Hi,

I have two Internet connections from two different ISPs. Connection "A" is ADSL, connection "B" is another kind of broadband connection (LMDS). On the ADSL link I have 1 public IP which changes dynamically, and on the "B" connection I have 28 fixed public IPs that I can use. Each of them comes into my network through a standard Ethernet 10BaseT connection.

I would like:

1. A few users with public IPs.
2. The rest of the users with private IPs, and their traffic will go out using NAT.
3. Route some traffic via connection "B" and other traffic via connection "A".

I configured Shorewall (LEAF Bering uClibc 2.3 with Shorewall 2.4.2), but this configuration doesn't work: I can't access the Internet (http, msn, smtp, pop3, etc.). I tried access from a public IP.

Please, can you check the configuration? I had to split the file in three parts, because it was too big and the server rejected it, and if I zip it, the server rejects it too.

Thanks and happy new year,
Andrés
On Monday 26 December 2005 04:57, Charrua wrote:

> Hi,
>
> I have two Internet connections from two different ISPs. Connection "A" is
> ADSL, connection "B" is another kind of broadband connection (LMDS). On
> the ADSL link I have 1 public IP which changes dynamically, and on the "B"
> connection I have 28 fixed public IPs that I can use. Each of them comes
> into my network through a standard Ethernet 10BaseT connection.
>
> I would like:
>
> 1. A few users with public IPs.
> 2. The rest of the users with private IPs, and their traffic will go out
> using NAT.
> 3. Route some traffic via connection "B" and other traffic via connection
> "A".
>
> I configured Shorewall (LEAF Bering uClibc 2.3 with Shorewall 2.4.2), but
> this configuration doesn't work: I can't access the Internet (http, msn, smtp,
> pop3, etc.). I tried access from a public IP.
>
> Please, can you check the configuration?

Here's what I see in the "status" output (in no particular order):

a) I think that you will have continuous problems with the way that you have configured your local network (public /27 and many private networks on the same LAN). You can already see hints of the problems in this log message:

Dec 23 07:25:40 FORWARD:REJECT: IN=eth2 OUT=eth2 SRC=200.58.129.2 DST=192.168.107.2 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=62326 SEQ=0

Check Shorewall FAQ 17 to understand what this message means.

I personally advocate using 1-1 NAT for those users that you want to give a public IP address. I think that you and your users will be happier in the long run.

b) Your configuration files seem to have MANY duplicate entries in them. Both /etc/shorewall/masq and /etc/shorewall/tcrules have 192.168.100.0/25 and 192.168.108.0/25.

c) I find the use of /25's rather than /24's curious -- any reason for that?

d) You didn't say which "public IP address" you were using, but I would guess that it is 200.58.129.12.

There are lots of entries in the conntrack table like this:

tcp 6 13 SYN_SENT src=200.58.129.12 dst=83.45.219.45 sport=29249 dport=7922 [UNREPLIED] src=83.45.219.45 dst=200.58.129.12 sport=7922 dport=29249 use=1 mark=0

I can't look at the traffic with tcpdump (have you? If not, you should), but if the firewall picked the route through ppp0 for this connection, you would see this type of behavior. You need a rule in /etc/shorewall/tcrules such as:

2:P 200.68.129.0/27 0.0.0.0/0

The traffic from the public IPs MUST BE SENT FROM eth1!!!!!!!!!!

If tcpdump shows that the traffic IS being sent from eth1, then the problem is that your ISP is apparently not routing 200.68.129.0/27 through 200.68.129.34, which is what your configuration assumes.

HTH,
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
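The log line Tom points at in (a) has IN=eth2 and OUT=eth2: the firewall refused to forward a packet back out the interface it arrived on, which is what Shorewall's routeback interface option permits. The script below is an added example (not from the thread and not part of Shorewall) that parses Shorewall-style kernel log lines and flags these same-interface FORWARD rejects so you can spot them in a busy log; the three sample lines are constructed, the first being Tom's, and the function names are ours.

```python
"""Spot same-interface (hairpin) FORWARD rejects in Shorewall kernel logs.

Added example, not from the mailing-list thread or from Shorewall.
The sample lines are constructed to match the format Tom quoted.
"""
import re

# Constructed sample: the thread's line plus two contrasting ones.
SAMPLE_LOG = """\
Dec 23 07:25:40 FORWARD:REJECT: IN=eth2 OUT=eth2 SRC=200.58.129.2 DST=192.168.107.2 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=62326 SEQ=0
Dec 23 07:26:01 FORWARD:REJECT: IN=eth2 OUT=ppp0 SRC=192.168.100.4 DST=83.45.219.45 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=29249 DPT=7922 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 07:26:05 net2fw:DROP: IN=eth1 OUT= SRC=83.45.219.45 DST=200.58.129.12 LEN=40 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=7922 DPT=29249 WINDOW=0 RES=0x00 RST URGP=0
"""

# "<chain>:<disposition>:" with an optional "Shorewall:" prefix, as newer
# versions log it.  \w+ cannot span the ':' in the timestamp, so the
# timestamp never matches as a chain name.
_CHAIN_RE = re.compile(r"(?:Shorewall:)?(\w+):(ACCEPT|DROP|REJECT):")
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a dict of the line's fields, or None if it is not a firewall log line.

    The first ID= is the IP header id; ICMP echo adds a second ID= for the
    echo identifier, which is stored under ICMP_ID so neither is lost.
    An empty value (OUT= on locally delivered packets) is kept as ''.
    """
    m = _CHAIN_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group(1), "disposition": m.group(2)}
    for key, value in _KV_RE.findall(line[m.end():]):
        if key in fields:
            fields["ICMP_" + key] = value
        else:
            fields[key] = value
    return fields


def hairpin_rejects(text):
    """(IN interface, SRC, DST) for forwarded packets refused back out their ingress interface."""
    hits = []
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None or f["chain"] != "FORWARD" or f["disposition"] == "ACCEPT":
            continue
        if f.get("IN") and f.get("IN") == f.get("OUT"):
            hits.append((f["IN"], f["SRC"], f["DST"]))
    return hits


if __name__ == "__main__":
    for iface, src, dst in hairpin_rejects(SAMPLE_LOG):
        print("hairpin on %s: %s -> %s (candidate for routeback on %s)" % (iface, src, dst, iface))
```

Run it against `grep FORWARD /var/log/messages` output instead of the sample to see whether the reject Tom quoted is an isolated case or the pattern for every public-to-private exchange on eth2.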
On Monday 26 December 2005 07:51, Tom Eastep wrote:

> Here's what I see in the "status" output (in no particular order):

e) There have been important updates to multi-ISP support since 2.4.2 (notably in 2.4.5). You should consider upgrading.

-Tom
On Monday 26 December 2005 11:28, Charrua wrote:

> Thanks Tom,
>
> > a) I think that you will have continuous problems with the way that you
> > have configured your local network (public /27 and many private networks
> > on the same LAN). You can already see hints of the problems in this log
> > message:
> >
> > Dec 23 07:25:40 FORWARD:REJECT: IN=eth2 OUT=eth2 SRC=200.58.129.2
> > DST=192.168.107.2 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP
> > TYPE=8 CODE=0 ID=62326 SEQ=0
> >
> > Check Shorewall FAQ 17 to understand what this message means.
>
> I don't understand, I need the "routeback" option on eth2?

Yes.

> > b) Your configuration files seem to have MANY duplicate entries in them.
> > Both /etc/shorewall/masq and /etc/shorewall/tcrules have 192.168.100.0/25
> > and 192.168.108.0/25.
>
> I understood from the documentation that in the "masq" file I had to put the
> subnets with which I want to make SNAT. What I did was add for each IP one
> line for eth1 and another identical one for ppp0. In this way, when I want
> to route by the ADSL, the SNAT is already configured.
> Is this wrong? Or am I right?

Your configuration is silly. While you seem uninterested in showing us the actual file contents, the rules that are generated suggest that you have:

ppp0 192.168.100.0/25
ppp0 192.168.100.0/25
ppp0 192.168.100.0/25
ppp0 192.168.100.0/25
ppp0 192.168.100.0/25
ppp0 192.168.100.0/25
ppp0 192.168.100.0/25
ppp0 192.168.100.0/25
ppp0 192.168.100.0/25

What possible reason would you have for doing that????

> In the tcrules file I add one line for each IP that I want to route.
> I configured both files this way because what I want to do at this moment
> is to route the public and private IPs' traffic
> by the provider connected to ETH1, but I don't want to do dynamic
> balancing.
> If at some moment I need to route one of these subnets by the ADSL, all I
> have to do is change just one line in the tcrules file.
> Again, is this wrong? Or am I right?

It's right (other than the missing entry for your public IP addresses), but it's silly to have multiple identical entries!

> > c) I find the use of /25's rather than /24's curious -- any reason for
> > that?
>
> Some time ago, somebody recommended to me that for doing load balancing it was
> necessary to split into two subnets, one by the ADSL and the other by the
> second connection.
> Today I understand that this is not really necessary.

I'm lost.

> > d) You didn't say which "public IP address" you were using,
>
> I connect from: 200.58.129.2

There are a lot of UNREPLIED entries from that IP as well.

-Tom
On Monday 26 December 2005 12:16, Charrua wrote:

These are duplicates:

2:P 192.168.100.2/25 0.0.0.0/0
2:P 192.168.100.3/25 0.0.0.0/0
2:P 192.168.100.4/25 0.0.0.0/0
2:P 192.168.100.11/25 0.0.0.0/0
2:P 192.168.100.97/25 0.0.0.0/0
2:P 192.168.100.98/25 0.0.0.0/0
2:P 192.168.100.99/25 0.0.0.0/0
2:P 192.168.100.100/25 0.0.0.0/0
2:P 192.168.100.101/25 0.0.0.0/0

They are all equivalent to:

2:P 192.168.100.0/25 0.0.0.0/0

-Tom
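The nine lines above collapse to one because a host address written with a /25 prefix is matched by iptables as the /25 network it falls in: the host bits are masked off before comparison, so 192.168.100.101/25 and 192.168.100.2/25 are the same match. The script below is an added example (not from the thread and not part of Shorewall) that parses tcrules-style MARK SOURCE DEST lines, normalises each SOURCE and DEST to its network, reports identical entries, emits the deduplicated list, and also checks whether a given network has any entry at all, which is the other problem Tom raised earlier (no tcrules entry for the public block). The sample lines are constructed from the ones in the thread, the 200.68.129.0/27 network is copied from Tom's suggested rule, and the function names are ours.

```python
"""Normalise and deduplicate Shorewall tcrules/masq SOURCE entries.

Added example, not from the mailing-list thread or from Shorewall.
The sample lines are constructed to mirror the thread's tcrules file
(MARK SOURCE DEST columns, 2.4.x layout).
"""
import ipaddress

# Constructed sample: the nine "duplicate" lines plus the other /25.
SAMPLE_TCRULES = """\
#MARK SOURCE DEST
2:P 192.168.100.2/25 0.0.0.0/0
2:P 192.168.100.3/25 0.0.0.0/0
2:P 192.168.100.4/25 0.0.0.0/0
2:P 192.168.100.11/25 0.0.0.0/0
2:P 192.168.100.97/25 0.0.0.0/0
2:P 192.168.100.98/25 0.0.0.0/0
2:P 192.168.100.99/25 0.0.0.0/0
2:P 192.168.100.100/25 0.0.0.0/0
2:P 192.168.100.101/25 0.0.0.0/0
2:P 192.168.108.0/25 0.0.0.0/0
"""


def parse_tcrules(text):
    """Return [(mark, source_net, dest_net)] for each non-comment line.

    strict=False zeroes the host bits, so 192.168.100.101/25 becomes
    192.168.100.0/25, which is the match iptables actually installs.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed tcrules line: %r" % raw)
        mark, src, dst = fields[0], fields[1], fields[2]
        rules.append((mark,
                      ipaddress.ip_network(src, strict=False),
                      ipaddress.ip_network(dst, strict=False)))
    return rules


def find_duplicates(rules):
    """Map each normalised rule that occurs more than once to its count."""
    counts = {}
    for rule in rules:
        counts[rule] = counts.get(rule, 0) + 1
    return {r: n for r, n in counts.items() if n > 1}


def deduplicate(rules):
    """Drop repeated rules; first occurrence wins and order is preserved."""
    seen = set()
    out = []
    for rule in rules:
        if rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


def uncovered_sources(rules, wanted):
    """Networks in `wanted` that no rule's SOURCE column covers.

    This is the check for the missing public-block entry: traffic from a
    network with no tcrules line is never marked for the intended provider.
    """
    missing = []
    for net in wanted:
        net = ipaddress.ip_network(net, strict=False)
        if not any(net.subnet_of(src) for _, src, _ in rules):
            missing.append(net)
    return missing


def format_rule(rule):
    mark, src, dst = rule
    return "%s %s %s" % (mark, src, dst)


if __name__ == "__main__":
    parsed = parse_tcrules(SAMPLE_TCRULES)
    for rule, n in find_duplicates(parsed).items():
        print("%d identical entries for: %s" % (n, format_rule(rule)))
    print("--- deduplicated ---")
    for rule in deduplicate(parsed):
        print(format_rule(rule))
    # Public block as written in Tom's suggested rule.
    for net in uncovered_sources(parsed, ["200.68.129.0/27"]):
        print("no tcrules entry marks traffic from %s" % net)
```

Feed it the real /etc/shorewall/tcrules (the MARK column of a line is the first field, so lines with extra PROTO/PORT columns still parse); the same normalisation applies to the SUBNET column of /etc/shorewall/masq, which is where the second set of repeated entries lived.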
Thanks Tom,

> a) I think that you will have continuous problems with the way that you
> have configured your local network (public /27 and many private networks
> on the same LAN). You can already see hints of the problems in this log
> message:
>
> Dec 23 07:25:40 FORWARD:REJECT: IN=eth2 OUT=eth2 SRC=200.58.129.2
> DST=192.168.107.2 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=62326 SEQ=0
>
> Check Shorewall FAQ 17 to understand what this message means.

I don't understand, I need the "routeback" option on eth2?

> b) Your configuration files seem to have MANY duplicate entries in them.
> Both /etc/shorewall/masq and /etc/shorewall/tcrules have 192.168.100.0/25
> and 192.168.108.0/25.

I understood from the documentation that in the "masq" file I had to put the subnets with which I want to make SNAT. What I did was add for each IP one line for eth1 and another identical one for ppp0. In this way, when I want to route by the ADSL, the SNAT is already configured. Is this wrong? Or am I right?

In the tcrules file I add one line for each IP that I want to route. I configured both files this way because what I want to do at this moment is to route the public and private IPs' traffic by the provider connected to ETH1, but I don't want to do dynamic balancing. If at some moment I need to route one of these subnets by the ADSL, all I have to do is change just one line in the tcrules file. Again, is this wrong? Or am I right?

> c) I find the use of /25's rather than /24's curious -- any reason for
> that?

Some time ago, somebody recommended to me that for doing load balancing it was necessary to split into two subnets, one by the ADSL and the other by the second connection. Today I understand that this is not really necessary.

> d) You didn't say which "public IP address" you were using,

I connect from: 200.58.129.2

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Cc: "Charrua" <charrua@kernel.net.uy>
Sent: Monday, December 26, 2005 12:51 PM
Subject: Re: [Shorewall-users] 2 ISP problem 1
On Monday 26 December 2005 12:36, Charrua wrote:

> Ok, if I need to give permission only to IP 192.168.100.4, not the whole
> subnet, is it correct to specify this in the rules file instead of the masq file?

Yes -- /etc/shorewall/masq is NOT for access control. It rather describes the rules for rewriting the source IP address in certain packets.

-Tom
Thanks,

I attach the "tcrules", "masq" and "providers" files. I think the problem is the missing entry for my public IP addresses. But I don't understand the point about the multiple identical entries.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Cc: "Charrua" <charrua@kernel.net.uy>
Sent: Monday, December 26, 2005 4:03 PM
Subject: Re: [Shorewall-users] 2 ISP problem 1
Ok, if I need to give permission only to IP 192.168.100.4, not the whole subnet, is it correct to specify this in the rules file instead of the masq file?

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Cc: "Charrua" <charrua@kernel.net.uy>
Sent: Monday, December 26, 2005 4:27 PM
Subject: Re: [Shorewall-users] 2 ISP problem 1