Hi you all guys/girls from this list,

I almost never use email lists, but this problem is driving me crazy. I have used shorewall for a long time (since version 1.2.x), but now I use it where I work, and here we now have 4 different ISPs for redundancy and because it's cheaper than 1 ISP and a bigger link. With 3 of the 4 ISPs I have no problems, but on the 4th ISP here goes my problem: I have a 'client' who also uses this ISP (Telemar); when I try to ping from my 'client' I never reach my machines (the firewall and a NATed server). If I traceroute I almost never reach them either. Below there are outputs from both commands executed from my 'client's' linux box. I attached 'shorewall dump' as required.

Other points I tested:
- trying to ping/traceroute an IP from my other 3 ISPs works
- if I remove my shorewall-firewall and put a Windows machine connected to the router the problem disappears
- some times during the start of shorewall the tests seem to work.
- I use 1 interface (eth0) connected through a switch to my 3 routers (one of them has 2 wan interfaces - but my problematic ISP is not connected here)
- As you can see (through my trace log) I use Shorewall-3.0.7 and it is running on a Leaf-Bering distribution that I completely updated to be sure the problem wasn't an old version. Previously I used 2.2.x/2.4.x and the problem existed as well.
- I also tested other pairs of 'my client' <-> 'my NATed server' using the same ISP where ISP != Telemar
- my 'trace' is huge and already gzipped took about 70kb so I wiped out the part that says about the current connections except for the SRC IP of my 'client' from whom I was trying to ping/traceroute back.

The guys from Telemar say the problem is my firewall or my router; I don't see it this way because it works with the other ISPs and I already changed the router used for Telemar's link.

Please help...!
Regards,
Christian V R Lopes
IT Manager - Polibras

[polibras@localhost polibras]$ ping -c 5 200.164.106.140
PING 200.164.106.140 (200.164.106.140) 56(84) bytes of data.

--- 200.164.106.140 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4014ms

[polibras@localhost polibras]$ /usr/sbin/traceroute 200.164.106.140
traceroute to 200.164.106.140 (200.164.106.140), 30 hops max, 38 byte packets
 1  192.168.200.1 (192.168.200.1)  0.242 ms  0.147 ms  0.090 ms
 2  200.164.225.99 (200.164.225.99)  1.136 ms  1.046 ms  1.061 ms
 3  200.164.230.13 (200.164.230.13)  28.184 ms  15.046 ms  50.394 ms
 4  Fa1-0-0.VPT-PB-ROTD-01.telemar.net.br (200.164.205.130)  47.771 ms  15.670 ms  54.701 ms
 5  200.164.197.133 (200.164.197.133)  54.496 ms  45.505 ms  32.174 ms
 6  PO6-0.NBV-PE-ROTN-01.telemar.net.br (200.223.131.13)  57.197 ms  53.778 ms  49.041 ms
 7  PO5-0-0.BDEA-BA-ROTB-01.telemar.net.br (200.223.131.66)  61.078 ms  58.177 ms  63.970 ms
 8  PO10-0.CEN-CE-ROTD-02.telemar.net.br (200.223.131.46)  65.230 ms  55.026 ms  55.128 ms
 9  200.164.188.198 (200.164.188.198)  49.459 ms  64.859 ms  53.088 ms
10  200.141.162.122 (200.141.162.122)  69.583 ms  58.646 ms  54.582 ms
11  * * *
12  * * polibr10.polibrasnet.com.br (200.164.106.140)  59.881 ms
Christian Villa Real Lopes wrote:
>
> Please help...!
>

I really don't know what to tell you -- the simple-minded Shorewall multi-ISP feature requires a separate interface for each ISP so I have no idea what kind of weird problems will occur if you try to put more than one ISP on a single interface. I do know that 'track' won't work at all.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Christian Villa Real Lopes wrote:
> Hi you all guys/girls from this list,

Speaking of girls, there are actually some around here somewhere: http://www.shorewall.net/survey-200603.html#id2460164 :-)

Paul
Hi All:

If I have ppp0 and ppp1 on my machine, only one of which should ever be active, how can I define the zones for those? They're both "net" or the internet. Can I just put ppp+ in the zones file?

Cheers,
John
Christian Villa Real Lopes
2006-Jun-07 17:21 UTC
Re: Ping/Traceroute problem in 1 of 4 links
> I really don't know what to tell you -- the simple-minded Shorewall
> multi-ISP feature requires a separate interface for each ISP so I have
> no idea what kind of weird problems will occur if you try to put more
> than one ISP on a single interface. I do know that 'track' won't work
> at all.

I really do need to get better when trying to explain something, but besides that ...

The trace I sent was 'corrupted' because I tried to use 'providers' (my mistake). I have used this setup of 4 links for quite a while. Luckily this is my first big problem. I sniffed eth0 (connected to the links) and found out there is indeed an ICMP packet replying to my traceroute/ping but its mac address is wrong (it doesn't belong to the ethernet of the correct router). If I change my default route to only one ISP it works (right now I use 'ip ro replace default equalize nexthop via 200.253.243.129 dev eth0 weight 2 nexthop via 201.12.23.129 dev eth0 weight 2 nexthop via 200.164.106.129 dev eth0 weight 1 nexthop via 200.190.192.129 dev eth0 weight 1').

I already understand somehow this is my mistake, I'm just not sure how to fix it - maybe I have to mark every.

Attached is a sniffed traceroute where on pair packets the dst_mac is wrong.
Christian Villa Real Lopes wrote:
>> I really don't know what to tell you -- the simple-minded Shorewall
>> multi-ISP feature requires a separate interface for each ISP so I have
>> no idea what kind of weird problems will occur if you try to put more
>> than one ISP on a single interface. I do know that 'track' won't work
>> at all.
>
> I really do need to get better when trying to explain something, but
> besides that ...
>
> The trace I sent was 'corrupted' because I tried to use 'providers' (my
> mistake). I have used this setup of 4 links for quite a while. Luckily
> this is my first big problem. I sniffed eth0 (connected to the links)
> and found out there is indeed an ICMP packet replying to my
> traceroute/ping but its mac address is wrong (it doesn't belong to the
> ethernet of the correct router). If I change my default route to only
> one ISP it works (right now I use 'ip ro replace default equalize
> nexthop via 200.253.243.129 dev eth0 weight 2 nexthop via
> 201.12.23.129 dev eth0 weight 2 nexthop via 200.164.106.129 dev eth0
> weight 1 nexthop via 200.190.192.129 dev eth0 weight 1').
>
> I already understand somehow this is my mistake, I'm just not sure how
> to fix it - maybe I have to mark every.
>
> Attached is a sniffed traceroute where on pair packets the dst_mac is wrong.

That just means that a different gateway was selected for the reply. Again, I don't know how to ever make this work with all of the links using the same network interface -- maybe someone else on the list can help you.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>
>> Attached is a sniffed traceroute where on pair packets the dst_mac is wrong.
>
> That just means that a different gateway was selected for the reply. Again, I
> don't know how to ever make this work with all of the links using the same
> network interface -- maybe someone else on the list can help you.
>

The only way that I can think of to try to fix this is to:

a) Mark packets entering eth0 based on the source MAC.
b) Mark connections based on the packet marks.
c) Restore packet marks from connection marks on output.
d) Use the packet marks to select the correct routing table.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
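The four steps Tom lists, written out as the raw iptables/ip commands they correspond to, as an added example that is not part of the thread and is not Shorewall's own code or configuration. It assumes the single ISP-facing interface eth0 from the thread and takes the four gateway addresses from Christian's multipath default route; the routing-table numbers and the router MAC addresses are constructed placeholders (the real MACs come from `ip neigh show dev eth0`). The script only prints the commands so they can be reviewed; it applies nothing.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): emits the commands for
# mark-by-source-MAC -> save to connmark -> restore on the way out -> route by
# fwmark. Nothing is applied to the running system; the output is for review.

WAN_IF="eth0"   # the shared ISP-facing interface from the thread

# One provider per line: "name table gateway router_mac".
# Gateways are the next hops of Christian's multipath default route; the table
# numbers and MAC addresses are constructed placeholders (replace the MACs with
# what `ip neigh show dev eth0` reports for each router).
PROVIDERS="isp1 1 200.253.243.129 00:00:5e:00:53:01
isp2 2 201.12.23.129 00:00:5e:00:53:02
isp3 3 200.164.106.129 00:00:5e:00:53:03
isp4 4 200.190.192.129 00:00:5e:00:53:04"

emit_rules() {
    # Step c, placed first in chain order: copy the connection mark back onto
    # every packet, so a reply on an established connection carries the mark of
    # the router the connection arrived from. OUTPUT covers the firewall's own
    # replies (e.g. ICMP echo replies to a ping); PREROUTING covers replies
    # forwarded from the NATed server on the LAN side.
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"

    printf '%s\n' "$PROVIDERS" | while read -r name table gw mac; do
        # Step a: a still-unmarked packet entering eth0 from this router's MAC
        # gets that provider's mark (the table number doubles as the mark).
        echo "iptables -t mangle -A PREROUTING -i $WAN_IF -m mark --mark 0" \
             "-m mac --mac-source $mac -j MARK --set-mark $table  # $name"
        # Step d: a per-provider table whose default route is that router, and
        # a policy rule sending packets carrying this fwmark to that table.
        echo "ip route replace default via $gw dev $WAN_IF table $table"
        echo "ip rule add fwmark $table table $table priority $((1000 + $table))"
    done

    # Step b: persist the packet mark into the connection mark for new flows.
    echo "iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark"
}

emit_rules
```

The main routing table keeps the multipath default route, so connections the firewall itself opens are still spread across the links; the fwmark rules only pin replies to the router a connection came in through. Matching on the source MAC works here only because all four routers sit on the same switch as eth0, which is exactly the setup the thread describes; with one interface per ISP the interface name would do the job and Shorewall's providers support would apply.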