Guys,

Sorry to bother you but I've lost direction. I recently signed up with Dart after moving from Flow. With Flow the connection was a bridged connection and the setup was almost idiot proof (therefore even I could set it up).

With Dart I have my default IP x.x.x.25/255.255.255.255, gateway 203.194.30.200 assigned via PPPoE. Again, all good. Firewall works fine; DNAT, SNAT all work, speeds good.

Now the part that stops me like a tonne of bricks. I just can't seem to get my head around the next part.

Below is a break-up of my static IPs that have also been assigned.

CIDR=220.240.227.28/30
NETMASK=255.255.255.252
NETWORK=220.240.227.28
BROADCAST=220.240.227.31

My gateway IP is x.x.x.29 followed by x.x.x.30 as my first usable IP. (For a while there I also thought 29 was part of my subnet.) Broadcast 220.240.227.31.

I don't understand how I can route this back through 220.240.227.25 as 220.240.227.25 is out of the network range. The host in the DMZ just won't even try. I am using proxy ARP to accomplish the passthrough of this address to the DMZ.

The DMZ server has the following route table:

Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref Use Iface
dmz.thequinnson  *                255.255.255.255  UH    0      0   0   eth0
x.x.x.28         *                255.255.255.252  U     0      0   0   eth0
127.0.0.0        *                255.0.0.0        U     0      0   0   lo
default          dsl-29.x.x.      0.0.0.0          UG    0      0   0   eth0

The firewall has:

Destination      Gateway          Genmask          Flags Metric Ref Use Iface
rns01-kent-syd.  *                255.255.255.255  UH    0      0   0   ppp0
dsl-30.x.x.      *                255.255.255.255  UH    0      0   0   eth1
192.168.3.0      *                255.255.255.0    U     0      0   0   eth1
192.168.0.0      *                255.255.255.0    U     0      0   0   eth0
0.168.3.0        *                255.255.255.0    U     0      0   0   eth1
169.254.0.0      *                255.255.0.0      U     0      0   0   eth1
127.0.0.0        *                255.0.0.0        U     0      0   0   lo
default          rns01-kent-syd.  0.0.0.0          UG    0      0   0   ppp0

From the DMZ I can ping external IPs but with no reply. The server I ping receives the request but doesn't/can't send back a response. The firewall isn't blocking this. It just can't route it back through.

On further investigation I found this, the output from the dialup interface. These settings are all assigned to this interface upon dial-up (using the rp-pppoe from the Roaring Penguin website and not the RH version).

ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet x.x.x.25 peer 203.194.30.200/32 scope global ppp0

The NOARP function listed above: is this what is killing the route? If not, what is?

Firewall is running Red Hat 9 with latest kernel and updates. Firewall is Shorewall 1.4.9. Proxy ARP has been set with No in the HAVEROUTE column. The interface file has been set up with both broadcast addresses.

[root@sam root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:76:ce:28:f3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:ac:93:5f:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.254/24 brd 192.168.3.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:ac:25:be:31 brd ff:ff:ff:ff:ff:ff
5: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    link/ppp
    inet x.x.x.25 peer 203.194.30.200/32 scope global ppp0

[root@sam root]# ip route show
203.194.30.200 dev ppp0  proto kernel  scope link  src x.x.x.25
192.168.3.0/24 dev eth1  scope link
192.168.0.0/24 dev eth0  scope link
169.254.0.0/16 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 203.194.30.200 dev ppp0

I've read through and applied all I can see from the setup guides. My ARP ping is coming back from the correct MAC address when done from the server in the DMZ. ARP replies from the gateway respond with the firewall's ppp0 (eth2) MAC.

I've read through the newsgroups also but have found little to do with this scenario. ;-(....

Thanks in advance for any light that can be shed on this as I am in a dark place with sunglasses at present.

On a sidenote, Shorewall kicks ar##. I use many 3rd party firewalls including Cisco and Watchguard and find Shorewall more flexible all round. Keep up the good work and let me know if there is a beer and pizza fund that could do with a contribution. Gotta keep the techs alive.

Jeff Quinn
Alexander Gretencord
2004-Feb-13 19:56 UTC
Re: ADSL - PPPoE - Multiple Static IP's on Different subnets
On Friday 13 February 2004 07:35, Jeff Quinn wrote:
> Below is a break up of my static ips that have also been assigned.
> CIDR=220.240.227.28/30
> My Gateway IP is x.x.x.29 followed by x.x.x.30 as my first usable IP.
> (For awhile there I also thought 29 was part of my subnet)

It is. Your subnet consists of just two addresses, 29 and 30; the other two (28 and 31) are used for the network address and the broadcast address. "Gateway IP" means this is what your provider told you to use as gateway, or is that your own machine?

> I don't understand how I can route this back through 220.240.227.25 as
> 220.240.227.25 is out of the network range. The host in the DMZ just wont
> even try.

Well, you can just have a default route on the .30 machine that tells it to send everything not in its own subnet through that IP address. Then this should work as long as that machine knows what to do with the packets. But that doesn't seem to fit your previous statement that .29 is your gateway. Please clarify.

> x.x.x.28 * 255.255.255.252 U 0 0 0 eth0
> default dsl-29.x.x. 0.0.0.0 UG 0 0 0 eth0
> From the dmz I can ping external ips but with no reply. The server I ping
> receives the request but doesn't/cant send back a response. The firewall
> isn't blocking this. It just cant route it back through.

So you already have set it up to route this through your own machine. Does the server really get the request? (You see the ping going out on your ppp0 interface?) And a ping arrives, which your firewall then does not know where to deliver to?

> ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
> link/ppp
> inet x.x.x.25 peer 203.194.30.200/32 scope global ppp0
> The noarp function listed above. Is this what is killing the route? If not
> what is?

The proxyarp howto says it only works with two ethernet interfaces, not with PPP, SLIP etc. I have never used or needed proxy arp but maybe this is the problem. Or maybe your proxy arp setup is wrong.

> Ive read through and applied all I can see from the setup guides. My arp
> ping is coming back from the correct mac address when done from the server
> in the DMZ. Arp replies from the gateway respond with the firewalls
> ppp0(eth2) mac.

I have found a network analyser such as ethereal to be a very good source of information. That way you know exactly which packets are coming in or going out on which interface, so you can check where in the chain the problem lies or at least begins.

Hope to help although I'm just guessing :)

Alex
Jeff Quinn
2004-Feb-14 01:16 UTC
Re: ADSL - PPPoE - Multiple Static IP's on Different subnets
----- Original Message -----
From: "Alexander Gretencord" <arutha@gmx.de>
To: "Mailing List for Experienced Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Saturday, February 14, 2004 6:56 AM
Subject: Re: [Shorewall-users] ADSL - PPPoE - Multiple Static IP's on Different subnets

> On Friday 13 February 2004 07:35, Jeff Quinn wrote:
> > Below is a break up of my static ips that have also been assigned.
> > CIDR=220.240.227.28/30
> > My Gateway IP is x.x.x.29 followed by x.x.x.30 as my first usable IP.
> > (For awhile there I also thought 29 was part of my subnet)
>
> It is. Your subnet consists of just two addresses, 29 and 30; the other two
> (28 and 31) are used for the network address and the broadcast address.
> Gateway IP means this is what your provider told you to use as gateway or is
> that your own machine?

My provider told me the gateway was 29, but from what I understand I need the 29 on the firewall so the firewall will forward through to 30 on incoming data. Out should go directly via the ISP's gateway using the proxy ARP.

> > I don't understand how I can route this back through 220.240.227.25 as
> > 220.240.227.25 is out of the network range. The host in the DMZ just wont
> > even try.
>
> Well you can just have a default route on the .30 machine that tells it to
> send everything not in its own subnet through that IP address. Then this
> should work as long as that machine knows what to do with the packets. But
> that doesn't seem to fit to your previous statement that .29 is your gateway.
> Please clarify.
>
> > x.x.x.28 * 255.255.255.252 U 0 0 0 eth0
> > default dsl-29.x.x. 0.0.0.0 UG 0 0 0 eth0
> > From the dmz I can ping external ips but with no reply. The server I ping
> > receives the request but doesn't/cant send back a response. The firewall
> > isn't blocking this. It just cant route it back through.
>
> So you already have set it up to route this through your own machine. Does the
> server really get the request? (You see the ping going out on your ppp0
> interface?) and a ping arrives, which your firewall then does not know where
> to deliver to?

I can see the ping leave via ppp0 with src of .30 and arrive at the Watchguard firewall with a src of .30. You just can't see back to it. I use GFI's lannetscan to scan my ports but only .25 comes back with any results (all logged in the log file); .30 comes back with just UDP ports (open because UDP doesn't need a reply). (Not a squeak in the log files regarding any activity on the interface.)

> > ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
> > link/ppp
> > inet x.x.x.25 peer 203.194.30.200/32 scope global ppp0
> > The noarp function listed above. Is this what is killing the route? If not
> > what is?
>
> The proxyarp howto says it only works with two ethernet interfaces not with
> PPP, SLIP etc. I have never used or needed proxy arp but maybe this is the
> problem. Or maybe your proxy arp setup is wrong.

Could be, although looking at SNAT and MASQ, these are not the answers either. In Tom's config he explains his setup and it comes very close to what I want. I have it all going fine except the DMZ. The only difference I can see is his ISP has given a block of IPs that have the firewall's external within the range. I have two blocks and the DMZ range can't communicate with the firewall's without routing taking place before going out. Therefore proxy ARP seems to fit. It should make it appear so that 29 is on the external ppp0 connection also. Then again, I could just be missing the wood for the trees... I've been looking at it too long now.

> > Ive read through and applied all I can see from the setup guides. My arp
> > ping is coming back from the correct mac address when done from the server
> > in the DMZ. Arp replies from the gateway respond with the firewalls
> > ppp0(eth2) mac.
>
> I have found a network analyser such as ethereal to be a very good source of
> information. That way you know exactly, which packets are coming in or going
> out on which interface so you can check where in the chain the problem lies
> or at least begins.
>
> Hope to help although I'm just guessing :)
>
> Alex

Thanks for your time though Alex.

Jeff
Tom Eastep
2004-Feb-14 16:00 UTC
Re: ADSL - PPPoE - Multiple Static IP's on Different subnets
On Thursday 12 February 2004 10:35 pm, Jeff Quinn wrote:
> Guys,
>
> Sorry to bother you but I've lost direction, I recently signed up with Dart
> after moving from Flow. With flow the connection was a bridged connection
> and the setup was almost idiot proof. (therefore even I could set it up)
>
> With Dart I have my default IP x.x.x.25/255.255.255.255, gateway
> 203.194.30.200 assigned via pppoe. Again All good. Firewall works fine,
> dnat, snat all work, speeds good.
>
> Now the part that stops me like a tonne of bricks. I just cant seem to get
> my head around the next part..
>
> Below is a break up of my static ips that have also been assigned.
>
> CIDR=220.240.227.28/30
> NETMASK=255.255.255.252
> NETWORK=220.240.227.28
> BROADCAST=220.240.227.31
>
> My Gateway IP is x.x.x.29 followed by x.x.x.30 as my first usable IP.
> (For awhile there I also thought 29 was part of my subnet)
>
> Broadcast 220.240.227.31
>
> I don't understand how I can route this back through 220.240.227.25 as
> 220.240.227.25 is out of the network range. The host in the DMZ just wont
> even try.
>
> I am using proxy arp to accomplish the passthrough of this address to the
> DMZ.

The DMZ server should have .29 as its default gateway. On the Shorewall box, add a host route to .25 then make that route the default. Using 'ip':

ip route add 220.240.227.25 dev ppp0
ip route add default via 220.240.227.25

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Jeff Quinn
2004-Feb-16 13:17 UTC
Re: ADSL - PPPoE - Multiple Static IP's on Different subnets
Sorry Tom, no go.
I will supply as much info as possible below including my rules etc. I have
no problem doing this with a bridged connection but I'm pretty sure this is a
routed setup ( http://adsl.cutw.net/dsl.html#typec ) from what I have read.
In short,
SHOREWALL SERVER - 3 INTERFACE
ETH0 - INTERNAL
ETH1 - DMZ 192.168.4.X
ETH2 - NIL, USED FOR PPPOE DIALUP
PPP0 - PPPOE DIALUP
Files not listed have no entries and use the template from the fresh
install. (Blank basically)
I must use PPPoE to auth, and I end up with:
ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
link/ppp
inet 220.240.227.25 peer 203.194.30.200/32 scope global ppp0
Here are the other interfaces (MACs removed):
eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether
inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether
inet 192.168.4.254/24 brd 192.168.4.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether
My /etc/sysconfig/network-scripts/ifcfg-ppp0
GATEWAY=220.240.227.25
LCP_INTERVAL=20
FIREWALL=NONE
PEERDNS=yes
PROVIDER=provider
LCP_FAILURE=3
BROADCAST=""
ETH=eth2
CLAMPMSS=1452
DEMAND=no
USERCTL=yes
USER=Someauth@here.helps.conncet
CONNECT_TIMEOUT=0
CONNECT_POLL=6
BOOTPROTO=none
NAME=DSLppp0
TYPE=xDSL
DEVICE=ppp0
SYNCHRONOUS=no
NETMASK=""
MTU=1452
DEFROUTE=Yes
IPADDR=""
NETWORK=""
PING=.
PPPOE_TIMEOUT=80
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl.pid
ZONE FILE
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
dmz DMZ Demilitarized zone
TOS FILE
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - 3389 16
all all udp - 27900:28000 16
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp - ftp-data 8
all all tcp ftp-data - 8
SHOREWALL CONF
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
LOGUNCLEAN=$LOG
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
RULES FILE - (Yes, they could do with some work; I have neglected these as
far as double-ups on ports etc.)
##Incoming Services from Net to Loc
#
#Services directed to NEO
DNAT:info net loc:192.168.0.x tcp pptp
DNAT:info net loc:192.168.0.x 47
DNAT:info net loc:192.168.0.x tcp ftp
#
##Incoming Services from DMZ to Loc
#VPN
#ACCEPT:info dmz loc tcp pptp
#ACCEPT:info dmz loc 47
#ACCEPT:info dmz net tcp pptp
#ACCEPT:info dmz net 47
#
##Incoming from DMZ to FW
#ACCEPT:info dmz fw tcp 137,138,139
#ACCEPT:info dmz fw tcp ssh
#
##Incoming Services to Firewall
ACCEPT:info net fw tcp smtp,www,pop3,ftp
ACCEPT:info net fw udp smtp,www,pop3,ftp
ACCEPT:info net fw tcp https
ACCEPT:info net fw tcp auth
ACCEPT:info net fw udp auth
#
##DMZ rules
ACCEPT:info net dmz tcp smtp,www,pop3,https,ftp
ACCEPT:info dmz net tcp smtp,www,pop3,ftp,domain
ACCEPT:info dmz net udp domain
ACCEPT:info dmz fw tcp smtp,domain,www
ACCEPT:info dmz fw udp domain
ACCEPT:info fw dmz udp domain
#Below is for testing only; remove after setup is complete
ACCEPT:info loc dmz tcp telnet
ACCEPT:info net dmz tcp telnet
ACCEPT:info fw dmz tcp telnet
#
#Outgoing from Loc to DMZ
#WWW
ACCEPT:info loc dmz tcp www,pop3,ssh,ftp,smtp,telnet
#
##Outgoing Services
#
#DNS - Working
ACCEPT:info fw net tcp 53
ACCEPT:info fw net udp 53
ACCEPT:info loc net tcp 53
ACCEPT:info loc net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
#
#Gaming Rules
ACCEPT:info loc net tcp 27900:30000
ACCEPT:info loc net udp 27900:30000
ACCEPT:info loc net udp 13139
ACCEPT:info loc net udp 6515
ACCEPT:info loc net tcp 6500
ACCEPT:info loc net tcp 15425 #Vietcong
ACCEPT:info loc net udp 15425 #Vietcong
ACCEPT:info loc net tcp 5425 #Vietcong
ACCEPT:info loc net udp 5425 #Vietcong
#
#Standard Rules
ACCEPT:info loc net tcp smtp,www,pop3,ssh,https,ftp,auth
ACCEPT:info fw net tcp smtp,www,pop3,ssh,https,ftp,auth
#
#MIRC Rules
ACCEPT:info loc net tcp ircd,irc,ircs
ACCEPT:info loc net udp ircd,irc,ircs
ACCEPT:info loc net tcp 4000:9000
ACCEPT:info loc net udp 4000:9000
ACCEPT:info net loc tcp ircd,irc,ircs
ACCEPT:info net loc udp ircd,irc,ircs
ACCEPT:info net loc tcp 4000:9000
ACCEPT:info net loc udp 4000:9000
#
#PPTP
ACCEPT:info loc net tcp pptp
ACCEPT:info loc net 47
#
#MSN
#ACCEPT:info loc net tcp 6901,6891
ACCEPT:info loc net udp 6901,6801,6901,2001:2120
#
#SMTP
ACCEPT:info loc net tcp smtp,pop3
ACCEPT:info fw net tcp smtp,pop3
ACCEPT:info dmz net tcp smtp,pop3
#
#RDP
ACCEPT:info loc net tcp rdp
ACCEPT:info loc net udp rdp
#
#Ping
ACCEPT loc net icmp 8
ACCEPT loc dmz icmp 8
ACCEPT loc fw icmp 8
ACCEPT:info dmz fw icmp 8
ACCEPT:info dmz loc icmp 8
ACCEPT:info dmz net icmp 8
ACCEPT:info fw net icmp 8
ACCEPT:info fw dmz icmp 8
ACCEPT fw loc icmp 8
ACCEPT:info net fw icmp 8
ACCEPT:info net dmz icmp 8
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
PROXY ARP
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
220.240.227.30 eth1 ppp0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
POLICY FILE
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
loc $FW ACCEPT -
$FW loc ACCEPT -
loc loc ACCEPT -
dmz dmz ACCEPT info
dmz net ACCEPT info
net dmz ACCEPT info
net all DROP info
loc net DROP info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
MASQ FILE
#INTERFACE SUBNET ADDRESS
ppp0 192.168.0.0/24 220.240.227.25
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
INTERFACES
#ZONE INTERFACE BROADCAST OPTIONS
loc eth0 - dhcp,newnotsyn
dmz eth1 - newnotsyn
net ppp0 - dhcp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
COMMON
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 135 -j DROP
run_iptables -A common -p udp --dport 137:139 -j DROP
run_iptables -A common -p udp --dport 445 -j DROP
run_iptables -A common -p tcp --dport 139 -j DROP
run_iptables -A common -p tcp --dport 445 -j DROP
run_iptables -A common -p tcp --dport 135 -j DROP
############################################################################
# UPnP
#
run_iptables -A common -p udp --dport 1900 -j DROP
############################################################################
# BROADCASTS
#
run_iptables -A common -d 255.255.255.255 -j DROP
run_iptables -A common -d 224.0.0.0/4 -j DROP
############################################################################
# AUTH -- Silently reject it so that connections don't get delayed.
#
run_iptables -A common -p tcp --dport 113 -j reject
############################################################################
# DNS -- Silently drop late replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
############################################################################
# ICMP -- Silently drop null-address ICMPs
#
run_iptables -A common -p icmp -s 0.0.0.0 -j DROP
run_iptables -A common -p icmp -d 0.0.0.0 -j DROP
ROUTE TABLE ON SHOREWALL BOX
[root@sam shorewall]# ip route
203.194.30.200 dev ppp0 proto kernel scope link src 220.240.227.25
192.168.4.0/24 dev eth1 scope link
192.168.0.0/24 dev eth0 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 203.194.30.200 dev ppp0
HOST FILE ON SHOREWALL
127.0.0.1 localhost.localdomain localhost
192.168.0.254 sam sam.jeffsplace.com
192.168.4.254 sam sam.jeffsplace.com
220.240.227.25 tourch-25 tourch.thequinnsonline.com
220.240.227.30 armada-30 armada.thequinnsonline.com
203.194.30.200 gate200
203.134.64.67 primus
202.129.64.194 flow
ROUTE TABLE ON DMZ SERVER
[root@armada root]# ip route
220.240.227.28/30 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 220.240.227.29 dev eth0
HOSTS FILE ON DMZ SERVER
127.0.0.1 armada localhost.localdomain localhost
220.240.227.29 gate29
220.240.227.30 armada-30 armada.thequinnsonline.com
203.194.30.200 gate200
220.240.227.25 tourch-25 tourch.thequinnsonline.com
203.134.64.67 primus
202.129.64.194 flow
- Things to note.
I have never ever seen anything in the log file stating it was destined for
my .30 addy unless it was internal.
Internal routing works fine. Internal network masq'd out .25 works fine,
internal to DMZ and back again, fw to anywhere is fine.
I've tried so many different scenarios from scratch and I've found the
following. With the above config I can't access the DMZ unless the ppp0 link
is up. I think this is due to the proxyarp and the No in the Has Route
column. I have set up a route to the DMZ and selected Yes here and it works
all the time.
The DMZ can ping gate200 which is my ISP's gateway. Pings to external sources
arrive at the destination but don't make it back. Pinging from an external
location times out with no entries in the local log file.
I have tried this without proxyarp, setting the DMZ up with .29 as the DMZ
NIC on the Shorewall machine and .30 on the DMZ server. Same effect. I could
ping the ISP gateway but nothing else. Everything internal worked.
- What I think may be wrong
I have no interface answering to .30.
I somehow need to route everything out through gate200 (see hosts files) so
that returning packets can get back.
I have somehow triggered an ancient curse upon the box I'm using as a
firewall.
I am somehow making this all too hard, and the reason I can't find bugger all
documentation on this type of setup anywhere is because it is so simple to
set up I should be stood in the corner for being silly.
Once I figure this out my plan is to implement a load-balanced DSL link at
work using 2 firewalls and 2 separate DSL suppliers. Both will have
different tasks to perform but in the situation of a dead link the other DSL
gateway will take over the load (automagically or even manually).
On a sidenote though, I would like to mention what many others have already
mentioned (probably with more style than I) but Shorewall is one of the most
stable, reliable, and human-operable firewalls I've seen. The flexibility
and ease of implementation (minus the grief with the second IP I've had) is
awesome. Tom.... you are a legend. Is there a corporate version of Shorewall
or a paid support program? If so I would like to sign up simply because I
believe this package is worth its weight in
gold/plastic/paper/poultry - depending on local currency.
Again thanks in advance
Jeff
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Experienced Shorewall Users"
<shorewall-users@lists.shorewall.net>; "Jeff Quinn"
<jeff@thequinnsonline.com>
Sent: Sunday, February 15, 2004 3:00 AM
Subject: Re: [Shorewall-users] ADSL - PPPoE - Multiple Static IP's on Different subnets
> On Thursday 12 February 2004 10:35 pm, Jeff Quinn wrote:
> > Guys,
> >
> > Sorry to bother you but I've lost direction, I recently signed up with
> > Dart after moving from Flow. With flow the connection was a bridged
> > connection and the setup was almost idiot proof. (therefore even I could
> > set it up)
> >
> > With Dart I have my default IP x.x.x.25/255.255.255.255, gateway
> > 203.194.30.200 assigned via pppoe. Again All good. Firewall works fine,
> > dnat, snat all work, speeds good.
> >
> > Now the part that stops me like a tonne of bricks. I just cant seem to
> > get my head around the next part..
> >
> > Below is a break up of my static ips that have also been assigned.
> >
> > CIDR=220.240.227.28/30
> > NETMASK=255.255.255.252
> > NETWORK=220.240.227.28
> > BROADCAST=220.240.227.31
> >
> > My Gateway IP is x.x.x.29 followed by x.x.x.30 as my first usable IP.
> > (For awhile there I also thought 29 was part of my subnet)
> >
> > Broadcast 220.240.227.31
> >
> > I don't understand how I can route this back through 220.240.227.25 as
> > 220.240.227.25 is out of the network range. The host in the DMZ just
> > wont even try.
> >
> > I am using proxy arp to accomplish the passthrough of this address to
> > the DMZ.
>
> The DMZ server should have .29 as its default gateway. On the Shorewall
> box, add a host route to .25 then make that route the default. Using 'ip':
>
> ip route add 220.240.227.25 dev ppp0
> ip route add default via 220.240.227.25
>
> -Tom
> --
> Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,        \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
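The rules file posted in this message mixes single-port service entries with wide inbound ranges such as net→loc tcp/udp 4000:9000. The following Python audit is an added example for this thread, not code from the list or from Shorewall: it parses the column layout used above (ACTION[:loglevel] SOURCE DEST PROTO DEST-PORT(S), with trailing #comments), counts how many destination ports each rule admits from the net zone, and reports the rules wider than a threshold. SAMPLE_RULES and the SERVICE_PORTS name table are constructed here from the shapes in the thread (real Shorewall resolves names through /etc/services), and the 64-port threshold is an arbitrary assumption.

```python
"""Audit a Shorewall 1.4-style rules file for broad inbound exposure.

Added example for this thread; not part of the mailing-list post and not
Shorewall code. Column layout assumed, as in the rules file above:
    ACTION[:loglevel]  SOURCE  DEST  PROTO  DEST PORT(S)  [#comment]
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed name->port table for the names used in the sample.
SERVICE_PORTS = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80,
    "pop3": 110, "auth": 113, "https": 443, "pptp": 1723, "rdp": 3389,
}


@dataclass
class Rule:
    action: str
    loglevel: Optional[str]
    source: str
    dest: str
    proto: str
    dports: List[Tuple[int, int]] = field(default_factory=list)  # inclusive ranges


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """'smtp,www' -> [(25, 25), (80, 80)]; '4000:9000' -> [(4000, 9000)]."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        lo_n = int(lo) if lo.isdigit() else SERVICE_PORTS[lo]
        hi_n = int(hi) if hi else lo_n
        ranges.append((lo_n, hi_n))
    return ranges


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comment lines and '#Vietcong' tails
        if not line:
            continue
        cols = line.split()
        action, _, level = cols[0].partition(":")
        proto = cols[3] if len(cols) > 3 else "all"
        # For ICMP the fifth column is a type (8 = echo request), not a port.
        has_ports = len(cols) > 4 and cols[4] != "-" and proto != "icmp"
        rules.append(Rule(action, level or None, cols[1], cols[2], proto,
                          parse_ports(cols[4]) if has_ports else []))
    return rules


def port_count(rule: Rule) -> int:
    """Number of destination ports the rule admits (0 for port-less rules)."""
    return sum(hi - lo + 1 for lo, hi in rule.dports)


def inbound_findings(rules: List[Rule], max_ports: int = 64) -> List[Tuple[str, str, int]]:
    """(dest zone, proto, ports opened) for net-sourced ACCEPT/DNAT rules wider than max_ports."""
    out = []
    for r in rules:
        if r.action in ("ACCEPT", "DNAT") and r.source.split(":")[0] == "net":
            n = port_count(r)
            if n > max_ports:
                out.append((r.dest, r.proto, n))
    return out


# Constructed sample, shaped like the rules file in the thread.
SAMPLE_RULES = """\
##Incoming Services to Firewall
ACCEPT:info net fw tcp smtp,www,pop3,ftp
ACCEPT:info net fw udp smtp,www,pop3,ftp
ACCEPT:info net dmz tcp telnet
DNAT:info net loc:192.168.0.x 47
ACCEPT:info net loc tcp 4000:9000
ACCEPT:info net loc udp 4000:9000
ACCEPT:info loc net tcp 15425 #Vietcong
ACCEPT net fw icmp 8
"""

if __name__ == "__main__":
    for dest, proto, n in inbound_findings(parse_rules(SAMPLE_RULES)):
        print(f"net -> {dest} {proto}: {n} ports open inbound")
```

Run against the sample, the two 4000:9000 entries are the only findings (5001 ports each); the GRE and ICMP rules carry no port column and count as zero, which is why the audit keys on port width rather than on the presence of a rule.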
Tom Eastep
2004-Feb-16 16:30 UTC
Re: ADSL - PPPoE - Multiple Static IP's on Different subnets
On Monday 16 February 2004 05:17 am, Jeff Quinn wrote:
> Sorry Tom No Go.
>
> I will supply as much info as possible below including my rules etc. I have
> no problem doing this with a bridged conection but Im pretty sure this is a
> routed setup ( http://adsl.cutw.net/dsl.html#typec ) from what I have read.
> In short,
>
> SHOREWALL SERVER - 3 INTERFACE

The Shorewall box is a gateway/router -- not a server (it may also be a server but in the context of Shorewall discussions, that is almost always irrelevant).

> ETH0 - INTERNAL
> ETH1 - DMZ 192.168.4.X
> ETH2 - NILL USED FOR PPOE DIALUP
> PPP0 - PPPOE DIALUP
> Files not listed have no entries and use the template from the fresh
> install. (Blank basically)
>
> I must use ppoe to auth. and I end up with
> ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
> link/ppp
> inet 220.240.227.25 peer 203.194.30.200/32 scope global ppp0
>
> Here is the other interfaces (Macs removed.)
> eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether
> inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> link/ether
> inet 192.168.4.254/24 brd 192.168.4.255 scope global eth1

While it is inelegant, you can always make 192.168.4.254 the default gateway for your DMZ hosts. If they are running Linux, you will have to add a host route to that IP address *on the server*. But of course, you could have done the same thing with 220.240.227.25.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
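Both of Tom's suggestions in this thread depend on the same kernel rule: a gateway given with `via` is accepted only if a connected route (one with a `dev` and no `via`) already covers it, which is why the host route must be added before the default route in each case. The Python model below is an added example for this thread, not Shorewall code and not something posted on the list. It implements longest-prefix route lookup, the next-hop validation the kernel performs on `ip route add`, and a check of whether the address a DMZ host will ARP for is actually configured on the gateway's DMZ interface. The route tables are constructed from the `ip route` output quoted in the thread, FIREWALL_ETH1_ADDRS from the `ip addr` output for eth1; the model assumes no proxy ARP is in play, so only addresses configured on eth1 answer ARP there.

```python
"""Model of Linux route lookup and next-hop validation behind Tom's replies.

Added example for this thread, not Shorewall code. Assumptions: a route
with no 'via' is connected (on-link); a 'via' gateway is accepted only when
a connected route covers it (otherwise the kernel answers "Nexthop has
invalid gateway"); lookup is longest-prefix match.
"""
import ipaddress
from typing import List, Optional, Set, Tuple

Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


class RouteTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def onlink(self, gw: ipaddress.IPv4Address) -> bool:
        """True when some connected (no-via) route covers gw."""
        return any(gw in net for net, via, _ in self.routes if via is None)

    def add(self, prefix: str, dev: str, via: Optional[str] = None) -> None:
        """Mimics `ip route add PREFIX [via GW] dev DEV`, including the gateway check."""
        net = ipaddress.ip_network(prefix if "/" in prefix else prefix + "/32")
        gw = ipaddress.ip_address(via) if via else None
        if gw is not None and not self.onlink(gw):
            raise ValueError(f"RTNETLINK answers: Nexthop has invalid gateway ({via})")
        self.routes.append((net, gw, dev))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; None means 'network is unreachable'."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r[0] and (best is None or r[0].prefixlen > best[0].prefixlen):
                best = r
        return best

    def next_hop(self, dst: str) -> Optional[Tuple[str, str]]:
        """(address the host will ARP for, egress interface) when sending to dst."""
        r = self.lookup(dst)
        if r is None:
            return None
        _, via, dev = r
        return (str(via) if via is not None else dst, dev)


# Addresses on the Shorewall box's DMZ interface, from the thread's `ip addr show`.
# Without proxy ARP these are the only addresses it answers ARP for on eth1.
FIREWALL_ETH1_ADDRS: Set[ipaddress.IPv4Address] = {ipaddress.ip_address("192.168.4.254")}


def gateway_is_owned(table: RouteTable, dst: str, owned: Set[ipaddress.IPv4Address]) -> bool:
    """Will the ARP request for the next hop toward dst be answered by the gateway box?"""
    hop = table.next_hop(dst)
    return hop is not None and ipaddress.ip_address(hop[0]) in owned


def dmz_server_as_posted() -> RouteTable:
    """The armada table from the thread: default via .29 on the /30."""
    t = RouteTable()
    t.add("220.240.227.28/30", "eth0")
    t.add("127.0.0.0/8", "lo")
    t.add("0.0.0.0/0", "eth0", via="220.240.227.29")
    return t


def dmz_server_tom_variant() -> RouteTable:
    """Tom's second suggestion: 192.168.4.254 as gateway, host route added first."""
    t = RouteTable()
    t.add("220.240.227.28/30", "eth0")
    t.add("127.0.0.0/8", "lo")
    t.add("192.168.4.254", "eth0")  # host route makes the off-subnet gateway on-link
    t.add("0.0.0.0/0", "eth0", via="192.168.4.254")
    return t


def default_without_host_route_is_rejected() -> bool:
    """Skipping the host route: the kernel refuses the default route."""
    t = RouteTable()
    t.add("220.240.227.28/30", "eth0")
    try:
        t.add("0.0.0.0/0", "eth0", via="192.168.4.254")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    primus = "203.134.64.67"  # 'primus' from the hosts files in the thread
    for name, table in (("as posted", dmz_server_as_posted()),
                        ("Tom's variant", dmz_server_tom_variant())):
        print(f"{name}: next hop {table.next_hop(primus)}, "
              f"gateway answers ARP: {gateway_is_owned(table, primus, FIREWALL_ETH1_ADDRS)}")
```

With the posted table the DMZ host resolves every external destination to 220.240.227.29 on eth0, an address nothing on the firewall's eth1 holds in the configuration shown; with Tom's variant the next hop is 192.168.4.254, which eth1 does own, and the model confirms the order dependency by rejecting the default route when the host route is omitted.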