Linux-Hams archive - March 1997: Re: IPFWADM

Re: IPFWADM

Terry Dawson (wkutk.frhrqf@hosteddb.com)
Thu, 13 Mar 1997 09:15:44 +1100


Giles Warham wrote:

> I am using IP Tunneling, and have experienced the same crashes that
> someone else has commented about - I am just about to do away with the
> 'pointopoint' parameter, and use the alternate GW option on the route
> command to see if this prevents crashes (I am using 2.0.27). In the
> documentation I got with IPIP, it clearly shows the use of 'pointopoint',
> and makes no mention of using the GW option on the route command - so
> hopefully the bug is in the documentation, and not the code :-)

The original IPIP tunnel driver allowed only one encap destination per
device and this was configured using the pointopoint parameter.

This was enhanced sometime in the late 1.3.* kernels, and augmented
with the 'gw' parameter method. Both should still work as far as I'm
aware. That being said, I use the 'gw' method with 2.0.* kernels
with a pretty much full routing table completely uneventfully.

> I used to configure my firewall to do masq. on all forwarding, but have
> since found this to cause problems when playing with ipip tunnels - I want
> the machines on my subnet 192.168.2.* to be accessible on g7szb's network
> 10.0.0.*. I have tinkered with my firewall to make it only masq packets
> forwarded from my ethernet, but ran into a problem...
>
> This works:
> /sbin/ipfwadm -F -a accept -S 192.168.2.0/24 -D 192.168.2.0/24
>
> BUT THIS ONE DOESN'T (although it is accepted):
> /sbin/ipfwadm -F -a accept -S 192.168.2.0/24 -D 10.0.0.0/24

I'm a little confused Giles. These aren't masquerade rules.
These are firewall Forwarding rules. If you want masquerade
you need -M, not -F.

The first rule does little of any use, it says to forward any datagrams
with a source and destination address on the 192.168.2.*, in a typical
configuration these wouldn't be forwarded (because they'd be passed
directly between the two hosts) and so this rule would never get used.

The second rule is what you would use if you wanted to specifically
allow datagrams with a source of 192.168.2.* and destination of 10.0.0.*
to pass, this doesn't allow datagrams in the other direction though.

A diagram illustrating how the respective networks are interconnected
and what you want to achieve would be useful.

> When I do an 'ipfwadm -F -l', the program dies when it tries to list
> anything to do with 10.0.0.0 (source or dest). I can sort of understand
> why - basically if you replace all the zeros with 1-9, the problem goes
> away - so is this a bug, or a conflict between what is a real address and
> what is a broadcast address or summut? G7SZB's subnet has addresses in
> the range 10.0.0.1 (linux) thru 10.0.0.9. -- So how do I tell ipfwadm not
> to masq packets going from 192->10, without getting SZB to change all his
> IP addresses?

Expand on 'dies'. Do you mean it terminates with a seg fault, it freezes
with no console output and needs to be killed with a ^C, it silently
exits ?

> Kernel : 2.0.27
> ipfwadm: 2.3.0

At the bare minimum you should probably be running 2.0.29. But I don't
think there were any firewall/masq fixes in the .28 and .29 patches.

Send me a diagram of what you want to do and I'll see if I can help.

regards
Terry
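The point in the reply about the second rule being one-directional can be checked with a small model of ipfwadm's forwarding (-F) chain. This is an added example, not code from the thread or from ipfwadm: it assumes first-match evaluation over source/destination prefixes only (interface and protocol matching are left out) and takes the chain's default policy as a parameter; the function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Added example: a minimal model of the ipfwadm -F (forwarding) chain.
# Rules are tried in order; the first whose source AND destination
# prefixes both match decides the datagram, otherwise the chain's
# default policy (set with ipfwadm -F -p ...) applies.
# Helper names are hypothetical; interface (-W) and protocol (-P)
# matching, which real ipfwadm also does, are deliberately omitted.

def rule(policy, src, dst):
    return (policy, ip_network(src), ip_network(dst))

def forward_verdict(rules, src, dst, default="deny"):
    """Return the policy the chain applies to a src -> dst datagram."""
    s, d = ip_address(src), ip_address(dst)
    for policy, snet, dnet in rules:
        if s in snet and d in dnet:
            return policy
    return default

# The two -F accept rules quoted in the thread.
GILES_RULES = [
    rule("accept", "192.168.2.0/24", "192.168.2.0/24"),
    rule("accept", "192.168.2.0/24", "10.0.0.0/24"),
]

# The same rules plus the reverse-direction rule the reply says is
# missing, so replies from 10.0.0.* back to 192.168.2.* also pass.
BOTH_WAYS = GILES_RULES + [rule("accept", "10.0.0.0/24", "192.168.2.0/24")]

def demo():
    # Constructed sample addresses: one host on each subnet.
    out = ("192.168.2.5", "10.0.0.3")   # local subnet -> g7szb's network
    back = ("10.0.0.3", "192.168.2.5")  # the reply traffic
    return {
        "out_giles": forward_verdict(GILES_RULES, *out),    # accept
        "back_giles": forward_verdict(GILES_RULES, *back),  # deny
        "out_both": forward_verdict(BOTH_WAYS, *out),       # accept
        "back_both": forward_verdict(BOTH_WAYS, *back),     # accept
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

With a default policy of accept the missing reverse rule goes unnoticed until the policy is tightened, which is why the reply asks for a diagram before suggesting a rule set.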