateway mode the router performs NAT, while in other modes it doesn't.

Dynamic RoutingDynamic Routing enables the router to automatically adjust to physical changes in the network's layout and exchange routing tables with other routers. The router determines the network packets’ route based on the fewest number of hops between the source and destination.

To enable the Dynamic Routing feature for the WAN side, select WAN. To enable this feature for the LAN and wireless side, select LAN & WLAN. To enable the feature for both the WAN and LAN, select Both. To disable the Dynamic Routing feature for all data transmissions, keep the default setting, Disable.

I'll try changing the ip scheme and go from there.

JeanM

So last night I made this work.... went with different subnets 192.168.20/30/40 and 172.16 and got 5 routers and 3 switches to all have full connectivity via my cable modem to isp and back.... including domain lookup etc, used a combination of rip2 and static routes. Now to add FR to this mix and then a couple more routers with osps and eigrp. For kicks I then run dslreports speed tests over the serial links and with clock rate set at 250000 got
latency 31 ms / download speed 217 kb/sec / upload speed 238 kb/sec . I then bumped the clock rate up to 800000 and got latency 24ms
698 kb/sec down and 763 kb/sec up .