Thad Marsh
2002-Aug-31 22:47 UTC
[Shorewall-users] forwarding through ShoreWall and failover router
Tom,

Welcome back!

I have the basic two interface version working great, but now I need something more complex. Or at least I am finding it that way.

I have an rh7.3 ShoreWall config with several network cards. The two external interfaces are connected each to a different ISP for failover.

Eth0 net ISP 1
#Eth1 net ISP2 disabled for now
eth2 loc 192.168.119.101
#eth3 loc 192.168.120.101 disabled for now

Now the above firewall sits in front of a fault tolerant router with two external (in this case it's really the dmz between ShoreWall and itself; I'll probably put a hub in here so that I can have an external server) and one internal interface. For now I'm just trying to get one working, but once that happens I will connect the second external to eth3 and enable eth1 on the ShoreWall for the second isp. It is configured with nat as that is how the failover mechanism works for this router.

Wan1 192.168.119.100
Wan2 192.168.120.100
Eth 192.168.121.101 internal network default gateway

Ok, now for the problem: I have enabled DNAT on the ShoreWall box and port forwarding on the failover router but I can't seem to get the traffic to pass from the ShoreWall box through the failover router to my 192.168.121.101. This also doesn't work with the routestopped.

I have checked the config files for ShoreWall and they seem right.

I'm not sure if there is something that needs to be explicitly defined in RedHat or ShoreWall, please advise.

Thad Marsh
President
Marsh Technology Group, LLC.
15 East 21st Street
Huntington Station, New York 11746
Phone: (631) 385-7250
Fax: (631) 673-3951
thad@marshtek.com
Tom Eastep
2002-Aug-31 22:58 UTC
[Shorewall-users] forwarding through ShoreWall and failover router
On Saturday 31 August 2002 03:47 pm, Thad Marsh wrote:
> Tom,
>
> Welcome back!
>
> I have the basic two interface version working great, but now I need
> something more complex. Or at least I am finding it that way.
>
> I have an rh7.3 ShoreWall config with several network cards. The two
> external interfaces are connected each to a different ISP for failover.
>
> Eth0 net ISP 1
> #Eth1 net ISP2 disabled for now
> eth2 loc 192.168.119.101
> #eth3 loc 192.168.120.101 disabled for now
>
>
> Now the above firewall sits in front of a fault tolerant router with two
> external (in this case it's really the dmz between ShoreWall and itself; I'll
> probably put a hub in here so that I can have an external server) and one
> internal interface. For now I'm just trying to get one working, but once
> that happens I will connect the second external to eth3 and enable eth1 on
> the ShoreWall for the second isp. It is configured with nat as that is how
> the failover mechanism works for this router.
>
> Wan1 192.168.119.100
> Wan2 192.168.120.100
> Eth 192.168.121.101 internal network default gateway
>
> Ok, now for the problem: I have enabled DNAT on the ShoreWall box and port
> forwarding on the failover router but I can't seem to get the traffic to
> pass from the ShoreWall box through the failover router to my
> 192.168.121.101. This also doesn't work with the routestopped.
>
> I have checked the config files for ShoreWall and they seem right.
>
> I'm not sure if there is something that needs to be explicitly defined in
> RedHat or ShoreWall, please advise.

I don't understand what you expect to gain with this setup but your problem is almost certainly routing related.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Aug-31 23:09 UTC
[Shorewall-users] forwarding through ShoreWall and failover router
On Saturday 31 August 2002 04:09 pm, Thad Marsh wrote:
> The only reason why I am including the failover router in this piece is
> because the client already has it deployed with a smoothwall. They like
> that it automatically switches from one isp to another if their main
> circuit goes down. I would like to replace the smoothwall with ShoreWall
> and consolidate some fragment functions. If there is an easy way to set up
> fail over with ShoreWall I will remove the failover router gladly?

There are Shorewall users using failover -- I'm not one of them though.

I'm reluctant to get involved trying to solve your problem because I'm leaving Tuesday for another week's vacation. If you can give me ALL of the details, I'll take a look...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Thad Marsh
2002-Aug-31 23:09 UTC
[Shorewall-users] forwarding through ShoreWall and failover router
The only reason why I am including the failover router in this piece is because the client already has it deployed with a smoothwall. They like that it automatically switches from one isp to another if their main circuit goes down. I would like to replace the smoothwall with ShoreWall and consolidate some fragment functions. If there is an easy way to set up fail over with ShoreWall I will remove the failover router gladly?

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Saturday, August 31, 2002 6:59 PM
To: Thad Marsh; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] forwarding through ShoreWall and failover router

On Saturday 31 August 2002 03:47 pm, Thad Marsh wrote:
> Tom,
>
> Welcome back!
>
> I have the basic two interface version working great, but now I need
> something more complex. Or at least I am finding it that way.
>
> I have an rh7.3 ShoreWall config with several network cards. The two
> external interfaces are connected each to a different ISP for failover.
>
> Eth0 net ISP 1
> #Eth1 net ISP2 disabled for now
> eth2 loc 192.168.119.101
> #eth3 loc 192.168.120.101 disabled for now
>
>
> Now the above firewall sits in front of a fault tolerant router with two
> external (in this case it's really the dmz between ShoreWall and itself; I'll
> probably put a hub in here so that I can have an external server) and one
> internal interface. For now I'm just trying to get one working, but once
> that happens I will connect the second external to eth3 and enable eth1 on
> the ShoreWall for the second isp. It is configured with nat as that is how
> the failover mechanism works for this router.
>
> Wan1 192.168.119.100
> Wan2 192.168.120.100
> Eth 192.168.121.101 internal network default gateway
>
> Ok, now for the problem: I have enabled DNAT on the ShoreWall box and port
> forwarding on the failover router but I can't seem to get the traffic to
> pass from the ShoreWall box through the failover router to my
> 192.168.121.101. This also doesn't work with the routestopped.
>
> I have checked the config files for ShoreWall and they seem right.
>
> I'm not sure if there is something that needs to be explicitly defined in
> RedHat or ShoreWall, please advise.

I don't understand what you expect to gain with this setup but your problem is almost certainly routing related.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Thad Marsh
2002-Aug-31 23:23 UTC
[Shorewall-users] forwarding through ShoreWall and failover router
Tom,

I really appreciate it, vacations are very important and you've always been very helpful, for that I am very grateful. I am sure it's something simple, I'm just missing it. What specific details would help, i.e. files from ShoreWall and anything else?

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Saturday, August 31, 2002 7:09 PM
To: Thad Marsh; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] forwarding through ShoreWall and failover router

On Saturday 31 August 2002 04:09 pm, Thad Marsh wrote:
> The only reason why I am including the failover router in this piece is
> because the client already has it deployed with a smoothwall. They like
> that it automatically switches from one isp to another if their main
> circuit goes down. I would like to replace the smoothwall with ShoreWall
> and consolidate some fragment functions. If there is an easy way to set up
> fail over with ShoreWall I will remove the failover router gladly?

There are Shorewall users using failover -- I'm not one of them though.

I'm reluctant to get involved trying to solve your problem because I'm leaving Tuesday for another week's vacation. If you can give me ALL of the details, I'll take a look...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Aug-31 23:32 UTC
[Shorewall-users] forwarding through ShoreWall and failover router
On Saturday 31 August 2002 04:23 pm, Thad Marsh wrote:
> Tom,
> I really appreciate it, vacations are very important and you've always been
> very helpful, for that I am very grateful. I am sure it's something simple,
> I'm just missing it. What specific details would help, i.e. files from
> ShoreWall and anything else?

Thad -- I'm on vacation. I will take a look at your problem but I'm not going to spend a half an hour trying to guess what your network looks like and trying to guess what information I might need.

YOU know what your network looks like. YOU know what you've tried and what you saw. YOU know if packets are reaching the servers or not. If packets are reaching the servers, YOU know if it is the replies that are getting lost. YOU know if there are any log messages...

So if you tell me everything that YOU know about the setup then maybe I can help.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep
2002-Aug-31 23:38 UTC
[Shorewall-users] forwarding through ShoreWall and failover router
On Saturday 31 August 2002 04:38 pm, Thad Marsh wrote:
> Agreed, I'll give you what I got so far!
> Didn't mean to sound like I wanted you to do all the work, just didn't want
> to bog you down with useless stuff. I'll send you what I have.

Ok -- don't look for a reply from me before tomorrow.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Thad Marsh
2002-Aug-31 23:38 UTC
[Shorewall-users] forwarding through ShoreWall and failover router
Agreed, I'll give you what I got so far!
Didn't mean to sound like I wanted you to do all the work, just didn't want to bog you down with useless stuff. I'll send you what I have.

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Saturday, August 31, 2002 7:33 PM
To: Thad Marsh; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] forwarding through ShoreWall and failover router

On Saturday 31 August 2002 04:23 pm, Thad Marsh wrote:
> Tom,
> I really appreciate it, vacations are very important and you've always been
> very helpful, for that I am very grateful. I am sure it's something simple,
> I'm just missing it. What specific details would help, i.e. files from
> ShoreWall and anything else?

Thad -- I'm on vacation. I will take a look at your problem but I'm not going to spend a half an hour trying to guess what your network looks like and trying to guess what information I might need.

YOU know what your network looks like. YOU know what you've tried and what you saw. YOU know if packets are reaching the servers or not. If packets are reaching the servers, YOU know if it is the replies that are getting lost. YOU know if there are any log messages...

So if you tell me everything that YOU know about the setup then maybe I can help.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net