Hi-

My box has two dsl lines coming into it on eth1 and eth2. eth0 is the
internal interface that goes to the servers and such. The problem I'm
having is that if I set the default gateway to eth1's gateway only the
ip's for that line are routed correctly. The same thing happens if I set
the default gateway as eth2's gateway (only eth2 ip's route correctly).
Using tcpdump I found that the failed requests come in on the correct
line and then an attempt is made to respond over the other line.

For example, let's say the default gateway on the box is set to eth1's
gateway and I ping an address on eth2. The request comes in on eth2,
goes to eth0 then to the server. The server responds and the reply is
received on eth0 and then sent to eth1 because its gateway is the
default gateway on the firewall box. The ping response then simply gets
lost and never makes it back. I'm trying to do this all with proxy arp.

Here are parts of some output:

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether [my mac address] brd ff:ff:ff:ff:ff:ff
    inet 192.1.1.1/24 scope global eth0
3: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether [my mac address] brd ff:ff:ff:ff:ff:ff
    inet 208.x.x.130/27 scope global eth1
4: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether [my mac address] brd ff:ff:ff:ff:ff:ff
    inet 66.x.x.18/28 scope global eth2

ip route show
208.x.x.156 dev eth0  scope link
208.x.x.157 dev eth0  scope link
. . (then all the rest of the 208.x.x.x addresses)
66.x.x.29 dev eth0  scope link
66.x.x.28 dev eth0  scope link
.....(then all the rest of the 66.x.x.x addresses)
66.x.x.16/28 dev eth2  proto kernel  scope link  src 66.x.x.18
208.x.x.128/27 dev eth1  proto kernel  scope link  src 208.x.x.130
192.1.1.0/24 dev eth0  proto kernel  scope link  src 192.1.1.1
127.0.0.0/8 via 127.0.0.1 dev lo
default via 208.186.180.129 dev eth1

thanks
On Thu, 2003-11-20 at 04:42, Dave King wrote:
> Hi-
> My box has two dsl lines coming into it on eth1 and eth2. eth0 is
> the internal interface that goes to the servers and such. The problem
> I'm having is that if I set the default gateway to eth1's gateway only
> the ip's for that line are routed correctly. The same thing happens if
> I set the default gateway as eth2's gateway (only eth2 ip's route
> correctly). Using tcpdump I found that the failed requests come in on
> the correct line and then an attempt is made to respond over the other line.
> For example, let's say the default gateway on the box is set to
> eth1's gateway and I ping an address on eth2. The request comes in on
> eth2, goes to eth0 then to the server. The server responds and the
> reply is received on eth0 and then sent to eth1 because its gateway is
> the default gateway on the firewall box. The ping response then simply
> gets lost and never makes it back.
>

Sounds like you need to investigate the multiple routing table
capabilities of iproute2. When traffic that is 'tied' to eth2 tries to
go out eth1, the upstream ISP is not able to route those subnets because
they aren't theirs. You could get into a whole bit about them being
able to advertise them via BGP etc but that is probably a lot more than
you really need. With iproute2, you can configure multiple routing
tables and set up rules to determine which table is used. I forget the
notation; the Linux Advanced Routing & Traffic Control site
(http://www.lartc.org/) has some good info on it.
On Thu, 2003-11-20 at 04:05, David T Hollis wrote:
>
> Sounds like you need to investigate the multiple routing table
> capabilities of iproute2. When traffic that is 'tied' to eth2 tries to
> go out eth1, the upstream ISP is not able to route those subnets because
> they aren't theirs. You could get into a whole bit about them being
> able to advertise them via BGP etc but that is probably a lot more than
> you really need. With iproute2, you can configure multiple routing
> tables and set up rules to determine which table is used. I forget the
> notation the Linux Advanced Routing & Traffic Control site
> (http://www.lartc.org/) has some good info on it.

This gets asked enough that I've added it as a FAQ
(http://shorewall.net/FAQ.htm#faq32)

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi-

One thing that I forgot to mention last night (it was about 3:00 am local
time when I sent the email) is that this system worked perfectly a week
ago with another line. Before our ip's were the 208.x.x.x line and a
216.x.x.x line both from different providers. The default gateway for the
firewall was the 216.x.x.x line's gateway. On Monday we switched providers
and that's when these routing problems started happening. For some reason
just after setting up the proxy arp entries and the rules it was able to
route correctly before, but now it does not. I was thinking there was some
setting I was forgetting since the last time I did it; I've looked through
the docs and couldn't find anything. I guess it's just plain weird that it
worked before and now it's doing this. It was kind of nice that it worked
with just shorewall before, but I guess if I have to set up the routing
rules myself that's fine.

Thanks for the answer. By the way, if anyone else has any ideas, I realized
I forgot to include the version of shorewall, it's 1.4.7c.

Thanks
Dave

David T Hollis writes:
> On Thu, 2003-11-20 at 04:42, Dave King wrote:
>> Hi-
>> My box has two dsl lines coming into it on eth1 and eth2. eth0 is
>> the internal interface that goes to the servers and such. The problem
>> I'm having is that if I set the default gateway to eth1's gateway only
>> the ip's for that line are routed correctly. The same thing happens if
>> I set the default gateway as eth2's gateway (only eth2 ip's route
>> correctly). Using tcpdump I found that the failed requests come in on
>> the correct line and then an attempt is made to respond over the other line.
>> For example, let's say the default gateway on the box is set to
>> eth1's gateway and I ping an address on eth2. The request comes in on
>> eth2, goes to eth0 then to the server. The server responds and the
>> reply is received on eth0 and then sent to eth1 because its gateway is
>> the default gateway on the firewall box. The ping response then simply
>> gets lost and never makes it back.
>>
>
> Sounds like you need to investigate the multiple routing table
> capabilities of iproute2. When traffic that is 'tied' to eth2 tries to
> go out eth1, the upstream ISP is not able to route those subnets because
> they aren't theirs. You could get into a whole bit about them being
> able to advertise them via BGP etc but that is probably a lot more than
> you really need. With iproute2, you can configure multiple routing
> tables and set up rules to determine which table is used. I forget the
> notation the Linux Advanced Routing & Traffic Control site
> (http://www.lartc.org/) has some good info on it.
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Thu, 2003-11-20 at 06:58, Dave King wrote:
> On Monday we switched providers and
> that's when these routing problems started happening. For some reason just
> after setting up the proxy arp entries and the rules it was able to route
> correctly before, but now it does not.

Your new ISP is probably doing source address filtering of outbound
traffic whereas your old one wasn't.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
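The finished configuration never appears in the thread; what follows is an added example (not code from the thread, from Shorewall, or from FAQ 32) of the iproute2 per-ISP routing tables David describes, arranged so that every reply leaves through the ISP that owns its source address, which is exactly what Tom's source-address-filtering point requires. It takes the subnets, local addresses and the eth1 gateway from Dave's posted `ip route` output (the x.x masking is kept, so replace it before use) and uses a labelled placeholder for the eth2 gateway, which is never given in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall. Emits (or, with
# DRY_RUN=0 as root, runs) the iproute2 commands for the two-DSL box above.
# Subnets and the eth1 gateway come from the posted `ip route` output with its
# x.x masking; the eth2 gateway was never posted, so it is a placeholder.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# isp_table ID IFACE NET GATEWAY LOCAL_ADDR
# One table per ISP holding that ISP's connected route and default route, plus
# a rule that picks the table by *source* address: a reply carrying a 66.x.x.x
# source is forced out eth2 no matter which gateway the main table prefers.
# Rule priorities sit after main (32766), so connected networks and the
# proxy-ARP host routes on eth0 are still resolved from main first.
isp_table() {
    id="$1"; dev="$2"; net="$3"; gw="$4"; src="$5"
    run ip route add "$net" dev "$dev" src "$src" table "$id"
    run ip route add default via "$gw" dev "$dev" table "$id"
    run ip rule add from "$net" table "$id" priority "$((40000 + id))"
}

setup_policy_routing() {
    # eth1: 208.x.x.128/27 via 208.186.180.129 (the posted main default)
    isp_table 1 eth1 208.x.x.128/27 208.186.180.129 208.x.x.130
    # eth2: 66.x.x.16/28; gateway not in the thread -> placeholder
    isp_table 2 eth2 66.x.x.16/28 GW_OF_ETH2_PLACEHOLDER 66.x.x.18
    # The box's own and masqueraded traffic has no ISP source address: take
    # the default out of main and fall through to ISP 1 as the catch-all.
    run ip route del default via 208.186.180.129 dev eth1
    run ip rule add table 1 priority 40100
    run ip route flush cache
}

setup_policy_routing
```

Check the result with `ip rule show` and `ip route show table 1` / `table 2`; a ping to a 66.x.x.x proxy-ARP'd host should then show its reply on eth2 in tcpdump.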