Hi,
I want to start with a word of gratitude to Tom for the work he has put into
Shorewall, which makes life easier for us.
I'm having some problems with multi-ISP (it's really one ISP,
but two different IPs from the same ISP).
So my shorewall-providers looks like this (IPs are masked):
#NAME    NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS
net_GEN  1      256  default   ppp0      GW.GW.GW.GW track
net_PUB  2      512  default   ppp1      GW.GW.GW.GW track
shorewall-policy:
ethDOWN.v4001 - net_PUB 26000
lan.DOZYNKOWA - net_PUB 26000
shorewall-masq:
ppp1 172.21.0.0/24
On VM connected to lan.DOZYNKOWA:
# ping 8.8.8.8
Shorewall reports:
Nov 09 12:57:37 [kernel] [ 1851.993368] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19584 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1796
Nov 09 12:57:38 [kernel] [ 1852.993622] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19585 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1797
Nov 09 12:57:39 [kernel] [ 1853.992969] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19586 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1798
Nov 09 12:57:40 [kernel] [ 1854.999723] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19587 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1799
Nov 09 12:57:41 [kernel] [ 1855.993072] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19588 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1800
I tried mixed settings, but:
1. USE_DEFAULT_RT=No and shorewall-providers:
#NAME    NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS
net_GEN  1      256  main      ppp0      GW.GW.GW.GW track
net_PUB  2      512  main      ppp1      GW.GW.GW.GW track
/etc/init.d/shorewall start
 * Starting firewall ...
RTNETLINK answers: File exists
   ERROR: Command "ip -4 route add table 1 GW.GW.GW.GW dev ppp1 proto kernel scope link src PPP1.PPP1.PPP1.PPP1" Failed
/usr/share/shorewall/lib.common: line 68:  6500 Terminated              $SHOREWALL_SHELL $script $options $@
2. USE_DEFAULT_RT=Yes and shorewall-providers:
#NAME    NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS
net_GEN  1      256  -         ppp0      GW.GW.GW.GW track
net_PUB  2      512  -         ppp1      GW.GW.GW.GW track
/etc/init.d/shorewall start
 * Starting firewall ...
RTNETLINK answers: No such process
   ERROR: Command "ip -4 route replace default scope global table 250 nexthop via GW.GW.GW.GW dev ppp0 weight 1 nexthop via GW.GW.GW.GW dev ppp1 weight 1" Failed
/usr/share/shorewall/lib.common: line 68:  6502 Terminated              $SHOREWALL_SHELL $script $options $@
but I fixed it by editing /usr/share/shorewall/Shorewall/Providers.pm:
sub finish_providers() {
    ....
    if ( $family == F_IPV4 ) {
        # (line 981) emit ( "    run_ip route replace default scope global table $table \$DEFAULT_ROU$
After rebooting the route table looks like:
# ip route
127.0.0.0/8 via 127.0.0.1 dev lo
172.20.0.0/29 dev ethUP.v4000 proto kernel scope link src 172.20.0.1
172.20.0.16/29 dev ethDOWN.v4001 proto kernel scope link src 172.20.0.17
172.20.1.0/29 dev ethDOWN.v500 proto kernel scope link src 172.20.1.1
172.20.255.0/25 via 172.20.0.19 dev ethDOWN.v4001
172.21.0.0/24 dev lan.DOZYNKOWA proto kernel scope link src 172.21.0.1
GW.GW.GW.GW dev ppp1 scope link src PPP1.PPP1.PPP1.PPP1
GW.GW.GW.GW dev ppp1 proto kernel scope link src PPP1.PPP1.PPP1.PPP1
# ip route list table 1
default via GW.GW.GW.GW dev ppp0 src PPP0.PPP0.PPP0.PPP0
GW.GW.GW.GW dev ppp0 scope link src PPP0.PPP0.PPP0.PPP0
# ip route list table 2
default via GW.GW.GW.GW dev ppp1 src PPP1.PPP1.PPP1.PPP1
GW.GW.GW.GW dev ppp1 scope link src PPP1.PPP1.PPP1.PPP1
With this route table I can ping both ppp interfaces, but I can only use DNAT on
PPP1.
So I executed the commands:
route del GW.GW.GW.GW
route del GW.GW.GW.GW
route add default dev ppp0
And it works, but only for ppp0. Adding "route add default dev ppp1" worked for
ppp1, but not for ppp0.
Regards
tom
------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
On Sun, 2011-01-09 at 15:54 +0000, tom@unreal.pl wrote:
> Hi,
> I want to start with a word of gratitude to Tom for the work he has put into Shorewall, which makes life easier for us.
>
> I'm having some problems with multi-ISP (it's really one ISP, but two different IPs from the same ISP).
> So my shorewall-providers looks like this (IPs are masked):
> net_GEN 1 256 default ppp0 GW.GW.GW.GW track
> net_PUB 2 512 default ppp1 GW.GW.GW.GW track

Your problem has nothing to do with masq. It instead has to do with the above entries. Rather than 'default' in the DUPLICATE column, you want 'main' and you must list your other interfaces in the COPY column.

Regards,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
> On Sun, 2011-01-09 at 15:54 +0000, tom@unreal.pl wrote:
> Your problem has nothing to do with masq. It instead has to do with the
> above entries. Rather than 'default' in the DUPLICATE column, you want
> 'main' and you must list your other interfaces in the COPY column.
>
> Regards,
> -Tom
> --
> Tom Eastep            \ When I die, I want to go like my Grandfather who
> Shoreline,             \ died peacefully in his sleep. Not screaming like
> Washington, USA         \ all of the passengers in his car
> http://shorewall.net     \________________________________________________

Yeah, that's right. It looks like I have never understood how providers work. Thanks again!
-------------------
Sent from the unreal.pl website (http://unreal.pl)
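The following is an added example and is not part of the thread or of Shorewall itself. It ties the three pieces of evidence above together: the posted "ip route list table 2" holds only a default route and the gateway route, so a reply marked for provider 2 and looked up in that table has no entry for 172.21.0.0/24 and is sent back out ppp1, which is exactly the IN=ppp1 OUT=ppp1 FORWARD drop in the log. Tom's fix ('main' in DUPLICATE plus the other interfaces in COPY) is what puts the LAN routes into the provider table. The script runs offline on pasted output: it filters a kernel log for such hairpin drops, checks whether a routing-table listing carries a given prefix, and lints a providers file for the 'default' mistake. All sample inputs are constructed from the post (IPs masked as the poster did; the TCP drop line and the 203.0.113.7 address are invented), the eight-column layout NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY is assumed, and the interfaces placed in the COPY column of the "fixed" file are an assumption about which LAN-side interfaces the poster would list.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): offline checks for the
# multi-ISP hairpin symptom. Assumed providers layout:
#   NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY

# Constructed sample log: two lines as Shorewall logged them, plus one invented
# non-hairpin drop (TEST-NET source) that the filter must ignore.
SAMPLE_LOG='Nov 09 12:57:37 [kernel] [ 1851.993368] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19584 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1796
Nov 09 12:57:38 [kernel] [ 1852.993622] FW:FORWARD:DROP:IN=ppp1 OUT=ppp1 MAC= SRC=8.8.8.8 DST=172.21.0.11 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=19585 PROTO=ICMP TYPE=0 CODE=0 ID=23140 SEQ=1797
Nov 09 12:57:39 [kernel] [ 1853.992969] FW:FORWARD:DROP:IN=ppp1 OUT=lan.DOZYNKOWA MAC= SRC=203.0.113.7 DST=172.21.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=TCP SPT=4444 DPT=22'

# Provider table 2 as posted, and the same table with the LAN route present
# (constructed: what the table looks like once the LAN route is copied in).
TABLE2_POSTED='default via GW.GW.GW.GW dev ppp1 src PPP1.PPP1.PPP1.PPP1
GW.GW.GW.GW dev ppp1 scope link src PPP1.PPP1.PPP1.PPP1'
TABLE2_FIXED='default via GW.GW.GW.GW dev ppp1 src PPP1.PPP1.PPP1.PPP1
GW.GW.GW.GW dev ppp1 scope link src PPP1.PPP1.PPP1.PPP1
172.21.0.0/24 dev lan.DOZYNKOWA proto kernel scope link src 172.21.0.1'
LAN_NET=172.21.0.0/24

# Providers file as posted, and one following Tom's reply. The COPY interfaces
# are an assumption about the poster's LAN-side interfaces.
PROVIDERS_POSTED='net_GEN 1 256 default ppp0 GW.GW.GW.GW track
net_PUB 2 512 default ppp1 GW.GW.GW.GW track'
PROVIDERS_FIXED='net_GEN 1 256 main ppp0 GW.GW.GW.GW track lan.DOZYNKOWA,ethDOWN.v4001
net_PUB 2 512 main ppp1 GW.GW.GW.GW track lan.DOZYNKOWA,ethDOWN.v4001'

# Print "IN OUT SRC DST" for every FORWARD drop that left on the interface it
# arrived on. A LAN-bound reply going back out a provider interface means the
# table the mark selected has no route for the LAN prefix.
hairpin_drops() {
    printf '%s\n' "$1" | awk '
        /FORWARD:DROP/ {
            in_if = ""; out_if = ""; src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                f = $i
                if (f ~ /(^|:)IN=/)   { sub(/.*IN=/, "", f); in_if = f }
                else if (f ~ /^OUT=/) { out_if = substr(f, 5) }
                else if (f ~ /^SRC=/) { src = substr(f, 5) }
                else if (f ~ /^DST=/) { dst = substr(f, 5) }
            }
            if (in_if != "" && in_if == out_if) print in_if, out_if, src, dst
        }'
}

# Return 0 if the "ip route list table N" output in $1 has a route for prefix $2.
table_has_route() {
    printf '%s\n' "$1" | awk -v want="$2 " \
        'index($0, want) == 1 { found = 1 } END { exit (found ? 0 : 1) }'
}

# Print one line per provider row with "default" in DUPLICATE, or with "main"
# but no COPY column. Comment and blank lines are skipped.
lint_providers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $4 == "default" { print $1 ": DUPLICATE is default; use main and list other interfaces in COPY" }
        $4 == "main" && ($8 == "" || $8 == "-") { print $1 ": DUPLICATE is main but COPY is empty" }'
}

# Stand-alone run against the constructed samples.
echo "hairpin drops:"
hairpin_drops "$SAMPLE_LOG"
if table_has_route "$TABLE2_POSTED" "$LAN_NET"; then
    echo "table 2 as posted reaches $LAN_NET"
else
    echo "table 2 as posted has no route to $LAN_NET; LAN replies fall through to default via ppp1"
fi
echo "providers lint:"
lint_providers "$PROVIDERS_POSTED"
```

In practice you would feed hairpin_drops the output of "dmesg" or the syslog file, table_has_route the output of "ip route list table 2", and lint_providers the real /etc/shorewall/providers; the three checks together tell you whether the drop is a routing-table gap rather than a masq or policy problem.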