Dave King
2003-Aug-26 00:04 UTC
[Shorewall-users] 2 hosts same interface, same zone can''t reach each other
Hi-

My setup looks like this

    DSL 1 (eth0)    DSL 2 (eth1)
          \          /
           \        /
          Shorewall Firewall
                |(eth2)
                |
          Zone Full of Hosts

I decided to use proxy arp for this. It works great! Most hosts are set up on both lines for redundancy. The lines are from different ISP's so they're on different subnets. There is a set of clients that only have an IP on one line (DSL 1). I'm able to get to servers on the same dsl line and everything outside my network, but am unable to get any kind of response from servers on an IP from the other line (DSL 2). I thought about putting in another network card, but all the slots are taken. I did a tcpdump on the icmp packets and I can find the request on eth2, but can't find anything on any other interface. I guess I figured it would probably follow the default gateway, like any other packet and go out, then come back down the other line. Anyone have an idea on how I might set up a rule to allow traffic between the networks?

Thanks
Dave
Tom Eastep
2003-Aug-26 07:42 UTC
[Shorewall-users] 2 hosts same interface, same zone can''t reach each other
On Tue, 2003-08-26 at 00:04, Dave King wrote:
> Hi-
> My setup looks like this
>
> DSL 1 (eth0)    DSL 2 (eth1)
>       \          /
>        \        /
>       Shorewall Firewall
>             |(eth2)
>             |
>       Zone Full of Hosts
>
> I decided to use proxy arp for this. It works great! Most hosts
> are set up on both lines for redundancy. The lines are from different
> ISP's so they're on different subnets. There is a set of clients that
> only have an IP on one line (DSL 1). I'm able to get to servers on
> the same dsl line and everything outside my network, but am unable to
> get any kind of response from servers on an IP from the other line (DSL
> 2). I thought about putting in another network card, but all the slots
> are taken. I did a tcpdump on the icmp packets and I can find the
> request on eth2, but can't find anything on any other interface. I
> guess I figured it would probably follow the default gateway, like any
> other packet and go out, then come back down the other line. Anyone
> have an idea on how I might set up a rule to allow traffic between the
> networks?
>

Dave -- I've read your report 3 or 4 times and I still haven't a clue what problem you are reporting.

For connections that fail:

a) Where is the client system?
b) Where is the server system?

Additionally, how is routing set up on your firewall (LARTC section 4.2.1 maybe)?

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Dave King
2003-Aug-26 11:15 UTC
[Shorewall-users] 2 hosts same interface, same zone can''t reach each other
I'm sorry, I'll try this again now that I've gotten a good night's sleep ;-). Ok so the client and the server are connected to eth1, but as I said they are on different subnets. The client is on IP 216.150.213.x (from DSL 1) while the server is on 208.186.180.x (from DSL 2).

Here's some other info that might be useful:

Shorewall Version: 1.4.6a

ip addr show output:
lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8
2: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:4c:69:6e:75:79 brd ff:ff:ff:ff:ff:ff
    inet 216.150.213.98/28 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc qfifo_fast qlen 100
    link/ether 00:04:5a:68:1e:67 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 scope global eth1
4: eth2 <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link /ether 00:a0:cc:e6:a5:4e brd ff:ff:ff:ff:ff:ff
    inet 208.186.180.130/27 scope global eth2

ip route show
216.150.213.x dev eth1  scope link    (the x stands for each of my ip's)
. . . .
208.186.180.x dev eth1  scope link    (the x stands for each of my ip's)
. . . .
192.168.1.0/24 eth1  proto kernel  scope link  src 192.168.1.1
127.0.0.0/8 via 127.0.0.1 dev lo
default via 216.150.213.97 dev eth0

There is nothing in the logs about this being dropped. When pinging I get "Destination host unreachable."

So basically all I'm trying to do is somehow allow traffic from the 208 address to the 216 address which both are behind the firewall (again I'm using proxy arp) connected to a switch connected to eth1.

Thanks.

Tom Eastep wrote:
>On Tue, 2003-08-26 at 00:04, Dave King wrote:
>
>
>>Hi-
>> My setup looks like this
>>
>>DSL 1 (eth0)    DSL 2 (eth2)
>>      \          /
>>       \        /
>>      Shorewall Firewall
>>            |(eth1)
>>            |
>>      Zone Full of Hosts
>>
>> I decided to use proxy arp for this. It works great! Most hosts
>>are set up on both lines for redundancy. The lines are from different
>>ISP's so they're on different subnets. There is a set of clients that
>>only have an IP on one line (DSL 1). I'm able to get to servers on
>>the same dsl line and everything outside my network, but am unable to
>>get any kind of response from servers on an IP from the other line (DSL
>>2). I thought about putting in another network card, but all the slots
>>are taken. I did a tcpdump on the icmp packets and I can find the
>>request on eth2, but can't find anything on any other interface. I
>>guess I figured it would probably follow the default gateway, like any
>>other packet and go out, then come back down the other line. Anyone
>>have an idea on how I might set up a rule to allow traffic between the
>>networks?
>>
>>
>>
>
>Dave -- I've read your report 3 or 4 times and I still haven't a clue
>what problem you are reporting.
>
>For connections that fail:
>
>a) Where is the client system?
>b) Where is the server system?
>
>Additionally, how is routing set up on your firewall (LARTC section
>4.2.1 maybe)?
>
>-Tom
>
>
Tom Eastep
2003-Aug-26 11:20 UTC
[Shorewall-users] 2 hosts same interface, same zone can''t reach each other
On Tue, 2003-08-26 at 11:15, Dave King wrote:
> I'm sorry, I'll try this again now that I've gotten a good night's sleep
> ;-).

:-)

> Ok so the client and the server are connected to eth1, but as I
> said they are on different subnets. The client is on IP 216.150.213.x
> (from DSL 1) while the server is on 208.186.180.x (from DSL 2).
>
> Here's some other info that might be useful:
>
> Shorewall Version: 1.4.6a
>
> ip addr show output:
> lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8
> 2: eth0: <BROADCAST,MULTICAST,ALLMULTI,PROMISC,UP> mtu 1500 qdisc
> pfifo_fast qlen 100
>     link/ether 00:4c:69:6e:75:79 brd ff:ff:ff:ff:ff:ff
>     inet 216.150.213.98/28 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc qfifo_fast qlen 100
>     link/ether 00:04:5a:68:1e:67 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 scope global eth1
> 4: eth2 <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link /ether 00:a0:cc:e6:a5:4e brd ff:ff:ff:ff:ff:ff
>     inet 208.186.180.130/27 scope global eth2
>
> ip route show
> 216.150.213.x dev eth1  scope link    (the x stands for each of my ip's)
> . . . .
> 208.186.180.x dev eth1  scope link    (the x stands for each of my ip's)
> . . . .
> 192.168.1.0/24 eth1  proto kernel  scope link  src 192.168.1.1
> 127.0.0.0/8 via 127.0.0.1 dev lo
> default via 216.150.213.97 dev eth0
>
> There is nothing in the logs about this being dropped. When pinging I
> get "Destination host unreachable."
>
> So basically all I'm trying to do is somehow allow traffic from the 208
> address to the 216 address which both are behind the firewall (again I'm
> using proxy arp) connected to a switch connected to eth1. Thanks.
>

Ok -- try setting the 'routeback' option on eth1.

-Tom
-- 
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
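The setting Tom points to lives in the Shorewall interfaces file. What follows is an added illustration written for this page, not configuration posted by either participant: it assumes zone names of `net` (DSL 1 on eth0), `net2` (DSL 2 on eth2) and `loc` (the hosts on eth1), and the two host addresses in the proxyarp file are placeholders inside the 216.150.213.x and 208.186.180.x ranges the thread names, not real hosts from the page. Without `routeback`, Shorewall does not build rules for a packet that enters eth1 and is routed straight back out eth1, which is exactly the path a 208.186.180.x host takes to reach a 216.150.213.x host behind the same interface; with it, that traffic is handled like any other loc-to-loc traffic.

```conf
# /etc/shorewall/interfaces  (assumed zone names; Shorewall 1.4 column layout)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
net2    eth2        detect
loc     eth1        detect      routeback   # allow eth1 -> eth1 forwarding

# /etc/shorewall/proxyarp  (placeholder host addresses, one per upstream line)
#ADDRESS            INTERFACE   EXTERNAL   HAVEROUTE
216.150.213.PLACEHOLDER   eth1  eth0       No      # DSL 1 address answered on eth0
208.186.180.PLACEHOLDER   eth1  eth2       No      # DSL 2 address answered on eth2
```

With HAVEROUTE set to No, Shorewall adds the per-host `dev eth1 scope link` routes itself, which matches the `ip route show` output quoted in the thread. After editing, `shorewall check` validates the files and `shorewall restart` applies them; if a loc-to-loc policy other than ACCEPT exists in /etc/shorewall/policy, that policy, not `routeback`, decides whether the two hosts may talk, so confirm it before concluding the option had no effect.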