Gianluca Varenni
2011-Mar-07 17:15 UTC
Problem with VPN and multiISP configuration with old shorewall
Hi list.

I'm trying to modify our current shorewall configuration (based on 3.2.6) to support an additional ISP *without* balancing and I have problems with the VPN.

Here is the old, working, setup:

Eth1: LAN interface. Has 3 IPs (192.168.77.253/24, 192.168.78.254/24, 192.168.80.253/24).
Eth2: WAN interface.

On the same firewall I run pptpd for external users to access LAN 192.168.77.0/24. The pptpd server assigns addresses in the 192.168.77.0/24 network.

What I'm trying to do is to add a second "ISP" on eth0:

Eth0: 10.17.48.2/23

The rule for routing is that shorewall should use eth0 *only* for traffic to 10.0.0.0/8. All the other traffic should go thru eth2.

I followed the directions for multiISP here http://www.shorewall.net/MultiISP.html and tried to disable balance with this http://www.shorewall.net/FAQ.htm#faq58

The result is that the traffic from LAN is correctly routed to eth0 or eth2. However the VPN is not working anymore: I can connect to the VPN server, but I cannot ping any host in LAN 192.168.77.0/24 properly.

I've attached the output of shorewall dump. I'm trying to ping 192.168.77.250 from 32.174.168.137 and don't see echo reply. If I sniff eth1, I see the echo replies from 192.168.77.250. If I look at ppp0, I only see the echo requests.

Thanks in advance
GV

------------------------------------------------------------------------------
What You Don't Know About Data Connectivity CAN Hurt You
This paper provides an overview of data connectivity, details its effect on application quality, and explores various alternative solutions.
http://p.sf.net/sfu/progress-d2d
Tom Eastep
2011-Mar-07 18:18 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On 3/7/11 9:15 AM, Gianluca Varenni wrote:
> Hi list.
>
> I'm trying to modify our current shorewall configuration (based on 3.2.6) to
> support an additional ISP *without* balancing and I have problems with the
> VPN.
>
> Here is the old, working, setup
>
> Eth1: LAN interface. Has 3 IPs (192.168.77.253/24, 192.168.78.254/24,
> 192.168.80.253/24).
> Eth2: WAN interface.
>
> On the same firewall I run pptpd for external users to access LAN
> 192.168.77.0/24. The pptpd server assigns addresses in the 192.168.77.0/24
> network.
>
> What I'm trying to do is adding a second "ISP" on eth0:
> Eth0: 10.17.48.2/23
> The rule for routing is that shorewall should use eth0 *only* for traffic to
> 10.0.0.0/8.

If it is only for traffic to 10.0.0.0/8, then it doesn't need to be a provider at all.

-Tom
--
Tom Eastep             \ When I die, I want to go like my Grandfather who
Shoreline,              \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Gianluca Varenni
2011-Mar-07 18:30 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
Tom,

How do you suggest to configure shorewall, then?
Consider that the traffic between LAN and 10.0.0.0/8 will still need to be NATted.

Have a nice day
GV
Tom Eastep
2011-Mar-07 19:00 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On 3/7/11 10:30 AM, Gianluca Varenni wrote:
> Tom,
>
> How do you suggest to configure shorewall, then?
> Consider that the traffic between LAN and 10.0.0.0/8 will still need to be
> NATted.

Then NAT it -- an interface doesn't have to be associated with a provider to use NAT. Simply route 10.0.0.0/8 via whatever gateway is appropriate.

I would set up eth0 as a separate zone so you can use policies and rules more conveniently to control access.

-Tom
Gianluca Varenni
2011-Mar-07 22:05 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
Thanks! I will try the new configuration tomorrow morning.

Can I put LAN and 10.0.0.0/8 in the same zone ("local") and then put some conditional NAT like this?

(masq file)
#INTERFACE          SUBNET    ADDRESS           PROTO   PORT(S)   IPSEC
eth2                eth1      173.166.226.234
eth0:10.0.0.0/24    eth1      10.17.48.2

Have a nice day
GV
Tom Eastep
2011-Mar-08 00:16 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On 3/7/11 2:05 PM, Gianluca Varenni wrote:
> Thanks! I will try the new configuration tomorrow morning.
>
> Can I put LAN and 10.0.0.0/8 in the same zone ("local") and then put some
> conditional NAT like this?
>
> (masq file)
> #INTERFACE          SUBNET    ADDRESS           PROTO   PORT(S)   IPSEC
> eth2                eth1      173.166.226.234
> eth0:10.0.0.0/24    eth1      10.17.48.2

Yes.

-Tom
Tom Eastep
2011-Mar-08 02:09 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On 3/7/11 4:16 PM, Tom Eastep wrote:
> On 3/7/11 2:05 PM, Gianluca Varenni wrote:
>> Thanks! I will try the new configuration tomorrow morning.
>>
>> Can I put LAN and 10.0.0.0/8 in the same zone ("local") and then put some
>> conditional NAT like this?
>>
>> (masq file)
>> #INTERFACE          SUBNET    ADDRESS           PROTO   PORT(S)   IPSEC
>> eth2                eth1      173.166.226.234
>> eth0:10.0.0.0/24    eth1      10.17.48.2
>
> Yes.

Although, I would replace 'eth1' with the network attached to eth1. This is clearly an old configuration where the second column is called SUBNET. It is now called SOURCE and specifying an interface name in that column is deprecated with a warning.

-Tom
Gianluca Varenni
2011-Mar-08 22:03 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
I tried adding eth0 to the local zone and the following masq file:

#INTERFACE          SUBNET            ADDRESS           PROTO   PORT(S)   IPSEC
eth0:10.0.0.0/8     192.168.77.0/24   10.17.48.2
eth2                192.168.77.0/24   173.166.226.234

but it didn't work. I was trying to ping from 192.168.77.110 to 10.17.48.1, and what I was seeing on eth0 was non-masqueraded packets.

Could it be because I'm trying to SNAT between two RFC1918 networks?

Have a nice day
GV
Tom Eastep
2011-Mar-08 23:12 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
PLEASE STOP TOP-POSTING!

On 3/8/11 2:03 PM, Gianluca Varenni wrote:
> I tried adding eth0 to the local zone and the following masq file:
>
> #INTERFACE          SUBNET            ADDRESS           PROTO   PORT(S)   IPSEC
> eth0:10.0.0.0/8     192.168.77.0/24   10.17.48.2
> eth2                192.168.77.0/24   173.166.226.234
>
> but it didn't work. I was trying to ping from 192.168.77.110 to 10.17.48.1,
> and what I was seeing on eth0 was non-masquerated packets.

Then there is something in your configuration that you are not telling us.

> Could it be because I'm trying to SNAT between two RFC1918 networks?

No. Please include the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
Gianluca Varenni
2011-Mar-08 23:24 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On Tue, Mar 8, 2011 at 3:12 PM, Tom Eastep <teastep@shorewall.net> wrote:
> PLEASE STOP TOP-POSTING!
>
> On 3/8/11 2:03 PM, Gianluca Varenni wrote:
> > I tried adding eth0 to the local zone and the following masq file:
> >
> > #INTERFACE          SUBNET            ADDRESS           PROTO   PORT(S)   IPSEC
> > eth0:10.0.0.0/8     192.168.77.0/24   10.17.48.2
> > eth2                192.168.77.0/24   173.166.226.234
> >
> > but it didn't work. I was trying to ping from 192.168.77.110 to 10.17.48.1,
> > and what I was seeing on eth0 was non-masquerated packets.
>
> Then there is something in your configuration that you are not telling us.
>
> > Could it be because I'm trying to SNAT between two RFC1918 networks?
>
> No. Please include the output of 'shorewall dump' collected as described
> at http://www.shorewall.net/support.htm#Guidelines.

Attached.

Have a nice day
GV

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
Tom Eastep
2011-Mar-08 23:49 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On 3/8/11 3:24 PM, Gianluca Varenni wrote:
> On Tue, Mar 8, 2011 at 3:12 PM, Tom Eastep <teastep@shorewall.net> wrote:
> > No. Please include the output of 'shorewall dump' collected as described
> > at http://www.shorewall.net/support.htm#Guidelines.
>
> Attached.

Here is a connection that is properly natted:

tcp      6 190420 ESTABLISHED src=192.168.77.150 dst=10.38.10.1 sport=52923 dport=22 packets=20 bytes=2646 src=10.38.10.1 dst=10.17.48.2 sport=22 dport=52923 packets=28 bytes=4324 [ASSURED] mark=2 use=1

So the rule *is* working.

Here is a conntrack entry for an un-replied ping:

icmp     1 26 src=192.168.77.150 dst=10.17.48.1 type=8 code=0 id=1 packets=613 bytes=36780 [UNREPLIED] src=10.17.48.1 dst=192.168.77.150 type=0 code=0 id=1 packets=0 bytes=0 mark=0 use=1

But note this:

Chain POSTROUTING (policy ACCEPT 340 packets, 22236 bytes)
 pkts bytes target     prot opt in     out     source               destination
  632 47883 eth2_masq  0    --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 eth0_masq  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0

So no new NAT requests were processed after you restarted/reset Shorewall. So that entry is left over from before.

Please wait until 'shorewall show connections | grep ^icmp' returns nothing and then try to ping again; does it work then?

-Tom
Gianluca Varenni
2011-Mar-09 02:24 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On Tue, Mar 8, 2011 at 3:49 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Here is a connection that is properly natted:
>
> tcp      6 190420 ESTABLISHED src=192.168.77.150 dst=10.38.10.1
> sport=52923 dport=22 packets=20 bytes=2646 src=10.38.10.1 dst=10.17.48.2
> sport=22 dport=52923 packets=28 bytes=4324 [ASSURED] mark=2 use=1
>
> So the rule *is* working.
>
> Here is a conntrack entry for an un-replied ping:
>
> icmp     1 26 src=192.168.77.150 dst=10.17.48.1 type=8 code=0 id=1
> packets=613 bytes=36780 [UNREPLIED] src=10.17.48.1 dst=192.168.77.150
> type=0 code=0 id=1 packets=0 bytes=0 mark=0 use=1
>
> But note this:
>
> Chain POSTROUTING (policy ACCEPT 340 packets, 22236 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   632 47883 eth2_masq  0    --  *      eth2    0.0.0.0/0            0.0.0.0/0
>     0     0 eth0_masq  0    --  *      eth0    0.0.0.0/0            0.0.0.0/0
>
> So no new NAT requests were processed after you restarted/reset
> Shorewall. So that entry is left over from before.
>
> Please wait until 'shorewall show connections | grep ^icmp' returns
> nothing and then try to ping again; does it work then?

It works only partially. I can now ping 10.17.48.1 (or any host on the 10.17.48.0/23 LAN), but I cannot ping any other host in 10.0.0.0/8. If IP destination is not in 10.17.48.0/23, it gets sent out masqueraded on eth2 (i.e. the WAN interface). shorewall dump attached.

Thanks
GV
Gianluca Varenni
2011-Mar-09 03:05 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On Tue, Mar 8, 2011 at 6:24 PM, Gianluca Varenni <gianluca.varenni@gmail.com> wrote:
> On Tue, Mar 8, 2011 at 3:49 PM, Tom Eastep <teastep@shorewall.net> wrote:
>> Please wait until 'shorewall show connections | grep ^icmp' returns
>> nothing and then try to ping again; does it work then?
>
> It works only partially. I can now ping 10.17.48.1 (or any host on the
> 10.17.48.0/23 LAN), but I cannot ping any other host in 10.0.0.0/8. If IP
> destination is not in 10.17.48.0/23, it gets sent out masquerated on eth2
> (i.e. the WAN interface). shorewall dump attached.

An update to this. Everything works if I add a static route with

route add -net 10.0.0.0/8 gw 10.17.48.1 dev eth0

Is it normal that I need to add a static route outside of the shorewall configuration files?

Thanks
GV
Tom Eastep
2011-Mar-09 04:02 UTC
Re: Problem with VPN and multiISP configuration with old shorewall
On 3/8/11 7:05 PM, Gianluca Varenni wrote:
> An update to this. Everything works if I add a static route with
>
> route add -net 10.0.0.0/8 gw 10.17.48.1 dev eth0
>
> Is it normal that I need to add a static route outside of the shorewall
> configuration files?

Yes. Shorewall only affects routing if you use /etc/shorewall/providers. Your routing configuration (outside of Shorewall) determines where packets go. Shorewall determines if they are allowed to go there.

-Tom
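Tom's closing point (the routing table picks the outgoing interface, and only then do the masq rules for that interface get to rewrite the source address) and his earlier remark that an interface name in the SUBNET column is deprecated can both be checked with a small model of the reporter's setup. The following is an added example written for this page; it is not code from the thread, from Shorewall, or from its author. It models the routing table and masq files described above in plain Python; the route list, the mapping of eth1 to 192.168.77.0/24, and the source host 192.168.77.150 (taken from the conntrack entry Tom quoted) are assumptions, and the rule matching is a simplification of the real eth0_masq/eth2_masq chains.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table modelled on the reporter's box (assumption): one
# connected route per interface plus a default route via the WAN interface
# eth2. The 10.0.0.0/8 route the reporter added by hand is absent here;
# with_static_route() adds it.
BASE_ROUTES = [
    ("10.17.48.0/23", "eth0"),
    ("192.168.77.0/24", "eth1"),
    ("192.168.78.0/24", "eth1"),
    ("192.168.80.0/24", "eth1"),
    ("0.0.0.0/0", "eth2"),
]

# Network behind eth1 (assumption), used only to resolve the deprecated
# interface-name form of the SUBNET/SOURCE column.
IFACE_NETS = {"eth1": "192.168.77.0/24"}

# The reporter's last masq file (old SUBNET-column format), first three columns.
MASQ_FILE = """\
#INTERFACE          SUBNET            ADDRESS
eth0:10.0.0.0/8     192.168.77.0/24   10.17.48.2
eth2                192.168.77.0/24   173.166.226.234
"""

# The reporter's earlier draft, with an interface name in the SUBNET column.
OLD_MASQ_FILE = """\
#INTERFACE          SUBNET    ADDRESS
eth2                eth1      173.166.226.234
eth0:10.0.0.0/24    eth1      10.17.48.2
"""


@dataclass
class MasqRule:
    out_iface: str                  # interface the packet leaves on
    dest: ipaddress.IPv4Network     # optional "iface:dest" restriction
    source: ipaddress.IPv4Network   # SUBNET/SOURCE column
    snat_to: str                    # ADDRESS column


def parse_masq(text, iface_nets=IFACE_NETS):
    """Parse the first three columns of an old-format masq file.

    Returns (rules, notes); notes holds one message per interface name found
    in the SUBNET column, mirroring the deprecation warning Tom mentions.
    """
    rules, notes = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface_spec, source, address = line.split()[:3]
        iface, _, dest = iface_spec.partition(":")
        if source in iface_nets:
            notes.append(f"SOURCE '{source}' is an interface name; "
                         f"use {iface_nets[source]} instead")
            source = iface_nets[source]
        rules.append(MasqRule(iface, ipaddress.ip_network(dest or "0.0.0.0/0"),
                              ipaddress.ip_network(source), address))
    return rules, notes


def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def forward(src, dst, routes, rules):
    """Return (outgoing interface, source address after SNAT).

    The route decides the interface first; only the masq rules for that
    interface are then consulted, which is why a missing 10.0.0.0/8 route
    sends 10.x traffic out eth2 under the WAN address.
    """
    out = route_lookup(routes, dst)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.out_iface == out and s in r.source and d in r.dest:
            return out, r.snat_to
    return out, src


def without_static_route(dst="10.38.10.1"):
    rules, _ = parse_masq(MASQ_FILE)
    return forward("192.168.77.150", dst, BASE_ROUTES, rules)


def with_static_route(dst="10.38.10.1"):
    rules, _ = parse_masq(MASQ_FILE)
    return forward("192.168.77.150", dst, BASE_ROUTES + [("10.0.0.0/8", "eth0")], rules)


if __name__ == "__main__":
    print("no 10/8 route  :", without_static_route())            # eth2, WAN address
    print("with 10/8 route:", with_static_route())               # eth0, 10.17.48.2
    print("attached host  :", without_static_route("10.17.48.1"))  # eth0 either way
    print("\n".join(parse_masq(OLD_MASQ_FILE)[1]))
```

Running it reproduces the thread's symptom: with only the connected routes, a packet for 10.38.10.1 leaves eth2 masqueraded as the WAN address, while a packet for the directly attached 10.17.48.1 already leaves eth0 as 10.17.48.2; adding the 10.0.0.0/8 route moves the 10.38.10.1 case to eth0 without touching the masq rules, and the older masq draft produces two deprecation notes for the 'eth1' SOURCE entries.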