Hello all,

I have a problem in a setup with two different routers: one goes to the Internet line (fixed IP), the other goes to a company intranet with "real" network addresses. The setup looks like this:

            to intranet
                 |
              ------                LAN 192.168.1.0/24 (central site)
             |Cisco |-----------------+
              ------                  |
          192.168.1.254               |          ---------                -------
          with routes to              |   eth0  |Shorewall|  eth1        |  ISP  |
          192.168.2.0/24              +---------|   FW    |--------------| Router|-- Net
          192.168.3.0/24              |          ---------                | leased|
          ....                        |       192.168.1.252               |  line |
          until 192.168.8.0/24        |       217.x.y.41/29                -------
          and to 21.11.36.10/32       |                                217.x.y.42/29
          and to 51.1.17.47/32        |
          and to 51.1.17.106/32       |

Here is my problem: when I use only the Shorewall firewall machine as my one and only gateway in my clients' IP configuration, I cannot reach any of the other networks behind the Cisco, whether private addresses are used or not. If I add the direct routes through the .254 gateway to a client, I can reach those nets/hosts, thus bypassing the firewall as gateway completely. I added every route to the firewall machine as well; I can reach these hosts from the firewall itself, so what is going on here? I would think that I would see some DROPs or REJECTs for packets that are not allowed to go through eth0 and back to the internal gateway at .1.254, but I don't see anything there, nope.

I definitely don't want to put those 10 routes into every client's routing table (225 stations), this must be solved at the shorewall gateway!

I have no clue what I'm doing wrong here, any hints?

Regards from Germany, Philipp

--
NEW: WLAN router for 0,- EUR* - also for DSL switchers! GMX DSL = super cheap & wireless http://www.gmx.net/de/go/dsl
Philipp Rusch wrote:

> I definitely don't want to put those 10 routes into every client's routing
> table (225 stations), this must be solved at the shorewall gateway!

The Shorewall gateway can only route traffic FROM the clients TO the hosts behind the Cisco -- if those hosts aren't sending reverse traffic back through the Shorewall gateway there is not one thing you can do on the Shorewall gateway to make this work.

-Tom

--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Thu, 2004-08-05 at 10:54, Philipp Rusch wrote:
> Hello all,
>
> here is my problem:
>
> when I use only the Shorewall firewall machine as my one and only gateway in
> my clients' IP configuration, I cannot reach any of the other networks behind
> the Cisco, whether private addresses are used or not.
> If I add the direct routes through the .254 gateway to a client, I can reach
> those nets/hosts, thus bypassing the firewall as gateway completely.
> I added every route to the firewall machine as well; I can reach these hosts
> from the firewall itself, so what is going on here?
> I would think that I would see some DROPs or REJECTs for packets that are not
> allowed to go through eth0 and back to the internal gateway at .1.254, but I
> don't see anything there, nope.
> I definitely don't want to put those 10 routes into every client's routing
> table (225 stations), this must be solved at the shorewall gateway!
>
> I have no clue what I'm doing wrong here, any hints?
>
> Regards from Germany, Philipp

If I understand the problem correctly, you have devices on a LAN segment that has two different routers that provide access to either the company intranet or the Internet.

I believe what you need is a set of routes added to the shorewall device that point to the Cisco router for the intranet LANs. Your clients' default routes should point to the shorewall firewall as their default route.

When they send a packet to the intranet LANs it will be handed to the shorewall device, which then hands it to the Cisco for delivery.

Return packets are going to be sent to the Cisco, and then the Cisco is going to ARP for the workstation to deliver the packet directly, since it has an interface on that LAN.

Since you can reach the intranet from the shorewall device you must have the routes in place. What I think you need to check is that IP forwarding (not sure if that is the right term here) is enabled and, if it is, that it can send packets back out the same interface based on the routing table. I am wondering if you might be getting IP redirect packets; again, I am not sure Linux will do that.

You might try running ethereal to capture a conversation on the LAN segment to see where the packets are going.

One workaround you could implement is to add another interface on the shorewall device and configure a two-host LAN segment (30-bit subnet) that has the Cisco router connected directly to the shorewall device. I am very confident that with the right routes configured on the shorewall and on the Cisco this would work.

One other question: what is the default route set on the Cisco router?

--
Scot L. Harris <webid@cfl.rr.com>
Hi Scot, Tom,

first, thank you for your fast replies.

I always understood IP routing like Scot's explanation: the router knows how to route the packets back if it is part of that same network, as is the case with the Cisco here, even if the packets seemed to "come from the other gateway" at first. There must be something happening with the packets coming in from eth0, maybe because I need to NAT the private addresses that go outside to the Internet. Does the translation of addresses happen before iptables decides whether to pass the packets on or not? When does the routing layer get those packets to decide they should be passed over to the other gateway according to the routing table? I don't get it.

Scot, to answer your question: I cannot tell about the Cisco's default route, because this is under the control of a different network provider; we don't have access to the config at all. All I know is, the guy who set it up initially was very proud of his design of that intranet; he told me that they do not need any default gateways at all in their net. I don't know how they route their traffic between our sites.

Philipp

> On Thu, 2004-08-05 at 10:54, Philipp Rusch wrote:
> > Hello all,
> >
> > here is my problem:
> >
> > when I use only the Shorewall firewall machine as my one and only
> > gateway in my clients' IP configuration, I cannot reach any of the other
> > networks behind the Cisco, whether private addresses are used or not.
> > If I add the direct routes through the .254 gateway to a client, I can
> > reach those nets/hosts, thus bypassing the firewall as gateway completely.
> > I added every route to the firewall machine as well; I can reach these
> > hosts from the firewall itself, so what is going on here?
> > I would think that I would see some DROPs or REJECTs for packets that are not
> > allowed to go through eth0 and back to the internal gateway at .1.254, but I
> > don't see anything there, nope.
> > I definitely don't want to put those 10 routes into every client's
> > routing table (225 stations), this must be solved at the shorewall gateway!
> >
> > I have no clue what I'm doing wrong here, any hints?
> >
> > Regards from Germany, Philipp
>
> If I understand the problem correctly, you have devices on a LAN segment
> that has two different routers that provide access to either the company
> intranet or the Internet.
>
> I believe what you need is a set of routes added to the shorewall device
> that point to the Cisco router for the intranet LANs. Your clients'
> default routes should point to the shorewall firewall as their default
> route.
>
> When they send a packet to the intranet LANs it will be handed to the
> shorewall device, which then hands it to the Cisco for delivery.
>
> Return packets are going to be sent to the Cisco, and then the Cisco is
> going to ARP for the workstation to deliver the packet directly, since it
> has an interface on that LAN.
>
> Since you can reach the intranet from the shorewall device you must have
> the routes in place. What I think you need to check is that
> IP forwarding (not sure if that is the right term here) is enabled and, if it
> is, that it can send packets back out the same interface based on the
> routing table. I am wondering if you might be getting IP redirect
> packets; again, I am not sure Linux will do that.
>
> You might try running ethereal to capture a conversation on the LAN
> segment to see where the packets are going.
>
> One workaround you could implement is to add another interface on the
> shorewall device and configure a two-host LAN segment (30-bit subnet)
> that has the Cisco router connected directly to the shorewall device. I
> am very confident that with the right routes configured on the shorewall
> and on the Cisco this would work.
>
> One other question: what is the default route set on the Cisco router?
>
> --
> Scot L. Harris <webid@cfl.rr.com>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Thu, 2004-08-05 at 13:55, Philipp Rusch wrote:
> Hi Scot, Tom,
> first, thank you for your fast replies.
> I always understood IP routing like Scot's explanation: the router knows
> how to route the packets back if it is part of that same network, as is
> the case with the Cisco here, even if the packets seemed to "come from the
> other gateway" at first. There must be something happening with the
> packets coming in from eth0, maybe because I need to NAT the private
> addresses that go outside to the Internet. Does the translation of addresses
> happen before iptables decides whether to pass the packets on or not? When
> does the routing layer get those packets to decide they should be passed
> over to the other gateway according to the routing table?
> I don't get it.
> Scot, to answer your question: I cannot tell about the Cisco's default
> route, because this is under the control of a different network provider; we
> don't have access to the config at all. All I know is, the guy who set it
> up initially was very proud of his design of that intranet; he told me that
> they do not need any default gateways at all in their net.
> I don't know how they route their traffic between our sites.
>
> Philipp

Set up a system with ethereal, or run it on the shorewall box if you can. Get a trace of a system on your LAN trying to talk to a system on the company intranet. If the shorewall box is NATing your workstations' IP addresses then the machines on the intranet do not know how to get back. Double check your rules to see if you can verify whether that is the case or not. ethereal should show this very quickly if you can get that running.

About the only way to not have a default gateway is to have a pure flat network with bridges instead of routers. But then you would not have any Internet access on such a network.

A machine needs to know where to send packets that are not in the subnet on one of its interfaces. There has to be a default gateway somewhere.

And based on the subnets you listed it does not look like a flat network.

--
Scot L. Harris <webid@cfl.rr.com>
> On Thu, 2004-08-05 at 13:55, Philipp Rusch wrote:
> > Hi Scot, Tom,
> > first, thank you for your fast replies.
> > I always understood IP routing like Scot's explanation: the router knows
> > how to route the packets back if it is part of that same network, as is
> > the case with the Cisco here, even if the packets seemed to "come from the
> > other gateway" at first. There must be something happening with the
> > packets coming in from eth0, maybe because I need to NAT the private
> > addresses that go outside to the Internet. Does the translation of addresses
> > happen before iptables decides whether to pass the packets on or not? When
> > does the routing layer get those packets to decide they should be passed
> > over to the other gateway according to the routing table?
> > I don't get it.
> > Scot, to answer your question: I cannot tell about the Cisco's default
> > route, because this is under the control of a different network provider; we
> > don't have access to the config at all. All I know is, the guy who set it
> > up initially was very proud of his design of that intranet; he told me that
> > they do not need any default gateways at all in their net.
> > I don't know how they route their traffic between our sites.
> >
> > Philipp
>
> Set up a system with ethereal, or run it on the shorewall box if you can.
> Get a trace of a system on your LAN trying to talk to a system on the
> company intranet. If the shorewall box is NATing your workstations' IP
> addresses then the machines on the intranet do not know how to get
> back. Double check your rules to see if you can verify whether that is the
> case or not. ethereal should show this very quickly if you can get that
> running.
>
> About the only way to not have a default gateway is to have a pure flat
> network with bridges instead of routers. But then you would not have
> any Internet access on such a network.
>
> A machine needs to know where to send packets that are not in the subnet
> on one of its interfaces. There has to be a default gateway somewhere.
>
> And based on the subnets you listed it does not look like a flat
> network.

Philipp:

Posting the routing tables could be most helpful...

Just to get this straight in my head.... The Cisco is on the same subnet as the internal interface of the shorewall box? You have set up the routes on the shorewall box to pass through the Cisco to the LANs that are on the other side of the Cisco? You can contact the remote LAN from the shorewall box through the Cisco?

I'd take Scot's advice and add a NIC for the Cisco. The remote LANs may be able to bypass the shorewall box as they have a route to the private LAN. This makes firewalling the remote sites (do you trust them?) a bunch easier IMHO; you don't have to mask the traffic, just route, filter and maybe proxyarp.

This sounds like a variation of (FAQ 2a)... http://www.shorewall.net/FAQ.htm#faq2a

I think you need to mask the traffic from the LAN that is going through the Cisco while it passes through the box. However, this will make the traffic look like it's coming from the firewall.

In /etc/shorewall/interfaces add routeback to the internal interface.

In /etc/shorewall/policy:
    loc loc ACCEPT

In /etc/shorewall/masq (X = the internal interface):
    ethX 192.168.1.0/24 192.168.1.252

This is just off the top of my head; the entries for the masq file may need adjustment.

You may also want to make a zone for the remote LAN and use the host file, but that is getting a bit ahead of ourselves. http://www.shorewall.net/Multiple_Zones.html

logging and tcpdump are your friends.

Jerry Vonau
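Scot's description of the return path (the Cisco ARPs for the workstation and delivers the reply directly, so the firewall never sees it) and Jerry's masq suggestion (SNAT the LAN traffic to 192.168.1.252 so the reply is addressed to the firewall) can both be checked against a small routing model. What follows is an added example, not code from this thread or from Shorewall: it walks one packet hop by hop through a model of Philipp's topology, once with plain routing and once with source NAT on the internal interface, and reports which boxes each direction crosses and where the firewall forwards a packet back out the interface it arrived on (the situation Shorewall's routeback option is for). 203.0.113.41/29 stands in for the unknown 217.x.y.41/29, and the client 192.168.1.10, the Cisco's intranet-side address 192.168.2.1 and the intranet host 192.168.2.20 are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

A, N = ip_address, ip_network  # shorthand for building addresses and prefixes


@dataclass
class Route:
    dest: IPv4Network
    iface: str                         # egress interface
    via: Optional[IPv4Address] = None  # next hop; None = directly connected


@dataclass
class Node:
    name: str
    ifaces: dict   # iface name -> (own address, attached subnet)
    routes: list   # static routes, longest prefix wins
    snat: dict = field(default_factory=dict)       # egress iface -> SNAT source (the masq entry)
    conntrack: dict = field(default_factory=dict)  # (nat src, dst) -> original src

    def owns(self, addr):
        return any(a == addr for a, _ in self.ifaces.values())

    def iface_for(self, addr):
        return next(i for i, (a, _) in self.ifaces.items() if a == addr)

    def lookup(self, dst):
        hits = [r for r in self.routes if dst in r.dest]
        return max(hits, key=lambda r: r.dest.prefixlen) if hits else None


def send(net, start, src, dst):
    """Walk one packet hop by hop. Returns (path, final src, final dst, hairpin nodes)."""
    node, ingress, path, hairpin = net[start], None, [start], []
    while True:
        denat = (dst, src) in node.conntrack  # reply to an address this node SNATed
        if denat:
            dst = node.conntrack[(dst, src)]
        if node.owns(dst):
            return path, src, dst, hairpin
        route = node.lookup(dst)
        if route is None:
            raise RuntimeError(f"{node.name}: no route to {dst}")
        if ingress == route.iface:        # forwarded back out the ingress interface:
            hairpin.append(node.name)     # on a Shorewall box this needs 'routeback'
        if ingress is not None and not denat and route.iface in node.snat:
            nat_src = node.snat[route.iface]
            node.conntrack[(nat_src, dst)] = src
            src = nat_src
        next_hop = route.via or dst
        _, subnet = node.ifaces[route.iface]
        nxt = next((n for n in net.values() if n.owns(next_hop)), None)
        if nxt is None or next_hop not in subnet:
            raise RuntimeError(f"{node.name}: next hop {next_hop} not on {route.iface}")
        node, ingress = nxt, nxt.iface_for(next_hop)
        path.append(node.name)


def build(masq_internal):
    """Philipp's topology; 203.0.113.40/29 and the host addresses are constructed stand-ins."""
    lan, intra = N("192.168.1.0/24"), N("192.168.2.0/24")
    client = Node("client", {"eth0": (A("192.168.1.10"), lan)},
                  [Route(lan, "eth0"), Route(N("0.0.0.0/0"), "eth0", A("192.168.1.252"))])
    fw_routes = ([Route(lan, "eth0"), Route(N("203.0.113.40/29"), "eth1"),
                  Route(N("0.0.0.0/0"), "eth1", A("203.0.113.42"))]
                 + [Route(N(f"192.168.{i}.0/24"), "eth0", A("192.168.1.254")) for i in range(2, 9)]
                 + [Route(N(h), "eth0", A("192.168.1.254"))
                    for h in ("21.11.36.10/32", "51.1.17.47/32", "51.1.17.106/32")])
    fw = Node("fw", {"eth0": (A("192.168.1.252"), lan),
                     "eth1": (A("203.0.113.41"), N("203.0.113.40/29"))},
              fw_routes, snat={"eth0": A("192.168.1.252")} if masq_internal else {})
    cisco = Node("cisco", {"eth0": (A("192.168.1.254"), lan), "s0": (A("192.168.2.1"), intra)},
                 [Route(lan, "eth0"), Route(intra, "s0")])
    host = Node("intranet", {"eth0": (A("192.168.2.20"), intra)},
                [Route(intra, "eth0"), Route(lan, "eth0", A("192.168.2.1"))])
    return {n.name: n for n in (client, fw, cisco, host)}


def round_trip(masq_internal):
    """Client -> intranet host and the reply; reports which boxes each direction crosses."""
    net = build(masq_internal)
    fwd, seen_src, seen_dst, h1 = send(net, "client", A("192.168.1.10"), A("192.168.2.20"))
    rep, _, delivered_to, h2 = send(net, "intranet", seen_dst, seen_src)  # host answers what it saw
    return {"forward": fwd, "reply": rep, "intranet_sees_src": str(seen_src),
            "reply_delivered_to": str(delivered_to), "fw_sees_reply": "fw" in rep,
            "needs_routeback": "fw" in h1 + h2}


if __name__ == "__main__":
    for masq in (False, True):
        print("masq on eth0:" if masq else "plain routing:", round_trip(masq))
```

With plain routing the forward path is client, fw, cisco, intranet and the reply path is intranet, cisco, client: the firewall sees only one half of every connection and its rules never get a look at the return traffic, which is what Tom and Scot describe. With the masq entry the intranet host answers 192.168.1.252, the reply comes back through fw and is de-NATed to the client, at the cost Jerry points out of all LAN traffic looking like it comes from the firewall. In both runs the firewall forwards the client's packet back out eth0, and in the masq run the reply leaves eth0 again too, so routeback is needed on the internal interface either way.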