Shorewall users - Mar 2005 - Client Behind Router can''t get internet & cannot do fowarding...

i ask here after give up reading and following all the
documentation..

i got 3 nic

eth0:222.222.222.222
netmask:255.255.255.252
gateway:222.222.222.221

eth1:10.10.10.254
netmask:255.255.255.0
gateway:blank

eth2:10.10.11.254
netmask:255.255.255.0
gateway: blank


i''m running redhat9, and shorewall2.2.2

eth0 connected to dsl modem ( static ip )
eth1 connected to d-link router ( for office network )
eth2 connected to hub/switch ( for DMZ )

my d-link conf:
wan setting
ip:10.10.10.1
netmask:255.255.255.0
gateway:10.10.10.254

d-link office client is using dhcp:
ip:192.168.0.1
netmask:255.255.255.0

I got 2 big problem after running shorewall:

1) forward my static ip ( 222.222.222.222 ) to my
local webserver at DMZ area ( 10.10.11.10 ) at port
80. my lan disallow to 10.10.11.10 but have to use
222.222.222.222 to access the webserver. but i failed
to do this...dont know what is the problem

2) office network cannot get the internet from d-link
router. but when i connect the eth1 directly to a
single pc, yes i can get the internet.


glad if there is a help



cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

Erik wrote:
> i ask here after give up reading and following all the
> documentation..
> 
> i got 3 nic
> 
> eth0:222.222.222.222
> netmask:255.255.255.252
> gateway:222.222.222.221
> 
> eth1:10.10.10.254
> netmask:255.255.255.0
> gateway:blank
> 
> eth2:10.10.11.254
> netmask:255.255.255.0
> gateway: blank
> 
> 
> i''m running redhat9, and shorewall2.2.2
> 
> eth0 connected to dsl modem ( static ip )
> eth1 connected to d-link router ( for office network )
> eth2 connected to hub/switch ( for DMZ )
> 
> my d-link conf:
> wan setting
> ip:10.10.10.1
> netmask:255.255.255.0
> gateway:10.10.10.254
> 
> d-link office client is using dhcp:
> ip:192.168.0.1
> netmask:255.255.255.0
> 
> I got 2 big problem after running shorewall:
> 
> 1) forward my static ip ( 222.222.222.222 ) to my
> local webserver at DMZ area ( 10.10.11.10 ) at port
> 80. my lan disallow to 10.10.11.10 but have to use
> 222.222.222.222 to access the webserver. but i failed
> to do this...dont know what is the problem
> 
I''m sure Tom will correct me if I''m wrong given your setup :),
but
connections that leave the router and then try to loop back into the 
router using the external connection address don''t work.

> 2) office network cannot get the internet from d-link
> router. but when i connect the eth1 directly to a
> single pc, yes i can get the internet.
As for this, it''s hard to know without seeing the shorewall config and 
other stuff, but it sounds like a config error somewhere or other.
> 
> 
> glad if there is a help
> 
> 
> 
> cout<<"Erik";
> 
Mark II


-- 
END
-----------------------------------
TechieM2 (Mark D. Montgomery II)
https://techiem2.no-ip.com
techiem2@techiem2.net
Isaiah 40:28-31
-----------------------------------
Konfucius: Naco mas google, mantak ?
-----------------------------------

Thank you fore reply,

1) I dont quite understand you meaning on the first
answer

--- "Mark D. Montgomery II" <techiem2@techiem2.net>
wrote:
> Erik wrote:
> > i ask here after give up reading and following all
> the
> > documentation..
> > 
> > i got 3 nic
> > 
> > eth0:222.222.222.222
> > netmask:255.255.255.252
> > gateway:222.222.222.221
> > 
> > eth1:10.10.10.254
> > netmask:255.255.255.0
> > gateway:blank
> > 
> > eth2:10.10.11.254
> > netmask:255.255.255.0
> > gateway: blank
> > 
> > 
> > i''m running redhat9, and shorewall2.2.2
> > 
> > eth0 connected to dsl modem ( static ip )
> > eth1 connected to d-link router ( for office
> network )
> > eth2 connected to hub/switch ( for DMZ )
> > 
> > my d-link conf:
> > wan setting
> > ip:10.10.10.1
> > netmask:255.255.255.0
> > gateway:10.10.10.254
> > 
> > d-link office client is using dhcp:
> > ip:192.168.0.1
> > netmask:255.255.255.0
> > 
> > I got 2 big problem after running shorewall:
> > 
> > 1) forward my static ip ( 222.222.222.222 ) to my
> > local webserver at DMZ area ( 10.10.11.10 ) at
> port
> > 80. my lan disallow to 10.10.11.10 but have to use
> > 222.222.222.222 to access the webserver. but i
> failed
> > to do this...dont know what is the problem
> > 
> 
> I''m sure Tom will correct me if I''m wrong given your
> setup :), but 
> connections that leave the router and then try to
> loop back into the 
> router using the external connection address don''t
> work.
> 
> 
> > 2) office network cannot get the internet from
> d-link
> > router. but when i connect the eth1 directly to a
> > single pc, yes i can get the internet.
> 
> As for this, it''s hard to know without seeing the
> shorewall config and 
> other stuff, but it sounds like a config error
> somewhere or other.
> 
> > 
> > 
> > glad if there is a help
> > 
> > 
> > 
> > cout<<"Erik";
> > 
> 
> Mark II
> 
> 
> -- 
> END
> -----------------------------------
> TechieM2 (Mark D. Montgomery II)
> https://techiem2.no-ip.com
> techiem2@techiem2.net
> Isaiah 40:28-31
> -----------------------------------
> Konfucius: Naco mas google, mantak ?
> -----------------------------------
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

Erik wrote:
> i got 3 nic
> 
> eth0:222.222.222.222
> netmask:255.255.255.252
> gateway:222.222.222.221
> 
> eth1:10.10.10.254
> netmask:255.255.255.0
> gateway:blank
> 
> eth2:10.10.11.254
> netmask:255.255.255.0
> gateway: blank
> 
> 
> i''m running redhat9, and shorewall2.2.2
> 
> eth0 connected to dsl modem ( static ip )
> eth1 connected to d-link router ( for office network )
> eth2 connected to hub/switch ( for DMZ )
> 
> my d-link conf:
> wan setting
> ip:10.10.10.1
> netmask:255.255.255.0
> gateway:10.10.10.254
> 
> d-link office client is using dhcp:
> ip:192.168.0.1
> netmask:255.255.255.0
> 
> I got 2 big problem after running shorewall:
> 
> 1) forward my static ip ( 222.222.222.222 ) to my
> local webserver at DMZ area ( 10.10.11.10 ) at port
> 80. my lan disallow to 10.10.11.10 but have to use
> 222.222.222.222 to access the webserver. but i failed
> to do this...dont know what is the problem
I''m sorry -- from your description, I don''t understand what
problem you
are seeing. And given that you have not told us one single thing about
your Shorewall configuration, I don''t know how you expect us to help
you.
> 
> 2) office network cannot get the internet from d-link
> router. but when i connect the eth1 directly to a
> single pc, yes i can get the internet.
> 
Do you have the proper routes to the office network set up on your firewall>
> 
> glad if there is a help
Please see http://shorewall.net/support.htm#Guidelines for the
information that we need to diagnose these sorts of problems.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Sun, 20 Mar 2005 10:51:20 +0000 (GMT), Erik <hezry79@yahoo.com> wrote:
> 
> i''m running redhat9, and shorewall2.2.2
oops..get a supported distro first ¡¡
> 
> I got 2 big problem after running shorewall:
> 
> 1) forward my static ip ( 222.222.222.222 ) to my
> local webserver at DMZ area ( 10.10.11.10 ) at port
> 80. my lan disallow to 10.10.11.10 but have to use
> 222.222.222.222 to access the webserver. but i failed
> to do this...dont know what is the problem
> 
> 2) office network cannot get the internet from d-link
> router. but when i connect the eth1 directly to a
> single pc, yes i can get the internet.
> 
> glad if there is a help
> 
> cout<<"Erik";
> 
Please provide the necessary info.

Cristian Rodriguez wrote:
> On Sun, 20 Mar 2005 10:51:20 +0000 (GMT), Erik <hezry79@yahoo.com>
wrote:
> 
> 
>>i''m running redhat9, and shorewall2.2.2
> 
> 
> oops..get a supported distro first ¡¡
> 
RH9 should still be Ok as far as Shorewall is concerned but without
security updates, I don''t think I would want to run RH9 as a firewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Erik wrote:
> Thank you fore reply,
> 
> 1) I dont quite understand you meaning on the first
> answer
If I understood your setup right, your local lan does not have access to 
the webserver using it''s 10.x.x.x address, but is trying to use your 
external static IP address to access it.
This doesn''t work.
Any request from behind the firewall to the external address of the 
firewall won''t work.
Basically it''s trying to send the request out and then loop it back in.

Mark II




-- 
END
-----------------------------------
TechieM2 (Mark D. Montgomery II)
https://techiem2.no-ip.com
techiem2@techiem2.net
Isaiah 40:28-31
-----------------------------------
    "It''s hard to be mad at someone who misses you while
you''re asleep."
-Calvin
-----------------------------------

Mark D. Montgomery II wrote:
> Erik wrote:
> 
>> Thank you fore reply,
>>
>> 1) I dont quite understand you meaning on the first
>> answer
> 
> 
> If I understood your setup right, your local lan does not have access to
> the webserver using it''s 10.x.x.x address, but is trying to use
your
> external static IP address to access it.
> This doesn''t work.
> Any request from behind the firewall to the external address of the
> firewall won''t work.
> Basically it''s trying to send the request out and then loop it
back in.
> 
FAQ #2 discusses that case but I don''t think that''s what Eric
is trying
to do. I think possibly that he is trying to access his DMZ server by
external IP from his local network -- that just requires an appropriate
DNAT rule. But again, that''s only a guess.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

> 
> 
> FAQ #2 discusses that case but I don''t think that''s what
Eric is trying
> to do. I think possibly that he is trying to access his DMZ server by
> external IP from his local network -- that just requires an appropriate
> DNAT rule. But again, that''s only a guess.
> 
I''ve added FAQ 1d that describes the rule to allow local access to a
DMZ
server using an external IP on the firewall.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>>
>>FAQ #2 discusses that case but I don''t think that''s
what Eric is trying
>>to do. I think possibly that he is trying to access his DMZ server by
>>external IP from his local network -- that just requires an appropriate
>>DNAT rule. But again, that''s only a guess.
>>
> 
> 
> I''ve added FAQ 1d that describes the rule to allow local access to
a DMZ
> server using an external IP on the firewall.
> 
http://shorewall.net/FAQ.htm#faq1d

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

so you mean shorewall is best running on which OS?

--- Tom Eastep <teastep@shorewall.net> wrote:
> Cristian Rodriguez wrote:
> > On Sun, 20 Mar 2005 10:51:20 +0000 (GMT), Erik
> <hezry79@yahoo.com> wrote:
> > 
> > 
> >>i''m running redhat9, and shorewall2.2.2
> > 
> > 
> > oops..get a supported distro first ¡¡
> > 
> 
> RH9 should still be Ok as far as Shorewall is
> concerned but without
> security updates, I don''t think I would want to run
> RH9 as a firewall.
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

yeah..correct...that is what i mean


--- Tom Eastep <teastep@shorewall.net> wrote:
> Mark D. Montgomery II wrote:
> > Erik wrote:
> > 
> >> Thank you fore reply,
> >>
> >> 1) I dont quite understand you meaning on the
> first
> >> answer
> > 
> > 
> > If I understood your setup right, your local lan
> does not have access to
> > the webserver using it''s 10.x.x.x address, but is
> trying to use your
> > external static IP address to access it.
> > This doesn''t work.
> > Any request from behind the firewall to the
> external address of the
> > firewall won''t work.
> > Basically it''s trying to send the request out and
> then loop it back in.
> > 
> 
> FAQ #2 discusses that case but I don''t think that''s
> what Eric is trying
> to do. I think possibly that he is trying to access
> his DMZ server by
> external IP from his local network -- that just
> requires an appropriate
> DNAT rule. But again, that''s only a guess.
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

i will provide my configuration...sorry for delay

--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> 
> > i got 3 nic
> > 
> > eth0:222.222.222.222
> > netmask:255.255.255.252
> > gateway:222.222.222.221
> > 
> > eth1:10.10.10.254
> > netmask:255.255.255.0
> > gateway:blank
> > 
> > eth2:10.10.11.254
> > netmask:255.255.255.0
> > gateway: blank
> > 
> > 
> > i''m running redhat9, and shorewall2.2.2
> > 
> > eth0 connected to dsl modem ( static ip )
> > eth1 connected to d-link router ( for office
> network )
> > eth2 connected to hub/switch ( for DMZ )
> > 
> > my d-link conf:
> > wan setting
> > ip:10.10.10.1
> > netmask:255.255.255.0
> > gateway:10.10.10.254
> > 
> > d-link office client is using dhcp:
> > ip:192.168.0.1
> > netmask:255.255.255.0
> > 
> > I got 2 big problem after running shorewall:
> > 
> > 1) forward my static ip ( 222.222.222.222 ) to my
> > local webserver at DMZ area ( 10.10.11.10 ) at
> port
> > 80. my lan disallow to 10.10.11.10 but have to use
> > 222.222.222.222 to access the webserver. but i
> failed
> > to do this...dont know what is the problem
> 
> I''m sorry -- from your description, I don''t
> understand what problem you
> are seeing. And given that you have not told us one
> single thing about
> your Shorewall configuration, I don''t know how you
> expect us to help you.
> 
> > 
> > 2) office network cannot get the internet from
> d-link
> > router. but when i connect the eth1 directly to a
> > single pc, yes i can get the internet.
> > 
> 
> Do you have the proper routes to the office network
> set up on your firewall>
> 
> > 
> > glad if there is a help
> 
> Please see
> http://shorewall.net/support.htm#Guidelines for the
> information that we need to diagnose these sorts of
> problems.
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

Erik wrote:
> so you mean shorewall is best running on which OS?
It is not a question of "where it runs best".  It is a question of the
O/S itself and if it is currently supported by the Vendor.

RH9 has reached EOL (End of Life) and as such no longer is getting 
updates of any kind from Red Hat.  That is, no security updates, etc. 
While there are some groups out there putting updates out for that 
version of Red Hat it is normally suggested that you switch to
"Fedora"
if you don''t need/want the "paid" support that goes with Red
Hat
Enterprise Linux.

Ed


-- 
"A common mistake that people make when trying to design something
completely foolproof was to underestimate the ingenuity of complete
fools."

--Ford Prefect in "Mostly Harmless".

Here is my output of #

actually my eth0 is 218.111.120.210
netmask :255.255.255.252

shorewall version
ip addr show
ip route show

[root@firewall root]# shorewall version
2.2.2
[root@firewall root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:11:09:14:68:93 brd ff:ff:ff:ff:ff:ff
    inet 218.111.120.210/30 brd 218.111.120.211 scope
global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:0d:88:7e:97:76 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.254/24 brd 10.10.10.255 scope global
eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:0d:88:37:47:97 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.254/24 brd 10.10.11.255 scope global
eth2
[root@firewall root]# ip route show
218.111.120.208/30 dev eth0  scope link
10.10.10.0/24 dev eth1  scope link
10.10.11.0/24 dev eth2  scope link
169.254.0.0/16 dev eth2  scope link
127.0.0.0/8 dev lo  scope link
default via 218.111.120.209 dev eth0
[root@firewall root]#



--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> 
> > i got 3 nic
> > 
> > eth0:222.222.222.222
> > netmask:255.255.255.252
> > gateway:222.222.222.221
> > 
> > eth1:10.10.10.254
> > netmask:255.255.255.0
> > gateway:blank
> > 
> > eth2:10.10.11.254
> > netmask:255.255.255.0
> > gateway: blank
> > 
> > 
> > i''m running redhat9, and shorewall2.2.2
> > 
> > eth0 connected to dsl modem ( static ip )
> > eth1 connected to d-link router ( for office
> network )
> > eth2 connected to hub/switch ( for DMZ )
> > 
> > my d-link conf:
> > wan setting
> > ip:10.10.10.1
> > netmask:255.255.255.0
> > gateway:10.10.10.254
> > 
> > d-link office client is using dhcp:
> > ip:192.168.0.1
> > netmask:255.255.255.0
> > 
> > I got 2 big problem after running shorewall:
> > 
> > 1) forward my static ip ( 222.222.222.222 ) to my
> > local webserver at DMZ area ( 10.10.11.10 ) at
> port
> > 80. my lan disallow to 10.10.11.10 but have to use
> > 222.222.222.222 to access the webserver. but i
> failed
> > to do this...dont know what is the problem
> 
> I''m sorry -- from your description, I don''t
> understand what problem you
> are seeing. And given that you have not told us one
> single thing about
> your Shorewall configuration, I don''t know how you
> expect us to help you.
> 
> > 
> > 2) office network cannot get the internet from
> d-link
> > router. but when i connect the eth1 directly to a
> > single pc, yes i can get the internet.
> > 
> 
> Do you have the proper routes to the office network
> set up on your firewall>
> 
> > 
> > glad if there is a help
> 
> Please see
> http://shorewall.net/support.htm#Guidelines for the
> information that we need to diagnose these sorts of
> problems.
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

Erik wrote:
> [root@firewall root]# ip route show
> 218.111.120.208/30 dev eth0  scope link
> 10.10.10.0/24 dev eth1  scope link
> 10.10.11.0/24 dev eth2  scope link
> 169.254.0.0/16 dev eth2  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 218.111.120.209 dev eth0
> [root@firewall root]#
I don''t see any route to the network behind the router in the local
zone!

Please see: http://shorewall.net/Multiple_Zones.html

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

for the Multiple_Zones, i test all the
configuration...but fail...

let me inform something:
my eth1 is [ip:10.10.10.254, netmask:255.255.255.0,
gateway: blank]

this eth1 i connect to wireless router at WAN port by
using crossover cable. so the router WAN port
configuration i set it as like below:
ip:10.10.10.1, netmask:255.255.255.0,
gateway:10.10.10.254.

so from the router, all my wireless client dhcp is:
ip:192.168.0.X, netmask:255.255.255.0,
gateway:192.168.0.1 ( 192.168.0.1 is router ip )

so...can you suggest me which conf is better for the
shorewall?

--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> 
> > [root@firewall root]# ip route show
> > 218.111.120.208/30 dev eth0  scope link
> > 10.10.10.0/24 dev eth1  scope link
> > 10.10.11.0/24 dev eth2  scope link
> > 169.254.0.0/16 dev eth2  scope link
> > 127.0.0.0/8 dev lo  scope link
> > default via 218.111.120.209 dev eth0
> > [root@firewall root]#
> 
> I don''t see any route to the network behind the
> router in the local zone!
> 
> Please see: http://shorewall.net/Multiple_Zones.html
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

Erik wrote:
> for the Multiple_Zones, i test all the
> configuration...but fail...
> 
> let me inform something:
> my eth1 is [ip:10.10.10.254, netmask:255.255.255.0,
> gateway: blank]
> 
> this eth1 i connect to wireless router at WAN port by
> using crossover cable. so the router WAN port
> configuration i set it as like below:
> ip:10.10.10.1, netmask:255.255.255.0,
> gateway:10.10.10.254.
> 
> so from the router, all my wireless client dhcp is:
> ip:192.168.0.X, netmask:255.255.255.0,
> gateway:192.168.0.1 ( 192.168.0.1 is router ip )
> 
> so...can you suggest me which conf is better for the
> shorewall?
You need a route to 192.168.0.9/24 via 10.10.10.1.
>>>[root@firewall root]# ip route show
>>>218.111.120.208/30 dev eth0  scope link
>>>10.10.10.0/24 dev eth1  scope link
>>>10.10.11.0/24 dev eth2  scope link
>>>169.254.0.0/16 dev eth2  scope link
>>>127.0.0.0/8 dev lo  scope link
>>>default via 218.111.120.209 dev eth0
THERE IS NO ROUTE HERE FOR 192.168.0.0/24 via 10.10.10;1.

Look at the above routing table and ask yourself how the %$#@ your
firewall will ever know to send packets to 192.168.0.0/24 through
10.10.10.1.

-Tom

And yes, I''M SHOUTING.
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

1 good news and 1 bad news. good news is i succesfully
make the fowarding...

bad news is i still can''t spread the internet
connection to wireless client thru router...from my
situation how do i can create a route ? router in my
router or router in my network card eth1?


--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> > for the Multiple_Zones, i test all the
> > configuration...but fail...
> > 
> > let me inform something:
> > my eth1 is [ip:10.10.10.254,
> netmask:255.255.255.0,
> > gateway: blank]
> > 
> > this eth1 i connect to wireless router at WAN port
> by
> > using crossover cable. so the router WAN port
> > configuration i set it as like below:
> > ip:10.10.10.1, netmask:255.255.255.0,
> > gateway:10.10.10.254.
> > 
> > so from the router, all my wireless client dhcp
> is:
> > ip:192.168.0.X, netmask:255.255.255.0,
> > gateway:192.168.0.1 ( 192.168.0.1 is router ip )
> > 
> > so...can you suggest me which conf is better for
> the
> > shorewall?
> 
> 
> >>>[root@firewall root]# ip route show
> >>>218.111.120.208/30 dev eth0  scope link
> >>>10.10.10.0/24 dev eth1  scope link
> >>>10.10.11.0/24 dev eth2  scope link
> >>>169.254.0.0/16 dev eth2  scope link
> >>>127.0.0.0/8 dev lo  scope link
> >>>default via 218.111.120.209 dev eth0
> 
> THERE IS NO ROUTE HERE FOR 192.168.0.0/24 via
> 10.10.10;1.
> 
> Look at the above routing table and ask yourself how
> the %$#@ your
> firewall will ever know to send packets to
> 192.168.0.0/24 through
> 10.10.10.1.
> 
> -Tom
> 
> And yes, I''M SHOUTING.
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

i try to add route to my eth1:

/sbin/route add -net 192.168.0.0 netmask 255.255.255.0
gw 10.10.10.1

still not working....my
eth1[10.10.10.254,255.255.255.0], so is it correct is
set the route gw as 10.10.10.1?

--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> > for the Multiple_Zones, i test all the
> > configuration...but fail...
> > 
> > let me inform something:
> > my eth1 is [ip:10.10.10.254,
> netmask:255.255.255.0,
> > gateway: blank]
> > 
> > this eth1 i connect to wireless router at WAN port
> by
> > using crossover cable. so the router WAN port
> > configuration i set it as like below:
> > ip:10.10.10.1, netmask:255.255.255.0,
> > gateway:10.10.10.254.
> > 
> > so from the router, all my wireless client dhcp
> is:
> > ip:192.168.0.X, netmask:255.255.255.0,
> > gateway:192.168.0.1 ( 192.168.0.1 is router ip )
> > 
> > so...can you suggest me which conf is better for
> the
> > shorewall?
> 
> You need a route to 192.168.0.9/24 via 10.10.10.1.
> 
> >>>[root@firewall root]# ip route show
> >>>218.111.120.208/30 dev eth0  scope link
> >>>10.10.10.0/24 dev eth1  scope link
> >>>10.10.11.0/24 dev eth2  scope link
> >>>169.254.0.0/16 dev eth2  scope link
> >>>127.0.0.0/8 dev lo  scope link
> >>>default via 218.111.120.209 dev eth0
> 
> THERE IS NO ROUTE HERE FOR 192.168.0.0/24 via
> 10.10.10;1.
> 
> Look at the above routing table and ask yourself how
> the %$#@ your
> firewall will ever know to send packets to
> 192.168.0.0/24 through
> 10.10.10.1.
> 
> -Tom
> 
> And yes, I''M SHOUTING.
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

Erik wrote:
> i try to add route to my eth1:
> 
> /sbin/route add -net 192.168.0.0 netmask 255.255.255.0
> gw 10.10.10.1
> 
> still not working....my
> eth1[10.10.10.254,255.255.255.0], so is it correct is
> set the route gw as 10.10.10.1?
> 
If that is the address of your wireless router, yes. After you added
this route, did you restart shorewall? If your entry in
/etc/shorewall/masq has "eth1" in the SUBNETS column, Shorewall  uses
the routing table to construct the correct MASQUERADE/SNAT rules.

If that doesn''t work then please:

a) Go to http://shorewall.net/support.htm.
b) Read the problem reporting guidelines!!
c) Follow them -- especially the part that begins "THIS IS IMPORTANT!"

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Hi there..

I gave up. I need help. My problem is i cannot make my
office network client which are connected thru
wireless router get the internet connection. and my
wireless router is connected to my eth1 thru crossover
cable at wireless WAN port.

After first installation of shorewall, i copy and
paste  the Three-interface Linux System acting as a
firewall/router for a small local network and a DMZ
files to my existing shorewall directory. Then I surf
to this link
http://www.shorewall.net/Multiple_Zones.html and try
to follow the procedure for my wireless client able to
surf the internet

p/s: if i connected the network cable either from eth1
and eth2 to a switch, all the switch client can get
the internet connection. I already try to add router
to my eth1 but the wireless client still can''t get the
internet. This is my route to eth1:
/sbin/route add -net 192.168.0.0 netmask 255.255.255.0
gw 10.10.10.1

My setting:

I have 1 pc server act as Linux Router with 3 NIC.
eth0 , eth1 and eth2. My intenet connection is using
XDSL plus with 1 static ip. I have been given my
static ip is 218.111.120.210 netmask 255.255.255.252
and gateway 218.111.120.209.

so here my linux router setting:

eth0: < connect to XDSL with 1 public ip >
ip:218.111.120.210
netmsk: 255.255.255.252
gw: 218.111.120.209

eth1: < connect to wireless router at WAN port >
ip:10.10.10.1
netmsk:255.255.255.0
gw: blank

eth2: < connect to switch for DMZ, web serv, ftp serv
>
ip:10.10.11.1
netmsk:255.255.255.0
gw:blank

my wireless router:
WAN setting ( static ip );
ip:10.10.10.2
netmsk:255.255.255.0
gw:10.10.10.1 ( <- eth1 )

+ wireless router ip is 192.168.0.1 and so dhcp client
for office network client is range 192.168.0.X, netmsk
255.255.255.0 gateway 192.168.0.1


shorewall version> 
2.2.2

ip addr show>
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:11:09:14:68:93 brd ff:ff:ff:ff:ff:ff
    inet 218.111.120.210/30 brd 218.111.120.211 scope
global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:0d:88:7e:97:76 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global
eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:0d:88:37:47:97 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.1/24 brd 10.10.11.255 scope global
eth2

ip route show>
218.111.120.208/30 dev eth0  scope link
10.10.10.0/24 dev eth1  scope link
10.10.11.0/24 dev eth2  scope link
127.0.0.0/8 dev lo  scope link
default via 218.111.120.209 dev eth0


--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> > i try to add route to my eth1:
> > 
> > /sbin/route add -net 192.168.0.0 netmask
> 255.255.255.0
> > gw 10.10.10.1
> > 
> > still not working....my
> > eth1[10.10.10.254,255.255.255.0], so is it correct
> is
> > set the route gw as 10.10.10.1?
> > 
> 
> If that is the address of your wireless router, yes.
> After you added
> this route, did you restart shorewall? If your entry
> in
> /etc/shorewall/masq has "eth1" in the SUBNETS
> column, Shorewall  uses
> the routing table to construct the correct
> MASQUERADE/SNAT rules.
> 
> If that doesn''t work then please:
> 
> a) Go to http://shorewall.net/support.htm.
> b) Read the problem reporting guidelines!!
> c) Follow them -- especially the part that begins
> "THIS IS IMPORTANT!"
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

Hi there..

I ALREADY SEND THIS MSG PREVIOUSLY BUT NO REPLY. I
REALLY BEGGING FOR HELP

I gave up. I need help. My problem is i cannot make my
office network client which are connected thru
wireless router get the internet connection. and my
wireless router is connected to my eth1 thru crossover
cable at wireless WAN port.

After first installation of shorewall, i copy and
paste  the Three-interface Linux System acting as a
firewall/router for a small local network and a DMZ
files to my existing shorewall directory. Then I surf
to this link
http://www.shorewall.net/Multiple_Zones.html and try
to follow the procedure for my wireless client able to
surf the internet

p/s: if i connected the network cable either from eth1
and eth2 to a switch, all the switch client can get
the internet connection. I already try to add router
to my eth1 but the wireless client still can''t get the
internet. This is my route to eth1:
/sbin/route add -net 192.168.0.0 netmask 255.255.255.0
gw 10.10.10.1

My setting:

I have 1 pc server act as Linux Router with 3 NIC.
eth0 , eth1 and eth2. My intenet connection is using
XDSL plus with 1 static ip. I have been given my
static ip is 218.111.120.210 netmask 255.255.255.252
and gateway 218.111.120.209.

so here my linux router setting:

eth0: < connect to XDSL with 1 public ip >
ip:218.111.120.210
netmsk: 255.255.255.252
gw: 218.111.120.209

eth1: < connect to wireless router at WAN port >
ip:10.10.10.1
netmsk:255.255.255.0
gw: blank

eth2: < connect to switch for DMZ, web serv, ftp serv
>
ip:10.10.11.1
netmsk:255.255.255.0
gw:blank

my wireless router:
WAN setting ( static ip );
ip:10.10.10.2
netmsk:255.255.255.0
gw:10.10.10.1 ( <- eth1 )

+ wireless router ip is 192.168.0.1 and so dhcp client
for office network client is range 192.168.0.X, netmsk
255.255.255.0 gateway 192.168.0.1


shorewall version> 
2.2.2

ip addr show>
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd
00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:11:09:14:68:93 brd ff:ff:ff:ff:ff:ff
    inet 218.111.120.210/30 brd 218.111.120.211 scope
global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:0d:88:7e:97:76 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global
eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc
pfifo_fast qlen 100
    link/ether 00:0d:88:37:47:97 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.1/24 brd 10.10.11.255 scope global
eth2

ip route show>
218.111.120.208/30 dev eth0  scope link
10.10.10.0/24 dev eth1  scope link
10.10.11.0/24 dev eth2  scope link
127.0.0.0/8 dev lo  scope link
default via 218.111.120.209 dev eth0

--- Tom Eastep <teastep@shorewall.net> wrote:
> Erik wrote:
> > i try to add route to my eth1:
> > 
> > /sbin/route add -net 192.168.0.0 netmask
> 255.255.255.0
> > gw 10.10.10.1
> > 
> > still not working....my
> > eth1[10.10.10.254,255.255.255.0], so is it correct
> is
> > set the route gw as 10.10.10.1?
> > 
> 
> If that is the address of your wireless router, yes.
> After you added
> this route, did you restart shorewall? If your entry
> in
> /etc/shorewall/masq has "eth1" in the SUBNETS
> column, Shorewall  uses
> the routing table to construct the correct
> MASQUERADE/SNAT rules.
> 
> If that doesn''t work then please:
> 
> a) Go to http://shorewall.net/support.htm.
> b) Read the problem reporting guidelines!!
> c) Follow them -- especially the part that begins
> "THIS IS IMPORTANT!"
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \
> https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
>
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
cout<<"Erik";

________________________________________________________________________
Yahoo! Messenger - Communicate instantly..."Ping" 
your friends today! Download Messenger Now 
http://uk.messenger.yahoo.com/download/index.html

Erik wrote:
> 
> my wireless router:
> WAN setting ( static ip );
> ip:10.10.10.2
> netmsk:255.255.255.0
> gw:10.10.10.1 ( <- eth1 )
> 
> + wireless router ip is 192.168.0.1 and so dhcp client
> for office network client is range 192.168.0.X, netmsk
> 255.255.255.0 gateway 192.168.0.1
> ip route show>
> 218.111.120.208/30 dev eth0  scope link
> 10.10.10.0/24 dev eth1  scope link
> 10.10.11.0/24 dev eth2  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 218.111.120.209 dev eth0
> 
So where is the route to 192.168.0.0/24 via 10.10.10.2???? With the
above routing table, your firewall is trying to send packets to
192.168.0.0/24 via 218.111.120.209.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Erik wrote:
> 
> 
>>my wireless router:
>>WAN setting ( static ip );
>>ip:10.10.10.2
>>netmsk:255.255.255.0
>>gw:10.10.10.1 ( <- eth1 )
>>
>>+ wireless router ip is 192.168.0.1 and so dhcp client
>>for office network client is range 192.168.0.X, netmsk
>>255.255.255.0 gateway 192.168.0.1
> 
> 
>>ip route show>
>>218.111.120.208/30 dev eth0  scope link
>>10.10.10.0/24 dev eth1  scope link
>>10.10.11.0/24 dev eth2  scope link
>>127.0.0.0/8 dev lo  scope link
>>default via 218.111.120.209 dev eth0
>>
> 
> 
> So where is the route to 192.168.0.0/24 via 10.10.10.2???? With the
> above routing table, your firewall is trying to send packets to
> 192.168.0.0/24 via 218.111.120.209.
> 
> -Tom
I don''t remember the rest of this thread but it looks like his wireless
router would be doing NAT, so the shorewall box is only talking to the
wireless router''s WAN addr of 10.10.10.2

Brad wrote:
> 
> 
> Tom Eastep wrote:
>> Erik wrote:
>>
>>
>>> my wireless router:
>>> WAN setting ( static ip );
>>> ip:10.10.10.2
>>> netmsk:255.255.255.0
>>> gw:10.10.10.1 ( <- eth1 )
>>>
>>> + wireless router ip is 192.168.0.1 and so dhcp client
>>> for office network client is range 192.168.0.X, netmsk
>>> 255.255.255.0 gateway 192.168.0.1
>>
>>
>>> ip route show>
>>> 218.111.120.208/30 dev eth0  scope link
>>> 10.10.10.0/24 dev eth1  scope link
>>> 10.10.11.0/24 dev eth2  scope link
>>> 127.0.0.0/8 dev lo  scope link
>>> default via 218.111.120.209 dev eth0
>>>
>>
>>
>> So where is the route to 192.168.0.0/24 via 10.10.10.2???? With the
>> above routing table, your firewall is trying to send packets to
>> 192.168.0.0/24 via 218.111.120.209.
>>
>> -Tom
> 
> I don''t remember the rest of this thread but it looks like his
wireless
> router would be doing NAT, so the shorewall box is only talking to the
> wireless router''s WAN addr of 10.10.10.2
In which case, what Erik has right now should work.

I''ve tried to get Erik to send the output of "shorewall
status" (after
trying to connect from the office wireless network) but I''ve given up.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key