I'm planning a multi isp setup and carefully read the documentation. One thing that bothers me is the masq file. The example uses a single ip address on each public interface. I have multiple addresses on both public interfaces (16 on one and 64 on the other). I'm a bit confused about what to put in the masq file in this situation. Any insights would be appreciated.

Ronald

--
Ronald van der Meer | Senior Software Engineer
Adlib Information Systems
P.O. Box 1436 | 3600 BK Maarssen | The Netherlands
Tel. +31 (0)30 - 2411885 | Fax. +31 (0)30 - 2412568
http://www.adlibsoft.com | mailto:r.vdmeer@adlibsoft.com

use the addresses that your first router has when connected to your isp provider

so
eth0=isp1
eth1=isp2
eth0 connected is 10.0.11.2
eth1 connected is 10.0.12.2

eth0 10.0.12.2 10.0.11.2 # notice the cross
eth1 10.0.11.2 10.0.12.2 #
eth0 $dmzif 10.0.11.2 # if you have a dmz it says if the dmz network gets out to the net and it goes through isp1 masquerade it as 10.0.11.2
eth1 $dmzif 10.0.12.2
eth0 $locif 10.0.11.2
eth1 $locif 10.0.12.2

also if you are not aware of what address is given to your firewall - router use

IF0=`find_first_interface_address eth0`
IF1=`find_first_interface_address eth1`

If I am right you are all set and ready to go .....

Regards

>I'm planning a multi isp setup and carefully read the
>documentation. One thing that bothers me is the masq
>file. The example uses a single ip address on each
>public interface. I have multiple addresses on both
>public interfaces (16 on one and 64 on the other).
>I'm a bit confused about what to put in the masq file
>in this situation. Any insights would be appreciated.
>
>Ronald
>
>--
>Ronald van der Meer | Senior Software Engineer
>
>Adlib Information Systems
>P.O. Box 1436 | 3600 BK Maarssen | The Netherlands
>Tel. +31 (0)30 - 2411885 | Fax. +31 (0)30 - 2412568
>http://www.adlibsoft.com | mailto:r.vdmeer@adlibsoft.com

On Tuesday 04 April 2006 05:38, Ronald van der Meer wrote:
> I'm planning a multi isp setup and carefully read the
> documentation. One thing that bothers me is the masq
> file. The example uses a single ip address on each
> public interface. I have multiple addresses on both
> public interfaces (16 on one and 64 on the other).
> I'm a bit confused about what to put in the masq file
> in this situation. Any insights would be appreciated.

Unless you have applications running on the firewall that bind to one of those other IP addresses, you only need to include masq rules for the primary IP address on each interface.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Thank you Tom. Could you please explain what exactly the purpose is of these masq entries? What does it solve? And what happens if they are not there? I always like to understand what I'm doing. Couldn't find it in the faq or in the MultiISP document.

Ronald

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On
> Behalf Of Tom Eastep
> Sent: Tuesday, April 04, 2006 5:21 PM
> To: shorewall-users@lists.sourceforge.net
> Cc: Ronald van der Meer
> Subject: Re: [Shorewall-users] Multi ISP, multi address, masq file
>
> On Tuesday 04 April 2006 05:38, Ronald van der Meer wrote:
> > I'm planning a multi isp setup and carefully read the
> > documentation. One thing that bothers me is the masq
> > file. The example uses a single ip address on each
> > public interface. I have multiple addresses on both
> > public interfaces (16 on one and 64 on the other).
> > I'm a bit confused about what to put in the masq file
> > in this situation. Any insights would be appreciated.
>
> Unless you have applications running on the firewall that
> bind to one of those other IP addresses, you only need to
> include masq rules for the primary IP address on each interface.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

On Tuesday 04 April 2006 11:22, Ronald van der Meer wrote:
> Thank you Tom. Could you please explain what exactly the purpose
> is of these masq entries? What does it solve? And what happens
> if they are not there? I always like to understand what I'm doing.
> Couldn't find it in the faq or in the MultiISP document.
>

It assures that connections originating on the firewall use the correct source IP address (so that connections going out through ethN don't have the source IP of ethM).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

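The effect described in the last reply, as an added example that is not part of the original thread and not Shorewall's own code: the two "cross" masq entries from the earlier reply are turned into equivalent plain iptables SNAT rules, and a small lookup shows which source address a firewall-originated packet ends up with. The helper names and the sample entries are constructed for illustration, only exact-address SOURCE columns are handled, and the rules Shorewall actually generates may be organised differently.

```shell
#!/bin/sh
# Constructed sample masq entries (INTERFACE SOURCE ADDRESS), modelled on the
# thread: eth0 holds 10.0.11.2 (ISP1), eth1 holds 10.0.12.2 (ISP2).
MASQ_SAMPLE='
#INTERFACE  SOURCE      ADDRESS
eth0        10.0.12.2   10.0.11.2   # the "cross" entries
eth1        10.0.11.2   10.0.12.2
'

# Hypothetical helper: read masq lines on stdin and print one equivalent
# plain iptables rule per entry (MASQUERADE when ADDRESS is empty or "-").
masq_to_snat() {
    while read -r iface source addr _rest; do
        case "$iface" in ''|'#'*) continue ;; esac
        case "$addr" in
            ''|-|'#'*)
                echo "iptables -t nat -A POSTROUTING -o $iface -s $source -j MASQUERADE" ;;
            *)
                echo "iptables -t nat -A POSTROUTING -o $iface -s $source -j SNAT --to-source $addr" ;;
        esac
    done
}

# Hypothetical helper: print the source address a firewall-originated packet
# carries after leaving OUT_IFACE with source SRC (exact-address match only).
source_after_nat() {
    out=$1
    src=$2
    result=$src
    while read -r iface source addr _rest; do
        case "$iface" in ''|'#'*) continue ;; esac
        if [ "$iface" = "$out" ] && [ "$source" = "$src" ]; then
            result=$addr
            break
        fi
    done <<EOF
$MASQ_SAMPLE
EOF
    echo "$result"
}

# A connection bound to eth1's address but routed out eth0 gets eth0's address.
printf '%s\n' "$MASQ_SAMPLE" | masq_to_snat
source_after_nat eth0 10.0.12.2
```

A packet that already carries the address of the interface it leaves through matches no entry and is left unchanged.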