Sorry, I hadn't subscribed to the group at my first send, so just resending it to be in touch :)

Jean-Philippe Maret
Director of Information Systems
Idep Multimedia
26, Rue Bellcordière
69002 Lyon
Tel. : +33 (0) 826.100.122
Fax : +33 (0) 437.499.768

----- Forwarded mail -----
From: "Jean-Philippe Maret" <jp.maret@idep-multimedia.com>
To: shorewall-users@lists.sourceforge.net
Sent: Tuesday 25 January 2011 13:27:13
Subject: Multiple Aliases

Hi,

I've got a running Shorewall with a LAN on eth0 and 3 providers plus a VPN gateway. Shorewall starts gracefully and traffic shaping works great.

One of my ISPs provides a /28 block which I'd like to use for DNAT purposes. Here's a view of this interface:

ip addr show eth3
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN qlen 1000
    link/ether 00:1e:58:df:ea:ae brd ff:ff:ff:ff:ff:ff
    inet 92.103.57.66/28 brd 92.103.57.79 scope global eth3
    inet 92.103.57.67/28 brd 92.103.57.79 scope global secondary eth3:67
    inet 92.103.57.68/28 brd 92.103.57.79 scope global secondary eth3:68
    inet 92.103.57.69/28 brd 92.103.57.79 scope global secondary eth3:69
    inet 92.103.57.70/28 brd 92.103.57.79 scope global secondary eth3:70
    inet 92.103.57.71/28 brd 92.103.57.79 scope global secondary eth3:71
    inet 92.103.57.72/28 brd 92.103.57.79 scope global secondary eth3:72
    inet 92.103.57.73/28 brd 92.103.57.79 scope global secondary eth3:73
    inet 92.103.57.74/28 brd 92.103.57.79 scope global secondary eth3:74
    inet 92.103.57.75/28 brd 92.103.57.79 scope global secondary eth3:75
    inet 92.103.57.76/28 brd 92.103.57.79 scope global secondary eth3:76
    inet 92.103.57.77/28 brd 92.103.57.79 scope global secondary eth3:77
    inet 92.103.57.78/28 brd 92.103.57.79 scope global secondary eth3:78
    inet6 fe80::21e:58ff:fedf:eaae/64 scope link
       valid_lft forever preferred_lft forever

My only problem is that for some strange reason only eth3 and eth3:71 respond to ping or work with DNAT rules. When Shorewall is stopped, the whole range responds to ping.
Here's a view of ip route:

10.123.0.1 via 10.123.0.10 dev tun0
10.123.0.10 dev tun0 proto kernel scope link src 10.123.0.9
92.103.57.64/28 dev eth3 proto kernel scope link src 92.103.57.66
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.100
82.224.36.0/24 dev eth1 proto kernel scope link src 82.224.36.63
10.71.2.0/24 dev eth0 proto kernel scope link src 10.71.2.2
10.99.0.0/18 via 10.123.0.10 dev tun0
10.75.0.0/18 via 10.123.0.10 dev tun0
default via 92.103.57.65 dev eth3
default via 192.168.1.1 dev eth2
default via 82.224.36.254 dev eth1

Does anyone have an idea?

Many thanks in advance.

Jean-Philippe Maret
Director of Information Systems
Idep Multimedia
26, Rue Bellcordière
69002 Lyon
Tel. : +33 (0) 826.100.122
Fax : +33 (0) 437.499.768

------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
On 1/25/11 5:41 AM, Jean-Philippe Maret wrote:
> Sorry, I hadn't subscribed to the group at my first send, so just resending it to be in touch :)
>
> Jean-Philippe Maret

From the dump:

Shorewall 4.0.15 Dump at idep-rt-mainframe - mardi 25 janvier 2011, 13:20:45 (UTC+0100)

Shorewall-shell 4.0.15

From the Shorewall Multi-ISP document:

"We strongly recommend that you run Shorewall-perl 4.2 or later if you are going to use this feature".

Note that Roberto Sanchez has Shorewall 4.4 packages available for Lenny; I recommend highly that you use them.

That having been said, I see nothing in the dump that would explain the behavior that you are seeing.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 1/25/11 9:06 AM, Tom Eastep wrote:
> On 1/25/11 5:41 AM, Jean-Philippe Maret wrote:
>> Sorry, I hadn't subscribed to the group at my first send, so just resending it to be in touch :)
>>
>> Jean-Philippe Maret
>
> From the dump:
>
> Shorewall 4.0.15 Dump at idep-rt-mainframe - mardi 25 janvier 2011,
> 13:20:45 (UTC+0100)
>
> Shorewall-shell 4.0.15
>
> From the Shorewall Multi-ISP document:
>
> "We strongly recommend that you run Shorewall-perl 4.2 or later if
> you are going to use this feature".
>
> Note that Roberto Sanchez has Shorewall 4.4 packages available for
> Lenny; I recommend highly that you use them.
>
> That having been said, I see nothing in the dump that would explain the
> behavior that you are seeing.

You might want to follow the debugging procedure outlined in the 1:1 NAT article to be sure that the upstream router does not have stale ARP cache entries for these IP addresses.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> From: "Tom Eastep" <teastep@shorewall.net>
> To: shorewall-users@lists.sourceforge.net
> Sent: Tuesday 25 January 2011 20:06:32
> Subject: Re: [Shorewall-users] Fwd: Multiple Aliases
>
> On 1/25/11 9:06 AM, Tom Eastep wrote:
> > On 1/25/11 5:41 AM, Jean-Philippe Maret wrote:
> >> Sorry, I hadn't subscribed to the group at my first send, so just
> >> resending it to be in touch :)
> >>
> >> Jean-Philippe Maret
> >
> > From the dump:
> >
> > Shorewall 4.0.15 Dump at idep-rt-mainframe - mardi 25 janvier 2011,
> > 13:20:45 (UTC+0100)
> >
> > Shorewall-shell 4.0.15
> >
> > From the Shorewall Multi-ISP document:
> >
> > "We strongly recommend that you run Shorewall-perl 4.2 or later
> > if you are going to use this feature".
> >
> > Note that Roberto Sanchez has Shorewall 4.4 packages available for
> > Lenny; I recommend highly that you use them.
> >

Yes, we plan an upgrade ASAP, but this box handles important traffic from several places; we can't afford a downtime ATM. But thanks for the advice, we will ;)

> > That having been said, I see nothing in the dump that would explain
> > the behavior that you are seeing.
>
> You might want to follow the debugging procedure outlined in the 1:1
> NAT article to be sure that the upstream router does not have stale arp
> cache entries for these IP addresses.

Exactly what we found out tonight; surprised to see our config work like a charm without any action or restart! The Cisco 1812 provided by this provider... if only we had had a hand on it 2 days ago, we would have saved time...

Many thanks for your time and advice.

BR.
JP Maret

> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
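The stale ARP entries on the ISP's router that Tom suspected and Jean-Philippe confirmed cleared only when the router's cache aged out, which is why the range started working "without any action". The following is an added example, not code from the thread or from Shorewall, showing how the firewall side can force that refresh: it extracts every IPv4 address from `ip addr show` output (the eth3 output posted above is embedded as the sample) and announces each one with gratuitous ARP using iputils arping; the interface name and addresses are taken from the thread, and `arping` being the iputils variant is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: push fresh ARP bindings for every
# IPv4 address on an interface to the directly connected upstream router,
# so an ISP-managed router that still caches the old MAC for a re-homed /28
# forwards to this firewall immediately instead of after its ARP timeout.
# Uses iputils arping (-U = unsolicited/gratuitous ARP, an assumption).
# The sample below is the `ip addr show eth3` output posted in the thread.

SAMPLE_IP_ADDR='5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN qlen 1000
    link/ether 00:1e:58:df:ea:ae brd ff:ff:ff:ff:ff:ff
    inet 92.103.57.66/28 brd 92.103.57.79 scope global eth3
    inet 92.103.57.67/28 brd 92.103.57.79 scope global secondary eth3:67
    inet 92.103.57.68/28 brd 92.103.57.79 scope global secondary eth3:68
    inet 92.103.57.69/28 brd 92.103.57.79 scope global secondary eth3:69
    inet 92.103.57.70/28 brd 92.103.57.79 scope global secondary eth3:70
    inet 92.103.57.71/28 brd 92.103.57.79 scope global secondary eth3:71
    inet 92.103.57.72/28 brd 92.103.57.79 scope global secondary eth3:72
    inet 92.103.57.73/28 brd 92.103.57.79 scope global secondary eth3:73
    inet 92.103.57.74/28 brd 92.103.57.79 scope global secondary eth3:74
    inet 92.103.57.75/28 brd 92.103.57.79 scope global secondary eth3:75
    inet 92.103.57.76/28 brd 92.103.57.79 scope global secondary eth3:76
    inet 92.103.57.77/28 brd 92.103.57.79 scope global secondary eth3:77
    inet 92.103.57.78/28 brd 92.103.57.79 scope global secondary eth3:78
    inet6 fe80::21e:58ff:fedf:eaae/64 scope link
       valid_lft forever preferred_lft forever'

# Print every global IPv4 address (primary and secondary alike) found in
# `ip addr show` output on stdin; the router needs a fresh entry for each.
list_v4_aliases() {
    awk '$1 == "inet" && /scope global/ { split($2, a, "/"); print a[1] }'
}

# For each address on stdin, announce it from the given interface with
# three gratuitous ARP replies. ARPING defaults to arping; set ARPING=echo
# for a dry run that only prints the arguments. Needs root when live.
announce_aliases() {
    iface=$1
    while read -r addr; do
        "${ARPING:-arping}" -U -c 3 -I "$iface" -s "$addr" "$addr"
    done
}

# Live use on the firewall (as root):
#   ip addr show eth3 | list_v4_aliases | announce_aliases eth3
# Dry run against the sample from the thread:
#   printf '%s\n' "$SAMPLE_IP_ADDR" | list_v4_aliases | ARPING=echo announce_aliases eth3
```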