Shorewall users - Feb 2006 - Selecting upline to Internet depending on internal address

Hi all!

I''ve got a 3 interface firewall with the following settings:

eth0: 192.168.0.251
eth0r: 192.168.0.252 
          (set up with "ip addr add 192.168.0.252/24 dev eth0 alias eth0r)
eth1: 83.33.111.13
eth2: 212.156.34.2

I want to allow users to select which uplink they want to use depending on the 
IP they set as gateway. If they set 192.168.0.251 as gateway, then route 
through eth1. If their default gateway is 192.168.0.252, then go out using 
eth2. 

My entry in providers is:

isp1        1       1       main            eth1            83.33.111.1
isp2        2       2       main            eth2            212.156.34.1

and tcrules shows:

1:P     eth0            0.0.0.0/0       all
2:P     eth0r           0.0.0.0/0       all


The problem I find is that it doesn''t matter if it comes from eth0 or
eth0r,
it always matches the first rule in tcrules. 

Any idea on how to solve this issue?

Regards

-- 
Eduardo Díaz Comellas
Ultreia Comunicaciones S.L.


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

On Thursday 09 February 2006 14:54, Eduardo Díaz Comellas wrote:
>
> Any idea on how to solve this issue?
You can''t -- your firewall has no knowledge of which default gateway
internal
configured (and cannot tell by just looking at the ip traffic forwarded 
through it).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Hi!

El Viernes, 10 de Febrero de 2006 00:03, Tom Eastep escribió:
> On Thursday 09 February 2006 14:54, Eduardo Díaz Comellas wrote:
> > Any idea on how to solve this issue?
>
> You can''t -- your firewall has no knowledge of which default
gateway
> internal configured (and cannot tell by just looking at the ip traffic
> forwarded through it).
OK... maybe I''ll be luckier using one interface for the two inet
connections
and the other two for the internal gateways? That way I would have two 
different interfaces (with two different MAC addresses)  and the kernel would 
know which one was used to connect to Internet. Am I rigth?

That way I''ll use:

interfaces:

loc	eth0	detect
loc   eth1	detect
net	eth2	detect

providers:

isp1        1       1       main            eth2            83.33.111.1		track
isp2        2       2       main            eth2            212.156.34.1	track

tcrules: 

1:P     eth0            0.0.0.0/0       all
2:P     eth1            0.0.0.0/0       all

Would this configuration work? I think using "track" twice on an
interface
causes problems (I''m afraid that I still don''t fully
understand  how this
tracking works)

Regards
-- 
Eduardo Díaz Comellas
Ultreia Comunicaciones S.L.


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

Eduardo Díaz Comellas wrote:
> Hi!
> 
> El Viernes, 10 de Febrero de 2006 00:03, Tom Eastep escribió:
> 
> 
>>On Thursday 09 February 2006 14:54, Eduardo Díaz Comellas wrote:
>>
>>>Any idea on how to solve this issue?
>>
>>You can''t -- your firewall has no knowledge of which default
gateway
>>internal configured (and cannot tell by just looking at the ip traffic
>>forwarded through it).
> 
> 
> OK... maybe I''ll be luckier using one interface for the two inet
connections
> and the other two for the internal gateways? That way I would have two 
> different interfaces (with two different MAC addresses)  and the kernel
would
> know which one was used to connect to Internet. Am I rigth?
> 
> That way I''ll use:
> 
> interfaces:
> 
> loc	eth0	detect
> loc   eth1	detect
> net	eth2	detect
> 
> providers:
> 
> isp1        1       1       main            eth2            83.33.111.1	
track
> isp2        2       2       main            eth2            212.156.34.1
track
> 
> tcrules: 
> 
> 1:P     eth0            0.0.0.0/0       all
> 2:P     eth1            0.0.0.0/0       all
> 
> Would this configuration work? I think using "track" twice on an
interface
> causes problems (I''m afraid that I still don''t fully
understand  how this
> tracking works)
> 
> Regards
You''d be better off just sticking a 4th nic into the mix, less problems
to overcome.

Jerry.





-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642

On Thursday 09 February 2006 15:41, Jerry Vonau wrote:
> You''d be better off just sticking a 4th nic into the mix, less
problems
> to overcome.
I agree completely.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Hi!

El Viernes, 10 de Febrero de 2006 01:33, Tom Eastep escribió:

I finally added a 4th nic to the firewall and everything works nicely.

Regards
> On Thursday 09 February 2006 15:41, Jerry Vonau wrote:
> > You''d be better off just sticking a 4th nic into the mix,
less problems
> > to overcome.
>
> I agree completely.
>
> -Tom
-- 
Eduardo Díaz Comellas
Ultreia Comunicaciones S.L.


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642