I have a firewall with 2 connections to the internet (eth1 and eth2) and
one LAN interface. On the LAN interface, the users can connect via PPTP.
Those authenticating via pptp shall be masqueraded over eth2, those not
authenticating should be ordinary masqueraded over eth1. As from the
archives I took the configuration like in FAQ32, but this doesn't work
with the ppp+ interfaces. I tried:

* masquerading the subnets:
the LAN has 10.1.x.x, the tunnels have 192.168.x.x, so I tried:

    eth1 10.1.0.0/16 [IP of interface eth1]
    eth2 10.2.0.0/16 [IP of interface eth2]

-> just did not work, everything was still running over eth1

* doing the routing by firewall mark:
I marked the packets from the lan with 1, those from the tunnels with 2,
and added the specific routes: worked, but now the traffic was not
masqueraded!

* other way:

    eth1 eth0
    eth2 ppp+

(tried with or without the external IP)
-> shorewall quits with "Error: Unable to determine the routes through
interface", same happens if I add every ppp interface manually (ppp0,
ppp1, ... )

I'm getting a little desperate here, since the one connection is full up
to 80% on the average on the last 24 hours ...

Can someone please tell me what I missed out?

Thanks in advance
Martin Schipany

Martin Schipany wrote:
> I have a firewall with 2 connections to the internet (eth1 and eth2) and
> one LAN interface. On the LAN interface, the users can connect via PPTP.
> Those authenticating via pptp shall be masqueraded over eth2, those not
> authenticating should be ordinary masqueraded over eth1. As from the
> archives I took the configuration like in FAQ32, but this doesn't work
> with the ppp+ interfaces. I tried:
>
> * masquerading the subnets:
> the LAN has 10.1.x.x, the tunnels have 192.168.x.x, so I tried:
>
> eth1 10.1.0.0/16 [IP of interface eth1]
> eth2 10.2.0.0/16 [IP of interface eth2]
>
> -> just did not work, everything was still running over eth1
>
> * doing the routing by firewall mark:
> I marked the packets from the lan with 1, those from the tunnels with 2,
> and added the specific routes: worked, but now the traffic was not
> masqueraded!

If:

a) the PPTP clients are assigned IP addresses in 10.2.0.0/16; and
b) You have the masquerade entries shown above; and
c) You correctly implement routing by firewall mark such that the traffic
   from 10.2.0.0/16 is routed out of eth2

then it will work.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
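
The three conditions in the reply above, as an added model that is not part of the thread and is not Shorewall code: a packet's source selects a firewall mark, the mark selects the outbound interface, and a masq entry applies only if both that interface and the source subnet match. Assumptions: the SNAT addresses are documentation placeholders, the mark-to-interface table is a simplification of policy routing, and scenario B reuses the 192.168.x.x tunnel range and mark values mentioned in the original post.

```python
from ipaddress import ip_address, ip_network

# masq entries from the thread: (outbound interface, source subnet, SNAT address).
# SNAT addresses are constructed placeholders standing in for "[IP of interface ...]".
MASQ = [
    ("eth1", ip_network("10.1.0.0/16"), "192.0.2.1"),
    ("eth2", ip_network("10.2.0.0/16"), "198.51.100.1"),
]
# Policy routing (assumed): firewall mark -> interface of that table's default route.
ROUTE_BY_MARK = {1: "eth1", 2: "eth2"}
MAIN_TABLE_IFACE = "eth1"  # unmarked traffic follows the main default route

def egress(src, mark_rules, masq=MASQ):
    """Return (outbound interface, SNAT address or None) for a packet from src.

    mark_rules is an ordered list of (source subnet, mark); first match wins.
    """
    addr = ip_address(src)
    mark = next((m for net, m in mark_rules if addr in net), None)
    iface = ROUTE_BY_MARK.get(mark, MAIN_TABLE_IFACE)
    # A masq entry applies only when outbound interface AND source subnet match.
    for out_if, net, snat in masq:
        if out_if == iface and addr in net:
            return iface, snat
    return iface, None  # would leave with its private source address

def unmasqueraded(sources, mark_rules, masq=MASQ):
    """Sources that reach an external interface without a matching masq entry."""
    return [s for s in sources if egress(s, mark_rules, masq)[1] is None]

# Scenario A: conditions a), b) and c) from the reply all hold.
MARKS_OK = [(ip_network("10.1.0.0/16"), 1), (ip_network("10.2.0.0/16"), 2)]
# Scenario B: tunnels numbered from 192.168.0.0/16 and marked 2, masq unchanged.
MARKS_MISMATCH = [(ip_network("10.1.0.0/16"), 1), (ip_network("192.168.0.0/16"), 2)]

if __name__ == "__main__":
    for label, rules, srcs in [
        ("A", MARKS_OK, ["10.1.3.4", "10.2.0.5"]),
        ("B", MARKS_MISMATCH, ["10.1.3.4", "192.168.1.10"]),
    ]:
        for s in srcs:
            print(label, s, egress(s, rules))
        print(label, "not masqueraded:", unmasqueraded(srcs, rules))
```

Running the same audit against the real mark rules and masq file before reloading the firewall shows whether any internal range would reach an external interface with its private source address intact.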