Geekzone: technology news, blogs, forums


mjb
Topic # 31233 9-Mar-2009 20:06

So, I was under the mistaken impression that routing a /29 over my AM300-in-half-bridge would be easy... apparently not, unless it'll actually work but I'm doing something stupid on my Linux firewall.

tcpdump is certainly not showing any incoming traffic on the firewall, but a traceroute on a remote host is getting to my DSL IP, just not to the host after that. Of course with half bridge my DSL IP appears twice, once on the AM300, and second on the NIC on the firewall, and it'll be hitting the first. I'm assuming that the AM300 is not very clever with anything other than the IP it gets from the connection.

I've tried various configurations - with and w/o half-bridge, with and w/o a static route on the AM300, etc etc.

Anyone got any ideas?




contentsofsignaturemaysettleduringshipping


Ragnor
Reply # 200249 9-Mar-2009 21:52

You can test whether it's the configuration on the AM300 or on the firewall by bypassing the firewall and plugging any PC straight into the AM300 with DHCP/obtain IP address automatically enabled on the PC. If the PC is able to send and receive traffic when un-firewalled like this, then it points to a problem in the configuration of your firewall.

mjb
Reply # 200256 9-Mar-2009 22:08

Maybe, but the problem is not with the general operation of the modem and the IP for the PPPoA link, it's the routing of a /29.

Pinging one of the /29 from a remote host, I get ICMP redirects with a next hop of the IP I'm pinging. If I add a static route to the AM300 that routes the subnet to the firewall on the internal private network, I no longer get redirects, but I also get no traffic at all on the NIC of the firewall.

Maybe I need to re-adjust the LAN segment between the modem and firewall to use that /29 range? Maybe it's just time for a Cisco 877 which I know can do this :) Just expensive :(




mjb
Reply # 200263 9-Mar-2009 23:41

Nasty, but it does work....

You need to turn off NAT, and disable half-bridge mode. The modem needs to use one of the IP addresses in the /29 range, and then things just suddenly start working. I'm currently experimenting with adjusting the IP range to a /28 so that I can have the modem on a non-routed IP because it's accessible externally otherwise...




Ragnor
Reply # 200302 10-Mar-2009 10:02

mjb: ...Maybe I need to re-adjust the LAN segment between the modem and firewall to use that /29 range...


Having the AM300 and firewall LAN IPs in the /29 range would make sense. However, I wouldn't expect too much from the AM300. I found the half bridging on the Dynalink RTA1320 to simply work better. The AM300 struggled when the gateway was on a different subnet to the WAN IP address; then they released firmware to fix that and broke being able to get to the AM300 via its LAN IP address when the half bridging is up and running.

mjb
Reply # 200308 10-Mar-2009 10:23

Ragnor:

Having the AM300 and firewall LAN IPs in the /29 range would make sense. However, I wouldn't expect too much from the AM300. I found the half bridging on the Dynalink RTA1320 to simply work better.


Seems to be performing OK at this stage. I am aware that its NAT/SPI implementations leave a lot to be desired, but fortunately, in the configuration I have at the moment, they're both off.

Turns out that I can indeed use a /28 between the firewall and the AM300, which now means that the AM300 isn't consuming a 'public' IP on its LAN side (well, one that's not routed to me at least). The only downside now is that to get full (ab)use of all 8 IPs, I'd need to extend right back to a /26 on that segment, meaning I can't reach a much larger number of potentially legitimate IPs.

Ragnor:

The AM300 struggled when the gateway was on a different subnet to the WAN IP address; then they released firmware to fix that and broke being able to get to the AM300 via its LAN IP address when the half bridging is up and running.


Hmm, that wasn't a problem for me - I did have to add an interface alias on the firewall to reach the AM300 on the private net though. What I had was:

LAN(10.0.0.0/24)---(10.0.0.254)Firewall(public IP)---(halfbridge)AM300------Internet

And: Firewall(10.0.1.1)---(10.0.1.254)AM300




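The addressing scheme the third and last posts converge on (NAT and half-bridge off on the modem, the modem's LAN side and the firewall's outside NIC sharing one Ethernet segment, the modem kept off the routed /29 by widening that segment) can be worked through with the script below. It is an added example, not code from the thread or from mjb's firewall. The 203.0.113.0/24 (TEST-NET-3) addresses and the interface name eth1 are constructed placeholders; the routed /29 is placed at .24 so that, as in the last post, a /26 turns out to be the smallest segment that leaves all eight addresses usable. It goes a little beyond the thread in computing that prefix for any /29 position rather than assuming /26, and in counting the outside addresses that a wider segment makes unreachable.

```python
"""Plan the modem-to-firewall Ethernet segment for a routed /29.

Added example, not code from the thread.  It models the layout the thread ends
with: NAT and half-bridge off on the modem, the modem's LAN port and the
firewall's outside NIC on one segment, the ISP routing the /29 to the modem.
The prefix chosen for that segment decides which addresses the modem and the
firewall consume, how many of the eight routed addresses stay usable for
hosts, and how many other public addresses become unreachable because the
firewall now treats them as on-link.  All addresses are constructed
(TEST-NET-3, 203.0.113.0/24); the interface name is a placeholder.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SegmentPlan:
    routed: ipaddress.IPv4Network     # block the ISP routes to the DSL IP
    segment: ipaddress.IPv4Network    # prefix on modem LAN side and firewall WAN NIC
    modem: ipaddress.IPv4Address
    firewall: ipaddress.IPv4Address
    host_addresses: tuple             # routed addresses left for real hosts
    collateral: tuple                 # not routed to you, yet now unreachable


def smallest_segment_freeing_routed_block(routed, widest=24):
    """Least-specific enclosing prefix (no wider than /widest) in which no
    routed address is the segment's network or broadcast address, so all
    eight can carry hosts.  A /29 that starts on the boundary of every
    supernet (e.g. x.x.x.0/29) has no such prefix within the bound: None."""
    routed = ipaddress.ip_network(str(routed))
    for plen in range(routed.prefixlen - 1, widest - 1, -1):
        seg = routed.supernet(new_prefix=plen)
        if (routed.network_address != seg.network_address
                and routed.broadcast_address != seg.broadcast_address):
            return seg
    return None


def plan_segment(routed, segment):
    """Assign modem and firewall addresses for a segment prefix and account
    for what the choice costs.  Both arguments accept CIDR strings."""
    routed = ipaddress.ip_network(str(routed))
    segment = ipaddress.ip_network(str(segment))
    if not routed.subnet_of(segment):
        raise ValueError(f"{routed} is not inside {segment}")
    reserved = {segment.network_address, segment.broadcast_address}
    # Routed addresses that can carry a host on this segment: only the
    # network and broadcast address of the *segment* are off limits.
    usable = [a for a in routed if a not in reserved]
    if segment == routed:
        # Third post's layout: modem and firewall each burn one routed address.
        firewall, modem = usable[0], usable[-1]
        collateral = ()
    else:
        # The /28 trick from the last post: modem and firewall take addresses
        # of the enclosing prefix that are NOT routed to you, so the modem has
        # no publicly reachable address and the routed block is all for hosts.
        outside = [a for a in segment.hosts() if a not in routed]
        firewall, modem = outside[0], outside[-1]
        # Every other outside address is now ARPed for locally instead of being
        # forwarded to the modem: a legitimate remote host you can no longer reach.
        collateral = tuple(a for a in outside if a not in (firewall, modem))
    host_addresses = tuple(a for a in usable if a not in (firewall, modem))
    return SegmentPlan(routed, segment, modem, firewall, host_addresses, collateral)


def firewall_wan_commands(plan, wan_if="eth1"):
    """iproute2/sysctl lines for the firewall's modem-facing NIC (wan_if is a
    placeholder).  The modem is the default gateway and forwarding is on.
    ICMP redirects, the symptom seen while the modem still answered for the
    /29, are ignored so the modem cannot steer the firewall's routing table."""
    plen = plan.segment.prefixlen
    return [
        f"ip addr flush dev {wan_if}",
        f"ip addr add {plan.firewall}/{plen} dev {wan_if}",
        f"ip route replace default via {plan.modem} dev {wan_if}",
        "sysctl -w net.ipv4.ip_forward=1",
        f"sysctl -w net.ipv4.conf.{wan_if}.accept_redirects=0",
    ]


if __name__ == "__main__":
    routed = "203.0.113.24/29"
    for segment in (routed, "203.0.113.16/28",
                    smallest_segment_freeing_routed_block(routed)):
        p = plan_segment(routed, segment)
        print(f"segment {p.segment}: modem {p.modem}, firewall {p.firewall}, "
              f"{len(p.host_addresses)} host addresses, "
              f"{len(p.collateral)} outside addresses made unreachable")
    print("\n".join(firewall_wan_commands(plan_segment(routed, "203.0.113.16/28"))))
```

Run as a script it prints the three layouts side by side: on the bare /29 the modem and firewall eat two of the six host addresses; on the /28 the modem drops off the routed block at the price of five outside addresses; on the /26 all eight routed addresses are free but 52 legitimate remote addresses become on-link and unreachable from the firewall. That collateral count is the concrete form of the downside in the last post, and where the routed block sits inside its supernets decides whether the answer is /27, /26 or worse.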

