11.2 acting as router firewall

Switched recently to 11.2 and it works fine for me as a workstation.
I want to set up a router separating a part of the network and also acting as a firewall/proxy…
Configured 2 Ethernet interfaces, checked IP forwarding in YaST,
but it does not forward the packets from the “internal” to the “external” network.
However, after I set up my router as default for machines on the internal network I can ping the external interface but no address on the external network (particularly the one of the default router)!!!
From the router I can reach both networks and the net via default gateway on external.
Tried to:
a) switch firewall completely off
b) iptables -P FORWARD ACCEPT
c) masquerading internal addresses to the external network

nothing helped

my interfaces configuration looks like:
eth0 Link encap:Ethernet HWaddr 00:13:D4:E3:A2:7B
inet addr:192.168.1.34 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::213:d4ff:fee3:a27b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6202 errors:0 dropped:0 overruns:0 frame:0
TX packets:3619 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4724715 (4.5 Mb) TX bytes:630785 (616.0 Kb)
Interrupt:16

eth1 Link encap:Ethernet HWaddr 00:13:D4:E3:A2:7C
inet addr:192.168.4.245 Bcast:192.168.4.255 Mask:255.255.255.0
inet6 addr: fe80::213:d4ff:fee3:a27c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1827 errors:0 dropped:0 overruns:0 frame:0
TX packets:101 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:191064 (186.5 Kb) TX bytes:38200 (37.3 Kb)
Interrupt:21

eth0 is on the external network DHCP from default gateway (.1.1 on external)
eth1 is static on internal

routing:

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.4.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0

??

Sorry I can’t really be of any help, but if it is something that you absolutely, positively have to get up and running immediately I would recommend IPCop.

The caveat is that I know practically nothing about networking and servers so I needed simplicity. It took me maybe 30 minutes to have IPCop up and running. I even added the DansGuardian content filter.

You can edit the /etc/sysconfig/sysctl file to change the IP forwarding.

For NAT/masquerading:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Not sure, this is what you want to achieve?
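
The pieces this reply sets up (the ip_forward switch, FORWARD rules in both directions, and MASQUERADE on the external interface) can be checked against a router's current state. This is an added example, not part of the original thread: `check_router` is a hypothetical helper, and the rule listings are constructed samples in the format printed by `iptables -S`.

```shell
#!/bin/sh
# Added example. Sample rule listings below are constructed, in the format
# printed by `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING`.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# check_router IP_FORWARD FORWARD_RULES NAT_RULES INT_IF EXT_IF
# Prints one line per missing prerequisite; prints nothing if all are met.
check_router() {
    cr_fwd=$1; cr_rules=$2; cr_nat=$3; cr_int=$4; cr_ext=$5

    # 1. Kernel routing switch (/proc/sys/net/ipv4/ip_forward must be 1).
    [ "$cr_fwd" = "1" ] ||
        echo "ip_forward=$cr_fwd: kernel does not route between interfaces"

    # 2. Outbound: FORWARD policy ACCEPT, or an ACCEPT rule int -> ext.
    #    Coarse check: any ACCEPT rule for that direction counts.
    printf '%s\n' "$cr_rules" | grep -Eq \
        "^-P FORWARD ACCEPT\$|^-A FORWARD -i $cr_int -o $cr_ext .*-j ACCEPT\$" ||
        echo "FORWARD: nothing accepts $cr_int -> $cr_ext"

    # 3. Replies: policy ACCEPT, or ESTABLISHED traffic accepted ext -> int.
    printf '%s\n' "$cr_rules" | grep -Eq \
        "^-P FORWARD ACCEPT\$|^-A FORWARD -i $cr_ext -o $cr_int .*ESTABLISHED.*-j ACCEPT\$" ||
        echo "FORWARD: replies $cr_ext -> $cr_int are not accepted"

    # 4. Source NAT on the external interface. Without it, hosts on the
    #    external network need their own route back to the internal subnet.
    printf '%s\n' "$cr_nat" | grep -Eq \
        "^-A POSTROUTING .*-o $cr_ext .*-j MASQUERADE" ||
        echo "nat: no MASQUERADE on $cr_ext"
    return 0
}

# Demo on constructed input: forwarding off, default-drop, no NAT rule.
check_router 0 '-P FORWARD DROP' '-P POSTROUTING ACCEPT' eth1 eth0
```

On a live router the three inputs would come from `cat /proc/sys/net/ipv4/ip_forward`, `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING`, run as root.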

/etc/sysconfig/sysctl:
IP_FORWARD="yes"

It forwards from the internal to the external interface (I can ping the router's external interface eth0/192.168.1.XX from the internal network and can reach the router's services through the external interface),
but nothing comes out to the external network (except for the connections initiated on the router itself).
My first suspicion was some “clever” filtering on my external gateway or maybe the switch, but even masqueraded packets do not go through.

I wanted to have the most simple and stupid routing before I start with firewall configuration or setting up proxies
is there something wrong with 11.2 ? (kernel ?, ip stack ?, drivers ?)

eg:
C:\route add 192.168.1.0 mask 255.255.255.0 192.168.4.245
ping 192.168.4.245 //works
ping 192.168.1.34 //works !!!
ping 192.168.1.138 //does not work :(