I have Checkpoint FireWall-1 running on a Solaris 7 SPARC box with two physical, working network interface cards, hme0 and qfe0
(please note these are false addresses)
qfe0 = 195.111.222.178 internet ISP
hme0 = 172.19.12.58 /24 internal LAN, which has a router to France on it
I want to add a route to a machine in France (194.222.222.222). It will need to go out of interface hme0 and be routed to France via a router which sits on the internal LAN (172.19.12.4), so the packets I send out should have a source address of 172.19.12.58 (hme0), which the French network understands and can route back to. I used the command
route add -host 194.222.222.222 172.19.12.4
but I get a "not responding" error when I try to ping the destination machine.
NOTE: I can get to this machine via this router from any other single-NIC box on the LAN, so the box and router are fine.
I then ran a snoop on hme0 for anything with 194.222.222.222 in it:
# snoop -t a -d hme0 194.222.222.222
Using device /dev/hme (promiscuous mode)
12:42:26.54446 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:27.54073 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:28.54070 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:29.54069 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:30.54097 195.111.222.178 -> 194.222.222.222 ICMP Echo request
12:42:31.54080 195.111.222.178 -> 194.222.222.222 ICMP Echo request
As you can see, the request is going out of the correct interface (hme0), because I am snooping it, but for some reason the packets have assumed the source address that has been assigned to the qfe0 card. Consequently, ICMP is making requests but no replies are coming back, because the source address of the request packet is the public Internet address (the external address of the firewall, qfe0) and the destination French network cannot route the packet back. I have printed an excerpt from netstat -rn below (addresses have been changed):
Routing Table:
Destination          Gateway              Flags  Ref     Use  Interface
-------------------- -------------------- ----- ----- ------- ---------
194.222.222.222      172.19.12.4          UGH       0       1
195.111.222.176      195.111.222.178      U         2    5796  qfe0
172.19.8.0           172.19.12.58         U         3   42257  hme0
224.0.0.0            172.19.12.58         U         3       0  hme0
default              195.111.222.177      UG        0 1431154
127.0.0.1            127.0.0.1            UH        0 3366951  lo0
I was wondering whether or not the blank space in the Interface column for the route I have added (1st line) has any impact on the source address used when I ping directly from the firewall/Solaris box.
I have been looking into the -interface switch of the route command but cannot see how to incorporate this into the route add command. I have tried
route add 194.222.222.222 -interface hme0 172.19.12.4
...and various other combinations, but to no avail. The man page for route is very confusing when it comes to the -interface switch.
Does anybody know how I can resolve this issue? All I want is for the source address to be 172.19.12.58 so that the packets can find their way back to the firewall.
Any help on this would be greatly appreciated.
Thanks,
Gary
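The lookup Solaris performs when the firewall itself originates the ping, modelled as an added example (this is not code from the original post): find the longest matching route, follow the gateway of an indirect route to the gateway's own directly connected route, take that route's interface, and use that interface's address as the source. The addresses are the fake ones from the post and the first snoop line is copied from it. Every netmask in the table is an assumption, because Solaris 7 netstat -rn does not print masks: host routes are /32, default is /0, the qfe0 network is taken as 195.111.222.176/29, and the hme0 network as 172.19.8.0/21 so that it covers 172.19.12.4 and 172.19.12.58 (the post says /24, which would not cover a 172.19.8.0 entry; ifconfig -a on the box gives the real mask).

```python
"""Route lookup and source-address selection over a netstat -rn style table.

Added example, not code from the original post. It models what the Solaris
IP stack does for a locally originated packet: longest-prefix route match,
gateway of an indirect route resolved through its own direct route, source
address taken from the outgoing interface. Addresses are the (fake) ones
from the post; every netmask below is an assumption.
"""
import ipaddress

# Interface addresses from the post.
IFACES = {
    "qfe0": "195.111.222.178",
    "hme0": "172.19.12.58",
    "lo0": "127.0.0.1",
}

# The post's routing table as (destination/mask, gateway, flags, interface).
# Masks are assumptions: host routes /32, default /0, qfe0's network /29,
# hme0's network 172.19.8.0/21 so that it covers the 172.19.12.x hosts.
# None in the interface column is the blank the post asks about.
ROUTES = [
    ("194.222.222.222/32", "172.19.12.4", "UGH", None),
    ("195.111.222.176/29", "195.111.222.178", "U", "qfe0"),
    ("172.19.8.0/21", "172.19.12.58", "U", "hme0"),
    ("224.0.0.0/4", "172.19.12.58", "U", "hme0"),
    ("0.0.0.0/0", "195.111.222.177", "UG", None),
    ("127.0.0.1/32", "127.0.0.1", "UH", "lo0"),
]

# First snoop line from the post: what actually went onto the wire.
SNOOP_LINE = "12:42:26.54446 195.111.222.178 -> 194.222.222.222 ICMP Echo request"


def lookup(dst, routes=ROUTES):
    """Longest-prefix match for dst; returns (network, gateway, flags, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, flags, iface)
    return best


def outgoing_interface(dst, routes=ROUTES, _depth=0):
    """Interface a packet to dst leaves on.

    A gateway route (flag G) carries no interface of its own; the stack
    reaches the gateway through the gateway's own direct route, so recurse
    on the gateway address. The depth limit stops a looping table.
    """
    route = lookup(dst, routes)
    if route is None:
        return None
    _network, gw, flags, iface = route
    if iface is not None:
        return iface
    if "G" in flags and _depth < 4:
        return outgoing_interface(gw, routes, _depth + 1)
    return None


def source_address(dst, routes=ROUTES, ifaces=IFACES):
    """Source the stack picks for a locally originated packet: the
    outgoing interface's own address."""
    iface = outgoing_interface(dst, routes)
    return ifaces.get(iface) if iface else None


def unbound_routes(routes=ROUTES):
    """Destinations whose table entry has no interface (the blank column)."""
    return [net for net, _gw, _flags, iface in routes if iface is None]


def parse_snoop(line):
    """(src, dst) from a `snoop -t a` line: 'HH:MM:SS.frac SRC -> DST PROTO ...'."""
    fields = line.split()
    if len(fields) < 4 or fields[2] != "->":
        raise ValueError("not a snoop address line: %r" % line)
    return fields[1], fields[3]


def compare_with_wire(line, routes=ROUTES, ifaces=IFACES):
    """Compare the source snoop saw with the source the table predicts.

    Returns (matches, expected_source, observed_source). A mismatch means
    this table did not choose the source: the masks assumed here are wrong,
    or the source is rewritten after routing (NAT on the firewall).
    """
    observed, dst = parse_snoop(line)
    expected = source_address(dst, routes, ifaces)
    return expected == observed, expected, observed


if __name__ == "__main__":
    print("routes with no interface:", unbound_routes())
    for dst in ("194.222.222.222", "172.19.12.4", "8.8.8.8"):
        print(dst, "->", outgoing_interface(dst), source_address(dst))
    print("snoop line vs table:", compare_with_wire(SNOOP_LINE))
```

Run as a script it reports that the added host route has no interface of its own, which is the normal shape of a gateway route on Solaris (the default route in the post has none either): the interface and source come from the gateway's own route, here hme0 and 172.19.12.58. The last line shows the table predicting 172.19.12.58 while snoop saw 195.111.222.178, so the choice was not made by this routing table as modelled. Two things to rule out on the box: the real netmask on hme0 (ifconfig -a, and route get 194.222.222.222 to see which interface the kernel resolves), and a FireWall-1 Hide or Static NAT rule whose source range covers 172.19.x.x, since NAT rewrites the source after routing and would produce exactly the trace in the post. The -interface switch is not a source selector: it tells route that the gateway argument is a local interface address and the destination is directly reachable, so route add -host 194.222.222.222 172.19.12.58 -interface would make the box ARP for the French host on hme0 instead of forwarding to 172.19.12.4.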