On Wed, 21 Nov 2007 13:04:40 +0000, Mateus Interciso wrote:

> On Mon, 19 Nov 2007 10:00:29 +0000, Gavin McCullagh wrote:
>
>> Hi,
>>
>> On Fri, 16 Nov 2007, Mateus Interciso wrote:
>>
>>> I'm currently using iptables NAT for routing the Internet through 2
>>> different sub-networks, and we are having some trouble with the NAT,
>>> especially for VoIP,
>>
>> Is the problem that you can make calls out but you sometimes can't
>> receive them? Actually, it's possible some VoIP calls wouldn't work
>> the other way either, if the user at the far end is also behind NAT.
>>
>> http://en.wikipedia.org/wiki/Network_address_translation#Different_types_of_NAT
>> http://www.it46.se/wsis/show_entry.php?id=12
>>
>>> so I was thinking if it's possible to make a router (like a CISCO
>>> IOS) using Zebra, that will, in other words, share the Internet through
>>> the sub-networks, without using NAT, or in a better way.
>>
>> No idea. Sounds vaguely similar to Full Cone NAT.
>>
>> I'd say a SIP proxy on the edge of the network is probably what you
>> want for this.
>>
>>> The question for this is that we had a w2k3 server sharing the
>>> Internet, and the VoIP was fine; since we changed the w2k3 for a Linux
>>> box, the VoIP started acting very strangely, and I'm really running
>>> out of options here to fix it.
>>
>> I wonder does the Win2K machine provide a looser type of NAT compared
>> to your Linux firewall? Full cone NAT and Restricted cone NAT can both
>> be worked around by smart SIP clients using STUN and some other
>> techniques.
>>
>> http://en.wikipedia.org/wiki/NAT_traversal
>> http://ekiga.org/index.php?rub=3&pos=0&faqpage=x161.html
>>
>> I think iptables usually does "Port restricted cone NAT" which makes
>> SIP difficult. If both ends are behind that sort of NAT, I don't
>> think a TCP connection can be initiated between them.
>>
>> I suspect you can probably craft iptables rules to do varying types of
>> NAT. An explicit port forward to each client would appear to be one
>> way.
>>
>> http://lists.netfilter.org/pipermail/netfilter/2007-April/068463.html
>>
>> Gavin
>>
>> -
>> To unsubscribe from this list: send the line "unsubscribe linux-net" in
>> the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info
>> at http://vger.kernel.org/majordomo-info.html
>
> I solved the problem using the Windows 2k3 for routing (it uses RRAS),
> and the Linux firewall as a bridge; now I'm having trouble with the
> bridge, of course.
> I've set up the bridge normally:
>
> ifconfig eth0 down
> ifconfig eth1 down
> ifconfig eth0 0.0.0.0 up
> ifconfig eth1 0.0.0.0 up
> brctl addbr br0
> brctl addif br0 eth0
> brctl addif br0 eth1
> brctl stp br0 on
> ifconfig br0 10.100.0.1 netmask 255.255.255.0 up
>
> but I can't ping 10.100.0.1. :O
> Am I missing something?
>
> Let me recall that the network setup now is like this:
> [Internet]--->[Bridge]---->[Windows 2k3]=====[switch]====>computers
>
> Thanks.
>
> Mateus

Maybe, if I explain a little more about the physical network we have, it
may be easier to understand (or find the problem).

The bridge works like this:

             |---(eth0)---|---->|---(NIC1)--|
             |---BRIDGE---|     |---W2k3----|
  Internet--->|---(eth1)---|     |---(NIC2)--|--->[D-Link Switch]===>LAN

where NIC1 has the Internet IP assigned by the ISP, and NIC2 has the
internal IP 10.100.0.2. I would like to put the IP 10.100.0.1 on the
bridge, so that I can access it via ssh and use the Internet there, so I
can download ebtables to make the firewall, as well as other monitoring
tools (like SNMP for instance). But when I put

ifconfig br0 10.100.0.1 netmask 255.255.255.0 up

it doesn't ping 10.100.0.2, for instance. Am I missing something here?

Thanks

Mateus
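Added example, not code from the thread or from any project mentioned in it: a small Python model of the three NAT behaviours Gavin names (full cone, restricted cone, port-restricted cone), run against a SIP-style exchange, to show which inbound packets each type admits once the phone has sent one outbound REGISTER. Class and function names, and the addresses (taken from the RFC 5737 documentation ranges), are all constructed for the example.

```python
"""Toy model of full cone, restricted cone and port-restricted cone NAT.

Added example for the linux-net thread above; not the thread's own code.
All addresses are constructed from documentation ranges (RFC 5737).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class Mapping:
    # Public (ip, port) the NAT allocated for one internal socket
    external: Endpoint
    # Remote endpoints this internal socket has already sent to
    contacted: set = field(default_factory=set)


class Nat:
    """Base NAT: one external port per internal socket (endpoint-independent
    mapping, as MASQUERADE does); only the inbound filtering rule differs
    between the subclasses below."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # internal Endpoint -> Mapping

    def outbound(self, internal, remote):
        """Internal socket sends to remote: create/reuse the mapping and
        remember the remote as contacted. Returns the external endpoint."""
        m = self.mappings.get(internal)
        if m is None:
            m = Mapping(Endpoint(self.public_ip, self.next_port))
            self.next_port += 1
            self.mappings[internal] = m
        m.contacted.add(remote)
        return m.external

    def inbound(self, remote, external):
        """Packet from remote arrives at our external endpoint. Returns the
        internal endpoint it is delivered to, or None if the NAT drops it."""
        for internal, m in self.mappings.items():
            if m.external == external:
                return internal if self.allows(m, remote) else None
        return None  # no mapping: unsolicited packet is always dropped

    def allows(self, mapping, remote):
        raise NotImplementedError


class FullCone(Nat):
    # Any remote may send to the external port once it exists
    def allows(self, mapping, remote):
        return True


class RestrictedCone(Nat):
    # Only remote IPs we already sent to, any source port
    def allows(self, mapping, remote):
        return any(c.ip == remote.ip for c in mapping.contacted)


class PortRestrictedCone(Nat):
    # Only the exact remote (ip, port) pairs we already sent to
    def allows(self, mapping, remote):
        return remote in mapping.contacted


def sip_scenario(nat_cls):
    """Phone behind the NAT registers with a SIP proxy, then three inbound
    packets arrive. Returns which of them reach the phone."""
    nat = nat_cls("192.0.2.1")                    # constructed public IP
    phone = Endpoint("10.100.0.5", 5060)          # constructed LAN phone
    proxy = Endpoint("203.0.113.10", 5060)        # constructed SIP proxy
    ext = nat.outbound(phone, proxy)              # REGISTER creates mapping
    return {
        # reply from the proxy's signalling port
        "proxy_reply": nat.inbound(proxy, ext) == phone,
        # same proxy host, but from a different source port
        "proxy_other_port": nat.inbound(Endpoint("203.0.113.10", 5062), ext) == phone,
        # a peer the phone never talked to (an incoming call)
        "unknown_peer": nat.inbound(Endpoint("198.51.100.7", 5060), ext) == phone,
    }


if __name__ == "__main__":
    for cls in (FullCone, RestrictedCone, PortRestrictedCone):
        print(cls.__name__, sip_scenario(cls))
```

Under the port-restricted behaviour only the exact proxy socket gets back in, which is the strict default you want from a firewall and also why unsolicited SIP traffic never reaches the phone; the narrower ways to admit it are the ones already named in the thread, an explicit port forward per client or a SIP proxy at the edge, rather than loosening the NAT for every host.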