Printer Share Problem


av1611
2009-09-01, 12:00 PM CDT
Ok, here you go:

here is a brief rundown on my setup:

External IP to Firewall Appliance 192.168.1.1

Internal network is 192.168.1.*

Laser Printer is 192.168.1.250 and works great.

All computers on hybrid network can use the printer no problem.

Now, here is the new stuff:

Built Linux Nat (iptables)/Router/iSCSI/Samba box for second network.

It is at 192.168.1.200 (external) and gets its inet from the above network.

It serves the 10.10.0.0 network and keeps it isolated from the above network.

Now, how do I get the 10.10.0.0 network to use the 192.168.1.250 printer above? I can do Samba or Cups or whatever, just need it to work.

Thanks in advance...

aesir
2009-09-01, 01:19 PM CDT
In what sense is 10.10.* isolated from 192.168.1.* ?

If your linux box is really doing NAT every ip in 10.10.* should be able to connect to 192.168.1.250

av1611
2009-09-01, 03:53 PM CDT
In what sense is 10.10.* isolated from 192.168.1.* ?

If your linux box is really doing NAT every ip in 10.10.* should be able to connect to 192.168.1.250

That is not the case.

192.168 and 10.10 are both non-routable IPs.

From the Server I can ping 192.168. because it's on eth0
From the Server I can ping 10.10. because it's on eth1
From a Client I can ping 10.10. because it's on eth0 of the client
From the Client I CANNOT ping 192.168 because there is no route
From the Client I CAN ping google.com because the DNS and GATEWAY are 10.10.

I am no expert, but 10. and 192.168 IPs are not routable, so perhaps "NAT" is not what I'm doing?

Here is "HOW" I get the 10.10. guys to be able to see the internet:

I run these:

# flush all rules in the filter and nat tables
iptables -F
iptables -t nat -F
# delete any user-defined chains (plain "-D" needs a chain and rule, so it errors out)
iptables -X
iptables -t nat -X
# turn on IPv4 forwarding between eth0 and eth1
echo 1 > /proc/sys/net/ipv4/ip_forward
# default policy ACCEPT: forwarded traffic is permitted unless a later rule drops it
iptables -P FORWARD ACCEPT
# rewrite the source of anything leaving eth0 to the eth0 address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -j DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT

Let me post my firewall info:


bill@mini-mint ~ $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
bill@mini-mint ~ $

beaker_
2009-09-01, 05:06 PM CDT
If I'm understanding correctly, then you have a router to the www at internal ip 192.168.1.1, you also have a 192.168.1.0/24 subnet there. Plus a 10.10.0.0/24 subnet on eth1 and 192.168.1.X assigned to eth0.


www
|
|
router (192.168.1.1)
|
(192.168.1.0/24)
|
| -- Linux Box (eth0, 192.168.1.X)
Linux Box (eth1, 10.10.0.1)
|
(10.10.0.0/24)

Easiest to drop nat and make your router aware of the route to 10.10.0.0/24 or map your NAT'd network up to the 192.168.1.0/24 subnet.

av1611
2009-09-01, 05:42 PM CDT
Easiest to drop nat and make your router aware of the route to 10.10.0.0/24 or map your NAT'd network up to the 192.168.1.0/24 subnet.

Yes exactly ... but I don't know how and I don't want 192.168 and 10.10 to lose isolation EXCEPT for the Printer...

How do I do that???

beaker_
2009-09-01, 06:59 PM CDT
That depends on what level of isolation you're talking about. You want both subnets to access a printer on 10.8.0.0/24, you also want both subnets www access so both will need to reach 192.168.1.1 (your router to the www) but neither to reach each other. So you have some thinking to do.


Off the top of my head, the easiest way I see is to make your router aware of a route to your 10.10.0.0/24 subnet. Set your in & out policies to accept but forward to drop. Then add a line to accept forwarded packets from 192.168.1.0/24 to 10.10.0.55 (printer ip). Related & established should take care of the reply but add a line to accept packets from 10.10.0.55 to 192.168.1.0/24. Ping it from both sides to be sure it works as expected. Once that's working, allow packets to be forwarded from 10.10.0.0/24 to your router 192.168.0.1 (your gateway, troubleshooting purposes in the future) and also specify the reverse. So now your router & your printer should be able to reach anybody. 10.10.0.0/24 also needs to be allowed access to the www. Then go back and tighten any screws these blanket statements may have missed.

Note NAT occurs at your router to the www only.
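One way to carry out the default-drop-plus-pinhole scheme sketched above, written for the thread's own addresses, as an added example (not any poster's configuration). It assumes eth0 faces 192.168.1.0/24, eth1 faces 10.10.0.0/24, the printer at 192.168.1.250 accepts IPP on tcp/631 and raw printing on tcp/9100, and it deliberately keeps the existing MASQUERADE instead of adding a route on the upstream router, so replies to the 10.10 side come back to the Linux box's eth0 address and the 192.168.1.1 router needs no knowledge of 10.10.0.0/24.

```shell
#!/bin/sh
# Added example for the thread's topology. Assumed values:
LAN_IF=eth0                 # side that carries 192.168.1.0/24 and the www path
PRIV_IF=eth1                # side that carries 10.10.0.0/24
LAN_NET=192.168.1.0/24
PRIV_NET=10.10.0.0/24
PRINTER=192.168.1.250       # laser printer from the first post
GATEWAY=192.168.1.1         # firewall appliance / default gateway

# Wrapper so the ruleset can be previewed without touching the kernel:
#   IPT="echo iptables" APPLY=1 sh pinhole.sh
ipt() { ${IPT:-iptables} "$@"; }

apply_printer_pinhole() {
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    # Default deny: nothing is forwarded between the two subnets unless listed.
    ipt -P FORWARD DROP
    # Replies for connections that were already allowed, in either direction.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Pinhole: the 10.10 side may open print connections to the printer only.
    ipt -A FORWARD -i "$PRIV_IF" -o "$LAN_IF" -s "$PRIV_NET" -d "$PRINTER" \
        -p tcp -m multiport --dports 631,9100 -m conntrack --ctstate NEW -j ACCEPT
    # Troubleshooting: let the 10.10 side ping the upstream gateway.
    ipt -A FORWARD -i "$PRIV_IF" -o "$LAN_IF" -s "$PRIV_NET" -d "$GATEWAY" \
        -p icmp --icmp-type echo-request -j ACCEPT
    # Internet: anything leaving eth0 that is NOT addressed to 192.168.1.0/24.
    ipt -A FORWARD -i "$PRIV_IF" -o "$LAN_IF" -s "$PRIV_NET" ! -d "$LAN_NET" -j ACCEPT
    # Everything else (192.168.1.x -> 10.10.x, 10.10.x -> other 192.168.1.x hosts)
    # falls through to the DROP policy. Keep masquerading so the 192.168 side
    # answers to the box's eth0 address and needs no route back to 10.10.0.0/24.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$PRIV_NET" -j MASQUERADE
}

# Only change the running firewall when explicitly asked.
if [ "${APPLY:-0}" = 1 ]; then
    apply_printer_pinhole
fi
```

Run it once with IPT="echo iptables" to read the generated rules, then with APPLY=1 as root; verify from a 10.10 client that the printer answers but another 192.168.1.x host does not.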

av1611
2009-09-01, 09:54 PM CDT
Ok, I'm gonna call this one solved... but not how I expected. One question remains...

1. Having read on how routes work, it seems that I can make a route from one subnet to another, but not to/from a specific IP so that doesn't solve my problem.

2. I just created a samba share of the printer and share it that way.

3. I will play around and see if I can cups/ipp share the printer instead, but does it make a difference, performance wise when compared to SMB share?

Thanks.