Hi,

I have a dual ISP setup which is working flawlessly, except for DNAT. I've looked through all the docs (guides, FAQs etc.) but can find no reference to this problem. A "shorewall show nat" does display the incoming packets but no connection is established.

What I did try was disabling the second provider by removing their entries in my providers and masq files; this did not work, but when I disabled the interface entirely DNAT started working properly.

According to the Shorewall and Routing document: "Connections from the internet are automatically routed back out of the correct interface and through the correct ISP gateway. This works whether the connection is handled by the firewall itself or if it is routed or port-forwarded to a system behind the firewall."

So I didn't think I needed to do something special to get DNAT to work with multiple ISPs.

Am I forgetting something here? Any help/comments would be greatly appreciated.

Ashendra

PS. shorewall status attached
Ashendra Singh wrote:
>
> According to the Shorewall and Routing document: "Connections from the
> internet are automatically routed back out of the correct interface and
> through the correct ISP gateway. This works whether the connection is
> handled by the firewall itself or if it is routed or port-forwarded to a
> system behind the firewall."
>
> So I didn't think I needed to do something special to get DNAT to work
> with multiple ISPs.
>
> Am I forgetting something here?
>

Yes -- you need to specify 'track' on both providers.

Also in "Shorewall and Routing":

    track

        If specified, connections FROM this interface are to be tracked so
        that responses may be routed back out this same interface.

        You want to specify 'track' if internet hosts will be connecting to
        local servers through this provider. Any time that you specify
        'track', you will also want to specify 'balance' (see below).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
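To make the fix above concrete, here is an added example of the two relevant versions of /etc/shorewall/providers (example configuration, not the poster's attached status or anything from the Shorewall project itself). The interface names (eth0, eth1, eth2), the provider names, mark values and the TEST-NET gateway addresses are all assumed placeholders; substitute your own. Without 'track', a DNAT'ed connection arriving via the second ISP is answered through whichever provider the default route or balancing picks, so the reply leaves with the wrong source path and the client never sees it; 'track' marks the connection so its replies go back out the interface they came in on.

```conf
# /etc/shorewall/providers -- BEFORE (DNAT arriving via the second ISP fails)
# Format (Shorewall providers file):
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS   COPY
isp1    1       1     main       eth0       192.0.2.1      balance   eth2
isp2    2       2     main       eth1       198.51.100.1   balance   eth2
# Replies to inbound connections are routed by the balanced default route,
# so a session that entered on eth1 may be answered out of eth0 and is lost.

# /etc/shorewall/providers -- AFTER (what Tom's answer calls for)
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
isp1    1       1     main       eth0       192.0.2.1      track,balance  eth2
isp2    2       2     main       eth1       198.51.100.1   track,balance  eth2
# 'track' installs a connection-mark rule so that replies to connections
# that arrived FROM eth0 or eth1 are routed back through that provider's
# routing table (isp1 or isp2) instead of the balanced default route.
# 'balance' is kept on both, as the documentation quoted above recommends.
```

After editing the file, run "shorewall restart" and check that "shorewall show nat" now shows the DNAT counters increasing and that a client connecting through the second ISP's address actually completes the handshake; "ip rule show" should list a fwmark-based rule per provider once 'track' is in effect.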
Thanks, knew it was something stupid :)

Tom Eastep wrote:
> Ashendra Singh wrote:
>
>> According to the Shorewall and Routing document: "Connections from the
>> internet are automatically routed back out of the correct interface and
>> through the correct ISP gateway. This works whether the connection is
>> handled by the firewall itself or if it is routed or port-forwarded to a
>> system behind the firewall."
>>
>> So I didn't think I needed to do something special to get DNAT to work
>> with multiple ISPs.
>>
>> Am I forgetting something here?
>>
>
> Yes -- you need to specify 'track' on both providers.
>
> Also in "Shorewall and Routing":
>
>     track
>
>         If specified, connections FROM this interface are to be tracked so
>         that responses may be routed back out this same interface.
>
>         You want to specify 'track' if internet hosts will be connecting to
>         local servers through this provider. Any time that you specify
>         'track', you will also want to specify 'balance' (see below).
>
> -Tom