Christophe Zwecker
2006-Feb-18 20:17 UTC
Problem with 2 ISPs, cant reach external IP from lan
Hi,

I have the problem that I can't reach my dmz server via the 2nd external ISP when connecting from inside. Here's my setup:

shorewall-3.0.1

Interfaces:
    net   eth0.1  detect         nosmurfs,routeback
    net   eth0.5  detect         nosmurfs,routeback
    lan   eth0.2  192.168.2.255  dhcp,routeback
    zco   eth0.3  192.168.3.255  dhcp,routeback
    dmz   eth0.4  85.183.131.15  routeback

eth0.1 IP 192.168.1.2
eth0.5 IP 192.168.5.254

The default gateway is 192.168.1.1, that is a SDSL router (dedicated line). The gateway for eth0.5 is 192.168.5.253, that is an ADSL router; that connection has dynamic IPs.

my providers file:
    SDSL1  1  1  main  eth0.1  192.168.1.1    track,balance  eth0.2,eth0.3,eth0.4
    ADSL2  2  2  main  eth0.5  192.168.5.253  track,balance  eth0.2,eth0.3,eth0.4

masq:
    eth0.1   192.168.2.10   85.183.140.9
    eth0.1   192.168.1.2    85.183.140.9
    eth0.1   192.168.2.6    85.183.140.9
    eth0.1   192.168.2.8    85.183.140.9
    eth0.1   192.168.2.6    85.183.140.9
    eth0.1   192.168.4.100  85.183.140.9
    eth0.5   192.168.4.100  192.168.5.254
    eth0.1   192.168.4.195  85.183.140.9
    #eth0.1  192.168.4.195
    #eth0.1  192.168.2.15
    eth0.5   85.183.140.9   192.168.5.254
    eth0.1   192.168.5.254  85.183.140.9

I get the network 85.183.131.8/248 routed to the firewall and I attach it to my dmz interface. In the dmz I've got a server at 85.183.140.11. On the ADSL router I do port forwarding to the firewall. When connecting from the "outside" it works: port forwarding on the ADSL router forwards me to the firewall and a DNAT rule forwards to the dmz machine.

The eth0.4 interface has an alias 192.168.4.254, so in the rules I use the dmz zone for that too; I hope that's ok, it seems to work.

Now the problem: I want to connect to the ADSL router's external IP in order to get to the server via it, from my network or the firewall, but that doesn't work and I get nothing in the log.

This maybe looks confusing, and if I forgot to give info, I will gladly do so.

Thanks for any help on this!!

Christophe

--
Christophe Zwecker :Sysctl
Koppel 96, 20099 Hamburg
phon: +49 40 41263790
fax: +49 40 41263799
mail: czwecker@sysctl.de
On Saturday 18 February 2006 12:17, Christophe Zwecker wrote:
> Now the problem: I want to connect to the ADSL router's external IP in
> order to get to the server via it, from my network or the firewall, but
> that doesn't work and I get nothing in the log.

This is basically FAQ 1d.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Christophe Zwecker
2006-Feb-19 14:02 UTC
Re: Problem with 2 ISPs, cant reach external IP from lan
Tom Eastep wrote:
> On Saturday 18 February 2006 12:17, Christophe Zwecker wrote:
>> Now the problem: I want to connect to the ADSL router's external IP in
>> order to get to the server via it, from my network or the firewall, but
>> that doesn't work and I get nothing in the log.
>
> This is basically FAQ 1d.
>
> -Tom

Hm ok, I thought this is more complex. As in the FAQ I did add a DNAT rule:

    DNAT  lan  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org

This works great: while connecting from a workstation in the lan zone to foobar.dyndns.org I get forwarded to the dmz machine.

While doing it from a machine that is in dmzp, which is a zone (192.168.4.0) that is connected to the same interface as the dmz zone (parallel zone, IP alias), it doesn't work:

    DNAT  dmzp  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org

I get timeouts, nothing in the log. I wonder if the problem lies within the parallel zone setup here?

Thanks for clearing things up,

Christophe
On Sunday 19 February 2006 06:02, Christophe Zwecker wrote:
> Hm ok, I thought this is more complex. As in the FAQ I did add a DNAT rule:
>
> DNAT  lan  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org
>
> This works great: while connecting from a workstation in the lan zone to
> foobar.dyndns.org I get forwarded to the dmz machine.
>
> While doing it from a machine that is in dmzp, which is a zone
> (192.168.4.0) that is connected to the same interface as the dmz zone
> (parallel zone, IP alias), it doesn't work:
>
> DNAT  dmzp  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org
>
> I get timeouts, nothing in the log.
>
> I wonder if the problem lies within the parallel zone setup here?

This then sounds like Shorewall FAQ 2 -- the requests from client->server go through the firewall and have the destination IP rewritten, but the replies bypass the firewall because the server also has an IP address in 192.168.4.0. Is that what is happening in your configuration?

-Tom
Christophe Zwecker
2006-Feb-19 16:51 UTC
Re: Problem with 2 ISPs, cant reach external IP from lan
Tom Eastep wrote:
> This then sounds like Shorewall FAQ 2 -- the requests from client->server go
> through the firewall and have the destination IP rewritten, but the replies
> bypass the firewall because the server also has an IP address in
> 192.168.4.0. Is that what is happening in your configuration?

Ah yes, sounds like that's it.

Christophe
Christophe Zwecker
2006-Feb-20 18:22 UTC
Re: Problem with 2 ISPs, cant reach external IP from lan
Tom Eastep wrote:
> This then sounds like Shorewall FAQ 2 -- the requests from client->server go
> through the firewall and have the destination IP rewritten, but the replies
> bypass the firewall because the server also has an IP address in
> 192.168.4.0. Is that what is happening in your configuration?
>
> -Tom

Yes it is. Well, in FAQ 2 it says:

    In /etc/shorewall/interfaces:

    #ZONE  INTERFACE  BROADCAST  OPTIONS
    loc    eth1       detect     routeback

I can't use the routeback option, shorewall refuses it because my interfaces file looks like this:

    #ZONE  INTERFACE  BROADCAST      OPTIONS             GATEWAY
    net    eth0.1     detect         nosmurfs,routeback
    net    eth0.5     detect         nosmurfs,routeback
    lan    eth0.2     192.168.2.255  dhcp,routeback
    zco    eth0.3     192.168.3.255  dhcp,routeback
    -      eth0.4     detect

and the interface we're talking about here is eth0.4 ... I've got two zones on it...

How can I fix this?

Thanks a lot and best regards,

Christophe
On Monday 20 February 2006 10:22, Christophe Zwecker wrote:
> Yes it is. Well, in FAQ 2 it says:
>
> In /etc/shorewall/interfaces:
>
> #ZONE  INTERFACE  BROADCAST  OPTIONS
> loc    eth1       detect     routeback
>
> I can't use the routeback option, shorewall refuses it because my
> interfaces file looks like this:
>
> #ZONE  INTERFACE  BROADCAST      OPTIONS             GATEWAY
> net    eth0.1     detect         nosmurfs,routeback
> net    eth0.5     detect         nosmurfs,routeback
> lan    eth0.2     192.168.2.255  dhcp,routeback
> zco    eth0.3     192.168.3.255  dhcp,routeback
> -      eth0.4     detect
>
> and the interface we're talking about here is eth0.4 ... I've got two zones
> on it...
>
> How can I fix this?

If the clients and the server are in different zones then you don't have to do anything. If they are in the same zone, then you need to put 'routeback' on that zone definition in /etc/shorewall/hosts.

-Tom
Christophe Zwecker
2006-Feb-21 15:25 UTC
Re: Problem with 2 ISPs, cant reach external IP from lan
Tom Eastep wrote:
> On Monday 20 February 2006 10:22, Christophe Zwecker wrote:
>> Yes it is. Well, in FAQ 2 it says:
>>
>> In /etc/shorewall/interfaces:
>>
>> #ZONE  INTERFACE  BROADCAST  OPTIONS
>> loc    eth1       detect     routeback
>>
>> I can't use the routeback option, shorewall refuses it because my
>> interfaces file looks like this:
>>
>> #ZONE  INTERFACE  BROADCAST      OPTIONS             GATEWAY
>> net    eth0.1     detect         nosmurfs,routeback
>> net    eth0.5     detect         nosmurfs,routeback
>> lan    eth0.2     192.168.2.255  dhcp,routeback
>> zco    eth0.3     192.168.3.255  dhcp,routeback
>> -      eth0.4     detect
>>
>> and the interface we're talking about here is eth0.4 ... I've got two zones
>> on it...
>>
>> How can I fix this?
>
> If the clients and the server are in different zones then you don't have to do
> anything. If they are in the same zone, then you need to put 'routeback' on
> that zone definition in /etc/shorewall/hosts.

OK, I did, but still I can't connect to the server in the dmz zone. My client is in the dmzp zone, which is going thru the same interface on the firewall; I just get a timeout. Again, my DNAT rule looks as follows:

    DNAT  dmzp:192.168.4.100  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org

The DNAT rule I use from my lan that works:

    DNAT  lan  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org

Any ideas what it could be? Thanks!!

--
Christophe Zwecker    mail: doc@zwecker.de
Hamburg, Germany      fon: +49 179 3994867
http://www.zwecker.de
"Reality is that which, when you stop believing in it, doesn't go away"
On Tuesday 21 February 2006 07:25, Christophe Zwecker wrote:
> OK, I did, but still I can't connect to the server in the dmz zone. My
> client is in the dmzp zone, which is going thru the same interface on the
> firewall; I just get a timeout. Again, my DNAT rule looks as follows:
>
> DNAT  dmzp:192.168.4.100  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org
>
> The DNAT rule I use from my lan that works:
>
> DNAT  lan  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org
>
> Any ideas what it could be?

The (ugly) solution to FAQ 2 also clearly states that you need an entry in /etc/shorewall/masq. Have you added that?

-Tom
Christophe Zwecker
2006-Feb-21 17:17 UTC
Re: Problem with 2 ISPs, cant reach external IP from lan
Tom Eastep wrote:
> On Tuesday 21 February 2006 07:25, Christophe Zwecker wrote:
>> OK, I did, but still I can't connect to the server in the dmz zone. My
>> client is in the dmzp zone, which is going thru the same interface on the
>> firewall; I just get a timeout. Again, my DNAT rule looks as follows:
>>
>> DNAT  dmzp:192.168.4.100  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org
>>
>> The DNAT rule I use from my lan that works:
>>
>> DNAT  lan  dmz:85.183.140.11  tcp  21,22  -  foobar.dyndns.org
>>
>> Any ideas what it could be?
>
> The (ugly) solution to FAQ 2 also clearly states that you need an entry
> in /etc/shorewall/masq. Have you added that?
>
> -Tom

Yes:

    eth0.4:192.168.4.100  eth0.4  192.168.4.254  tcp  21,22

or I tried this too:

    eth0.4:192.168.4.100  eth0.4  85.183.140.9  tcp  21,22

Christophe
On Tuesday 21 February 2006 09:17, Christophe Zwecker wrote:
> Yes:
>
> eth0.4:192.168.4.100  eth0.4  192.168.4.254  tcp  21,22
>
> or I tried this too:
>
> eth0.4:192.168.4.100  eth0.4  85.183.140.9  tcp  21,22

Ok -- I've gone as far as I can with this given that all I'm seeing is snippets of your configuration over time. Please submit a full problem report as described at http://www.shorewall.net/support.htm

-Tom
Christophe Zwecker
2006-Feb-22 10:03 UTC
Problem with 2 ISPs, cant reach external IP from one zone
> Ok -- I've gone as far as I can with this given that all I'm seeing is
> snippets of your configuration over time. Please submit a full problem report
> as described at http://www.shorewall.net/support.htm

OK, here goes. While doing the dump I'm trying to establish a connection from 192.168.4.100 (dmzp zone) to 84.142.166.180 port 1970. This connection shall be rerouted to 85.183.131.11, which is in the dmz zone. dmz and dmzp zone are going thru the same interface (eth0.4). Doing the same from my lan (192.168.2.10) works! I suppose you can see anything else in the dump? show log doesn't show either 192.168.4.100 nor 84.142.166.180.

Here are my config files:

Interfaces:
    #ZONE  INTERFACE  BROADCAST      OPTIONS   GATEWAY
    net    eth0.1     detect         nosmurfs
    net    eth0.5     detect         nosmurfs
    lan    eth0.2     192.168.2.255  dhcp
    zco    eth0.3     192.168.3.255  dhcp
    -      eth0.4     detect

hosts:
    dmz   eth0.4:85.183.131.8/255.255.255.248  routeback
    dmzp  eth0.4:192.168.4.0/24                routeback

masq:
    eth0.1                192.168.2.10   85.183.131.9
    eth0.1                192.168.1.2    85.183.131.9
    eth0.1                192.168.2.6    85.183.131.9
    eth0.1                192.168.2.8    85.183.131.9
    eth0.1                192.168.2.6    85.183.131.9
    eth0.1                192.168.4.100  85.183.131.9
    eth0.5                85.183.131.9   192.168.5.254
    eth0.1                192.168.5.254  85.183.131.9
    eth0.5                192.168.2.10   192.168.5.254
    eth0.5                192.168.2.8    192.168.5.254
    eth0.4:192.168.4.100  eth0.4         192.168.4.254  tcp  1970

policy:
    dmz   dmzp  ACCEPT
    dmzp  dmz   ACCEPT
    fw    net   ACCEPT
    net   all   DROP    info
    net   net   NONE
    dmzp  fw    ACCEPT
    all   all   REJECT  info

part of rules:
    DNAT  lan                 dmz:85.183.131.11  tcp  1970,54999:56001     -  gz2000.dyndns.org
    DNAT  dmzp:192.168.4.100  dmz:85.183.131.11  tcp  22,1970,54999:56001  -  gz2000.dyndns.org

Hope this is the info you needed, I'll gladly provide more. Thanks a lot!

Christophe
Christophe Zwecker
2006-Feb-24 15:43 UTC
Problem with 2 ISPs, cant reach external IP from one zone
Hi,

not sure whether this made it to the list, so I post it again..

> Ok -- I've gone as far as I can with this given that all I'm seeing is
> snippets of your configuration over time. Please submit a full problem report
> as described at http://www.shorewall.net/support.htm

OK, here goes. While doing the dump I'm trying to establish a connection from 192.168.4.100 (dmzp zone) to 84.142.166.180 port 1970. This connection shall be rerouted to 85.183.131.11, which is in the dmz zone. dmz and dmzp zone are going thru the same interface (eth0.4). Doing the same from my lan (192.168.2.10) works! I suppose you can see anything else in the dump? show log doesn't show either 192.168.4.100 nor 84.142.166.180.

Here are my config files:

Interfaces:
    #ZONE  INTERFACE  BROADCAST      OPTIONS   GATEWAY
    net    eth0.1     detect         nosmurfs
    net    eth0.5     detect         nosmurfs
    lan    eth0.2     192.168.2.255  dhcp
    zco    eth0.3     192.168.3.255  dhcp
    -      eth0.4     detect

hosts:
    dmz   eth0.4:85.183.131.8/255.255.255.248  routeback
    dmzp  eth0.4:192.168.4.0/24                routeback

masq:
    eth0.1                192.168.2.10   85.183.131.9
    eth0.1                192.168.1.2    85.183.131.9
    eth0.1                192.168.2.6    85.183.131.9
    eth0.1                192.168.2.8    85.183.131.9
    eth0.1                192.168.2.6    85.183.131.9
    eth0.1                192.168.4.100  85.183.131.9
    eth0.5                85.183.131.9   192.168.5.254
    eth0.1                192.168.5.254  85.183.131.9
    eth0.5                192.168.2.10   192.168.5.254
    eth0.5                192.168.2.8    192.168.5.254
    eth0.4:192.168.4.100  eth0.4         192.168.4.254  tcp  1970

policy:
    dmz   dmzp  ACCEPT
    dmzp  dmz   ACCEPT
    fw    net   ACCEPT
    net   all   DROP    info
    net   net   NONE
    dmzp  fw    ACCEPT
    all   all   REJECT  info

part of rules:
    DNAT  lan                 dmz:85.183.131.11  tcp  1970,54999:56001     -  gz2000.dyndns.org
    DNAT  dmzp:192.168.4.100  dmz:85.183.131.11  tcp  22,1970,54999:56001  -  gz2000.dyndns.org

Hope this is the info you needed, I'll gladly provide more. Thanks a lot!

Christophe
Tom Eastep
2006-Feb-24 16:05 UTC
Re: Problem with 2 ISPs, cant reach external IP from one zone
On Friday 24 February 2006 07:43, Christophe Zwecker wrote:
> Hi,
>
> not sure whether this made it to the list, so I post it again..

Sorry -- I looked at it yesterday but got busy with work and forgot to reply.

Your masq rule is definitely wrong. I suggest:

    eth0.4:85.183.131.11  192.168.4.0/24  85.183.131.9  tcp  <ports>

If that doesn't work for you, please send another dump.

-Tom
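The FAQ 2 reply path Tom describes, traced with the thread's own addresses as an added example (not Shorewall's code): without a matching masq entry the dmz server answers the dmzp client directly over the shared eth0.4 segment and the client never sees a reply from the public address it connected to; with Tom's masq entry the reply is addressed to the firewall, which reverses both translations. The packet/conntrack model and the reduced masq-rule semantics are simplifying assumptions of mine.

```python
"""Hairpin NAT (Shorewall FAQ 2) traced with this thread's addresses.
Added example, not Shorewall's code; the packet/conntrack model and the
masq-rule semantics are simplifying assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CLIENT = ip_address("192.168.4.100")    # client in zone dmzp
PUBLIC = ip_address("84.142.166.180")   # ADSL router's external address
SERVER = ip_address("85.183.131.11")    # server in zone dmz
FW_DMZ = ip_address("85.183.131.9")     # firewall's address in the dmz network
FW_ALIAS = ip_address("192.168.4.254")  # firewall's alias on eth0.4 for dmzp
FIREWALL_ADDRS = {FW_DMZ, FW_ALIAS}
# dmz and dmzp share eth0.4, so the server reaches both networks directly.
ETH0_4_NETS = [ip_network("85.183.131.8/29"), ip_network("192.168.4.0/24")]

@dataclass(frozen=True)
class Packet:
    src: object
    dst: object

@dataclass(frozen=True)
class MasqRule:
    """Simplified /etc/shorewall/masq entry: INTERFACE(:dest)  SOURCE  ADDRESS."""
    dest: object     # network the INTERFACE column is qualified with
    source: object   # SOURCE column: network whose traffic gets SNATed
    address: object  # ADDRESS column: address to SNAT to

    def matches(self, pkt):
        return pkt.dst in self.dest and pkt.src in self.source

def directly_attached(addr):
    return any(addr in net for net in ETH0_4_NETS)

def hairpin(masq_rules):
    """Trace CLIENT -> PUBLIC:1970 and report 'established' or 'timeout'."""
    # 1. PUBLIC is not on the client's network, so the SYN goes to the firewall.
    syn = Packet(CLIENT, PUBLIC)
    # 2. The DNAT rule for dmzp rewrites the destination to the dmz server.
    after_dnat = Packet(syn.src, SERVER)
    # 3. POSTROUTING: the first matching masq rule rewrites the source too.
    out = after_dnat
    for rule in masq_rules:
        if rule.matches(after_dnat):
            out = Packet(rule.address, SERVER)
            break
    # conntrack remembers how to undo both translations on the reply.
    conntrack = {(out.dst, out.src): (PUBLIC, CLIENT)}
    # 4. The server answers whatever source it saw. A host on a directly
    #    attached network is reached without the firewall, so nothing un-NATs.
    reply = Packet(SERVER, out.src)
    if reply.dst not in FIREWALL_ADDRS and directly_attached(reply.dst):
        # Client expected the SYN-ACK from PUBLIC, gets it from SERVER:
        # no matching socket, so the SYN is retried until it times out.
        return "timeout"
    # 5. The reply hits the firewall, which reverses the DNAT and SNAT.
    new_src, new_dst = conntrack[(reply.src, reply.dst)]
    return "established" if (new_src, new_dst) == (PUBLIC, CLIENT) else "timeout"

NO_MASQ = []
# Christophe's entry: eth0.4:192.168.4.100  eth0.4  192.168.4.254  tcp  1970
# ("eth0.4" in the SOURCE column is modelled as any source address)
WRONG_MASQ = [MasqRule(ip_network("192.168.4.100/32"), ip_network("0.0.0.0/0"), FW_ALIAS)]
# Tom's entry: eth0.4:85.183.131.11  192.168.4.0/24  85.183.131.9  tcp  <ports>
FIXED_MASQ = [MasqRule(ip_network("85.183.131.11/32"), ip_network("192.168.4.0/24"), FW_DMZ)]

if __name__ == "__main__":
    for name, rules in (("no masq", NO_MASQ), ("wrong masq", WRONG_MASQ), ("fixed", FIXED_MASQ)):
        print(f"{name}: {hairpin(rules)}")
```

Christophe's entry never matches because it is qualified on the client's address as destination, while the packet leaving the firewall is destined to the server; Tom's entry matches that packet and SNATs it to the firewall's dmz address, which is why the reply comes back through the firewall.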
Christophe Zwecker
2006-Feb-25 15:49 UTC
Re: Problem with 2 ISPs, cant reach external IP from one zone
THX TOM! It works now!! Thanks a lot..

Christophe

Tom Eastep wrote:
> On Friday 24 February 2006 07:43, Christophe Zwecker wrote:
>> Hi,
>>
>> not sure whether this made it to the list, so I post it again..
>
> Sorry -- I looked at it yesterday but got busy with work and forgot to reply.
>
> Your masq rule is definitely wrong. I suggest:
>
> eth0.4:85.183.131.11  192.168.4.0/24  85.183.131.9  tcp  <ports>
>
> If that doesn't work for you, please send another dump.
>
> -Tom