routing problem

Mon Sep 1 04:03:34 BST 2003

I believe I have experienced a similar, equally perplexing problem. After
wracking my brains as to what the problem could be, I decided to try
updating my router firmware, and the problem was cured. Fsck knows what the
router was doing!

BTW, my router was a Conexant AMX-CA61E (dabsvalue). Do you have the

Hope this helps,
Edmund Craske

Sent: 19 August 2003 13:00
routing problem

Hi fbsd-users,

Got a quick routing question here. First of all I'll explain roughly how the
network is set up, and hopefully someone can spot any obvious schoolboy
errors; that would be greatly appreciated.

Block of 8 ip addresses assigned to ADSL.

(Using 10.0.0.x instead of the real external IP addresses)

ADSL ROUTER ( - on both interfaces)
     SWITCH --- WEB_SERVER( (other 3 IPs are to be assigned to
other servers shortly)
     closedbsd (FreeBSD w/ipfw) firewall doing NAT (outside:,
     workstations (192.168.0.x)

The ipfw rules are quite (in fact VERY) basic; once it's working properly
I'll tweak these:

divert natd ip from any to any via outside_iface
allow ip from any to any

- Note that there are currently no packets being blocked on this box.

That's the basic network design. We also have IDS etc., but that's
for this problem.

OK, now for some unknown reason, from the workstations I cannot connect to
certain servers (e.g. my box on my DSL at home), however the web_server
If I perform a traceroute from the web_server it goes through each hop
fine. If I perform a traceroute from one of the workstations, it gets to the
first hop fine (ipfw box), then times out on the rest. DNS is all working.
There aren't any rules on the ADSL router that block anything from the
box, and it isn't blocking outbound ICMP/UDP/TCP.

Now the bit that puzzles me is that it's only some IP ranges it doesn't work
for. I can connect to a friend's box and then on to mine at home fine. I can
connect to mine from the web_server, just not to mine behind the NAT'd
I would have thought that if there were a problem with our setup then surely
traceroutes/ssh etc. wouldn't work at all, rather than just for
some IP ranges? The only thing I could think of could be the TTLs?

Anyone got any ideas why this is happening? And/or how I can fix this?