I have a setup with two Internet providers. One circuit (net0 == eth1) is used primarily for employees and tunnels to other sites. The other (net1 == eth2) is for the production machines that customers access. Everything works in the sense that packets get to where they are sent (mostly), but recently I had a sniffer on the system and noticed a problem I cannot solve: traffic coming in on eth2 goes back out on eth1.

For example, in rules I have the line:

DNAT net1 loc:192.168.124.18 tcp smtp - 65.223.121.227

If I connect to 65.223.121.227 on port 25 from a remote site I see inbound packets arriving on eth2 (net1) as they should, but outbound packets in the same conversation go out on eth1 (net0).

I've tried adding to masq (tho I don't think it should matter in this case):

eth2 192.168.124.18 65.223.121.227 tcp 25

with the same results.

I read the FAQ on setting up for two ISPs and as far as I can tell I've done everything right. Obviously I haven't, but I cannot see where the error is. Can anyone here see my mistake(s)?

$ Shorewall version:
2.0.12

$ ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
    link/ether 00:0f:1f:64:44:4e brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0f:1f:64:44:4f brd ff:ff:ff:ff:ff:ff
    inet 209.189.103.196/27 brd 209.189.103.223 scope global eth1
    inet 209.189.103.202/27 brd 209.189.102.223 scope global secondary eth1:1
    inet 209.189.103.208/27 brd 209.189.103.223 scope global secondary eth1:2
    inet 209.189.103.207/27 brd 209.189.103.223 scope global secondary eth1:3
    inet 209.189.103.203/27 brd 209.189.103.223 scope global secondary eth1:4
    inet 209.189.103.198/27 brd 209.189.103.223 scope global secondary eth1:5
    inet 209.189.103.200/27 brd 209.189.103.223 scope global secondary eth1:6
    inet 209.189.103.197/27 brd 209.189.103.223 scope global secondary eth1:7
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:ab:46:4c brd ff:ff:ff:ff:ff:ff
    inet 65.223.121.237/28 brd 65.223.121.239 scope global eth2
    inet 65.223.121.227/28 brd 65.223.121.239 scope global secondary eth2:1
    inet 65.223.121.230/28 brd 65.223.121.239 scope global secondary eth2:2
    inet 65.223.121.228/28 brd 65.223.121.239 scope global secondary eth2:3
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:ab:46:4d brd ff:ff:ff:ff:ff:ff
    inet 192.168.150.11/24 brd 192.168.150.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:ab:44:ca brd ff:ff:ff:ff:ff:ff
    inet 192.168.170.1/24 brd 192.168.170.255 scope global eth4
7: eth5: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:23:ab:44:cb brd ff:ff:ff:ff:ff:ff
    inet 192.168.124.249/24 brd 192.168.124.255 scope global eth5
8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ppp
    inet 192.168.254.5 peer 192.168.254.6/32 scope global tun1
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ppp
    inet 192.168.254.1 peer 192.168.254.2/32 scope global tun0

$ ip route show
192.168.254.6 dev tun1 proto kernel scope link src 192.168.254.5
192.168.254.2 dev tun0 proto kernel scope link src 192.168.254.1
65.223.121.224/28 dev eth2 scope link
209.189.103.192/27 dev eth1 scope link
192.168.160.0/24 via 192.168.124.28 dev eth5
192.168.150.0/24 dev eth3 scope link
192.168.1.0/24 via 192.168.254.2 dev tun0
192.168.124.0/24 dev eth5 scope link
192.168.170.0/24 dev eth4 scope link
192.168.111.0/24 via 192.168.124.28 dev eth5
172.16.10.0/24 via 192.168.254.6 dev tun1
192.168.120.0/24 via 192.168.124.28 dev eth5
172.16.11.0/24 via 192.168.254.6 dev tun1
192.168.26.0/24 via 192.168.124.28 dev eth5
169.254.0.0/16 dev eth5 scope link
127.0.0.0/8 dev lo scope link
default via 209.189.103.222 dev eth1
default via 209.189.103.222 dev eth1 src 209.189.103.197 metric 1
default via 209.189.103.222 dev eth1 src 209.189.103.200 metric 1
default via 209.189.103.222 dev eth1 src 209.189.103.198 metric 1
default via 209.189.103.222 dev eth1 src 209.189.103.203 metric 1
default via 209.189.103.222 dev eth1 src 209.189.103.207 metric 1
default via 209.189.103.222 dev eth1 src 209.189.103.208 metric 1
default via 209.189.103.222 dev eth1 src 209.189.103.202 metric 1

--
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
Stephen Carville wrote:

> Can anyone here see my mistake(s)?

Yes -- you are confusing routing and firewalling. See http://shorewall.net/Shorewall_and_Routing.html.

-Tom
--
Tom Eastep        \ Off-list replies are cheerfully ignored
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
This is off topic, but....

> I have a setup with two Internet providers. One circuit (net0 == eth1) is
> used primarily for employees and tunnels to other sites. The other (net1 ==
> eth2) is for the production machines that customers access. Everything works
> in the sense that packets get to where they are sent (mostly), but recently
> I had a sniffer on the system and noticed a problem I cannot solve: traffic
> coming in on eth2 goes back out on eth1.
>
> For example, in rules I have the line:
>
> DNAT net1 loc:192.168.124.18 tcp smtp - 65.223.121.227
>
> If I connect to 65.223.121.227 on port 25 from a remote site I see inbound
> packets arriving on eth2 (net1) as they should, but outbound packets in the
> same conversation go out on eth1 (net0).
>
> I've tried adding to masq (tho I don't think it should matter in this case):
>
> eth2 192.168.124.18 65.223.121.227 tcp 25
>
> with the same results.
>
> I read the FAQ on setting up for two ISPs and as far as I can tell I've done
> everything right. Obviously I haven't, but I cannot see where the error is.
> Can anyone here see my mistake(s)?
>
> $ Shorewall version:
> 2.0.12
>
> $ ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
>     link/ether 00:0f:1f:64:44:4e brd ff:ff:ff:ff:ff:ff
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:0f:1f:64:44:4f brd ff:ff:ff:ff:ff:ff
>     inet 209.189.103.196/27 brd 209.189.103.223 scope global eth1
>     inet 209.189.103.202/27 brd 209.189.102.223 scope global secondary eth1:1
>     inet 209.189.103.208/27 brd 209.189.103.223 scope global secondary eth1:2
>     inet 209.189.103.207/27 brd 209.189.103.223 scope global secondary eth1:3
>     inet 209.189.103.203/27 brd 209.189.103.223 scope global secondary eth1:4
>     inet 209.189.103.198/27 brd 209.189.103.223 scope global secondary eth1:5
>     inet 209.189.103.200/27 brd 209.189.103.223 scope global secondary eth1:6
>     inet 209.189.103.197/27 brd 209.189.103.223 scope global secondary eth1:7
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:23:ab:46:4c brd ff:ff:ff:ff:ff:ff
>     inet 65.223.121.237/28 brd 65.223.121.239 scope global eth2
>     inet 65.223.121.227/28 brd 65.223.121.239 scope global secondary eth2:1
>     inet 65.223.121.230/28 brd 65.223.121.239 scope global secondary eth2:2
>     inet 65.223.121.228/28 brd 65.223.121.239 scope global secondary eth2:3
> 5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:23:ab:46:4d brd ff:ff:ff:ff:ff:ff
>     inet 192.168.150.11/24 brd 192.168.150.255 scope global eth3
> 6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:23:ab:44:ca brd ff:ff:ff:ff:ff:ff
>     inet 192.168.170.1/24 brd 192.168.170.255 scope global eth4
> 7: eth5: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:23:ab:44:cb brd ff:ff:ff:ff:ff:ff
>     inet 192.168.124.249/24 brd 192.168.124.255 scope global eth5
> 8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ppp
>     inet 192.168.254.5 peer 192.168.254.6/32 scope global tun1
> 9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ppp
>     inet 192.168.254.1 peer 192.168.254.2/32 scope global tun0
>
> $ ip route show
> 192.168.254.6 dev tun1 proto kernel scope link src 192.168.254.5
> 192.168.254.2 dev tun0 proto kernel scope link src 192.168.254.1
> 65.223.121.224/28 dev eth2 scope link
> 209.189.103.192/27 dev eth1 scope link
> 192.168.160.0/24 via 192.168.124.28 dev eth5
> 192.168.150.0/24 dev eth3 scope link
> 192.168.1.0/24 via 192.168.254.2 dev tun0
> 192.168.124.0/24 dev eth5 scope link
> 192.168.170.0/24 dev eth4 scope link
> 192.168.111.0/24 via 192.168.124.28 dev eth5
> 172.16.10.0/24 via 192.168.254.6 dev tun1
> 192.168.120.0/24 via 192.168.124.28 dev eth5
> 172.16.11.0/24 via 192.168.254.6 dev tun1
> 192.168.26.0/24 via 192.168.124.28 dev eth5
> 169.254.0.0/16 dev eth5 scope link
> 127.0.0.0/8 dev lo scope link
> default via 209.189.103.222 dev eth1
> default via 209.189.103.222 dev eth1 src 209.189.103.197 metric 1
> default via 209.189.103.222 dev eth1 src 209.189.103.200 metric 1
> default via 209.189.103.222 dev eth1 src 209.189.103.198 metric 1
> default via 209.189.103.222 dev eth1 src 209.189.103.203 metric 1
> default via 209.189.103.222 dev eth1 src 209.189.103.207 metric 1
> default via 209.189.103.222 dev eth1 src 209.189.103.208 metric 1
> default via 209.189.103.222 dev eth1 src 209.189.103.202 metric 1

well,

> 65.223.121.224/28 dev eth2 scope link

I don't see how this network could use any other gateway but 209.189.103.222. I have this:

/sbin/ip route ls
~~snip~~
default
    nexthop via zzz.zzz.0.1 dev eth0 weight 1
    nexthop via yyy.yyy.28.28 dev ppp0 weight 1

Have you set up "routing rules" for use with "routing tables"? What does "/sbin/ip rule ls" show?

Jerry Vonau
On Tue March 1 2005 4:40 pm, Jerry Vonau wrote:

> This is off topic, but....

So Tom has reminded me :-)

> > I have a setup with two Internet providers. One circuit (net0 == eth1)
> > is used primarily for employees and tunnels to other sites. The other
> > (net1 == eth2) is for the production machines that customers access.
> > Everything works in the sense that packets get to where they are sent
> > (mostly), but recently I had a sniffer on the system and noticed a
> > problem I cannot solve: traffic coming in on eth2 goes back out on eth1.
> >
> > For example, in rules I have the line:
> >
> > DNAT net1 loc:192.168.124.18 tcp smtp - 65.223.121.227
> >
> > If I connect to 65.223.121.227 on port 25 from a remote site I see
> > inbound packets arriving on eth2 (net1) as they should, but outbound
> > packets in the same conversation go out on eth1 (net0).
> >
> > I've tried adding to masq (tho I don't think it should matter in this
> > case):
> >
> > eth2 192.168.124.18 65.223.121.227 tcp 25
> >
> > with the same results.
> >
> > I read the FAQ on setting up for two ISPs and as far as I can tell I've
> > done everything right. Obviously I haven't, but I cannot see where the
> > error is. Can anyone here see my mistake(s)?
> >
> > $ Shorewall version:
> > 2.0.12
> >
> > $ ip addr show
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
> >     link/ether 00:0f:1f:64:44:4e brd ff:ff:ff:ff:ff:ff
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:0f:1f:64:44:4f brd ff:ff:ff:ff:ff:ff
> >     inet 209.189.103.196/27 brd 209.189.103.223 scope global eth1
> >     inet 209.189.103.202/27 brd 209.189.102.223 scope global secondary eth1:1
> >     inet 209.189.103.208/27 brd 209.189.103.223 scope global secondary eth1:2
> >     inet 209.189.103.207/27 brd 209.189.103.223 scope global secondary eth1:3
> >     inet 209.189.103.203/27 brd 209.189.103.223 scope global secondary eth1:4
> >     inet 209.189.103.198/27 brd 209.189.103.223 scope global secondary eth1:5
> >     inet 209.189.103.200/27 brd 209.189.103.223 scope global secondary eth1:6
> >     inet 209.189.103.197/27 brd 209.189.103.223 scope global secondary eth1:7
> > 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:04:23:ab:46:4c brd ff:ff:ff:ff:ff:ff
> >     inet 65.223.121.237/28 brd 65.223.121.239 scope global eth2
> >     inet 65.223.121.227/28 brd 65.223.121.239 scope global secondary eth2:1
> >     inet 65.223.121.230/28 brd 65.223.121.239 scope global secondary eth2:2
> >     inet 65.223.121.228/28 brd 65.223.121.239 scope global secondary eth2:3
> > 5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:04:23:ab:46:4d brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.150.11/24 brd 192.168.150.255 scope global eth3
> > 6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:04:23:ab:44:ca brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.170.1/24 brd 192.168.170.255 scope global eth4
> > 7: eth5: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:04:23:ab:44:cb brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.124.249/24 brd 192.168.124.255 scope global eth5
> > 8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ppp
> >     inet 192.168.254.5 peer 192.168.254.6/32 scope global tun1
> > 9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ppp
> >     inet 192.168.254.1 peer 192.168.254.2/32 scope global tun0
> >
> > $ ip route show
> > 192.168.254.6 dev tun1 proto kernel scope link src 192.168.254.5
> > 192.168.254.2 dev tun0 proto kernel scope link src 192.168.254.1
> > 65.223.121.224/28 dev eth2 scope link
> > 209.189.103.192/27 dev eth1 scope link
> > 192.168.160.0/24 via 192.168.124.28 dev eth5
> > 192.168.150.0/24 dev eth3 scope link
> > 192.168.1.0/24 via 192.168.254.2 dev tun0
> > 192.168.124.0/24 dev eth5 scope link
> > 192.168.170.0/24 dev eth4 scope link
> > 192.168.111.0/24 via 192.168.124.28 dev eth5
> > 172.16.10.0/24 via 192.168.254.6 dev tun1
> > 192.168.120.0/24 via 192.168.124.28 dev eth5
> > 172.16.11.0/24 via 192.168.254.6 dev tun1
> > 192.168.26.0/24 via 192.168.124.28 dev eth5
> > 169.254.0.0/16 dev eth5 scope link
> > 127.0.0.0/8 dev lo scope link
> > default via 209.189.103.222 dev eth1
> > default via 209.189.103.222 dev eth1 src 209.189.103.197 metric 1
> > default via 209.189.103.222 dev eth1 src 209.189.103.200 metric 1
> > default via 209.189.103.222 dev eth1 src 209.189.103.198 metric 1
> > default via 209.189.103.222 dev eth1 src 209.189.103.203 metric 1
> > default via 209.189.103.222 dev eth1 src 209.189.103.207 metric 1
> > default via 209.189.103.222 dev eth1 src 209.189.103.208 metric 1
> > default via 209.189.103.222 dev eth1 src 209.189.103.202 metric 1
>
> well,
>
> > 65.223.121.224/28 dev eth2 scope link
>
> I don't see how this network could use any other gateway but
> 209.189.103.222. I have this:
>
> /sbin/ip route ls
> ~~snip~~
> default
>     nexthop via zzz.zzz.0.1 dev eth0 weight 1
>     nexthop via yyy.yyy.28.28 dev ppp0 weight 1
>
> Have you set up "routing rules" for use with "routing tables"?
> What does "/sbin/ip rule ls" show?

$ ip rule ls
0:      from all lookup local
32764:  from 65.223.121.237 lookup T2
32765:  from 209.189.103.196 lookup T1
32766:  from all lookup main
32767:  from all lookup 253

$ ip route list table T1
209.189.103.192/27 dev eth1 scope link src 209.189.103.196
192.168.124.0/24 dev eth5 scope link
127.0.0.0/8 dev lo scope link
default via 209.189.103.222 dev eth1

$ ip route list table T2
65.223.121.224/28 dev eth2 scope link src 65.223.121.237
192.168.124.0/24 dev eth5 scope link
127.0.0.0/8 dev lo scope link
default via 65.223.121.225 dev eth2

> Jerry Vonau

--
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W. Century Blvd.
Los Angeles, CA 90045
310-342-3602
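The thread ends without a stated fix. As an added illustration that is not part of the thread, the Python model below walks the kernel's policy-routing lookup (rules in priority order, then longest-prefix match in the selected table, falling through when that table has no route) loaded with the rules and tables Stephen posted, and shows why a reply leaving with the secondary source address 65.223.121.227 ends up on eth1 while one from 65.223.121.237 goes out eth2. The subnet-wide selector it also tries and the remote address 198.51.100.10 are assumptions, not something the thread proposes.

```python
import ipaddress

# Policy-routing state transcribed from the `ip rule ls` and `ip route list table`
# output in the thread (main table reduced to the routes that matter here).
RULES = [  # (priority, source selector or None for "from all", table)
    (0, None, "local"),
    (32764, "65.223.121.237", "T2"),
    (32765, "209.189.103.196", "T1"),
    (32766, None, "main"),
]
TABLES = {  # table -> list of (prefix, device, gateway)
    "local": [],  # host/broadcast routes omitted; never matches an off-box destination
    "T1": [("209.189.103.192/27", "eth1", None), ("192.168.124.0/24", "eth5", None),
           ("0.0.0.0/0", "eth1", "209.189.103.222")],
    "T2": [("65.223.121.224/28", "eth2", None), ("192.168.124.0/24", "eth5", None),
           ("0.0.0.0/0", "eth2", "65.223.121.225")],
    "main": [("65.223.121.224/28", "eth2", None), ("209.189.103.192/27", "eth1", None),
             ("192.168.124.0/24", "eth5", None), ("0.0.0.0/0", "eth1", "209.189.103.222")],
}
# Assumed alternative, NOT proposed in the thread: select the whole eth2 subnet so
# that secondary addresses such as 65.223.121.227 also reach table T2.
SUBNET_RULES = [(p, "65.223.121.224/28" if t == "T2" else s, t) for p, s, t in RULES]


def lookup_table(table, dst):
    """Longest-prefix match inside one table; None when the table has no route."""
    best = None
    for prefix, dev, via in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best


def egress_device(src, dst, rules=RULES):
    """Walk rules in priority order; a table with no matching route falls through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in ipaddress.ip_network(selector):
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            return hit[1]
    return None


if __name__ == "__main__":
    REMOTE = "198.51.100.10"  # constructed remote client (documentation range)
    # The reply to the DNAT'd SMTP session leaves with source 65.223.121.227: no
    # "from" rule selects it, so it falls to main and main's eth1 default route.
    print("227 ->", egress_device("65.223.121.227", REMOTE))  # eth1 (the symptom)
    print("237 ->", egress_device("65.223.121.237", REMOTE))  # eth2
    print("227 with subnet rule ->", egress_device("65.223.121.227", REMOTE, SUBNET_RULES))  # eth2
```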