Koozali.org: home of the SME Server

IOLan +102/104 & e-smith 4.12

Adserg

IOLan +102/104 & e-smith 4.12
« on: January 21, 2003, 07:30:38 PM »
Hello all

I have a puzzler here which I hope the gurus out there could possibly point me in the general direction. Our customer has an SME svr 4.12; he loves it and doesn't really want to upgrade to the latest. However, he has just bought an IOLAN + 102/104 which he is going to have a number of serial devices hanging from it.

This IOLAN has 1 x RJ45 port.
http://www.perle.com/products/prod_family/serial_servers/iolan_102_104_topology.html

The E-smith server is his mail, file & print server and he uses his webmail when he's abroad all works fine and dandy.

My question is he wants to put the IOLAN on his internal network and gain access to it from the outside world. I think a bit of network translation is needed here and have been told that port forwarding might be the answer? If that were the case would not his mail server be jumping through hoops not knowing what to do with incoming mail especially if its port address has been changed?

Is it possible to use routeadd commands here? If so would this allow me to accept incoming connections to the IOLAN? If I have to give the IOLAN an external address, say 217.35.xxx.171, and NAT it to 172.29.xxx.150, seeing as it has only one single RJ45 port which is internal, would the E-smith server accept connections for the 171 address? How are you going to get to 171 when you have no physical connection? I have been told that the MX record knows where your server is and would bounce it down to you. In fact would the SME internal firewall even entertain the idea? My apologies for so many questions but hopefully this might be of interest to someone else who wishes to try it.

Below is the general setup.

E-smith Box : 217.35.xxx.169
Router          :217.35.xxx.174

Internal network: 172.29.xxx.0
IOLAN ADD:      172.29.xxx.150

I have looked around but can't quite find the answer I am looking for.

Thanks in advance

Kind wishes to all

Ade

Bill Talcott

Re: IOLan +102/104 & e-smith 4.12
« Reply #1 on: January 21, 2003, 08:11:51 PM »
It sounds as if all the traffic is currently routed from the internet to the e-smith properly. If the IOLAN has a web interface, you can forward a port from the e-smith to the IOLAN. I'm not sure if the port forwarding contrib works on 4.x though... Then 217.35.xxx.169:9999 could be forwarded to 172.29.xxx.150:80. You could access the IOLAN's web interface via the e-smith's IP...

If you have an extra public IP that you want pointed at the IOLAN's internal address, http://www.tech-geeks.org/article.php?story=20020206234827402 might help you. It's for 5.0, but you may be able to work something out from that...

Adserg

Re: IOLan +102/104 & e-smith 4.12
« Reply #2 on: January 21, 2003, 09:43:10 PM »
Thank You Bill

I will check this out mate..

Ade

Nathan Fowler

Re: IOLan +102/104 & e-smith 4.12
« Reply #3 on: January 21, 2003, 10:15:57 PM »
I run 4.1.2, if port forwarding is an option you can simply use the command-line console and port forward using:

ipmasqadm portfw

I'd be more than happy to help you with the syntax if it is foreign to you.

Adserg

Re: IOLan +102/104 & e-smith 4.12
« Reply #4 on: January 22, 2003, 12:54:19 PM »
Hi Nathan

That would be great, I am setting up a 4.1.2 server so I can test both suggestions.

I will be adding a router on a static address, basically for something to attach to. This will act as my IOLAN +.

If you could give me the correct syntax that would be appreciated as it will take me some time to get my head around it.

Cheers Nathan & Bill thank you for your help.

Adserg

Re: IOLan +102/104 & e-smith 4.12
« Reply #5 on: January 22, 2003, 03:47:47 PM »
Bill's reply:

It sounds as if all the traffic is currently routed from the internet to the e-smith properly. If the IOLAN has a web interface, you can forward a port from the e-smith to the IOLAN. I'm not sure if the port forwarding contrib works on 4.x though... Then 217.35.xxx.169:9999 could be forwarded to 172.29.xxx.150:80. You could access the IOLAN's web interface via the e-smith's IP...

Bill, I have loaded Port forwarding on to the e-smith server 4.1.2; it seems to have loaded OK and is in the server manager. If 217.35.xxx.169:999 forwards to 172.29.xxx.11:80 what will happen to webmail and e-smith's webpage?

Nathan: Again I would love to know the syntax for ipmasqadm portfw. The above question applies, what happens to webmail if I forward 217.35.xxx.169:999 to 172.29.xxx.150:80?

My customer uses webmail a lot when away.

Thanks Guys

Ade

Bill Talcott

Re: IOLan +102/104 & e-smith 4.12
« Reply #6 on: January 22, 2003, 05:37:56 PM »
Adserg wrote:
>
> Bill, I have loaded Port forwarding on to the e-smith server
> 4.1.2 it seems to have loaded ok and is in the server
> manager. If 217.35.xxx.169:999 forwards to 172.29.xxx.11:80
> what will happen to webmail and e-smith's webpage?

If you forward 217.35.xxx.169:999 to 172.29.xxx.11:80, accessing 217.35.xxx.169:999 from the internet will give you exactly the same thing as accessing 172.29.xxx.11:80 from the LAN. The e-smith (217.35.xxx.169) listens on port 999 (random number used for example) and forwards any incoming traffic to port 80 (default web port, might need something else) of the IOLAN (172.29.xxx.11). Everything else on the e-smith is unaffected. Any connections to that one specified port are simply forwarded to the specified LAN IP:port.

Nathan Fowler

Re: IOLan +102/104 & e-smith 4.12
« Reply #7 on: January 22, 2003, 05:56:10 PM »
Bill is correct.

It's simply listening on TCP 999 and redirecting to 172.29.xxx.11 on port 80 TCP.

Basically, to access the IOLAN web interface you would use the URL:

http://217.35.xxx.169:999

The :999 says connect using HTTP on port 999 TCP, which as we know is then transparently redirected to 172.29.xxx.11 on port 80 TCP.

[root@inet01 /root]# ipmasqadm portfw
Usage: portfw -a -P PROTO -L LADDR LPORT -R RADDR RPORT [-p PREF] add entry
       portfw -d -P PROTO -L LADDR LPORT [-R RADDR RPORT]         delete entry
       portfw -f                                                  clear table
       portfw -l                                                  list table
       portfw -n                                           no names

PROTO is the protocol, can be "tcp" or "udp"
LADDR is the local interface receiving packets to be forwarded.
LPORT is the port being redirected.
RADDR is the remote address.
RPORT is the port being redirected to.
PREF  is the preference level (load balancing, default=10)


The rule for your example would be:
ipmasqadm portfw -a -P tcp -L 217.35.xxx.169 999 -R 172.29.xxx.11 80

If you want these rules to remain on reboot, simply add them to the bottom of /etc/rc.d/rc.local

Thanks,
Nathan
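
The rule syntax and the rc.local step from the reply above, as an added example that is not part of the original post: it builds the `ipmasqadm portfw` command, refuses a listening port the server already uses for its own mail and web services, and appends the rule to a startup file only once. The function names, the reserved-port list and the sample addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Addresses below are constructed
# (RFC 5737 / RFC 1918) stand-ins for the masked ones in the posts.

# Assumption: ports the server answers itself (SMTP, HTTP, POP3, IMAP, HTTPS).
# Forwarding one of these as LPORT would send that service's traffic to the LAN host.
RESERVED_PORTS="25 80 110 143 443"

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_portfw PROTO LADDR LPORT RADDR RPORT
# Prints the ipmasqadm command on success; returns 1 with a reason on stderr otherwise.
build_portfw() {
    proto=$1; laddr=$2; lport=$3; raddr=$4; rport=$5
    case "$proto" in
        tcp|udp) ;;
        *) echo "PROTO must be tcp or udp: $proto" >&2; return 1 ;;
    esac
    valid_port "$lport" || { echo "bad LPORT: $lport" >&2; return 1; }
    valid_port "$rport" || { echo "bad RPORT: $rport" >&2; return 1; }
    for p in $RESERVED_PORTS; do
        if [ "$lport" -eq "$p" ]; then
            echo "LPORT $lport is already served by this host" >&2
            return 1
        fi
    done
    echo "ipmasqadm portfw -a -P $proto -L $laddr $lport -R $raddr $rport"
}

# persist_rule RULE FILE
# Appends RULE to FILE (e.g. /etc/rc.d/rc.local) only if that exact line is absent.
persist_rule() {
    grep -qxF -e "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# Demo: forward external TCP 999 to the device's web port; prints the rule only.
build_portfw tcp 203.0.113.10 999 192.168.1.150 80
```

The script only prints and records the rule; run the printed command as root to apply it, and `ipmasqadm portfw -l` to list the table.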

Adserg

Re: IOLan +102/104 & e-smith 4.12
« Reply #8 on: January 23, 2003, 12:34:40 PM »
Bill / Nathan

I am going to check this out. I've built a test environment which is accessible from the outside world and am going to see how I get on.

I will let you know of any problems.

Thanks Lads .

Ade

Adserg

Re: IOLan +102/104 & e-smith 4.12
« Reply #9 on: January 23, 2003, 02:59:32 PM »
Bill/ Nathan wrote:

The rule for your example would be:
ipmasqadm portfw -a -P tcp -L 217.35.xxx.169 999 -R 172.29.xxx.11 80

OK, at the moment I have set up my test environment which I can get to from the outside world. I have my false internal network with 1 Cisco router attached, basically something to telnet to seeing I don't have anything else to test with.

So this is what I am using at the moment:
ipmasqadm portfw -a -P tcp -L 217.35.xxx.169 1494 -R 172.29.xxx.150 23

I can telnet directly to my test SME 4.1.2 box OK but it doesn't get through to the router on .150 internal. I have pulled down the port forwarder from myezserver.com but have the same result. The only thing I can think of is that port 1494 is closed and won't allow access. Yup, I even tried port 999.

I think it's almost there.

Cheers all

Ade

Nathan Fowler

Re: IOLan +102/104 & e-smith 4.12
« Reply #10 on: January 23, 2003, 05:07:46 PM »
Is the box that you are testing it from on the same subnet/segment as 217.35.xxx.169? If you're trying to test internally you won't be able to because the ipportfw command has bound itself to your external interface so it won't forward on an internal interface.

If you want to test it internally, replace 217.35.xxx.169 with your local LAN address, probably 192.168.1.x

Adserg

Re: IOLan +102/104 & e-smith 4.12
« Reply #11 on: January 28, 2003, 12:46:29 PM »
Guys

Just to let you know, all appears to be working fine...

Again thank you for your efforts

Best Wishes

ADSERG