I thought that requests from outside the firewall would be returned on the same NIC, but I am having some trouble. I have this configuration:

Eth0 66.92.114.46 isp1 dg 66.92.114.33
Eth1 209.141.2.194 isp2 dg 209.141.2.195
Eth2 192.168.119.101

I have set up masquerade like this, although I'm not sure it is right.

Masqueraded Subnets and Hosts:
To 0.0.0.0/0 from 192.168.119.0/24 through eth0 using 66.92.114.46
To 0.0.0.0/0 from 192.168.119.0/24 through eth1 using 209.141.2.194

Now the problem is that I can't ping eth1 from the outside. I can ping it from within router 209.141.2.195. I can ping it from a server next to it, 209.141.2.196.

For some reason anything beyond 209.141.2.195 cannot reach the ShoreWall box? I have checked the 209.141.2.195 router and it is able to ping 209.141.2.210 and 209.141.2.196.

Any ideas greatly appreciated?
Thad Marsh wrote:
> I thought that request from outside the firewall would be returned on
> the same nic, but I am having some trouble.

That flawed assumption gets a lot of people into trouble -- each packet is routed independently ACCORDING TO YOUR ROUTING TABLE!

> I have this configuration:
>
> Eth0 66.92.114.46 isp1 dg 66.92.114.33
> Eth1 209.141.2.194 isp2 dg 209.141.2.195
> Eth2 192.168.119.101
>
> I have set up masquerade like this although I'm not sure it is right.
>
> Masqueraded Subnets and Hosts:
> To 0.0.0.0/0 from 192.168.119.0/24 through eth0 using 66.92.114.46
> To 0.0.0.0/0 from 192.168.119.0/24 through eth1 using 209.141.2.194
>
> Now the problem is that I cant ping eth1 from the outside. I can ping it
> from within router 209.141.2.195. I can ping it from a server next to
> it 209.141.2.196.
>
> For some reason anything beyond 209.141.2.195 cannot reach ShoreWall
> box? I have check the 209.141.2.195 router and it is able to ping
> 209.141.2.210 and 209.141.2.196.
>
> Any ideas greatly appreciated?

See the Linux Advanced Routing and Traffic Control HOWTO (http://ds9a.nl/lartc) for instructions on setting up routing for your environment.

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> That flawed assumption gets a lot of people into trouble -- each packet is
> routed independently ACCORDING TO YOUR ROUTING TABLE!

I have looked at the advanced routing piece and tried several different configs, but here's the catch:

I can ping from the router in front of the ShoreWall device and get a response, so why would the ShoreWall device drop packets when they come from beyond that? I don't think this is routing at this point; it is something in the configuration of ShoreWall that I am missing.

Are the masq below correct?

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, September 16, 2002 3:13 PM
To: Thad Marsh
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] two wan nic one internal nic masq

Thad Marsh wrote:
> I thought that request from outside the firewall would be returned on
> the same nic, but I am having some trouble.

That flawed assumption gets a lot of people into trouble -- each packet is routed independently ACCORDING TO YOUR ROUTING TABLE!

> I have this configuration:
>
> Eth0 66.92.114.46 isp1 dg 66.92.114.33
> Eth1 209.141.2.194 isp2 dg 209.141.2.195
> Eth2 192.168.119.101
>
> I have set up masquerade like this although I'm not sure it is right.
>
> Masqueraded Subnets and Hosts:
> To 0.0.0.0/0 from 192.168.119.0/24 through eth0 using 66.92.114.46
> To 0.0.0.0/0 from 192.168.119.0/24 through eth1 using 209.141.2.194
>
> Now the problem is that I cant ping eth1 from the outside. I can ping it
> from within router 209.141.2.195. I can ping it from a server next to
> it 209.141.2.196.
>
> For some reason anything beyond 209.141.2.195 cannot reach ShoreWall
> box? I have check the 209.141.2.195 router and it is able to ping
> 209.141.2.210 and 209.141.2.196.
>
> Any ideas greatly appreciated?

See the Linux Advanced Routing and Traffic Control HOWTO (http://ds9a.nl/lartc) for instructions on setting up routing for your environment.

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Thad Marsh wrote:
> That flawed assumption gets a lot of people into trouble -- each packet is
> routed independently ACCORDING TO YOUR ROUTING TABLE!
>
> I have looked at the advanced routing piece and tried several different config, but here's the catch:
>
> I can ping from the router in front of the ShoreWall device and get a response so why would the ShoreWall device drop packets when it comes from beyond that? I don't think this is routing at this point it is something in the configuration of ShoreWall that I am missing.

I suspect that it is not dropping the packets -- it is rather mis-routing the replies.

> Are the masq below correct?

If they weren't I would have told you in my previous post...

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
> I suspect that it is not dropping the packets -- it is rather
> mis-routing the replies.

That is to say that your firewall is mis-routing the replies -- run tcpdump on your firewall and monitor all interfaces while you are testing...

-Tom
-- 
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
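Tom's diagnosis in the replies above (each packet is routed by the routing table, not back out the NIC it arrived on, and the LARTC HOWTO describes the policy-routing fix), as an added illustration that is not part of the thread: a small Python model of the firewall's routing decision using the thread's addresses. The /27 masks on both ISP links, the outside host 198.51.100.7 and the table name isp2 are assumptions.

```python
import ipaddress

# Constructed model of the firewall in the thread. The /27 masks are an
# assumption (the thread gives only addresses and default gateways).
IFACES = {
    "eth0": ipaddress.ip_interface("66.92.114.46/27"),     # ISP1, gw 66.92.114.33
    "eth1": ipaddress.ip_interface("209.141.2.194/27"),    # ISP2, gw 209.141.2.195
    "eth2": ipaddress.ip_interface("192.168.119.101/24"),  # LAN
}
ANY = ipaddress.ip_network("0.0.0.0/0")

def connected_routes():
    """On-link routes the kernel installs for each interface's own subnet."""
    return [(i.network, None, dev) for dev, i in IFACES.items()]

# Routing tables as (prefix, gateway, device). The main table holds the single
# default via ISP1; 'isp2' is the extra table LARTC tells you to create:
#   ip route add default via 209.141.2.195 dev eth1 table isp2
MAIN = connected_routes() + [(ANY, "66.92.114.33", "eth0")]
ISP2 = connected_routes() + [(ANY, "209.141.2.195", "eth1")]

def lookup(table, dst):
    """Longest-prefix match; returns (device, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    if not hits:
        return None
    prefix, gw, dev = max(hits, key=lambda r: r[0].prefixlen)
    return dev, gw

def route_reply(src, dst, rules):
    """Egress for a packet the firewall itself sends from src to dst. rules is
    an ordered list of (source prefix, table), evaluated like 'ip rule'; the
    implicit last rule is 'from all lookup main'."""
    for prefix, table in rules:
        if ipaddress.ip_address(src) in prefix:
            hit = lookup(table, dst)
            if hit:
                return hit
    return lookup(MAIN, dst)

NO_POLICY = []  # every reply follows the main table's default route (ISP1)
POLICY = [(ipaddress.ip_network("209.141.2.194/32"), ISP2)]  # ip rule add from 209.141.2.194 table isp2

def demo(outside="198.51.100.7"):   # constructed Internet host pinging eth1
    """(reply to on-link neighbour, reply to outside w/o rule, reply with rule)"""
    return (route_reply("209.141.2.194", "209.141.2.196", NO_POLICY),
            route_reply("209.141.2.194", outside, NO_POLICY),
            route_reply("209.141.2.194", outside, POLICY))
```

The on-link case is why the router and the server next to it get answers while the rest of the Internet does not: without the rule, the echo reply to the outside host leaves on eth0 with source 209.141.2.194, which is exactly what tcpdump on both interfaces would show.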