Hello list

I tried this in the configuration:

    DNAT    inet1    dmz2:10.0.1.16-10.0.1.17    tcp    PORT    -    PUBIP

The connection keeps going to the last IP address (10.0.1.17).

I'm using shorewall 4.0.4 (perl) and it does not result in round-robin. Will it help to upgrade, or is the syntax wrong?

Thanks.

Lars
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
Lars Erik Dangvard Jensen wrote:
> Hello list
>
> I tried this in the configuration:
>
>     DNAT    inet1    dmz2:10.0.1.16-10.0.1.17    tcp    PORT    -    PUBIP
>
> The connection keeps going to the last IP address (10.0.1.17).
>
> I'm using shorewall 4.0.4 (perl) and it does not result in round-robin.
> Will it help to upgrade, or is the syntax wrong?

The syntax is correct and it won't help to upgrade; in looking at this, I discovered that round-robin is completely broken beginning with 4.0.5 (patch for 4.0.5-4.0.7 attached).

I took a quick look at the Netfilter and Netfilter-devel lists and didn't see where anyone has reported this being broken in the kernel. So the only thing I can suggest is to check the output of "shorewall show nat" to be sure that the DNAT rule is being generated correctly. You should see something like '..... to:10.0.1.16-10.0.1.17:PORT'.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Lars Erik Dangvard Jensen wrote:
>> Hello list
>>
>> I tried this in the configuration:
>>
>>     DNAT    inet1    dmz2:10.0.1.16-10.0.1.17    tcp    PORT    -    PUBIP
>>
>> The connection keeps going to the last IP address (10.0.1.17).
>>
>> I'm using shorewall 4.0.4 (perl) and it does not result in round-robin.
>> Will it help to upgrade, or is the syntax wrong?
>
> The syntax is correct and it won't help to upgrade; in looking at this,
> I discovered that round-robin is completely broken beginning with 4.0.5
> (patch for 4.0.5-4.0.7 attached).
>
> I took a quick look at the Netfilter and Netfilter-devel lists and
> didn't see where anyone has reported this being broken in the kernel. So
> the only thing I can suggest is to check the output of "shorewall show
> nat" to be sure that the DNAT rule is being generated correctly. You
> should see something like '..... to:10.0.1.16-10.0.1.17:PORT'.

Just tried it -- here is an actual (folded) example:

    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.254        tcp dpt:80 to:206.124.146.177-206.124.146.178
----------------------------------

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Lars Erik Dangvard Jensen wrote:
>>> Hello list
>>>
>>> I tried this in the configuration:
>>>
>>>     DNAT    inet1    dmz2:10.0.1.16-10.0.1.17    tcp    PORT    -    PUBIP
>>>
>>> The connection keeps going to the last IP address (10.0.1.17).
>>>
>>> I'm using shorewall 4.0.4 (perl) and it does not result in round-robin.
>>> Will it help to upgrade, or is the syntax wrong?
>>
>> The syntax is correct and it won't help to upgrade; in looking at this,
>> I discovered that round-robin is completely broken beginning with 4.0.5
>> (patch for 4.0.5-4.0.7 attached).
>>
>> I took a quick look at the Netfilter and Netfilter-devel lists and
>> didn't see where anyone has reported this being broken in the kernel. So
>> the only thing I can suggest is to check the output of "shorewall show
>> nat" to be sure that the DNAT rule is being generated correctly. You
>> should see something like '..... to:10.0.1.16-10.0.1.17:PORT'.
>
> Just tried it -- here is an actual (folded) example:
>
>     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.254        tcp dpt:80 to:206.124.146.177-206.124.146.178
> ----------------------------------

One question -- how are you testing this? From a single IP address? Because all connections from a single IP address will use the same destination IP.

-Tom
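Putting Tom's two suggestions together, as an added example that is not part of this thread and not Shorewall's own code: the script below parses a "shorewall show nat" listing (the output of iptables -t nat -L -n -v) to confirm that the DNAT rule really carries the full address range, and then models why a test driven from one client never shows any spread. The listing is a constructed sample built around the rule line Tom posted (the chain name and header line are assumed). The hash-based pick is an assumption about the kernel's mechanism, with a blake2b digest standing in for the kernel's jhash, so the exact client-to-backend mapping will differ from a real box; the property the thread describes, that every connection from one source address lands on the same backend, is what it reproduces.

```python
import hashlib
import ipaddress
import re

# Constructed sample of `shorewall show nat` (iptables -t nat -L -n -v) output,
# built around the rule line posted in the thread; chain name and header are assumed.
SAMPLE_NAT_OUTPUT = """\
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.254        tcp dpt:80 to:206.124.146.177-206.124.146.178
"""

# Matches the "to:" part of a DNAT rule: one address or an address range,
# optionally followed by a port or port range (e.g. to:10.0.1.16-10.0.1.17:8080).
TO_RE = re.compile(
    r"\bto:(?P<lo>\d+\.\d+\.\d+\.\d+)(?:-(?P<hi>\d+\.\d+\.\d+\.\d+))?"
    r"(?::(?P<port>\d+(?:-\d+)?))?"
)


def parse_dnat_targets(output):
    """Return [(lo, hi, port_spec)] for every DNAT rule in an iptables nat listing.

    A single-address target is reported with lo == hi; port_spec is None when
    the rule does not rewrite the destination port.
    """
    targets = []
    for line in output.splitlines():
        fields = line.split()
        # Rule lines from `-L -n -v` start with the pkts, bytes and target columns.
        if len(fields) < 3 or fields[2] != "DNAT":
            continue
        m = TO_RE.search(line)
        if m is None:
            continue
        lo = ipaddress.IPv4Address(m.group("lo"))
        hi = ipaddress.IPv4Address(m.group("hi")) if m.group("hi") else lo
        targets.append((lo, hi, m.group("port")))
    return targets


def rule_covers_range(output, expected_lo, expected_hi):
    """True if some DNAT rule in the listing carries exactly the expected range."""
    lo = ipaddress.IPv4Address(expected_lo)
    hi = ipaddress.IPv4Address(expected_hi)
    return any(t_lo == lo and t_hi == hi for t_lo, t_hi, _ in parse_dnat_targets(output))


def pick_backend(lo, hi, src, dst):
    """Model of how netfilter picks one address out of a DNAT range.

    ASSUMPTION: the kernel derives the choice from a hash of the connection's
    addresses (jhash in the kernel); a blake2b digest stands in for it here, so
    the concrete mapping differs from a real box. The property that matters is
    that the pick is a pure function of (src, dst): every connection from one
    client address lands on the same backend.
    """
    span = int(hi) - int(lo) + 1
    digest = hashlib.blake2b(src.packed + dst.packed, digest_size=4).digest()
    return lo + int.from_bytes(digest, "big") % span


def backends_hit(lo, hi, sources, dst, connections_per_source=5):
    """Return {backend: connection count} for connections from the given clients."""
    counts = {}
    for src in sources:
        for _ in range(connections_per_source):
            backend = pick_backend(lo, hi, src, dst)
            counts[backend] = counts.get(backend, 0) + 1
    return counts


if __name__ == "__main__":
    (lo, hi, port), = parse_dnat_targets(SAMPLE_NAT_OUTPUT)
    print(f"rule targets {lo}-{hi} (port rewrite: {port})")
    public = ipaddress.IPv4Address("192.168.1.254")
    # A test from one client, many connections: always the same backend.
    one_client = backends_hit(lo, hi, [ipaddress.IPv4Address("203.0.113.5")], public)
    print("one client:", one_client)
    # The spread only shows up across many client addresses (constructed test range).
    many_clients = [ipaddress.IPv4Address("203.0.113.0") + i for i in range(1, 65)]
    print("64 clients:", backends_hit(lo, hi, many_clients, public))
```

On a real box, replace SAMPLE_NAT_OUTPUT with the captured listing; if rule_covers_range reports the full range, the rule is fine and the place to look is the test itself: to see both backends used, drive connections from several client addresses rather than repeating them from one.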