Hi list, since this is the first time I work with this kind of configuration I'll explain so you can tell me if I'm wrong:

eth0: isp1 (1mbps/1mbps, 1 public ip address reserved by DHCP)
eth1: isp2 (2mbps/256kbps, 1 private ip address)
eth2: telephone network (VoIP phones)
eth3: local computer network

The idea is then that the IP-PBX located on the phone network uses only ISP1 (ONE-TO-ONE NAT), also receiving connections from outside, and the computer network should only use ISP2 (regular masquerading).

So I want to use the providers file (and I guess I have to use the tcrules file according to the documentation):

#providers
ISP1 1 1 main eth0 detect track,balance eth2
ISP2 2 2 main eth1 10.35.0.1 balance,loose eth3

I am using balance since the documentation recommends it, but I don't want any balance.

#tcrules
1:p 192.168.1.0/24 0.0.0.0/0 all
2:p 192.168.0.0/24 0.0.0.0/0 all

Then I read I had to put something in the masq file even if I don't masquerade; this is the part I don't understand, especially because it's a dynamic interface. This is currently my masq file:

#masq
eth1 eth3

#nat
ext-ip-isp1 eth0 192.168.1.10 no no

Is there anything else I should add to the configuration? I'm using shorewall 3.0.5. If you need any other information please ask.

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
On Monday 27 March 2006 08:03, Alberto Sierra wrote:

> Then I read I had to put something in the masq file even if I don't masquerade; this is the part I don't understand, especially because it's a dynamic interface. This is currently my masq file:
>
> #masq
> eth1 eth3
>
> #nat
> ext-ip-isp1 eth0 192.168.1.10 no no
>
> Is there anything else I should add to the configuration? I'm using shorewall 3.0.5.

Given that this question has already been asked and answered twice in the last week on this list, I've updated the Example in the multi-ISP doc to include instructions for dynamic IP addresses.

http://www1.shorewall.net/MultiISP.html#id2460005

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Alberto Sierra wrote:
> Hi list, since this is the first time I work with this kind of configuration I'll explain so you can tell me if I'm wrong:
>
> eth0: isp1 (1mbps/1mbps, 1 public ip address reserved by DHCP)
> eth1: isp2 (2mbps/256kbps, 1 private ip address)
> eth2: telephone network (VoIP phones)
> eth3: local computer network
>
> The idea is then that the IP-PBX located on the phone network uses only ISP1 (ONE-TO-ONE NAT), also receiving connections from outside.

Where are these outside connections going? To the telephone network? Or the computer lan? That is, from which isp?

> and the computer network should only use ISP2 (regular masquerading)
>
> So I want to use the providers file (and I guess I have to use the tcrules file according to the documentation):
>
> #providers
> ISP1 1 1 main eth0 detect track,balance eth2
> ISP2 2 2 main eth1 10.35.0.1 balance,loose eth3

Don't think 'loose' is needed here, I'd set the rest up the same. Maybe add track to isp2, is all I'd do.

> I am using balance since the documentation recommends it, but I don't want any balance.
>
> #tcrules
> 1:p 192.168.1.0/24 0.0.0.0/0 all
> 2:p 192.168.0.0/24 0.0.0.0/0 all

That should be OK if 1.0/24 is the phone network, and 0.0/24 are the computers.

> Then I read I had to put something in the masq file even if I don't masquerade; this is the part I don't understand, especially because it's a dynamic interface. This is currently my masq file:
>
> #masq
> eth1 eth3

I'd suggest that you use the third column and use snat here.

eth1 eth3 <ipofeth1>

Maybe there should be a bigger warning in the howto about using snat in the masq file.

> #nat
> ext-ip-isp1 eth0 192.168.1.10 no no

Sorry, I don't use the nat file, not sure.

> Is there anything else I should add to the configuration? I'm using shorewall 3.0.5.
>
> If you need any other information please ask.

Looks like you're off to a good start, good luck.
Jerry
Jerry, I'm just a bit confused with the masq file.
My local computer network is 192.168.0.0 and my telephone network is 192.168.1.0.

The incoming connections will be to a host on the telephone network (that's why the nat file), but if I'm not going to masquerade any connection thru ISP1 (only on ISP2), do I have to put only the masquerading on ISP2, or must I set up the masq file as shown in the documentation and add the entry for real masquerading?

Something like this: masquerading the local computer network thru ISP2 and setting defaults from the documentation for ISP1:

#masq
eth0 $ext-ip-net-isp1 $ext-ip-addr-isp1
eth1 eth3 $ext-ip-addr-isp2

and set up nat for ISP1:

#nat
$ext-ip-net-isp1 eth0 $loc-srv-ip no no

In a few words, how do I masquerade only one ISP, NAT the other, and use the providers file (without load balancing the ISPs)?

> Date: Mon, 27 Mar 2006 10:49:57 -0600
> From: Jerry Vonau <jvonau@shaw.ca>
> Subject: Re: [Shorewall-users] providers and shaping
> To: shorewall-users@lists.sourceforge.net
>
> Alberto Sierra wrote:
> > Hi list, since this is the first time I work with this kind of configuration I'll explain so you can tell me if I'm wrong:
> >
> > eth0: isp1 (1mbps/1mbps, 1 public ip address reserved by DHCP)
> > eth1: isp2 (2mbps/256kbps, 1 private ip address)
> > eth2: telephone network (VoIP phones)
> > eth3: local computer network
> >
> > The idea is then that the IP-PBX located on the phone network uses only ISP1 (ONE-TO-ONE NAT), also receiving connections from outside.
>
> Where are these outside connections going? To the telephone network? Or the computer lan? That is, from which isp?
>
> > and the computer network should only use ISP2 (regular masquerading)
> >
> > So I want to use the providers file (and I guess I have to use the tcrules file according to the documentation):
> >
> > #providers
> > ISP1 1 1 main eth0 detect track,balance eth2
> > ISP2 2 2 main eth1 10.35.0.1 balance,loose eth3
>
> Don't think 'loose' is needed here, I'd set the rest up the same. Maybe add track to isp2, is all I'd do.
>
> > I am using balance since the documentation recommends it, but I don't want any balance.
> >
> > #tcrules
> > 1:p 192.168.1.0/24 0.0.0.0/0 all
> > 2:p 192.168.0.0/24 0.0.0.0/0 all
>
> That should be OK if 1.0/24 is the phone network, and 0.0/24 are the computers.
>
> > Then I read I had to put something in the masq file even if I don't masquerade; this is the part I don't understand, especially because it's a dynamic interface. This is currently my masq file:
> >
> > #masq
> > eth1 eth3
>
> I'd suggest that you use the third column and use snat here.
>
> eth1 eth3 <ipofeth1>
>
> Maybe there should be a bigger warning in the howto about using snat in the masq file.
>
> > #nat
> > ext-ip-isp1 eth0 192.168.1.10 no no
>
> Sorry, I don't use the nat file, not sure.
>
> > Is there anything else I should add to the configuration? I'm using shorewall 3.0.5.
> >
> > If you need any other information please ask.
>
> Looks like you're off to a good start, good luck.
>
> Jerry
Alberto Sierra wrote:
> Jerry, I'm just a bit confused with the masq file.
> My local computer network is 192.168.0.0 and my telephone network is 192.168.1.0.
>
> The incoming connections will be to a host on the telephone network (that's why the nat file)

That is clearer to me now.

> but if I'm not going to masquerade any connection thru ISP1 (only on ISP2), do I have to put only the masquerading on ISP2, or must I set up the masq file as shown in the documentation and add the entry for real masquerading?
>
> Something like this: masquerading the local computer network thru ISP2 and setting defaults from the documentation for ISP1:
>
> #masq
> eth0 $ext-ip-net-isp1 $ext-ip-addr-isp1
> eth1 eth3 $ext-ip-addr-isp2

Think you'll want:

eth0 $ext-ip-net-isp2 $ext-ip-net-isp1
eth1 $ext-ip-net-isp1 $ext-ip-net-isp2
eth1 eth3 $ext-ip-addr-isp2

The first 2 only handle outbound from the firewall itself, that may leave on an outbound interface with the wrong source ip address. More on that below. The third takes care of traffic from eth3.

> and set up nat for ISP1:
>
> #nat
> $ext-ip-net-isp1 eth0 $loc-srv-ip no no

I'm not sure here, I'd need to see a shorewall dump to be sure. Like I said, I don't use the nat file, so off the top of my head I'm unsure.

> In a few words, how do I masquerade only one ISP, NAT the other, and use the providers file (without load balancing the ISPs)?

You'll need 'balance', for traffic from the firewall itself. Some of the client apps, on the firewall, might get confused about what source address is to be used with more than one gateway present, if you don't (can't) specify a source address. Those entries are there to cover those types of situations. As long as the "copy" column, in the providers file, has only the interface that you want to masq (like you had posted), then only that traffic will use that provider's routing table. The same should hold true for the nat file entry, I just can't test that right now.
Hope this helps,
Jerry
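As an added example (not posted by anyone in this thread), the four Shorewall 3.0.x files for the layout above, combined along the lines of Jerry's replies, written to a directory so they can be checked before going live. ISP1_ADDR, ISP1_NET, ISP2_ADDR and ISP2_NET are placeholders for your own addresses, and the third masq column is treated as the SNAT address; the ISP1 address comes from DHCP, so a static value only holds while the lease does and the dynamic case is covered by the multi-ISP doc Tom linked.

```shell
#!/bin/sh
# Added example (not from anyone in this thread): Shorewall 3.0.x files for
# the two-ISP layout above, written into $1 for review before deployment.
# ISP1_ADDR/ISP1_NET/ISP2_ADDR/ISP2_NET are placeholders for your own values.
write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"
    # providers: mark 1 -> ISP1 for the phone LAN (eth2), mark 2 -> ISP2 for
    # the PC LAN (eth3); 'loose' dropped and 'track' added on ISP2 as advised.
    cat > "$dir/providers" <<'EOF'
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY   OPTIONS       COPY
ISP1  1      1    main      eth0      detect    track,balance eth2
ISP2  2      2    main      eth1      10.35.0.1 track,balance eth3
EOF
    # tcrules: set the mark in PREROUTING (:p) by source subnet
    cat > "$dir/tcrules" <<'EOF'
#MARK SOURCE         DEST      PROTO
1:p   192.168.1.0/24 0.0.0.0/0 all
2:p   192.168.0.0/24 0.0.0.0/0 all
EOF
    # masq: lines 1-2 rewrite the source of firewall-originated traffic that
    # leaves on the "other" ISP; line 3 SNATs the PC LAN to ISP2's address.
    cat > "$dir/masq" <<'EOF'
#INTERFACE SUBNET   ADDRESS
eth0       ISP2_NET ISP1_ADDR
eth1       ISP1_NET ISP2_ADDR
eth1       eth3     ISP2_ADDR
EOF
    # nat: one-to-one NAT of the ISP1 address to the IP-PBX on the phone LAN
    cat > "$dir/nat" <<'EOF'
#EXTERNAL INTERFACE INTERNAL     ALL LOCAL
ISP1_ADDR eth0      192.168.1.10 no  no
EOF
}

# Consistency checks to run before 'shorewall restart': every tcrules mark
# must name a provider MARK, and 'loose' must not appear (Jerry's point).
check_shorewall_config() {
    dir="$1"
    grep -q 'loose' "$dir/providers" && return 1
    for m in $(awk '!/^#/ { sub(/:.*/, "", $1); print $1 }' "$dir/tcrules"); do
        awk -v m="$m" '!/^#/ && $3 == m { found = 1 } END { exit !found }' \
            "$dir/providers" || return 1
    done
    return 0
}
```

Run `write_shorewall_config /tmp/sw && check_shorewall_config /tmp/sw` and compare the output with your /etc/shorewall files; the check exits non-zero if a tcrules mark has no matching provider or if 'loose' crept back in.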