IPCop multiple green networks... PLEASE HELP

[vince]

Hi,

I've got a working ipcop machine with just red and green interfaces. However internally I've got a few VLANs and I would like machines on all of them to use this ipcop server as an Internet gateway / firewall.

I've managed to get the web proxy, etc. working for them by adding static routes back to the VLANS but I cannot get ipcop to work as a gateway for multiple internal networks.

I've searched the forums but haven't found a solution yet. One suggestion was to add rules like:

/sbin/iptables -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.20.0/24 -o $RED_DEV -j ACCEPT

to the rc.local file but this doesn't cut it.

anybody know how to do this?

[vince]

I have a very similar problem. Please help. I have a CISCO VPN concentrator that lets our employees access the network from home. The internal network ip and subnet are different from given to users who come through the VPN concentrator from home. The VPN concentrator is directly connected to the internal switch of our green network.

Green Network = 192.168.1.0/24
VPN concentrator users = 192.168.2.0/24

The VPN users can see the entire internal network/access email/RDP to their computers with the old Firewall/Gateway. But as soon as I replaced it with the replaced IPCOP firewall VPN users could only ping the the gateway and the mailhost. They could not access any shared drives or remote control their computers. I have duplicated the persistant routes that were on the original Firewall/Gateway in the rc.local file but it still doesn't work. The entire network is working flawlessly except for VPN access, PLEASE HELP. IPCOP is somehow blocking the VPN users with IPs of 192.168.2.0/24 from accessing the GREEN network (192.168.1.0/24) and vice cersa. I really love IPCOP. Their must by a way to allow complete access to the green network from an IP address other then that set for the GREEN Network.

192.168.1.0/24 green interface and green network
192.168.2.0/24 also green interface but VPN network
Both subnet are plugged into the same switch but they cannot talk to each other. PLEASE HELP, thank you very much for any help you can offer.

[vince]

www
|
|
|
|RED = xxx.xxx.xxx.xxx
IPCOP
|GREEN = 192.168.1.1
|
|
|
SWITCH----VPN Concentrator = 192.168.2.0/24
|
|
|
|
INTERNAL LAN
192.168.1.0/24


The Internal LAN works perfectly exactly as it should. But the VPN users cannot access the internal LAN. The 192,168.2.0/24 LAN must works just as the GREEN Network. They must be able to access each other completely. Thank you for any help

[vince]

There must be a way to make this happen by adding rules to the firewall file. Please help. Anyone who has experience altering the firewall rules of ipcop please help.

Ipcop also alows you to add your own iptables rules, the problem is that I don't know what I have to add to make this work. Any help is much appreciated. I have told my boss that IPCOP is the way to go and now I cannot continue because of this very small speed bump. Thank you.

P.S. I cannot use the orange or blue network as a substitute for a second green network because I will aso need those networks.

[falko]

Please have a look here: http://www.howtoforge.com/perfect_xe...bian_ubuntu_p6

At the end of that page there are some firewall rules that could do what you want.

[vince]

Thank you so much for responding so quickly.
Can you please explain further... If possible.

[falko]

On your IPCop system you could use

Code:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE

I think your 192.168.2.0 network should then have internet access.

If you use something like

Code:

iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.2.2:80

you can forward requests to certain ports (here: 80) to certain other ports on a destination machine (here: port 80 on 192.168.2.2). So people can access certain ports on certain machines from the outside. It's the same as port forwarding on a normal router.

[vince]

Thank you very much falko... I will give that a try.
I do not care if the VPN users have internet access through IPCop all I care about is to make sure that the VPN users from the Cisco VPN concentrator can completely access the green network.
Thank you so much for taking the time to help me, I will give it a try and let you know what happens.