Hello,

I have two NICs in my box, one of which connects to a local net with 10.31.x.x and the other one to the outside. I can ssh fine to anything in the 10.31 subnet, but other parts of the local net like 10.4.x.x don't work.

I'm frankly at a loss where to even start looking for what (the default routes according to the net admin are correct) and would appreciate any help on what to do and what to provide to the group in terms of configuration information. Does this fall under the "connection" problems on the support page or no?

Thanks,
Joh

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
Johannes Graumann wrote:
> Hello,
>
> I have two NICs in my box, one of which connects to a local net with
> 10.31.x.x and the other one to the outside. I can ssh fine to anything in
> the 10.31 subnet, but other parts of the local net like 10.4.x.x don't
> work.
> I'm frankly at a loss where to even start looking for what (the default
> routes according to the net admin are correct) and would appreciate any
> help on what to do and what to provide to the group in terms of
> configuration information. Does this fall under the "connection" problems
> on the support page or no?

Yes -- this is a connection problem.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Yes -- this is a connection problem.

Thanks,

So I did as the troubleshooting page requests:
- first ssh 10.31.0.69 (works)
- second ssh 10.4.0.38 (fails)
- /sbin/shorewall dump > /tmp/status.txt && bzip2 /tmp/status.txt

File is attached. Any hints are greatly appreciated!

Joh
On Fri, 2007-08-17 at 08:42 +0200, Johannes Graumann wrote:
> Tom Eastep wrote:
> > Yes -- this is a connection problem.
>
> Thanks, So I did as the troubleshooting page requests:
> - first ssh 10.31.0.69 (works)
> - second ssh 10.4.0.38 (fails)

You ssh'ed from where? The firewall? And what does "fails" mean? Timeout? Connection Refused? Keyboard burst into flames?

> - /sbin/shorewall dump > /tmp/status.txt && bzip2 /tmp/status.txt
>
> File is attached. any hints are greatly appreciated!

From the dump, it looks like you have a providers file that looks something like this:

    #PROVIDER  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS  COPY
    ICA        1       1     main       eth1       141.61.79.1  loose    eth0
    LAN        2       2     main       eth0       10.31.0.1    loose    eth1

There are a number of things wrong with this:

a) You don't want the 'loose' option.
b) You do want the 'balance' option.
c) You don't want to copy eth1 routes to the ICA routing table.
d) You don't want to copy eth0 routes to the LAN routing table.
e) You DO want to copy vmnet0 and vmnet8 routes to both routing tables.

So you need a providers file more on the order of:

    #PROVIDER  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS  COPY
    ICA        1       1     main       eth1       141.61.79.1  balance  vmnet0,vmnet8
    LAN        2       2     main       eth0       10.31.0.1    balance  vmnet0,vmnet8

You are also missing the entries in /etc/shorewall/masq recommended by the MultiISP documentation (http://www.shorewall.net/3.0/MultiISP.html). See the paragraph that begins "Regardless of whether you have masqueraded hosts or not,...".

Now about the test you performed. I suspect that 10.4.0.38 is only accessible via eth0 but your main routing table doesn't reflect that. So you must add routes via 10.31.0.1 to those non-local networks that are only accessible through eth0.

-Tom
Thanks for your time and help!

Tom Eastep wrote:
>> Thanks, So I did as the troubleshooting page requests:
>> - first ssh 10.31.0.69 (works)
>> - second ssh 10.4.0.38 (fails)
>
> You ssh'ed from where? The firewall?

Correct.

> And what does "fails" mean?

    ssh 10.4.0.38
    ssh: connect to host 10.4.0.38 port 22: Connection timed out

> From the dump, it looks like you have a providers file that looks
> something like this:
>
> #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
> ICA 1 1 main eth1 141.61.79.1 loose eth0
> LAN 2 2 main eth0 10.31.0.1 loose eth1

You are correct again.

> There are a number of things wrong with this:
> a) You don't want the 'loose' option.

Agreed.

> b) You do want the 'balance' option.

Is this really true? Doesn't that imply that I try to use both connections equally? In truth I'm trying to route everything but the 10.* and 192.* networks through eth1 ...

> c) You don't want to copy eth1 routes to the ICA routing table.
> d) You don't want to copy eth0 routes to the LAN routing table.
> e) You DO want to copy vmnet0 and vmnet8 routes to both routing tables.

All agreed.

> So you need a providers file more on the order of:
> #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
> ICA 1 1 main eth1 141.61.79.1 balance vmnet0,vmnet8
> LAN 2 2 main eth0 10.31.0.1 balance vmnet0,vmnet8

Adapted.

> You are also missing the entries in /etc/shorewall/masq recommended by
> the MultiISP documentation (http://www.shorewall.net/3.0/MultiISP.html).
> See the paragraph that begins "Regardless of whether you have
> masqueraded hosts or not,...".

No, I'm not ... /etc/shorewall/params reads:

    # second line of ifconfig output carries "inet addr:<IP>  Bcast:..."; take the address after the colon
    ETH0_IP=$(python -c 'import os;print os.popen("ifconfig eth0").readlines()[1].split(":")[1].split(" ")[0].strip()')
    ETH1_IP=$(python -c 'import os;print os.popen("ifconfig eth1").readlines()[1].split(":")[1].split(" ")[0].strip()')

And /etc/shorewall/masq has:

    eth0 $ETH1_IP $ETH0_IP
    eth1 $ETH0_IP $ETH1_IP

> Now about the test you performed. I suspect that 10.4.0.38 is only
> accessible via eth0 but your main routing table doesn't reflect that.
> So you must add routes via 10.31.0.1 to those non-local networks that
> are only accessible through eth0.

I tried to achieve that with the following /etc/shorewall/route_rules:

    -  192.168.0.0/16  LAN  26000
    -  0.0.0.0/0       ICA  26000
    -  10.0.0.0/8      LAN  26000

... but according to your analysis this doesn't seem to work ... I also tried this with "lo" as the source ...

Thanks again for your insight,
Joh
Johannes Graumann wrote:
>> Now about the test you performed. I suspect that 10.4.0.38 is only
>> accessible via eth0 but your main routing table doesn't reflect that.
>> So you must add routes via 10.31.0.1 to those non-local networks that
>> are only accessible through eth0.
>
> I tried to achieve that with the following /etc/shorewall/route_rules:
> - 192.168.0.0/16 LAN 26000
> - 0.0.0.0/0 ICA 26000
> - 10.0.0.0/8 LAN 26000

... 0.0.0.0/0 is the last route really ... sorry for the mess up ... still doesn't work,

Joh
Johannes Graumann wrote:
> Thanks for your time and help!
>
> Tom Eastep wrote:
>>> Thanks, So I did as the troubleshooting page requests:
>>> - first ssh 10.31.0.69 (works)
>>> - second ssh 10.4.0.38 (fails)
>> You ssh'ed from where? The firewall?
> Correct.
>
>> And what does "fails" mean?
> ssh 10.4.0.38
> ssh: connect to host 10.4.0.38 port 22: Connection timed out
>
>> From the dump, it looks like you have a providers file that looks
>> something like this:
>>
>> #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
>> ICA 1 1 main eth1 141.61.79.1 loose eth0
>> LAN 2 2 main eth0 10.31.0.1 loose eth1
> You are correct again.
>
>> There are a number of things wrong with this:
>> a) You don't want the 'loose' option.
> Agreed.
>> b) You do want the 'balance' option.
> Is this really true? Doesn't that imply that I try to use both connections
> equally? In truth I'm trying to route everything but the 10.* and 192.*
> networks through eth1 ...

From the MultiISP howto:

-----------------------
Important

If you are using /etc/shorewall/providers because you have multiple internet connections, we recommend that you specify 'balance' even if you don't need it. You can still use entries in /etc/shorewall/tcrules (and /etc/shorewall/route_rules) to force all traffic to one provider or another.

Note

If you don't heed this advice then be prepared to read FAQ 57 and FAQ 58.
------------------------

We don't make these recommendations because we're idiots; we make them because we've found that most people can't make multi-ISP work without 'balance'.

>> c) You don't want to copy eth1 routes to the ICA routing table.
>> d) You don't want to copy eth0 routes to the LAN routing table.
>> e) You DO want to copy vmnet0 and vmnet8 routes to both routing tables.
> All agreed.
>
>> So you need a providers file more on the order of:
>> #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
>> ICA 1 1 main eth1 141.61.79.1 balance vmnet0,vmnet8
>> LAN 2 2 main eth0 10.31.0.1 balance vmnet0,vmnet8
> Adapted.
>
> And /etc/shorewall/masq has:
> eth0 $ETH1_IP $ETH0_IP
> eth1 $ETH0_IP $ETH1_IP

Sorry -- I must have been asleep.

>> Now about the test you performed. I suspect that 10.4.0.38 is only
>> accessible via eth0 but your main routing table doesn't reflect that.
>> So you must add routes via 10.31.0.1 to those non-local networks that
>> are only accessible through eth0.
>
> I tried to achieve that with the following /etc/shorewall/route_rules:
> - 192.168.0.0/16 LAN 26000
> - 0.0.0.0/0 ICA 26000
> - 10.0.0.0/8 LAN 26000
> ... but according to your analysis this doesn't seem to work ... I also
> tried this with "lo" as the source ...

I'm sorry but I'm not going to try to visualize what your configuration now looks like after you've made all of these changes; I'll need to see another dump.

-Tom
Tom Eastep wrote:
> I'm sorry but I'm not going to try to visualize what your configuration
> now looks like after you've made all of these changes; I'll need to see
> another dump.

Attached.

Thank you again,
Joh
Johannes Graumann wrote:
> Tom Eastep wrote:
>> I'm sorry but I'm not going to try to visualize what your configuration
>> now looks like after you've made all of these changes; I'll need to see
>> another dump.
> Attached.
>

Your routing rules are now:

    Routing Rules
    0:      from all lookup local
    10001:  from all fwmark 0x1 lookup LAN
    10002:  from all fwmark 0x2 lookup ICA
    20000:  from 10.31.0.96 lookup LAN
    20256:  from 141.61.79.153 lookup ICA
    26000:  from all to 192.168.0.0/16 iif lo lookup LAN
    26000:  from all iif lo lookup ICA
    32766:  from all lookup main
    32767:  from all lookup default

All of the 'iif lo' appearing in the rules are nonsense. Those rules will never match since any traffic arriving on the 'lo' interface is addressed to the firewall itself and handled already by the 'local' table. So your routing rules are really this:

    0:      from all lookup local
    10001:  from all fwmark 0x1 lookup LAN
    10002:  from all fwmark 0x2 lookup ICA
    20000:  from 10.31.0.96 lookup LAN
    20256:  from 141.61.79.153 lookup ICA
    32766:  from all lookup main
    32767:  from all lookup default

So, if you attempt to ssh to 10.4.0.38, we end up at 32766 (lookup main). Your 'main' table has:

    172.16.35.0/24 dev vmnet8  proto kernel  scope link  src 172.16.35.1
    192.168.149.0/24 dev vmnet1  proto kernel  scope link  src 192.168.149.1
    141.61.79.0/24 dev eth1  proto kernel  scope link  src 141.61.79.153
    10.31.0.0/16 dev eth0  proto kernel  scope link  src 10.31.0.96
    default
            nexthop via 10.31.0.1  dev eth0 weight 1
            nexthop via 141.61.79.1  dev eth1 weight 1
    default via 10.31.0.1 dev eth0

The first 'default' route is the one that matches this traffic so we can go to either provider. So it may or may not do the right thing.

a) Remove your 'lo' entries from the route_rules file
b) Add entries in the 15000 range that direct traffic to 10.0.0.0/8 to the LAN table.
c) I would also remove the route filtering from both eth0 and eth0 until you get this working. Since you are not logging martians, you have no idea if your kernel is silently dropping response packets.

-Tom
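The rule walk Tom describes above (priority order, 'iif lo' never matching locally generated traffic, falling through to the multipath default in 'main', and the 15000 rule fixing it) as an added, constructed model in Python; this is not code from the thread or from Shorewall. Table contents and addresses are the ones quoted from the dump; each route is reduced to the device it would use, and the 'default' table is assumed empty.

```python
import ipaddress

# Constructed model of the firewall's routing tables as quoted from the dump;
# only the device (or next hop) of each route is tracked.
TABLES = {
    "local": [("10.31.0.96/32", "lo"), ("141.61.79.153/32", "lo"), ("127.0.0.0/8", "lo")],
    "LAN":   [("10.31.0.0/16", "eth0"), ("0.0.0.0/0", "eth0 via 10.31.0.1")],
    "ICA":   [("141.61.79.0/24", "eth1"), ("0.0.0.0/0", "eth1 via 141.61.79.1")],
    "main":  [("172.16.35.0/24", "vmnet8"), ("192.168.149.0/24", "vmnet1"),
              ("141.61.79.0/24", "eth1"), ("10.31.0.0/16", "eth0"),
              ("0.0.0.0/0", "nexthop eth0 or eth1 (multipath)")],
    "default": [],   # assumed empty, as on a stock system
}

def longest_prefix(table, dst):
    """Return the device of the most specific route covering dst, or None."""
    hits = [(ipaddress.ip_network(net).prefixlen, dev) for net, dev in table
            if dst in ipaddress.ip_network(net)]
    return max(hits)[1] if hits else None

def lookup(rules, dst, iif=None, fwmark=0, src=None):
    """Walk policy rules in priority order, the way the kernel does.

    iif=None and src=None model an ssh typed on the firewall itself: the packet
    has no input interface, so 'iif lo' can never match it, and no source
    address is bound yet, so the 'from <address>' rules do not match either.
    """
    dst = ipaddress.ip_address(dst)
    for prio, match, table in sorted(rules, key=lambda r: r[0]):
        if "to" in match and dst not in ipaddress.ip_network(match["to"]): continue
        if "iif" in match and match["iif"] != iif: continue
        if "fwmark" in match and match["fwmark"] != fwmark: continue
        if "from" in match and match["from"] != src: continue
        dev = longest_prefix(TABLES[table], dst)
        if dev is not None:          # table has no route for dst: keep walking
            return prio, table, dev
    return None

# Rules exactly as they appeared in the dump, including the two 'iif lo' entries.
POSTED_RULES = [
    (0, {}, "local"), (10001, {"fwmark": 1}, "LAN"), (10002, {"fwmark": 2}, "ICA"),
    (20000, {"from": "10.31.0.96"}, "LAN"), (20256, {"from": "141.61.79.153"}, "ICA"),
    (26000, {"to": "192.168.0.0/16", "iif": "lo"}, "LAN"), (26000, {"iif": "lo"}, "ICA"),
    (32766, {}, "main"), (32767, {}, "default"),
]
# Tom's fix: drop the 'lo' rules and send 10.0.0.0/8 to the LAN table at priority 15000.
FIXED_RULES = [r for r in POSTED_RULES if "iif" not in r[1]] + [(15000, {"to": "10.0.0.0/8"}, "LAN")]

if __name__ == "__main__":
    print(lookup(POSTED_RULES, "10.4.0.38"))  # (32766, 'main', 'nexthop eth0 or eth1 (multipath)')
    print(lookup(FIXED_RULES, "10.4.0.38"))   # (15000, 'LAN', 'eth0 via 10.31.0.1')
```

With the posted rules the ssh to 10.4.0.38 lands on the multipath default and may leave via eth1; with the 15000 rule it is pinned to the LAN table and 10.31.0.1.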
Tom Eastep wrote:
> a) Remove your 'lo' entries from the route_rules file
> b) Add entries in the 15000 range that direct traffic to 10.0.0.0/8 to the
> LAN table.
> c) I would also remove the route filtering from both eth0 and eth0 until
> you get this working. Since you are not logging martians, you have no idea
> if your kernel is silently dropping response packets.

The 15000 thing did the job. Sir, you are a genius! Thanks!

Joh