All,

I have 2 shorewall 3.0 firewalls (fw1: 192.168.1.1 and fw2: 192.168.1.2); both are configured 99% the same. Each connects to a different ISP and they share a local network. fw1 also DNATs port 80 to 192.168.1.30 (web1, Debian Linux). I would like to also have fw2 DNAT port 80 to 192.168.1.30.

What is the best way to have the web1 system route the traffic back to the firewall that the request came from? I have looked at the multi-ISP FAQ and, while the web1 system only has 1 NIC, I believe if I put shorewall on it I can make it work.

Any ideas?

Thanks
Jim
On Wednesday 19 April 2006 09:30, Jim Buttafuoco wrote:
> All,
>
> I have 2 shorewall 3.0 firewalls (fw1: 192.168.1.1 and fw2: 192.168.1.2);
> both are configured 99% the same. Each connects to a different ISP and
> they share a local network. fw1 also DNATs port 80 to 192.168.1.30 (web1,
> Debian Linux). I would like to also have fw2 DNAT port 80 to 192.168.1.30.
> What is the best way to have the web1 system route the traffic back to the
> firewall that the request came from? I have looked at the multi-ISP FAQ
> and, while the web1 system only has 1 NIC, I believe if I put shorewall on
> it I can make it work.

Jim,

Please review the recent thread "Please help with dnat issues" started by Ricardo Kleeman. Ricardo had exactly this problem and Jerry Vonau provided a nice solution.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 19 April 2006 09:30, Jim Buttafuoco wrote:
> All,
>
> I have 2 shorewall 3.0 firewalls (fw1: 192.168.1.1 and fw2: 192.168.1.2);
> both are configured 99% the same. Each connects to a different ISP and
> they share a local network. fw1 also DNATs port 80 to 192.168.1.30 (web1,
> Debian Linux). I would like to also have fw2 DNAT port 80 to 192.168.1.30.
> What is the best way to have the web1 system route the traffic back to the
> firewall that the request came from? I have looked at the multi-ISP FAQ
> and, while the web1 system only has 1 NIC, I believe if I put shorewall on
> it I can make it work.

Hi Jim,

I have a similar setup and with the help of Tom & Jerry ;-) I was able to get the dual router setup configured.

I would suggest, however, that your fw1 and fw2 be on different networks; currently you have them on the same network, but with different IPs. So for example, you can have fw1 at 192.168.1.1 and fw2 at 192.168.x.1 where x can be whatever you like. For example, say you have fw2 at 192.168.2.1; your internal server then can have 2 IPs, 192.168.1.30 and 192.168.2.30.

Below is a script I run at startup on the server (not on the firewall). The internal server has 1 main IP and the secondary IP (that is on the alternate network) is configured via the script. I've changed my own settings to match what you have.
#!/bin/sh
# Jerry's script to install second ip address
# and use 2 gateways on the same local LAN

# Need some variables
LAN=192.168.1.0
MASK=/24
BCAST=192.168.1.255
IP1=192.168.1.30
GW1=192.168.1.1

LAN2=192.168.2.0
MASK2=/24
BCAST2=192.168.2.255
IP2=192.168.2.30
GW2=192.168.2.1

# Add second ip for use with second gateway
echo " set second ip "
/sbin/ip addr add $IP2$MASK2 broadcast $BCAST2 dev eth0

# This needs to be run once
#echo 200 T1 >> /etc/iproute2/rt_tables
#echo 201 T2 >> /etc/iproute2/rt_tables

# add "table routes" from the ips to their own table
echo " set ip to table routes "
/sbin/ip route add $LAN$MASK src $IP1 dev eth0 table T1
/sbin/ip route add $LAN2$MASK2 src $IP2 dev eth0 table T2

# Add a host route for each gateway to their table
# May not be required.
echo " add host routes for gateways to tables "
/sbin/ip route add $GW1 dev eth0 table T1
/sbin/ip route add $GW2 dev eth0 table T2

# add the gateways to their tables
echo " add gateways to the tables "
/sbin/ip route add default via $GW1 dev eth0 table T1
/sbin/ip route add default via $GW2 dev eth0 table T2

# Now we need some rules
# These force the tables to be used
# this needs to be run once
echo " add rules "
/sbin/ip rule add from $IP1 table T1
/sbin/ip rule add from $IP2 table T2
/sbin/ip rule add to $GW1 table T1
/sbin/ip rule add to $GW2 table T2

# replace the stock gateway
echo "replace gateway"
/sbin/ip route replace default nexthop via $GW1 weight 1 nexthop via $GW2 weight 1
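To see why the "from $IP2 table T2" rule is what sends replies back through fw2, here is a small Python model of the rules and tables the script above leaves on web1. It is an added example, not code from the thread or from Shorewall; the addresses are the ones from the thread, 203.0.113.7 is a constructed outside client, and the rule order assumes that "ip rule add" without an explicit priority places each new rule ahead of the previously added one (so the "to $GW" rules are consulted first).

```python
import ipaddress

# Constructed model of the state Jerry's script builds on web1 (addresses from the thread).
IP1, GW1 = "192.168.1.30", "192.168.1.1"
IP2, GW2 = "192.168.2.30", "192.168.2.1"

# Routing tables: (prefix, next hops). None means directly connected on eth0;
# a list with two hops is the multipath default that replaced the stock gateway.
TABLES = {
    "T1": [("192.168.1.0/24", None), (GW1 + "/32", None), ("0.0.0.0/0", [GW1])],
    "T2": [("192.168.2.0/24", None), (GW2 + "/32", None), ("0.0.0.0/0", [GW2])],
    "main": [("192.168.1.0/24", None), ("192.168.2.0/24", None), ("0.0.0.0/0", [GW1, GW2])],
}

# Policy rules in lookup order. Assumption: `ip rule add` without a priority numbers each
# new rule one below the previous one, so the last-added rule (to $GW2) is checked first.
RULES = [("to", GW2, "T2"), ("to", GW1, "T1"), ("from", IP2, "T2"), ("from", IP1, "T1"),
         ("all", None, "main")]

def lookup(table, dst):
    """Longest-prefix match in one table; returns the next hops, or None if no route."""
    best = None
    for prefix, hops in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hops)
    if best is None:
        return None
    return ["on-link"] if best[1] is None else list(best[1])

def route(src, dst):
    """Kernel-style lookup: the first rule that matches and whose table has a route decides.
    src=None models a locally originated packet before source address selection."""
    d = ipaddress.ip_address(dst)
    s = ipaddress.ip_address(src) if src else None
    for kind, sel, table in RULES:
        if kind == "from" and s != ipaddress.ip_address(sel):
            continue
        if kind == "to" and d != ipaddress.ip_address(sel):
            continue
        hops = lookup(table, d)
        if hops is not None:
            return table, hops
    return None, None

if __name__ == "__main__":
    # A reply to a request DNATed by fw2 is sourced from IP2, so it leaves via fw2, not fw1.
    print(route(IP2, "203.0.113.7"))   # ('T2', ['192.168.2.1'])
    print(route(IP1, "203.0.113.7"))   # ('T1', ['192.168.1.1'])
    print(route(None, "203.0.113.7"))  # ('main', ['192.168.1.1', '192.168.2.1'])
```

Without the "from" rules every reply would fall through to the multipath default in main and could leave through the wrong firewall, which is the asymmetric-routing problem Jim describes.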
I did see the initial postings from last week (I believe) and that is what gave me this idea. So every server will need to be on both the 192.168.1.XXX and 192.168.2.XXX networks for this to work; no problem, I can just define eth0:1 for the second network. I will give this a try and get back to you.

Thanks for your help
Jim

---------- Original Message -----------
From: "Ricardo Kleemann" <ricardo@americasnet.com>
To: shorewall-users@lists.sourceforge.net
Sent: Wed, 19 Apr 2006 10:10:55 -0700
Subject: Re: [Shorewall-users] 2 shorewall firewalls and routing
------- End of Original Message -------
This works great. Thanks

Jim

---------- Original Message -----------
From: "Ricardo Kleemann" <ricardo@americasnet.com>
To: shorewall-users@lists.sourceforge.net
Sent: Wed, 19 Apr 2006 10:10:55 -0700
Subject: Re: [Shorewall-users] 2 shorewall firewalls and routing
------- End of Original Message -------