Hi All,

I have a Bering Firewall 1.2, running Shorewall 1.4.5 with 4 interfaces as follows

1 Internal Network
2 DMZ Network
3 Internet (Leased Line),
4 Internet (Broadband).

My question is as follows: -

I have two links to the Internet (3 and 4) and essentially want to send the outgoing traffic from the local zone to go via the Broadband Internet connection (4), but at the same time I need to make sure that the packets arriving inbound on the 3rd Internet interface, are equally replied to via the same interface.

I realise that I can't simply change the default gateway to point to the 4th interface, since this would impact the inbound traffic on 3. Is there any sensible way of approaching this, without having to use static routes?

Any help would be much appreciated.

Regards,

Simon.

Ps

Thanks to Tom and the Bering guys for a wonderful Firewall solution.
Francois BERGERET
2003-Sep-27 05:27 UTC
[Shorewall-users] Two links to Internet Configuration
Hi Simon, hi the list,

here is another Bering user.

Sure, Bering/Shorewall is a wonderful firewall/router solution! Many thanks to Jacques Nilo crew and Tom Eastep!

What do you want to do exactly with the 3rd interface? Input only? Have you tried to do DNAT, pointing to the correct LAN device, regarding TCP/UDP ports distribution? Could you explain more about your project?

To read you, Dear Simon.

Best Regards,
Francois BERGERET, France.
On Sat, 2003-09-27 at 05:15, Simon Chalk wrote:
> Hi All,
>
> I have a Bering Firewall 1.2, running Shorewall 1.4.5 with 4 interfaces as
> follows
>
> 1 Internal Network
> 2 DMZ Network
> 3 Internet (Leased Line),
> 4 Internet (Broadband).
>
> My question is as follows: -
>
> I have two links to the Internet (3 and 4) and essentially want to send the
> outgoing traffic from the local zone to go via the Broadband Internet
> connection (4), but at the same time I need to make sure that the packets
> arriving inbound on the 3rd Internet interface, are equally replied to via
> the same interface.
>
> I realise that I can't simply change the default gateway to point to the 4th
> interface, since this would impact the inbound traffic on 3. Is there any
> sensible way of approaching this, without having to use static routes?
>
> Any help would be much appreciated.
>

See the LARTC, section 4.2.1 -- there is a link to the LARTC site from the Shorewall "Useful Links" page.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Thanks Tom,
Hi Francois,

Tom Eastep has pointed me in the direction of LARTC

http://lartc.org/howto/lartc.rpdb.multiple-links.html#AEN268

It describes exactly what I want to achieve.

Our setup is such that we have web servers hosted on one Internet connection, and we want all inbound traffic to equally go back out of that interface. We then have a second route onto the internet which I want our internal network to route through, as well as outbound email. This will then in theory not impact the web users, when we generate traffic from our local LAN.

Regards,

Simon.
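The split-access policy routing that the LARTC section linked above describes, sketched for the four interfaces in this thread. This is an added example, not part of the original thread and not Shorewall or LARTC code; the interface names, addresses and table numbers are constructed assumptions, and it only prints the `ip` commands so they can be reviewed before anything is applied:

```shell
#!/bin/sh
# Dry-run generator for split-access routing with two uplinks.
# All names and addresses below are constructed (RFC 1918 / RFC 5737).
LAN_IF=eth0; LAN_NET=192.168.1.0/24        # 1 Internal Network
DMZ_IF=eth1; DMZ_NET=192.168.2.0/24        # 2 DMZ Network (web servers, assumed)
LL_IF=eth2;  LL_NET=192.0.2.0/24           # 3 Internet (Leased Line)
LL_IP=192.0.2.2;    LL_GW=192.0.2.1
BB_IF=eth3;  BB_NET=198.51.100.0/24        # 4 Internet (Broadband)
BB_IP=198.51.100.2; BB_GW=198.51.100.1
LL_TABLE=101; BB_TABLE=102                 # numeric routing table ids

# One routing table per uplink.
# $1=table $2=uplink net $3=uplink interface $4=firewall address $5=gateway
uplink_table() {
    echo "ip route add $2 dev $3 src $4 table $1"
    echo "ip route add default via $5 dev $3 table $1"
    # Copy the internal nets too; otherwise a lookup in this table would
    # send LAN/DMZ-bound packets out through the uplink's default route.
    echo "ip route add $LAN_NET dev $LAN_IF table $1"
    echo "ip route add $DMZ_NET dev $DMZ_IF table $1"
}

split_access_cmds() {
    uplink_table "$LL_TABLE" "$LL_NET" "$LL_IF" "$LL_IP" "$LL_GW"
    uplink_table "$BB_TABLE" "$BB_NET" "$BB_IF" "$BB_IP" "$BB_GW"
    # Replies leave through the uplink that owns their source address.
    echo "ip rule add from $LL_IP table $LL_TABLE"
    echo "ip rule add from $BB_IP table $BB_TABLE"
    # Assumption: the DMZ servers are published on the leased line, so
    # everything sourced from the DMZ goes back out that way.
    echo "ip rule add from $DMZ_NET table $LL_TABLE"
    # Everything else (the local zone) uses broadband via the main table.
    echo "ip route replace default via $BB_GW dev $BB_IF"
    echo "ip route flush cache"
}

split_access_cmds
```

Review the output, then apply it as root with `split_access_cmds | sh`. Numeric table ids are used so that /etc/iproute2/rt_tables does not need editing.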
Andreas Bittner
2003-Sep-27 12:15 UTC
[Shorewall-users] Two links to Internet Configuration
> See the LARTC, section 4.2.1 -- there is a link to the LARTC site from
> the Shorewall "Useful Links" page.

how about bgp4 and the other routing protocols for multihomed networks, but that requires _real_ internet connections and not home-brewed dsl/cable/so-called-broadband stuff. that leasedline company can probably offer you bgp4, but u have to get another non-consumer connection through some professional provider, with your own AS and portable ip address ranges