Hi folks, I know this isn't a shorewall question, but I'm hoping someone can point me to the right place to look for answers on this (since, as Tom suggests, search engines are useless for some things). Here is my firewall setup:

    ADSL1   ADSL2   dialup
        \     |     /
          firewall
             |
            DMZ

It's a fairly simple setup. ADSL1 has a static IP, ADSL2 is dynamic. There is DNAT across both ADSL links to a single host in the DMZ. The dialup IPs (a /29 subnet) are routed into the DMZ. ADSL1 is my normal default route, with some host-specific routes via ADSL2.

The problem is that if I switch my default route to ADSL2, all the DNAT rules that apply to ADSL1 break. I can see the packets coming into the box and getting DNATed, but on the return path, netfilter fails to send the packet out at all. I've checked my rules several times and I can't see any problems with them.

Any suggestions?

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
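The return path Paul describes is the classic multi-uplink DNAT problem, so here is an added example that models it; this is not code from the thread, from Shorewall or from FAQ 32, and whether it reproduces what is happening on Paul's box is not established above. Addresses are constructed from the RFC 5737 documentation ranges, and the device names (ppp0, ppp1, eth1), table names (adsl1, adsl2) and marks (1, 2) are assumptions. The model reproduces two netfilter facts: the routing decision for the DMZ host's reply is made before the reverse DNAT in nat POSTROUTING, so an `ip rule from <public ip>` never sees the public address and cannot select the uplink; a connection mark set from the ingress interface and restored on the reply, with an `ip rule fwmark` per uplink, does select it regardless of which link is the default route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges; device and table
# names are assumptions for the model, not the poster's configuration.
ADSL1 = {"dev": "ppp0", "ip": "192.0.2.10", "gw": "192.0.2.1"}        # static IP
ADSL2 = {"dev": "ppp1", "ip": "198.51.100.20", "gw": "198.51.100.1"}  # dynamic IP
DMZ_DEV, DMZ_NET, DMZ_HOST = "eth1", "10.0.0.0/24", "10.0.0.5"
CLIENT = "203.0.113.7"


@dataclass
class Route:
    prefix: str  # "default" or a CIDR
    dev: str
    via: Optional[str] = None

    def matches(self, dst: str) -> bool:
        return self.prefix == "default" or ipaddress.ip_address(dst) in ipaddress.ip_network(self.prefix)

    def plen(self) -> int:
        return 0 if self.prefix == "default" else ipaddress.ip_network(self.prefix).prefixlen


@dataclass
class Rule:  # one "ip rule" entry: optional from / fwmark selectors, then the table to consult
    priority: int
    table: str
    src: Optional[str] = None
    fwmark: Optional[int] = None


class PolicyRouter:
    """Minimal model of the kernel's rule-then-table lookup (ip rule / ip route)."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {"main": []}
        self.rules: List[Rule] = [Rule(32766, "main")]

    def add_route(self, table: str, route: Route) -> None:
        self.tables.setdefault(table, []).append(route)

    def add_rule(self, rule: Rule) -> None:
        self.rules = sorted(self.rules + [rule], key=lambda r: r.priority)

    def route(self, src: str, dst: str, fwmark: int = 0) -> Optional[Route]:
        for rule in self.rules:
            if rule.src and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
                continue
            if rule.fwmark is not None and rule.fwmark != fwmark:
                continue
            hits = [r for r in self.tables.get(rule.table, []) if r.matches(dst)]
            if hits:
                return max(hits, key=Route.plen)  # longest prefix wins within a table
        return None


def build_router(default_link: dict, policy: str) -> PolicyRouter:
    """policy: "none" = just a default route; "source" = 'ip rule from <uplink ip>';
    "mark" = 'ip rule fwmark <n>' with the mark taken from the ingress interface."""
    r = PolicyRouter()
    r.add_route("main", Route(DMZ_NET, DMZ_DEV))
    r.add_route("main", Route("default", default_link["dev"], default_link["gw"]))
    if policy != "none":
        for prio, (link, table, mark) in enumerate(((ADSL1, "adsl1", 1), (ADSL2, "adsl2", 2)), 100):
            r.add_route(table, Route(DMZ_NET, DMZ_DEV))  # local nets copied into each uplink table
            r.add_route(table, Route("default", link["dev"], link["gw"]))
            sel = {"src": link["ip"]} if policy == "source" else {"fwmark": mark}
            r.add_rule(Rule(prio, table, **sel))
    return r


class Firewall:
    """DNAT to the DMZ host on both uplinks, with a conntrack table and optional CONNMARK."""

    def __init__(self, router: PolicyRouter, policy: str) -> None:
        self.router, self.policy = router, policy
        self.conntrack: Dict[Tuple[str, int], dict] = {}
        self.dnat = {ADSL1["ip"]: DMZ_HOST, ADSL2["ip"]: DMZ_HOST}
        self.ingress_mark = {ADSL1["dev"]: 1, ADSL2["dev"]: 2}

    def inbound(self, in_dev: str, src: str, sport: int, dst: str) -> str:
        """First packet of a new connection from the Internet; returns the forwarding device."""
        mark = self.ingress_mark[in_dev] if self.policy == "mark" else 0  # mangle PREROUTING: CONNMARK --set-mark
        self.conntrack[(src, sport)] = {"mark": mark, "public_ip": dst}
        hit = self.router.route(src, self.dnat[dst], mark)  # nat PREROUTING (DNAT) runs before routing
        return hit.dev if hit else "unroutable"

    def reply(self, src: str, dst: str, dport: int) -> Tuple[str, str]:
        """Reply from the DMZ host. The routing decision is made BEFORE the reverse DNAT
        (nat POSTROUTING), so an 'ip rule from <public ip>' sees the DMZ host's private
        source address and never matches; a restored connection mark does."""
        conn = self.conntrack[(dst, dport)]
        mark = conn["mark"] if self.policy == "mark" else 0  # mangle PREROUTING: CONNMARK --restore-mark
        hit = self.router.route(src, dst, mark)
        return (hit.dev if hit else "unroutable"), conn["public_ip"]  # source rewritten only now


def path(default_link: dict, policy: str, arrived_on: dict) -> Tuple[str, str]:
    """(device the inbound packet is forwarded on, device the DMZ reply leaves on)."""
    fw = Firewall(build_router(default_link, policy), policy)
    fwd = fw.inbound(arrived_on["dev"], CLIENT, 40000, arrived_on["ip"])
    return fwd, fw.reply(DMZ_HOST, CLIENT, 40000)[0]


if __name__ == "__main__":
    for default, policy in ((ADSL1, "none"), (ADSL2, "none"), (ADSL2, "source"), (ADSL2, "mark")):
        print(f"default via {default['dev']}, policy={policy:6}: ADSL1 connection ->", path(default, policy, ADSL1))
```

With the default route on ADSL1 the reply for an ADSL1 connection leaves on ppp0 and everything looks fine; with the default on ADSL2 it leaves on ppp1 (and so does the "source" variant, because the reply is still sourced from 10.0.0.5 when the rule is evaluated), while the "mark" variant sends it back out ppp0. On a real box the "mark" policy corresponds to `iptables -t mangle -A PREROUTING -i ppp0 -m state --state NEW -j CONNMARK --set-mark 1`, `iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark` and `ip rule add fwmark 1 lookup adsl1`, with the adsl1 table holding that link's default route plus the local networks.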
Paul Gear wrote:
> ADSL1 is my normal default route, with some host-specific routes via
> ADSL2. The problem is that if I switch my default route to ADSL2, all
> the DNAT rules that apply to ADSL1 break.
>
> I can see the packets coming into the box and getting DNATed, but on
> the return path, netfilter fails to send the packet out at all. I've
> checked my rules several times and I can't see any problems with them.
>
> Any suggestions?

Paul,

I believe that the part of the answer to FAQ 32 that was contributed by Martin Brown deals with this issue.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Paul Gear wrote:
>> ADSL1 is my normal default route, with some host-specific routes via
>> ADSL2. The problem is that if I switch my default route to ADSL2, all
>> the DNAT rules that apply to ADSL1 break.
>>
>> I can see the packets coming into the box and getting DNATed, but on
>> the return path, netfilter fails to send the packet out at all. I've
>> checked my rules several times and I can't see any problems with them.
>>
>> Any suggestions?
>
> Paul,
>
> I believe that the part of the answer to FAQ 32 that was contributed by
> Martin Brown deals with this issue.

I've been reading up on this and trying to understand why it only affects one of the interfaces on my firewall. I have 2 ADSL interfaces, and 1 works fine as the default route while the other doesn't. Am I missing something really important in that FAQ and the related links? Why does one work and the other just doesn't?

--
Paul Gear
Paul Gear wrote:
> ...
> affects on of the interfaces on my firewall. I have 2 ADSL

s/on/one/

--
Paul Gear
Tom Eastep
2005-Feb-23 02:27 UTC
Re: Re: Routing changes break NAT (not a shorewall question)
Paul Gear wrote:
> I've been reading up on this and trying to understand why it only
> affects one of the interfaces on my firewall. I have 2 ADSL
> interfaces, and 1 works fine as the default route while the other
> doesn't. Am I missing something really important in that FAQ and the
> related links? Why does one work and the other just doesn't?

I hope you aren't asking me -- I personally spend $110US per month for an ADSL service that allows me to verify one-to-one NAT and proxy ARP. I simply can't justify paying more out of my own pocket so that I can experiment with two Internet interfaces. This is one case where Shorewall users that have the ability to test this stuff are going to have to tell ME how it works...

-Tom