Geekzone: technology news, blogs, forums
mjb
# 31233 9-Mar-2009 20:06

So, I was under the mistaken impression that routing a /29 over my AM300-in-half-bridge would be easy... apparently not, unless it'll actually work but I'm doing something stupid on my linux firewall.

tcpdump is certainly not showing any incoming traffic on the firewall, but a traceroute on a remote host is getting to my DSL IP, just not to the host after that. Of course with half bridge my DSL IP appears twice, once on the AM300, and second on the NIC on the firewall, and it'll be hitting the first. I'm assuming that the AM300 is not very clever with anything other than the IP it gets from the connection.

I've tried various configurations - with and w/o half-bridge, with and w/o a static route on the AM300, etc etc.

Anyone got any ideas?




contentsofsignaturemaysettleduringshipping


Ragnor
# 200249 9-Mar-2009 21:52

You can test whether it's the configuration on the AM300 or on the firewall by bypassing the firewall and plugging any PC straight into the AM300 with dhcp/obtain ip address automatically enabled on the PC. If the PC is able to send and receive traffic when un-firewalled like this then it points to a problem in the configuration of your firewall.

mjb
# 200256 9-Mar-2009 22:08

Maybe, but the problem is not with the general operation of the modem and the IP for the PPPoA link, it's the routing of a /29.

Pinging one of the /29 from a remote host, I get ICMP redirects with a next hop of the IP I'm pinging. If I add a static route to the AM300 that routes the subnet to the firewall on the internal private network, I no longer get redirects, but I also get no traffic at all on the NIC of the firewall.

Maybe I need to re-adjust the LAN segment between the modem and firewall to use that /29 range? Maybe it's just time for a Cisco 877 which I know can do this :) Just expensive :(


mjb
# 200263 9-Mar-2009 23:41

Nasty, but it does work....

You need to turn off NAT, and disable half-bridge mode. The modem needs to use one of the IP addresses in the /29 range, and then things just suddenly start working. I'm currently experimenting with adjusting the IP range to a /28 so that I can have the modem on a non-routed IP because it's accessible externally otherwise...


Ragnor
# 200302 10-Mar-2009 10:02

mjb: ...Maybe I need to re-adjust the LAN segment between the modem and firewall to use that /29 range...


Having the AM300 and Firewall LAN IPs in the /29 range would make sense. However I wouldn't expect too much from the AM300. I found the half bridging on the Dynalink RTA1320 to simply work better. The AM300 struggled when the Gateway was on a different subnet to the WAN IP address, then they released firmware to fix that and broke being able to get to the AM300 via LAN IP address when the half bridging is up and running.

mjb
# 200308 10-Mar-2009 10:23

Ragnor:

Having the AM300 and Firewall LAN IPs in the /29 range would make sense. However I wouldn't expect too much from the AM300. I found the half bridging on the Dynalink RTA1320 to simply work better.


Seems to be performing OK at this stage, I am aware that its NAT/SPI implementations leave a lot to be desired, but fortunately in the configuration I have at the moment, they're both off.

Turns out that I can indeed use a /28 between the firewall and the AM300, which now means that the AM300 isn't consuming a 'public' IP on its LAN side (well, one that's not routed to me at least). The only downside now is that to get full (ab)use of all 8 IPs, I'd need to extend right back to a /26 on that segment, meaning I can't reach a much larger number of potentially legitimate IPs.

Ragnor:

The AM300 struggled when the Gateway was on a different subnet to the WAN IP address, then they released firmware to fix that and broke being able to get to the AM300 via LAN IP address when the half bridging is up and running.


Hmm, that wasn't a problem for me - I did have to add an interface alias on the firewall to reach the AM300 on the private net though. What I had was:

LAN(10.0.0.0/24)---(10.0.0.254)Firewall(public IP)---(halfbridge)AM300------Internet

And: Firewall(10.0.1.1)---(10.0.1.254)AM300

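The addressing trade-off mjb describes above (widening the modem-to-firewall segment to a /28 or /26 so the AM300 can sit on a non-routed address, at the cost of the firewall treating other non-routed addresses as on-link and so unreachable) worked through with Python's ipaddress module. This is an added example, not code from the thread; the 203.0.113.24/29 block and the modem/firewall addresses are constructed documentation-range values, not the poster's real allocation.

```python
import ipaddress

# Constructed example values (TEST-NET-3 documentation range), not the poster's real block.
ROUTED_BLOCK = "203.0.113.24/29"   # the /29 the ISP routes to the DSL connection


def segment_plan(routed_block, prefixlen):
    """Widen the modem<->firewall segment to /prefixlen around the routed block.

    Returns (segment, usable_routed, collateral):
      usable_routed - routed addresses that are valid hosts on the wider segment
      collateral    - addresses on the segment that are NOT routed to us; the
                      firewall now ARPs for them instead of sending them upstream,
                      so those Internet hosts become unreachable from the LAN.
    """
    routed = ipaddress.ip_network(routed_block)
    segment = routed.supernet(new_prefix=prefixlen)
    reserved = {segment.network_address, segment.broadcast_address}
    usable_routed = [a for a in routed if a not in reserved]
    collateral = [a for a in segment if a not in routed and a not in reserved]
    return segment, usable_routed, collateral


def smallest_prefix_for_full_use(routed_block):
    """Shortest prefix at which every address of the routed block is a usable host."""
    routed = ipaddress.ip_network(routed_block)
    for plen in range(routed.prefixlen, 0, -1):
        _, usable, _ = segment_plan(routed_block, plen)
        if len(usable) == routed.num_addresses:
            return plen
    return None


def modem_address_ok(routed_block, prefixlen, modem_ip):
    """True if the modem is a valid host on the segment but outside the routed block,
    i.e. its LAN address is not one the Internet can reach through the routed /29."""
    _, _, collateral = segment_plan(routed_block, prefixlen)
    return ipaddress.ip_address(modem_ip) in collateral


if __name__ == "__main__":
    total = ipaddress.ip_network(ROUTED_BLOCK).num_addresses
    for plen in (29, 28, 26):
        seg, usable, lost = segment_plan(ROUTED_BLOCK, plen)
        print(f"/{plen}: segment {seg}, {len(usable)} of {total} routed addresses usable, "
              f"{len(lost)} non-routed addresses become on-link")
    print("full use of all routed addresses needs /%d" % smallest_prefix_for_full_use(ROUTED_BLOCK))
    print("modem at 203.0.113.17 on a /28:", modem_address_ok(ROUTED_BLOCK, 28, "203.0.113.17"))
```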