Connectivity issues with my Linux firewall/gateway

dave247

I have a Debian 5 Linux Gateway/Firewall system that I've been configuring to replace my Linksys WRT54GL router. Currently, I have it fully working with internet access, though it is sitting behind my Linksys router at the moment.

Here is the network layout that allows Internet access:
Internet --- Cable modem --- Linksys router --- Linux gateway --- 24 port switch --- hosts


Here is the problematic layout:
Internet --- Cable modem --- Linux gateway --- 24 port switch --- hosts


Linux gateway details:
  • eth0 - external WAN device set as auto DHCP client (obtains 192.168.1.x from the Linksys when connected behind it, and obtains a public IP from the ISP when connected directly to the modem).
  • eth1 - internal network device with a static IP of 172.16.0.1; this is the NIC my DHCP server listens on.

The problem arises when I remove the Linksys from the equation and connect my Linux gateway system directly to my cable modem. I seem to lose partial connectivity... I am not able to access webpages as the browser endlessly hangs. However, I am able to ping remote hosts and get 100% replies. It's as if I have internet access but I can't make http requests.

On the Linux system, I have enabled ip_forwarding in the kernel and I have a basic iptables firewall script which enables ip masquerading/NAT. I know the firewall is functional since hosts can connect to the internet through the gateway as they should -- but only when the Linksys is in place.

I am trying to figure out what the reason is for this problem when all I am doing is connecting my Linux system directly to my cable modem. What is my Linksys doing that my Linux network card is not??

I have made sure to carefully reboot systems and services each time I make a change to the network or config files, i.e. ifup, ifdown, /etc/init.d/networking restart, as well as rebooting computers, and the results are the same every time: Internet with the Linksys, no Internet without. Furthermore, I have eliminated these possible causes of the problem through aggressive troubleshooting:
  • Cable modem needs to be rebooted before connecting new network pc/other device: I do this every time and internet only works when Linksys is present
  • ISP requires mac address of router or computer to be registered before it can access the internet: I checked with them and they said only a modem's mac address must be registered.
  • Firewall improperly configured: 172.16.0.0 hosts can access Internet regardless of firewall, but only when Linksys is present.
  • Bad Ethernet cables: I checked everything and they all work.

Peculiarities noticed:
  • I can ping remote hosts and I get 100% replies, yet Firefox and IE hang endlessly upon startup.
  • My little network status icon on windows tells me "internet access"
  • I used two separate Windows machines and one other Linux system to ping google.com at the same time, and I noticed that I get a reply from the same IP on the Windows systems (something like 209.42.225.28) but on the Linux system I got a reply from something like 89.54.225.24. Not sure why.

Any input is appreciated!
 
It could be a NAT issue. Why don't you just use pfSense or another Linux-based firewall distro?
 
> It could be a NAT issue. Why don't you just use pfSense or another Linux-based firewall distro?

I don't know how it could be a NAT issue (not ruling it out) because why would NAT work between eth0, eth1, and the Linksys but not between eth0 and eth1?

I eventually do plan to use something like pfSense, but what I am doing is part of a research project, and I am trying to better learn the inner workings of Linux and networking.
 
Because the Linksys is doing the NAT and the Linux box is just doing the route to the Linksys box. Still, I am not sure the ping would work if this was the case.
 
> Because the Linksys is doing the NAT and the Linux box is just doing the route to the Linksys box. Still, I am not sure the ping would work if this was the case.

Actually I set up ip masquerade/NAT with my iptables firewall script.


I will check my script again for errors.
 
I don't know the answer, but I would love to hear the answer when you figure it out.

Can you try anything besides port 80 HTTP traffic? (Can you attempt to connect to an SSH server, or an FTP server?)

The reason I ask is because I believe most NAT systems I know handle ICMP packets (ping) and TCP/UDP/IP (HTTP, FTP, SSH, etc.) traffic differently. So maybe there is something wonky going on with the TCP/UDP/IP portion of your NAT system.

However, maybe your Linux system is just discriminating against port 80 traffic, in which case I don't know.
 
When you're pinging remote hosts while your *nix box is connected directly to the modem, are you pinging DNS names, or are you pinging IP addresses? And I take it you're getting 100% replies? (I know you said you can ping it, but it's the replies that count; you can ping something and not get replies.)

Have you powered off your cable modem for a few minutes to flush the learned MAC address that it bound to (your Linksys WAN interface)? If you have VoIP too, you have to remove the battery from the modem also. After a few minutes, power on and allow it to sync. Power up the *nix router; once it's up, /renew the IP of a PC and see if anything is different. Some cable ISPs won't give a proper public IP if the modem hasn't bound to the MAC of the new device yet. Killing power on the modem flushes that out and it'll bind to the next device it's powered up to.
 
> When you're pinging remote hosts while your *nix box is connected directly to the modem, are you pinging DNS names, or are you pinging IP addresses? And I take it you're getting 100% replies? (I know you said you can ping it, but it's the replies that count; you can ping something and not get replies.)
>
> Have you powered off your cable modem for a few minutes to flush the learned MAC address that it bound to (your Linksys WAN interface)? If you have VoIP too, you have to remove the battery from the modem also. After a few minutes, power on and allow it to sync. Power up the *nix router; once it's up, /renew the IP of a PC and see if anything is different. Some cable ISPs won't give a proper public IP if the modem hasn't bound to the MAC of the new device yet. Killing power on the modem flushes that out and it'll bind to the next device it's powered up to.

Not to be rude, but did you even read my post? :rolleyes:
 
> Can you try anything besides port 80 HTTP traffic? (Can you attempt to connect to an SSH server, or an FTP server?)

I tried to ssh to a remote host at my college and I was able to successfully log in, yet http requests still hang (as expected). So this tells me that it's probably a problem with my NAT system regarding my http requests... any ideas?
 
I wonder if you have issues with port 80, or HTTP traffic specifically.
What if you try to telnet to a website?
Windows example:

cmd
telnet
open www.google.com 80

If successful, you can start typing right away and you'll notice the cursor jumped back to the top of the cmd line and it's overwriting the text there. You've established a TCP/IP connection on port 80.

If unsuccessful, it won't let you type anywhere, and after about a minute of attempting to connect it will eventually say it failed. You have failed to connect on TCP/IP port 80.
 
> Not to be rude, but did you even read my post? :rolleyes:

His questions were quite legitimate. He wants to ensure DNS is properly working, which your first post certainly does not prove. Sure, you pinged google.com, but it's almost certain that google.com is in your DNS cache. Ping something you definitely do not have in your cache, or clear your cache and ensure it's working.

His second question relates to the learned MAC on the Cable network. Most people who work for your cable provider are totally clueless how this works and in my experience the cable networks are rather relentless about hanging on to your MAC for 5-15 minutes AFTER you power off your modem (and remove the battery if you have one), despite what the person on the phone tells you. It matters. They often block traffic except to a single learned MAC, that very well could be http and common traffic only.
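The telnet-to-port-80 test suggested above and the DNS-cache point just raised, combined into one Python script so each layer (name lookup, TCP handshake, an actual HTTP reply) reports separately; this is an added example, not code from anyone in the thread. The loopback listener is constructed only so the script can be exercised offline, and `example.invalid` is a placeholder Host header.

```python
import socket
import sys
import threading

def resolve(name):
    # DNS step: None means the lookup itself failed (a cached name can hide this)
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def tcp_connect(ip, port, timeout=5.0):
    # Handshake step: a connected socket, or None on refusal/timeout
    try:
        return socket.create_connection((ip, port), timeout=timeout)
    except OSError:
        return None

def http_probe(ip, port=80, host="example.invalid", timeout=5.0):
    """Classify like the telnet test: 'tcp-failed' (handshake never completes),
    'no-response' (connected, but nothing comes back), or 'ok'."""
    sock = tcp_connect(ip, port, timeout)
    if sock is None:
        return "tcp-failed"
    try:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        return "ok" if sock.recv(1024) else "no-response"
    except OSError:  # socket.timeout is an OSError
        return "no-response"
    finally:
        sock.close()

def local_server(respond):
    # Constructed loopback listener for offline checks: answers one request
    # like a web server, or closes without replying when respond is False
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        conn.recv(1024)
        if respond:
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":  # usage: python probe.py www.google.com
    ip = resolve(sys.argv[1])
    print("dns:", ip, "http:", ip and http_probe(ip, 80, sys.argv[1], 3.0))
```

A 'tcp-failed' on port 80 while `tcp_connect(ip, 22)` succeeds matches the SSH-works-but-HTTP-hangs symptom in this thread; 'no-response' means the handshake completed and the problem is past the connection setup.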
 
> Not to be rude, but did you even read my post? :rolleyes:

Yes... what part of my reply is zooming over your head?
You said "rebooting" the modem, which is different from fully power cycling it and removing the battery if it has one.
You said you called the ISP and asked about registering MACs; the answer to that is totally irrelevant to modems binding to a MAC. Years ago some cable ISPs would have you register the MAC on their end, and this is compleeeeeeetely different from the modem identifying the MAC of the device attached to it.
You say you get a public IP on the WAN interface of your *nix device, but I'm not positive it's a true public IP and not a "walled garden" IP just making you "think" you're on a public IP.
 
Oh, sorry guys. I didn't mean that I was asking about registering the modem's MAC address... I actually asked my ISP if I could freely connect other routers and computers directly to my modem without having to wait forever before the MAC binding "expires" or whatever. They were also not that clear about it, but they basically said it would not be an issue. However, I have been power-cycling my modem each time I make a change, but maybe I need to be waiting longer than ten seconds.

The reason I know I have a true internet connection with my Linux system connected to the modem is because I attempted to ssh to a server at my school and I was able to log in. However, I was still unable to load any webpages.

obrith mentioned that my ISP may be blocking certain traffic to the learned MAC, such as HTTP and common traffic only... so maybe that is why I was able to SSH but unable to HTTP.

With the next chance I get, I will unplug my modem and wait like 20 minutes so a possible MAC binding expires... that or I will spoof my Linksys router's MAC with my Linux box.
 
> With the next chance I get, I will unplug my modem and wait like 20 minutes so a possible MAC binding expires... that or I will spoof my Linksys router's MAC with my Linux box.

That would be a good next couple of steps. I actually just moved and couldn't get my router to work after using my MacBook to check the line. Even unplugging for 5-10 minutes wouldn't work. I ended up spoofing the MacBook MAC on the router and it's working fine now.
 