Hi,

I have been running Shorewall (v 2.0.15 nowadays) for some time to act as a firewall between my LAN and my ISP where I have a fixed IP WAN address. Recently, I got an allocation of a /28 range of public IPs to do a DMZ. The ISP tells me that they are routing the /28 range via the existing WAN address. The WAN address is not part of the /28 range.

This setup should be fairly simple, from reading the setup guide and mailing list archives where Tom describes this setup as even easier than the example in the guide. It's not working, though, and having read and read and tried lots of things, I'm wondering if it's a problem with my ISP's routing. I would appreciate a sanity check from anyone who is familiar with routed IP.

I am logged into a machine that is co-located in another ISP and watching the log on my FW machine.

Test 1: Ping WAN IP
I can see the FW dropping the ICMP traffic, as I would expect.

Test 2: Ping DMZ IP
Can't see any traffic from the co-located host hitting the FW.

That looks to me like the IPs are not being routed properly, or am I missing some nuance/side-effect of this kind of routing?

Thanks,
Liam
Liam Ward wrote:

> I am logged into a machine that is co-located in another ISP and
> watching the log on my FW machine.
>
> Test 1: Ping WAN IP
> I can see the FW dropping the ICMP traffic, as I would expect.
>
> Test 2: Ping DMZ IP
> Can't see any traffic from the co-located host hitting the FW
>
> That looks to me like the IPs are not being routed properly or am I
> missing some nuance/side-effect of this kind of routing.

I think your ISP isn't actually routing the packets. To verify, sniff the WAN interface on your FW and see if you get the ICMP requests. If so, it's your fault. If not, it's their fault. :-)

A.
Liam Ward wrote:

> I am logged into a machine that is co-located in another ISP and
> watching the log on my FW machine.
>
> Test 1: Ping WAN IP
> I can see the FW dropping the ICMP traffic, as I would expect.
>
> Test 2: Ping DMZ IP
> Can't see any traffic from the co-located host hitting the FW
>
> That looks to me like the IPs are not being routed properly or am I
> missing some nuance/side-effect of this kind of routing.

Sounds to me like the routing is wrong. Another test would be to run the following on your firewall:

    tcpdump -ni <external ip> host <dmz ip>

then try to access the DMZ server. Tcpdump should display the packets destined for your DMZ.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
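The check both replies describe, as an added example that is not from the thread or from the Shorewall project: sniff the WAN interface for anything addressed into the routed /28 and count what arrives. Because a single `host` filter only catches one DMZ address, the sniffer line below uses a `net` filter covering the whole block. The interface name (eth0), the WAN address (192.0.2.1), the DMZ block (203.0.113.16/28) and the probing host (198.51.100.7) are assumptions using RFC 5737 documentation addresses, and the tcpdump lines fed to the counter are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (hypothetical):
#   WAN interface eth0, WAN address 192.0.2.1, routed DMZ block 203.0.113.16/28.
#
# On the firewall, this shows every packet the ISP hands you for the DMZ block,
# whether or not Shorewall later drops it (tcpdump sees the wire before netfilter):
#
#   tcpdump -ni eth0 net 203.0.113.16/28
#
# Ping a DMZ address from the outside host: packets shown -> the ISP routes the
# block and the problem is local; nothing shown -> the block never reaches you.

DMZ_NET=203.0.113.16
DMZ_BITS=28

# ip_to_int DOTTED_QUAD: print the address as an integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP NET BITS: succeed when IP lies inside NET/BITS
in_prefix() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "$2")
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dst_ip LINE: destination address from a "tcpdump -n" line
# ("<time> IP <src> > <dst>[.<port>]: ..."); a trailing port is stripped
dst_ip() {
    printf '%s\n' "$1" | awk '{print $5}' \
        | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*/\1/'
}

# count_dmz_hits: read tcpdump lines on stdin, print how many are addressed
# into the DMZ block (lines whose 5th field is not an address are skipped)
count_dmz_hits() {
    n=0
    while IFS= read -r line; do
        d=$(dst_ip "$line")
        case "$d" in
            ''|*[!0-9.]*) continue ;;
        esac
        if in_prefix "$d" "$DMZ_NET" "$DMZ_BITS"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample of sniffer output (not a real capture): one ping to the
# WAN address, one ping and one SYN to a DMZ address, one ping to an address
# just outside the /28.
SAMPLE='12:00:01.000001 IP 198.51.100.7 > 192.0.2.1: ICMP echo request, id 1, seq 1, length 64
12:00:02.000002 IP 198.51.100.7 > 203.0.113.20: ICMP echo request, id 2, seq 1, length 64
12:00:03.000003 IP 198.51.100.7 > 203.0.113.20.80: Flags [S], seq 1, win 64240, length 0
12:00:04.000004 IP 198.51.100.7 > 203.0.113.40: ICMP echo request, id 3, seq 1, length 64'

printf 'packets addressed into %s/%s: %s\n' "$DMZ_NET" "$DMZ_BITS" \
    "$(printf '%s\n' "$SAMPLE" | count_dmz_hits)"
```

In real use, replace the constructed sample with `tcpdump -nl -i eth0 net 203.0.113.16/28 | count_dmz_hits` (the `-l` keeps the output line-buffered). A count of zero while the remote host is pinging a DMZ address means the packets are not arriving on the WAN side at all, which is the ISP's routing rather than the Shorewall rules.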