Communicating (private LANs) with MT532

Hello, I need help to interconnect 5 private LANs, 4 wireless and 1 wired, with the MT router. The router can see all of them, but the stations cannot...

Router configuration, MT532 + WLSR2:

[admin@MG3] ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf

DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 192.168.1.0/24 192.168.1.254 ether1
1 ADC 192.168.2.0/24 192.168.2.254 wlan1
2 ADC 192.168.3.0/24 192.168.3.254 wlan1
3 ADC 192.168.4.0/24 192.168.4.254 wlan1
4 ADC 192.168.5.0/24 192.168.5.254 wlan1
5 A S 0.0.0.0/0 r 192.168.1.7 ether1
[admin@MG3] ip route>

From the router, pinging all hosts on the subnets works:

[admin@MG3] ip route> /ping 192.168.1.7
192.168.1.7 64 byte ping: ttl=64 time=2 ms
192.168.1.7 64 byte ping: ttl=64 time=1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 1/1.5/2 ms
[admin@MG3] ip route> /ping 192.168.5.1
192.168.5.1 64 byte ping: ttl=255 time=26 ms
192.168.5.1 64 byte ping: ttl=255 time=27 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 26/26.5/27 ms
[admin@MG3] ip route> /ping 192.168.2.1
192.168.2.1 64 byte ping: ttl=255 time=11 ms
192.168.2.1 64 byte ping: ttl=255 time=3 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 3/7.0/11 ms
[admin@MG3] ip route>

But from a host (for example 192.168.1.22) pinging the other subnets fails:
Host: ip=192.168.1.22 mask=255.255.255.0 gw=192.168.1.254

C:\Documents and Settings\Gustavo>ping 192.168.1.254

Pinging 192.168.1.254 with 32 bytes of data:
Reply from 192.168.1.254: bytes=32 time<1ms TTL=64
Reply from 192.168.1.254: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.1.254:
Packets: Sent = 2, Received = 2, Lost = 0
(0% loss),

C:\Documents and Settings\Gustavo>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.2.1:
Packets: Sent = 3, Received = 0, Lost = 3
(100% loss),

Thanks for your help.

On the wireless side, do the interfaces have "default forward" activated?
Or, in the access list, is "default forward" activated?

Yes, I set forward=yes:
[admin@MG3] interface wireless> print

default-forwarding=yes default-ap-tx-limit=1000000 default-client-tx-

[admin@MG3] interface wireless>

I can communicate, but with masquerade rules:
/ ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.3.0/24 action=masquerade comment="" disabled=no
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.5.0/24 action=masquerade comment="" disabled=no
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=masquerade comment="" disabled=no
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.4.0/24 action=masquerade comment="" disabled=no
add chain=srcnat out-interface=ether1 src-address=192.168.4.0/24 action=masquerade comment="" disabled=no
add chain=srcnat out-interface=ether1 src-address=192.168.3.0/24 action=masquerade comment="" disabled=no
add chain=srcnat out-interface=ether1 src-address=192.168.5.0/24 action=masquerade comment="" disabled=no
add chain=srcnat out-interface=ether1 src-address=192.168.2.0/24 action=masquerade comment="" disabled=no

Now these LANs communicate, not directly through the routing rules, but with masquerade. I don't like this method...
Better ideas? :)

What device is on 192.168.1.7, which seems to be the default gateway on the RB?
And do you have DNS set on the clients?
To which IP?
And, second, what masquerade rules do you have there? Did you specify the out interface?
I use mine with 2 to 4 interfaces, but the router itself is the gateway and responds to DNS queries. The router itself does the NAT, using one interface for outbound traffic.
Why don't you use the router as the default gateway?
It should work. This way you have masquerade between all networks. You should masquerade only the external IP address, which should be put on a router interface by itself.
Cheers.

Hello.
192.168.1.7 is my server, with 2 interfaces, one local and the other to the Internet.
This server is a public web server, and DNS server for local and public.
The clients have the MK IP as gateway and 192.168.1.7 as DNS.
The MK has a default route to 192.168.1.7; this IP is the gateway to the Internet for all local nets.

Clients -> gw: MK -> gw: 192.168.1.7 -> Internet

I need to control communication between the local nets (restrict or not) and all local nets' access to 192.168.1.7 towards the Internet, but without masquerade.

I would change the MT to be the gateway, give it the public IP of your server 192.168.1.7, and make the MT the DNS server as well (DNS - accept-remote-requests=yes).
I would port forward the ports used by the web server to it, with the server having only a private address.
For the traffic between clients to be enabled/disabled, make firewall rules which drop the traffic from a local interface that is not going to the outer interface, or permit it for specific in-interface/out-interface pairs (each one representing a network).
If you have another gateway than the MT, then it's simply much more complicated than it should be.
So:

  • MT as gateway - public interface

  • DNS - remote requests activated on the MT

  • web server in the internal network

  • port forward for the ports used by the web server

  • (you can use the MT DNS server in place of your 192.168.1.7 even for the Internet, even if this implies some risk.)

  • drop/allow traffic from specific in/out interfaces in the firewall for network interconnection.

If the MT is the gateway, then it is possible to allow/deny access to the net for every specific IP or MAC which tries to connect. :)

But, again, this is just how I would do it. You do not have to do it.
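The layout proposed in the last reply (MT as the only gateway, NAT on the public side only, routed and firewalled traffic between the private LANs, web server published by port forward), written out as a RouterOS configuration. This is an added example and not configuration from the thread or from any of its participants. Everything about the public side is assumed: a hypothetical uplink interface ether2 with the placeholder address 203.0.113.10/24 and ISP gateway 203.0.113.1. The LAN addresses are the ones in the route table above. Two things the reply glosses over: all four wireless subnets sit on the same interface (wlan1), so an in-interface/out-interface match cannot tell them apart and the inter-LAN policy has to match on src-address/dst-address; and the earlier masquerade workaround only works because it rewrites the source to the router's own address on the destination subnet, which usually means the far host had no working route back to 192.168.1.0/24 (check the station's gateway). Masquerade between private LANs also erases the source IP that per-host firewall rules and logs rely on, so it is kept for the public interface only. Parameter names follow current RouterOS (the DNS option is really `allow-remote-requests`), not the older `/ ip ...` export format seen in the thread.

```routeros
# Added example, not from the thread. Assumptions (not on the page):
#   ether2 = public uplink, 203.0.113.10/24 (placeholder), ISP gateway 203.0.113.1
#   web server stays at 192.168.1.7 and serves TCP/80 only
#   ether1 = 192.168.1.0/24 (wired), wlan1 = 192.168.2.0/24 .. 192.168.5.0/24

/ip address
add address=203.0.113.10/24 interface=ether2 comment="public side (assumed)"

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="default via ISP (assumed)"

/ip dns
set allow-remote-requests=yes servers=203.0.113.1
# The router now resolves for the LANs; the input chain below keeps it from
# being an open resolver on the public interface.

/ip firewall nat
# Masquerade only on the way out to the Internet. Inter-LAN traffic is routed,
# so the real source address survives and can be filtered and logged.
add chain=srcnat out-interface=ether2 action=masquerade comment="NAT to Internet only"
# Publish the web server by dst-nat instead of giving it the public address.
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.1.7 to-ports=80 comment="web server port forward"

/ip firewall filter
# --- input: who may talk to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Weak setting would be: no rule here, leaving DNS reachable from the Internet.
add chain=input in-interface=ether2 protocol=udp dst-port=53 action=drop comment="no public DNS"
add chain=input in-interface=ether2 protocol=tcp dst-port=53 action=drop comment="no public DNS"
add chain=input in-interface=!ether2 action=accept comment="LAN hosts may reach router and DNS"
add chain=input action=drop

# --- forward: Internet access and inter-LAN policy ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Every LAN may reach the Internet; replies match the established rule above.
add chain=forward in-interface=!ether2 out-interface=ether2 action=accept comment="LAN -> Internet"
# Let the port-forwarded traffic through to the server (dst-nat runs before
# this chain, so the destination is already the private address).
add chain=forward in-interface=ether2 dst-address=192.168.1.7 protocol=tcp dst-port=80 \
    action=accept comment="published web server"
# Inter-LAN policy matched on addresses, because the four wireless nets share
# wlan1 and cannot be told apart by interface. Wired LAN reaches everything,
# wireless net 2 reaches only the web/DNS server, all other LAN-to-LAN traffic
# is dropped. Adjust per network as required.
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.0.0/16 action=accept comment="wired LAN -> all LANs"
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.7 protocol=tcp dst-port=80 action=accept comment="wlan net 2 -> web"
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.7 protocol=udp dst-port=53 action=accept comment="wlan net 2 -> DNS"
add chain=forward src-address=192.168.0.0/16 dst-address=192.168.0.0/16 action=drop comment="default deny between LANs"
add chain=forward action=drop
```

To verify the inter-LAN path afterwards, ping 192.168.2.1 from 192.168.1.22 and watch the counters with `/ip firewall filter print stats`; the packets should hit the "wired LAN -> all LANs" rule, and the reply the established/related rule. If the reply never arrives while the ping works from the router itself, the station's own gateway or route to 192.168.1.0/24 is what needs fixing, not the NAT table.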