Network with 2 routers: TCP RST problem
Hello everyone,
I have a communication problem between the machines on the DMZ of router R1 and the machines that use router R2 as their gateway. My network is configured as follows:
DMZ (192.168.20.0) <----> R1 (DMZ: 192.168.20.1/24; LAN: 192.168.1.1/24; ALIAS IP: 192.168.0.1/24) <----> switch <----> R2 (LAN: 192.168.0.2/24)
So that the machines using R2 as gateway can reach R1's DMZ, I added a static route on R2 that sends 192.168.20.* to 192.168.0.1 (R1).
Unfortunately, R2's firewall blocks me (no problem when it is switched off). It seems that R2's firewall generates a TCP RST, indicating that it did not receive the TCP SYN (as if a triangular route were being used). I don't see how this is possible...
Has anybody an idea?
Thank you
PS: I should point out that all the machines using R2 as gateway, as well as the LAN ports of R2 and R1, are connected to the switch.
Re: Network with 2 routers: TCP RST problem
hi,
Can you sniff the traffic?
As I see it: your PC tries to reach the DMZ -> gateway router 2, routing table -> gateway router 1, routing table -> it reaches the DMZ. On the way back, the reply reaches R1, which forwards it directly to your PC.
So it does not go back through the 2nd router, hence the interpretation as an attack.
Can you check whether that is what is going on?
Re: Network with 2 routers: TCP RST problem
I think that is indeed what happens. To verify it, I installed Wireshark (Ethereal) on the LAN PC that uses R2 as gateway (IP: 192.168.0.4); here is the flow obtained when trying to access a shared (Windows) directory on the machine in the DMZ:
192.168.0.4 -> 192.168.20.6:445 TCP [SYN] (Destination: ZyxelCom_bb ... (R2))
192.168.0.4 -> 192.168.20.6:339 TCP [SYN] (Destination: ZyxelCom_bb ... (R2))
192.168.20.6 -> 192.168.0.4 TCP [SYN, ACK] (Source: ZyxelCom_7c ... (R1))
...
So, as the ZyXEL article seems to indicate, R2 did not receive the SYN, ACK (since it was sent directly by R1), which triggers the TCP RST.
And indeed, a few milliseconds after the previous frame:
192.168.0.4 -> 192.168.20.6 TCP [RST]
However, with the IP 192.168.1.1/24 assigned to R1's LAN, I thought it would not forward directly to the PC, whose destination IP is on the alias 192.168.0.1/24 (see article).
I admit I don't know how... Cybher, any idea?
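A small check of the kind this capture invites, added here as an example and not taken from any poster or from ZyXEL: given Wireshark-style frames with their source and destination MACs, it flags flows whose SYN was sent to one gateway MAC and whose SYN/ACK came back from another, which is exactly the triangular route discussed above. The frames and the MAC labels are constructed to mirror the posted trace.

```python
from collections import defaultdict

# Constructed frames mirroring the trace above: (src_ip, dst_ip, src_mac, dst_mac, flags).
# The MAC labels "pc", "zyxel_r2" and "zyxel_r1" stand in for the real addresses
# that Wireshark showed as ZyxelCom_bb... (R2) and ZyxelCom_7c... (R1).
ASYMMETRIC_TRACE = [
    ("192.168.0.4", "192.168.20.6", "pc", "zyxel_r2", "SYN"),
    ("192.168.0.4", "192.168.20.6", "pc", "zyxel_r2", "SYN"),
    ("192.168.20.6", "192.168.0.4", "zyxel_r1", "pc", "SYN,ACK"),
    ("192.168.0.4", "192.168.20.6", "pc", "zyxel_r1", "RST"),
]

# Constructed healthy trace: the reply comes back through the same gateway.
SYMMETRIC_TRACE = [
    ("192.168.0.4", "192.168.20.6", "pc", "zyxel_r2", "SYN"),
    ("192.168.20.6", "192.168.0.4", "zyxel_r2", "pc", "SYN,ACK"),
    ("192.168.0.4", "192.168.20.6", "pc", "zyxel_r2", "ACK"),
]


def find_asymmetric_flows(frames):
    """Return one record per TCP flow whose SYN left via one gateway MAC but
    whose SYN/ACK arrived from a different one, noting whether a RST followed."""
    flows = defaultdict(dict)  # keyed by (client_ip, server_ip)
    for src_ip, dst_ip, src_mac, dst_mac, flags in frames:
        fl = {f.strip() for f in flags.split(",")}
        if fl == {"SYN"}:                      # client -> server: next hop is the dst MAC
            flows[(src_ip, dst_ip)]["out_gw"] = dst_mac
        elif fl == {"SYN", "ACK"}:             # server -> client: previous hop is the src MAC
            flows[(dst_ip, src_ip)]["in_gw"] = src_mac
        elif "RST" in fl:                      # either side may tear the flow down
            key = (src_ip, dst_ip) if (src_ip, dst_ip) in flows else (dst_ip, src_ip)
            flows[key]["rst"] = True
    return [
        {"client": c, "server": s, "out_gw": d["out_gw"],
         "in_gw": d["in_gw"], "rst": d.get("rst", False)}
        for (c, s), d in flows.items()
        if "out_gw" in d and "in_gw" in d and d["out_gw"] != d["in_gw"]
    ]


if __name__ == "__main__":
    for hit in find_asymmetric_flows(ASYMMETRIC_TRACE):
        print(f"{hit['client']} -> {hit['server']}: SYN via {hit['out_gw']}, "
              f"SYN/ACK from {hit['in_gw']}, RST seen: {hit['rst']}")
```

On a real capture, export the frames with their Ethernet addresses and feed them in the same tuple shape; a hit with RST seen is the signature of the stateful firewall on the bypassed router never having seen the handshake.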
Re: Network with 2 routers: TCP RST problem
hi,
I think you put the alias on the wrong router.
If you put 192.168.1.2, for example, on R2:
your PC tries to reach your DMZ, its gateway is router R2, with the route it arrives on R1 to reach the machine in your DMZ, and on the way back from R1, I think you should add a route on R1 saying that to reach 192.168.0.0 you have to go through the gateway 192.168.1.2.
I have never used aliases, but I would do something more along these lines.
To be tested (there may be a mistake in my reasoning): in your present case, since your router can send out directly with 192.168.0.1, it's normal that it does not pass through R2.