I have a multi-ISP setup with two NICs for the net zone and one NIC for loc, for poptop to route on ISP one. In this config I have used route_rules to ensure packets go out the correct net ISP. My poptop config is configured as if they were part of the loc zone, as described in the Shorewall docs. Is it sufficient to use route_rules for this to work as follows, because I am having trouble with it.

#
# Shorewall version 4 - route_rules File
#
# For information about entries in this file, type "man shorewall-route_rules"
#63.90.86.0
# For additional information, see http://www.shorewall.net/MultiISP.html
##############################################################################
#SOURCE DEST            PROVIDER PRIORITY
-       10.19.227.0/24  main     1000
-       192.168.1.0/24  main     1000
-       63.87.74.0/24   main     1000
-       64.42.53.203    main     1000
-       10.5.198.191    main     1000
--------------from here down are poptop assigned IPs
-       10.5.198.192    main     1000
-       10.5.198.193    main     1000
-       10.5.198.194    main     1000
-       10.5.198.195    main     1000

If this becomes a double post I apologize, I have tried to send mail using Thunderbird to no avail. This is sent from Outlook, which is annoying; hopefully I will resolve the T-bird issue soon. Btw I answered your last mail Tom from T-bird, did you get that?

Thanks
Mike

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
Mike wrote:
> Is it sufficient to use route_rules for this to work as follows, because
> I am having trouble with it.

Mike, "I am having trouble with it" will get you sympathy but no help. What problem _exactly_ are you having?

> #
> # Shorewall version 4 - route_rules File
> #
> # For information about entries in this file, type "man shorewall-route_rules"
> #63.90.86.0
> # For additional information, see http://www.shorewall.net/MultiISP.html
> ##############################################################################
> #SOURCE DEST            PROVIDER PRIORITY
> -       10.19.227.0/24  main     1000
> -       192.168.1.0/24  main     1000
> -       63.87.74.0/24   main     1000
> -       64.42.53.203    main     1000
> -       10.5.198.191    main     1000
> --------------from here down are poptop assigned IPs
> -       10.5.198.192    main     1000
> -       10.5.198.193    main     1000
> -       10.5.198.194    main     1000
> -       10.5.198.195    main     1000

The above rules direct traffic to the PPTP clients to use the main routing table. That's a good idea but without knowing what problem you are having, I really can't comment. A Shorewall dump collected as described in the support doc would also be helpful.

> Btw I answered your last mail Tom from T-bird, did you get that?

Yes.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
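To make the rule walk Tom describes concrete, here is an added example (not from the thread and not Shorewall's own code) that parses entries in the route_rules format and emulates the kernel's policy-routing lookup for a given source/destination pair. The catch-all ISP1 entry at priority 20000 is an assumption standing in for the provider rules Shorewall generates in a multi-ISP setup.

```python
import ipaddress

# Constructed sample: the thread's route_rules entries (comments stripped), plus
# one constructed catch-all entry standing in for the provider rules Shorewall
# adds in a multi-ISP setup (assumption: everything else goes via table ISP1).
ROUTE_RULES = """\
#SOURCE DEST            PROVIDER PRIORITY
-       10.19.227.0/24  main     1000
-       192.168.1.0/24  main     1000
-       63.87.74.0/24   main     1000
-       64.42.53.203    main     1000
-       10.5.198.191    main     1000
-       10.5.198.192    main     1000
-       -               ISP1     20000   # constructed stand-in for provider rules
"""


def _selector(field):
    """'-' matches anything; otherwise a host address or CIDR prefix."""
    return None if field == "-" else ipaddress.ip_network(field, strict=False)


def parse_route_rules(text):
    """Return (priority, src, dst, table) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, table, prio = line.split()
        rules.append((int(prio), _selector(src), _selector(dst), table))
    return rules


def lookup_table(rules, src, dst):
    """Emulate 'ip rule': the lowest-priority rule whose selectors match wins."""
    s_ip, d_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, s_net, d_net, table in sorted(rules, key=lambda r: r[0]):
        if (s_net is None or s_ip in s_net) and (d_net is None or d_ip in d_net):
            return table
    return "main"  # the kernel's own default rule (priority 32766)


RULES = parse_route_rules(ROUTE_RULES)

if __name__ == "__main__":
    # Reply from the LAN host to the PPTP client: matches the priority-1000 entry.
    print(lookup_table(RULES, "10.5.198.1", "10.5.198.192"))    # main
    # PPTP client reaching the Internet: no DEST entry matches, falls to provider.
    print(lookup_table(RULES, "10.5.198.192", "75.149.172.84"))  # ISP1
```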
Mike wrote:
> I have a multi-ISP setup with two NICs for the net zone and one NIC for loc,
> for poptop to route on ISP one. In this config I have used route_rules to
> ensure packets go out the correct net ISP.

I would use the "listenip" parameter in pptpd.conf to specify which interface to use. That way, pptpd won't even listen for connections on the other net interface.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom wrote:
> Mike wrote:
> > Is it sufficient to use route_rules for this to work as follows,
> > because I am having trouble with it.
>
> Mike, "I am having trouble with it" will get you sympathy but no help. What
> problem _exactly_ are you having?
>
> > #
> > # Shorewall version 4 - route_rules File
> > #
> > # For information about entries in this file, type "man shorewall-route_rules"
> > #63.90.86.0
> > # For additional information, see http://www.shorewall.net/MultiISP.html
> > ##############################################################################
> > #SOURCE DEST            PROVIDER PRIORITY
> > -       10.19.227.0/24  main     1000
> > -       192.168.1.0/24  main     1000
> > -       63.87.74.0/24   main     1000
> > -       64.42.53.203    main     1000
> > -       10.5.198.191    main     1000
> > --------------from here down are poptop assigned IPs
> > -       10.5.198.192    main     1000
> > -       10.5.198.193    main     1000
> > -       10.5.198.194    main     1000
> > -       10.5.198.195    main     1000
>
> The above rules direct traffic to the PPTP clients to use the main routing
> table. That's a good idea but without knowing what problem you are having, I
> really can't comment. A Shorewall dump collected as described in the support
> doc would also be helpful.
>
> > Btw I answered your last mail Tom from T-bird, did you get that?
>
> Yes.
>
> -Tom

Sorry for the non-verbosity. Here are some sniffs from eth1 (loc) and ppp1 (my current ppp connection) with me pinging a client on this network remotely through poptop. The dump is attached. You can see there is no reply from 10.5.198.1, which I can ping successfully if I ssh in and ping from the firewall itself.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
14:54:58.866717 IP 10.5.198.192 > 10.5.198.1: ICMP echo request, id 768, seq 4352, length 40
14:54:58.868088 arp who-has 10.5.198.192 tell 10.5.198.1
14:54:59.033032 arp reply 10.5.198.192 is-at 00:10:18:28:5a:d4
14:55:04.068423 IP 10.5.198.192 > 10.5.198.1: ICMP echo request, id 768, seq 4608, length 40
14:55:09.602038 IP 10.5.198.192 > 10.5.198.1: ICMP echo request, id 768, seq 4864, length 40
14:55:15.068727 IP 10.5.198.192 > 10.5.198.1: ICMP echo request, id 768, seq 5120, length 40

ns2:~ # tcpdump -ni ppp1 host 10.5.198.192
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp1, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
14:57:23.635652 IP 10.5.198.192.2018 > 75.149.172.84.3389: S 1284057838:1284057838(0) win 65535 <mss 1360,nop,nop,sackOK>
14:57:26.631680 IP 10.5.198.192.2018 > 75.149.172.84.3389: S 1284057838:1284057838(0) win 65535 <mss 1360,nop,nop,sackOK>
14:57:29.251083 IP 10.5.198.192 > 10.5.198.1: ICMP echo request, id 768, seq 5376, length 40
14:57:32.748469 IP 10.5.198.192.2018 > 75.149.172.84.3389: S 1284057838:1284057838(0) win 65535 <mss 1360,nop,nop,sackOK>
14:57:34.560336 IP 10.5.198.192 > 10.5.198.1: ICMP echo request, id 768, seq 5632, length 40
14:57:40.060884 IP 10.5.198.192 > 10.5.198.1: ICMP echo request, id 768, seq 5888, length 40
14:57:45.564074 IP 10.5.198.192 > 10.5.198.1: ICMP echo request, id 768, seq 6144, length 40

PS: at times you can get replies from poptop as though it were load balancing.

Thanks
Mike
Tom wrote:
> Mike wrote:
> > I have a multi-ISP setup with two NICs for the net zone and one NIC for
> > loc, for poptop to route on ISP one. In this config I have used
> > route_rules to ensure packets go out the correct net ISP.
>
> I would use the "listenip" parameter in pptpd.conf to specify which
> interface to use. That way, pptpd won't even listen for connections on the
> other net interface.
>
> -Tom

I think this did it. Out of 20 pings I missed one, but it immediately seemed to have improved this problem. I will let the list know after some testing.

Thank you
Mike
Tom wrote:
> Mike wrote:
> > I have a multi-ISP setup with two NICs for the net zone and one NIC for
> > loc, for poptop to route on ISP one. In this config I have used
> > route_rules to ensure packets go out the correct net ISP.
>
> I would use the "listenip" parameter in pptpd.conf to specify which
> interface to use. That way, pptpd won't even listen for connections on the
> other net interface.
>
> -Tom

I think this did it. Out of 20 pings I missed one, but it immediately seemed to have improved this problem. I will let the list know after some testing.

Thank you
Mike

I thought I would note this; it is a snip from pptpd.conf. A little confusing: the doc below says to enter the local IP. Which are you to assume, the local FQIP or your local network?? I entered the intended ISP1 IP for poptop to listen on. Anyway, in case someone else might get confused as I did: I took this as all local interfaces on the box.

Mike

# TAG: listen
#
#       Defines the IP address of the local interface on which pptpd
#       should listen for connections. The default is to listen on all
#       local interfaces (even ones brought up by pptp connections, thus
#       permitting pptp tunnels inside the pptp tunnels).
#
listen 208.48.178.122

# TAG: pidfile