Hi,

I am migrating from one ISP to another, and would like to run both simultaneously for a while. So:

(both netmask 255.255.255.248)

    [ISP1] 24.106.62.180        [ISP2] 209.181.237.230
            |                            |
            |                            |
             \                          /
              -------[ HUB ]-------
                       |
            --------- eth0 ---------
            |  Linux FW/Server     |
            --------- eth1 ---------
                       |
                    [ HUB ]
                       |
            10.0.0.x/255.255.255.0

The default IP on eth0 in my RedHat 7.2 box is ISP1, and its default route is to ISP1's gateway. I am getting rid of ISP2 in the future. Until then, I want to either forward all requests coming in on ISP2 to ISP1 so all ISP1 firewall rules will apply, or just maintain separate rules for them, whichever is easier.

So both internet IPs are on eth0, and I tried manually setting ISP2 as an alias for ISP1, giving me eth0 and eth0:0 under ifconfig. This allows me to ping both IPs from my FW, but only ISP1 is pingable from the internet. All this is without shorewall active (shorewall clear). So I assume it is a routing issue, where requests coming in on ISP2 try to go back out via ISP1's default route.

How do I do this, using net and loc zones, where net is ISP1 and ISP2? And can shorewall automatically add the routes necessary? If so, how; if not, how do I do this manually?

I am using shorewall version 1.3.14, iptables 1.2.6a.

I have spent a week reading docs and about routing, but am too much of a rookie to figure this out. So I am hoping someone can help me out more than referencing me to more docs I don't understand.

Please try to reply or CC to my shorewall at incisoft dot com e-mail address, as I am not sure if my subscription to the mailing list is working.

Fonz
--On Friday, February 28, 2003 09:50:58 PM +0100 Fonz <shorewall@incisoft.com> wrote:

> So both internet IPs are on eth0, and I tried manually setting ISP2 as an
> alias for ISP1, giving me eth0 and eth0:0 under ifconfig. This allows me
> to ping both IPs from my FW, but only ISP1 is pingable from the
> internet. All this is without shorewall active (shorewall clear). So I
> assume it is a routing issue, where requests coming in on ISP2 try to go
> back out via ISP1's default route.

Yes -- reply packets aren't like spawning salmon in that they don't carry a genetic code from their parents (request packets) that directs them back to their origin. Outgoing packets are routed based on the contents of your routing table, independent of any other considerations.

> How do I do this, using net and loc zones, where net is ISP1 and ISP2. And
> can shorewall automatically add the routes necessary, if so, how, if not,
> how do I do this manually?

Shorewall cannot do this -- Shorewall's sole involvement in routing has to do with Proxy ARP.

> I am using shorewall version 1.3.14, iptables 1.2.6a
>
> I have spent a week reading docs and about routing, but am too much of a
> rookie to figure this out. So I am hoping someone can help me out more
> than referencing to more docs I don't understand.

I've never done it, so I can't give you a cookbook, although I'm confident that I could get it working. Unfortunately I'm going to be out of town for the weekend so I won't be able to help you.

Sorry,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
So basically having 2 internet IPs on eth0 is problematic. And setting up the routing so anything that comes in on one of the two internet IPs goes out back the same way it came in is everything but obvious.

How about if I use eth0 for ISP1, eth1 for ISP2 and eth2 for loc? That doesn't change anything to the problem, does it? What if I have ISP1 on eth0 in the 'net' zone, and ISP2 on 'eth1' in the 'dmz' zone, with ISP2 as the internet IP where I use DNAT to map ISP2 to the outside. Does that help any? Or is the whole difficulty here really that ISP1 and ISP2 are not on the same subnet network range?

Thank you for your time, and enjoy your weekend (while I'll be spending it hitting my head against the wall ;-)).

Fonz

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Friday, February 28, 2003 10:01 PM
To: Fonz; shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] 2 internet ip numbers on eth0
--On Friday, February 28, 2003 10:11:17 PM +0100 Fonz <shorewall@incisoft.com> wrote:

> So basically having 2 internet IPs on eth0 is problematic.
> And setting up the routing so anything that comes in on one of the two
> internet IPs goes out back the same way it came in, is everything but
> obvious.

Yes -- it's fairly easy to set up a load-balancing setup outbound, but accepting inbound connections on both IPs is more challenging. I think that the LARTC HowTo has a pretty good description about how to do the load balancing thing, but you've probably already looked at that (I think I mentioned it last night in ICQ).

> How about if I use eth0 for ISP1 eth1 for ISP2 and eth2 for loc? That
> doesn't change anything to the problem, does it? What if I have ISP1 on
> eth0 in the 'net' zone, and ISP2 on 'eth1' in the 'dmz' zone with ISP2 as
> the internet ip where I use DNAT to map ISP2 to the outside. Does that
> help any? Or is the whole difficulty here really that ISP1 and ISP2 are
> not on the same subnet network range?

The problem is that you have to ensure that the source IP in reply packets is correct for what the client expects, and that these packets are forwarded to the appropriate next hop router. It really doesn't matter if you have one NIC or two, although the documentation and examples that you find on this topic will usually assume separate NICs for the individual ISPs.

> Thank you for your time, and enjoy your weekend (while I'll be spending it
> hitting my head against the wall ;-)).

Given the way that I get to spend my out of town weekends, hitting my head against a wall sounds like a refreshing change. But thanks anyway...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
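The LARTC-style policy routing Tom refers to, written out as an added example (it is not from this thread and not Shorewall's own code): a second routing table for the ISP2 address, plus an ip rule that sends anything sourced from that address through it, so replies to connections arriving on ISP2 go back out via ISP2's gateway instead of ISP1's default route. The thread gives only the two host addresses and the /29 netmask; the gateway addresses and the table number are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Source-based policy routing with iproute2
# so replies from the ISP2 address leave through ISP2's gateway. Run as root on
# the firewall (set DRY_RUN=1 to only print the commands).
set -eu

IFACE=eth0
ISP2_IP=209.181.237.230
ISP2_GW=${ISP2_GW:-209.181.237.225}   # assumed: first usable address of the /29
ISP2_TABLE=200                         # arbitrary table id below the reserved 253-255
DRY_RUN=${DRY_RUN:-0}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Derive the /29 network (netmask 255.255.255.248, as in the thread) of an address.
net29() {
    addr=$1
    last=${addr##*.}
    printf '%s.%s/29\n' "${addr%.*}" $(( last - last % 8 ))
}

setup_isp2_routing() {
    net=$(net29 "$ISP2_IP")
    # Second address on the same NIC, what the eth0:0 alias in the thread does.
    run ip addr add "$ISP2_IP/29" dev "$IFACE"
    # A separate table whose only default route is ISP2's gateway.
    run ip route add "$net" dev "$IFACE" src "$ISP2_IP" table "$ISP2_TABLE"
    run ip route add default via "$ISP2_GW" dev "$IFACE" table "$ISP2_TABLE"
    # The rule that fixes the reply problem: packets sourced from the ISP2
    # address consult the ISP2 table, so they leave via ISP2's gateway.
    run ip rule add from "$ISP2_IP" table "$ISP2_TABLE" priority 100
    run ip route flush cache
}

if [ "${1:-}" = "--apply" ]; then
    setup_isp2_routing
fi
```

The main table keeps ISP1 as the default route, so locally originated and LAN traffic still leaves via ISP1; only traffic with the ISP2 source address is diverted.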
Don't be hitting your head anywhere, as it is too valuable for us. ;-)

Ok, I decided to use 2 servers. Server1 will be set up for ISP1, Server2 for ISP2, each with their own set of internet IPs and default routes. So they work independently.

Now I want Server2 to forward all incoming traffic to Server1. This should be possible, as Server2 will be the middleman for Server1 and the internet if Server2 is approached. So Server1 basically gets requests from the internet, on ISP1, which is fine, or it gets Server2, and acts as just another client on the internet. Correct?

So Server2 has to forward everything it gets on eth0 to eth1. How is this done?

    DNAT net fw:<some local ip>

Works.. But

    DNAT net net:$ISP1

Is not valid, is it? It must run through the linux machine.

How can I do this?

Fonz

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, February 28, 2003 10:55 PM
To: shorewall-users@lists.shorewall.net
Subject: RE: [Shorewall-users] 2 internet ip numbers on eth0

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
--On Friday, February 28, 2003 11:21:01 PM +0100 Fonz <shorewall@incisoft.com> wrote:

> Don't be hitting your head anywhere as it is too valuable for us. ;-)
>
> Ok, I decided to use 2 servers. Server1 will be setup for ISP1, Server2
> for ISP2, each with their own set of internet IPs and default routes. So
> they work independently.
> Now I want Server2 to forward all incoming traffic to Server1.
> This should be possible, as Server2 will be the middleman for Server1 and
> the internet if Server2 is approached. So Server1 basically gets requests
> from the internet, on ISP1, which is fine, or it gets Server2, and acts as
> just another client on the internet.
> Correct?
>
> So Server2 has to forward everything it gets on eth0 to eth1. How is this
> done?
> DNAT net fw:<some local ip>
> Works..
>
> But
> DNAT net net:$ISP1
> Is not valid, is it? It must run through the linux machine.
>
> How can I do this?

Keep it simple:

        ISP1                  ISP2
         | eth0                | eth0
       -----                 -----
      |     |eth1       eth1|     |
      | fw1 |<--------------| fw2 |
      |_____|               |_____|
         | eth2
       local LAN

In fw1 /etc/shorewall/interfaces:

    net    eth0    ...
    net    eth1    ...

In fw2 /etc/shorewall/interfaces:

    loc    eth1

    DNAT   net   loc:<ip of eth1 in fw1>   all   -   -   all:<ip of eth1>

You need the last part of that rule to SNAT everything coming from ISP2 so that replies will go back out through fw2 instead of through ISP1. The downside of this is that all connections from ISP2 will appear to come from the local interface of fw2.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net