Router Magic


Player0
06-17-2003, 11:35 AM
This one's for you network gurus. As you know, routers don't let you ping your external IP address from your internal one. For instance, say your ISP provides you an IP of 60.60.60.60. And you have a router and your internal network assigns your PC an IP of 192.168.0.10. From that PC, if you try to ping 60.60.60.60, it won't work. A router can't route to itself.

This has caused me problems in the past with setting up webservers, because often times, people in the building would need to access the webservers via domain name. Domain names point to the external IP addresses, not internal ones. Often times I would have to set up a separate DNS server with falsified DNS records for websites inside the building so people could access them. Confused yet?

I've set up a new webserver here at work for www.sogear.com, one of the new sites I'm launching soon. Our ISP will only give us one IP address for now (which sucks big time), so we've had to do some clever routing here at work. We have two Netgear SPI routers. The first router is set up pretty standard: it sits right after the DSL line, and converts our external IPs into internal IPs. It handles a couple of port routings to the downstairs FTP boxes. There is a DMZ set up on that router which points to a second router upstairs. The second router has its own IP range, and other port mappings. It's clumsy, but it works for now.

The issue? I'm sitting at work, with no special DNS stuff going on, and I can ping my external address from inside the building. I can even browse to my own websites.

How does this work? It has very cool applications, and makes my life much easier if this does indeed work! But I have no idea how the routing actually happens so that I can ping myself?

Thoughts?

Kabooka
06-17-2003, 06:08 PM
Just taking a WAG here, but I would think it has something to do with a double NAT that would fool the first router into thinking that workstation is outside the LAN.

Synthohol
06-18-2003, 03:20 AM
Weird you have that problem. I think it's the way the router uses the external IP as its own gateway. FWIW my DMZ IP is 192.168.1.0 (no PCs here have that address) and I can ping myself!
Of course, after posting this I must reboot my router to get a new IP so I'm not hacked. :D

Gregorach
06-18-2003, 10:13 AM
Yeah, at home I have a similar situation with a Win2K server that acts as a NAT router, and also runs IIS. I have a DynDNS registration and have no trouble browsing my webserver by domain name (mapped to external IP) from inside the network... TBH, I don't understand how it all works at the wire level, but it seems to work. :) Though it's possible that Win2k NAT is doing something clever that I don't know about...

Player0
06-18-2003, 12:01 PM
Synth, weird it works for you too. Are you in bridged mode or routing mode?

The problem is widespread. I had many conversations with Cisco techs over a year ago with their PIX firewalls, and we couldn't figure out a way to get around this problem.

With just one router involved, I *can't* ping to myself. These are Netgear FVS318 routers. But put two of them together and...boom, magic.

It could be something to do with the DMZ really. Turning DMZ on with the router is probably doing something funny with the routing tables that makes this work. I still can't see it in my head though.

Synthohol
06-18-2003, 12:30 PM
It's the standard BEFSR41 Linksys. When I used a SonicWALL TELE firewall/router I could never ping my public IP from the LAN. I guess it depends on the equipment. :confused:
Does one of your routers use the other router as a gateway? That would explain it. It just loops around in a circle back to your ported IPs. Is only one router acting as NAT?

Khemikal796
06-23-2003, 05:21 PM
I might be stating the obvious to you but here it goes...

A ping is a simple ICMP echo message. It shouldn't be stopped by anything, unless otherwise asked to by an access list or other security added.

(ping someone outside of your router)
The single router will get your ping request, change the source address on the packet to its own, and forward the packet on. When it gets it back it changes the dest back from its outside address back to the internal address for your box.

(ping someone inside of your router)
Ping goes from your box to the router. It checks the tables, sees the address, or alias, is in your network, and sends it to the box. No address change is needed. It comes back the same way without any changing of the address to the outside IPs. Everything is kept as an inside address.

These are simple cases and shouldn't cause any probs. The only problem I can see with the multiple routers is duplicates of a 192.168.x.x address, since you essentially have two of the same subnets set up on the same internal network. Most of those little Linksys and Netgear routers/switches come preset to send out 192.168.x.x addresses starting at 192.168.0.2, and if you have two addresses with 192.168.0.3 then you could have some problems. If I am understanding correctly you're having problems pinging from inside the 2nd router; have you tried from behind the first router to the other side of the 2nd router, or is this what you are trying to do?

If the addressing is your problem you could solve this by changing the 2nd router to lease IPs starting at a different range, say 192.168.10.x, giving you plenty of addresses unless you work at a place as large as mine. A simple change of the 2nd router to a nice Layer 2 switch would be a good substitute if you can, and the added bonus of access lists would be a good treat.

You have also mentioned DNS being set up. If it is, you could try pinging the boxen around your work by IP names, not numbers, and see if that helps.

I hope this rambling helps and isn't just stating the obvious.

And remember, if you don't wanna be penetrated, you gotta be segmented. -Trevor R.
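The single-router translation Khemikal796 walks through above, and the "router can't route to itself" case from the opening post, as an added example that is not from this thread: a small Python model of a NAT router with a DMZ rule, with and without NAT loopback (hairpin NAT), the feature that lets a LAN host reach its own public IP. The addresses (60.60.60.60, 192.168.0.0/24, DMZ host 192.168.0.10, an outside peer 70.70.70.70) and the `NatRouter`/`Packet` names are constructed for the example.

```python
from dataclasses import dataclass

LAN_PREFIX = "192.168.0."   # the router's inside network (constructed to match the thread)

@dataclass
class Packet:
    src: str
    dst: str

class NatRouter:
    """Toy NAT router: masquerade, DMZ forward, optional NAT loopback (hairpin)."""
    def __init__(self, wan_ip, lan_ip, dmz_host=None, hairpin=False):
        self.wan_ip, self.lan_ip = wan_ip, lan_ip
        self.dmz_host = dmz_host   # inside host that the DMZ rule forwards to
        self.hairpin = hairpin     # whether the box supports NAT loopback
        self.sessions = {}         # peer address -> original LAN source address

    def from_lan(self, pkt):
        """Handle a packet arriving on the LAN side; return what the router emits
        (None when the router keeps the packet for itself)."""
        if pkt.dst == self.lan_ip and pkt.src in self.sessions:
            # DMZ host replying to a hairpinned flow: undo both rewrites so the
            # client sees the answer come from the public address it pinged.
            return Packet(self.wan_ip, self.sessions.pop(pkt.src))
        if pkt.dst.startswith(LAN_PREFIX):
            return pkt             # LAN-to-LAN: nothing to translate
        if pkt.dst != self.wan_ip:
            # Ordinary outbound flow: source becomes the public address and the
            # mapping is remembered so the reply can be un-translated.
            self.sessions[pkt.dst] = pkt.src
            return Packet(self.wan_ip, pkt.dst)
        if not (self.hairpin and self.dmz_host):
            # Destination is our own public IP. The DMZ rule only applies to
            # traffic entering on the WAN side, so the router answers (or drops)
            # this itself: this is the "router can't route to itself" case.
            return None
        # NAT loopback: rewrite destination to the DMZ host and source to the
        # router's LAN address so the DMZ host's reply must pass back through us.
        self.sessions[self.dmz_host] = pkt.src
        return Packet(self.lan_ip, self.dmz_host)

    def from_wan(self, pkt):
        """Handle a packet arriving on the WAN side."""
        original = self.sessions.pop(pkt.src, None)
        if original:               # reply to a masqueraded outbound flow
            return Packet(pkt.src, original)
        if self.dmz_host:          # unsolicited traffic: DMZ forward
            return Packet(pkt.src, self.dmz_host)
        return None                # no session, no DMZ: dropped
```

Whether a given consumer router implements the loopback branch is vendor-specific, which is why the same test passes on one box and fails on another.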

Player0
06-23-2003, 09:06 PM
Hi, welcome to the boards.

I'm not actually experiencing a problem. I am experiencing something that works, that shouldn't, hehe. Pinging is not an issue, not sure why you are mentioning that. I have the routers set up to usually discard external ICMP echo requests.

I only have one router assigning internal DHCP addresses, since I only need one DHCP server inside. Both routers sit on the 192.168.x.x internal network, same subnet, but each has a different gateway IP (they are functioning as gateways). One gateway points to my first DSL IP address, the other gateway connects to my second DSL IP address. It works very well like this.

Again, not having an actual problem, I was trying to understand how the routing tables were behaving, because again, with most single routers not running DMZ, you can't access your server from its external address. The router can't relay the packets back.

In an amazing twist of technology, two routers will bounce the packets off each other in an external multicast behavior, and this makes it possible to access your external IP address from inside.

So it's not magic, it's multicasting :)

Khemikal796
06-24-2003, 11:58 AM
Looks like I got way ahead of myself while reading the post then :) Bet it's not the last time it happens either. 'Twas nice to get all that off my chest though; I had been looking through our DB for about 4 hours and had seen enough IPs to drive an insane man crazy.

Player0
06-24-2003, 06:26 PM
No worries, it was some good info, just wasn't sure why you were bringing it up :)