Hi,

I am in the process of upgrading a multi-isp router (ISP1, 2, 3). Previously it was working as expected with Shorewall 3.0.8 and kernel 2.6.16.

I'm now having trouble with ISP2 and ISP3 only after moving to shorewall 3.4.2 and kernel 2.6.19. Incoming connections don't complete.
An example:
a DNAT rule redirects Internet port 443 to a lan server. (from 217.126.158.166 to 85.48.225.159:443 -> 10.215.144.16:443)

Note that 85.48.225.159 (ISP3) is on the ADSL modem/router (PPPoA) and has local IP 192.168.101.1 and redirects all incoming traffic to 192.168.101.2 which is the multi-isp shorewall gateway.

Please find the shorewall dump here:
http://fhm.zapto.org/dump.gz

The failing connection is:

tcp 6 33 SYN_RECV src=217.126.158.166 dst=192.168.101.2 sport=2789 dport=443 packets=1 bytes=48 src=10.215.144.16 dst=217.126.158.166 sport=443 dport=2789 packets=3 bytes=144 mark=3 use=1

DNAT rules on ISP1 (192.168.92.2) work as expected from the Internet.

Also, according to the rules, pings on $FW should also reply on ISP2 and ISP3 but they don't. They only reply on ISP1. I did the tests and dumped the following:
http://fhm.zapto.org/dump2.gz

Before disabling log_martians in /proc/sys/.../conf/*/log_martians I used to receive a lot of martian log messages (as expected). So I removed routefilter as from http://www.shorewall.net/MultiISP.html and also disabled any tcrules entries which all worked fine with the previous kernel.

In fact, if I reboot with kernel 2.6.16, all's well again.

Any help or hints appreciated as to how to pinpoint the problem in the new kernel.

Vieri
Vieri Di Paola wrote:
> Hi,
>
> I am in the process of upgrading a multi-isp router (ISP1, 2, 3). Previously it was working as expected with Shorewall 3.0.8 and kernel 2.6.16.
>
> I'm now having trouble with ISP2 and ISP3 only after moving to shorewall 3.4.2 and kernel 2.6.19. Incoming connections don't complete.
> An example:
> a DNAT rule redirects Internet port 443 to a lan server. (from 217.126.158.166 to 85.48.225.159:443 -> 10.215.144.16:443)
>
> Note that 85.48.225.159 (ISP3) is on the ADSL modem/router (PPPoA) and has local IP 192.168.101.1 and redirects all incoming traffic to 192.168.101.2 which is the multi-isp shorewall gateway.
>
> Please find the shorewall dump here:
> http://fhm.zapto.org/dump.gz

This doesn't look good:

10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10001: from all lookup ISP1
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10002: from all lookup ISP2
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3
10003: from all lookup ISP3

What route_rules entries do you have?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Vieri Di Paola wrote:
>> Hi,
>>
>> I am in the process of upgrading a multi-isp router (ISP1, 2, 3). Previously it was working as expected with Shorewall 3.0.8 and kernel 2.6.16.
>>
>> I'm now having trouble with ISP2 and ISP3 only after moving to shorewall 3.4.2 and kernel 2.6.19. Incoming connections don't complete.
>> An example:
>> a DNAT rule redirects Internet port 443 to a lan server. (from 217.126.158.166 to 85.48.225.159:443 -> 10.215.144.16:443)
>>
>> Note that 85.48.225.159 (ISP3) is on the ADSL modem/router (PPPoA) and has local IP 192.168.101.1 and redirects all incoming traffic to 192.168.101.2 which is the multi-isp shorewall gateway.
>>
>> Please find the shorewall dump here:
>> http://fhm.zapto.org/dump.gz
>
> This doesn't look good:
>
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10001: from all lookup ISP1
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10002: from all lookup ISP2
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
> 10003: from all lookup ISP3
>
> What route_rules entries do you have?

Those rules have the priority of the rules that Shorewall generates to match fwmarks to providers. So I'm guessing that your kernel isn't handling routing rules correctly.

Rule generation looks wrong because the rules don't have the 'fwmark' match included; Shorewall only generates these rules if you put something other than '-' in the MARK column of /etc/shorewall/providers.

Because the wrong rule is being instantiated, the code which deletes these rules during 'restart' also doesn't work. This is leaving you with an additional rule per provider per 'shorewall restart'.

-Tom
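The two symptoms Tom points at above (provider rules at priorities 10001-10003 with no fwmark match, and one extra copy of each rule per restart) are easy to check mechanically on the output of "ip rule show". The following check is an added example written for this thread, not part of Shorewall or of the original posts; both sample tables are constructed, the "broken" one from the rule lines quoted in the thread and the "healthy" one from the shape Shorewall is described as generating when the providers file has a MARK value (an assumption, labelled in the code).

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): scan `ip rule show`
# output for provider rules that lack a fwmark match and for priorities that
# occur more than once (leftover rules from repeated `shorewall restart`).
# Real `ip rule` output separates the priority from the rest with a tab; awk
# splits on any whitespace, so the spaces used in the samples below are fine.

# Constructed sample: the shape seen in the thread's dump (no fwmark, duplicates).
SAMPLE_BROKEN='0:      from all lookup local
10001:  from all lookup ISP1
10001:  from all lookup ISP1
10001:  from all lookup ISP1
10002:  from all lookup ISP2
10002:  from all lookup ISP2
10003:  from all lookup ISP3
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample: assumed healthy table, one rule per provider, each with
# the fwmark match that Shorewall adds when the MARK column is not '-'.
SAMPLE_GOOD='0:      from all lookup local
10001:  from all fwmark 0x1 lookup ISP1
10002:  from all fwmark 0x2 lookup ISP2
10003:  from all fwmark 0x3 lookup ISP3
32766:  from all lookup main
32767:  from all lookup default'

# check_provider_rules RULES_TEXT
# Prints one line per problem found and returns the number of problems as the
# exit status (0 means the provider rules look sane).
# Problems counted: (a) a rule at priority 10000-19999 (the range Shorewall
# uses for providers) that has no "fwmark" match; (b) a priority that appears
# more than once.
check_provider_rules() {
    printf '%s\n' "$1" | awk '
        /^1[0-9][0-9][0-9][0-9]:/ {
            prio = substr($1, 1, length($1) - 1)   # strip the trailing colon
            count[prio]++
            if ($0 !~ /fwmark/) nomark[prio] = 1
        }
        END {
            problems = 0
            for (p in count) {
                if (nomark[p]) {
                    print "priority " p ": provider rule has no fwmark match"
                    problems++
                }
                if (count[p] > 1) {
                    print "priority " p ": " count[p] " copies (leftover rules from restart?)"
                    problems++
                }
            }
            exit problems
        }'
}

# Usage against the live table (run as root):
#   rules=$(ip rule show); check_provider_rules "$rules"; echo "problems: $?"
```

The function returns the problem count as its exit status, so under "set -e" guard the call with "|| status=$?" rather than letting a non-zero result abort the script. On the constructed broken sample it reports five problems (three missing fwmark matches plus two duplicated priorities); on the healthy sample it reports none.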
--- Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
>> Vieri Di Paola wrote:
>>> Hi,
>>>
>>> I am in the process of upgrading a multi-isp router (ISP1, 2, 3). Previously it was working as expected with Shorewall 3.0.8 and kernel 2.6.16.
>>>
>>> I'm now having trouble with ISP2 and ISP3 only after moving to shorewall 3.4.2 and kernel 2.6.19. Incoming connections don't complete.
>>> An example:
>>> a DNAT rule redirects Internet port 443 to a lan server. (from 217.126.158.166 to 85.48.225.159:443 -> 10.215.144.16:443)
>>>
>>> Note that 85.48.225.159 (ISP3) is on the ADSL modem/router (PPPoA) and has local IP 192.168.101.1 and redirects all incoming traffic to 192.168.101.2 which is the multi-isp shorewall gateway.
>>>
>>> Please find the shorewall dump here:
>>> http://fhm.zapto.org/dump.gz
>>
>> This doesn't look good:
>>
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10001: from all lookup ISP1
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10002: from all lookup ISP2
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>> 10003: from all lookup ISP3
>>
>> What route_rules entries do you have?
>
> Those rules have the priority of the rules that Shorewall generates to match fwmarks to providers. So I'm guessing that your kernel isn't handling routing rules correctly.

Should I look for a specific kernel option?

From the shorewall multi-isp doc:
"
The /etc/shorewall/route_rules file was added in Shorewall version 3.2.0. The route_rules file allows assigning certain traffic to a particular provider just as entries in the tcrules file. The difference between the two files is that entries in route_rules are independent of Netfilter.
"

My route_rules file is empty.
The rules are in tcrules as shown below.

I will try setting some rules in route_rules and see if it works, since this multi-isp router was using an old shorewall (3.0.8).

I may also compile a different kernel.

# Shorewall version 3.4 - Providers File
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS             COPY
ISP1    1       1       main        eth0        192.168.92.1    track,balance=8     eth1
ISP2    2       2       main        eth2        192.168.100.1   track,balance=1     eth1
ISP3    3       3       main        eth3        192.168.101.1   track,balance=1     eth1

# Shorewall version 3.4 - Tcrules File
#MARK   SOURCE              DEST                PROTO   DEST        SOURCE      USER    TEST    LENGTH  TOS
#                                                       PORT(S)     PORT(S)
2:P     0.0.0.0/0           0.0.0.0/0           tcp     25
1:P     10.215.144.0/22     0.0.0.0/0           tcp     80,443
1:P     0.0.0.0/0           217.72.192.149/32   tcp     25
1:P     0.0.0.0/0           217.72.192.188/32   tcp     25
1:P     0.0.0.0/0           212.101.64.4/32     tcp     25
1:P     0.0.0.0/0           212.101.75.227/32   tcp     25
1:P     0.0.0.0/0           64.14.56.246/32     tcp     25
1:P     0.0.0.0/0           216.34.191.52/32    tcp     25
1:P     0.0.0.0/0           158.109.168.132/32  tcp     25
1:P     0.0.0.0/0           158.109.168.135/32  tcp     25
3:P     0.0.0.0/0           0.0.0.0/0           tcp     22,3389,21
3:P     10.215.144.47/32    0.0.0.0/0
3:P     10.215.146.21/32    0.0.0.0/0
2:P     10.215.144.12/32    0.0.0.0/0           tcp     80,443
3:P     10.215.144.10/32    0.0.0.0/0           tcp     80,443
Vieri Di Paola wrote:
>
> Should I look for a specific kernel option?

I have no idea. What you are seeing looks like the kernel is just plain broken rather than missing some option.

If you forward a trace of 'shorewall restart' directly to me, I can make sure that the correct commands are being executed.

>
> From the shorewall multi-isp doc:
> "
> The /etc/shorewall/route_rules file was added in Shorewall version 3.2.0. The route_rules file allows assigning certain traffic to a particular provider just as entries in the tcrules file. The difference between the two files is that entries in route_rules are independent of Netfilter.
> "
>
> My route_rules file is empty.
> The rules are in tcrules as shown below.
>
> I will try setting some rules in route_rules and see if it works, since this multi-isp router was using an old shorewall (3.0.8).
>
> I may also compile a different kernel.

The one you have certainly seems broken.

-Tom
--- Tom Eastep <teastep@shorewall.net> wrote:
> Vieri Di Paola wrote:
>> Should I look for a specific kernel option?
>
> I have no idea. What you are seeing looks like the kernel is just plain broken rather than missing some option.
>
> If you forward a trace of 'shorewall restart' directly to me, I can make sure that the correct commands are being executed.

I'll start a new kernel compilation tonight and thus test it tomorrow. If I see more misbehaviors I'll send in a shorewall trace start.

Thank you