I have two ISPs, both providing a T1 with public IPs. I also have two LAN interfaces, one for our corporate LAN and the other serving wifi with just Internet access. Corporate LAN should be routed out ISP A and wifi should be routed out ISP B.

I have two dual port cards in the fw that I'm using with Shorewall.

eth0 = wifi
eth1 = LAN
eth2 = ISP B
eth3 = ISP A

Internet connectivity is working fine for the LAN. I can also get to the fw from either the LAN or wifi zones without any problems. However, I can't access the Internet from the wifi zone. Any suggestions?

My policy file looks like this:

#SOURCE   DEST    POLICY   LOG     LIMIT:BURST
#                          LEVEL
lan       isp-a   ACCEPT
lan       fw      ACCEPT   info
isp-b     fw      ACCEPT   info
wifi      isp-b   ACCEPT
wifi      fw      ACCEPT   info
wifi      all     DROP     info
isp-a     fw      ACCEPT   info
isp-a     all     DROP     info
fw        isp-b   ACCEPT   info
fw        wifi    ACCEPT
all       all     REJECT   info

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Jamie Begin wrote:
>
> Internet connectivity is working fine for the LAN. I can also get to the
> fw from either the LAN or wifi zones without any problems. However, I
> can't access the Internet from the wifi zone. Any suggestions?

Yes -- when reporting problems, please follow the guidelines at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Sorry about that... Here's the dump.

Jamie Begin wrote:
> Sorry about that... Here's the dump.

You have not configured Multi-ISP support in Shorewall! All internet traffic
is being routed out of eth3. Given that you are only defining SNAT out of
that interface for the 192.168.1.0/24 network, that is the only local
network that has internet access.

Please see http://www.shorewall.net/3.0/MultiISP.html

-Tom

Tom Eastep wrote:
> Jamie Begin wrote:
>> Sorry about that... Here's the dump.
>
> You have not configured Multi-ISP support in Shorewall! All internet traffic
> is being routed out of eth3. Given that you are only defining SNAT out of
> that interface for the 192.168.1.0/24 network, that is the only local
> network that has internet access.
>
> Please see http://www.shorewall.net/3.0/MultiISP.html
>

Sorry -- you are using Shorewall 4.0 so the correct URL is
http://www.shorewall.net/MultiISP.html

-Tom

Thanks, Tom! I overlooked the multi-ISP guide and mistakenly believed that just modifying the masq and policy files would take care of the setup. It's working now.

On Nov 19, 2007 3:20 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Jamie Begin wrote:
> > Sorry about that... Here's the dump.
>
> You have not configured Multi-ISP support in Shorewall! All internet
> traffic is being routed out of eth3. Given that you are only defining
> SNAT out of that interface for the 192.168.1.0/24 network, that is the
> only local network that has internet access.
>
> Please see http://www.shorewall.net/3.0/MultiISP.html
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
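
Added example (not part of the thread and not taken from the Shorewall documentation): the three Shorewall 4.0 files that together produce the routing discussed above, with the LAN leaving through eth3 and wifi through eth2. Interface names and 192.168.1.0/24 come from the thread; the provider names ispa and ispb and every value in angle brackets are placeholders, because the thread gives no gateway, public or wifi addresses.

```conf
# Constructed example. eth0 = wifi, eth1 = LAN, eth2 = ISP B, eth3 = ISP A
# (from the thread). Angle-bracket values are placeholders to be replaced
# with site-specific addresses; 'ispa' and 'ispb' are hypothetical names.

# --- /etc/shorewall/providers ---
# One routing table per uplink. 'track' makes replies to connections that
# arrive on an uplink leave through that same uplink.
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY          OPTIONS
ispa    1       1     main       eth3       <ISP_A_GATEWAY>  track
ispb    2       2     main       eth2       <ISP_B_GATEWAY>  track

# --- /etc/shorewall/route_rules ---
# Source-based routing: choose the provider table by the interface the
# traffic enters on, so wifi clients never use the ISP A default route.
#SOURCE  DEST  PROVIDER  PRIORITY
eth1     -     ispa      1000
eth0     -     ispb      1000

# --- /etc/shorewall/masq ---
# Before (the state diagnosed in the thread): SNAT exists only on eth3
# and only for 192.168.1.0/24, so no other local network reaches the
# Internet:
#   eth3   192.168.1.0/24   <ISP_A_PUBLIC_IP>
# After: each local network is SNATed on the uplink it is routed to.
#INTERFACE  SOURCE          ADDRESS
eth3        192.168.1.0/24  <ISP_A_PUBLIC_IP>
eth2        <WIFI_SUBNET>   <ISP_B_PUBLIC_IP>
```

After restarting Shorewall, `ip rule show` should list a priority-1000 rule for each of eth0 and eth1 pointing at its provider table.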

Hello,

Does a web interface exist to configure Shorewall quickly and easily?
I have found only an interface in Webmin, but I do not use Webmin.
If not, do you have one planned?

Thank you
Graziano

On Tue, Nov 20, 2007 at 12:17:15AM -0700, Graziano wrote:
> Hello,
>
> Does a web interface exist to configure Shorewall quickly and easily?
> I have found only an interface in Webmin, but I do not use Webmin.
> If not, do you have one planned?
>

Graziano,

Two things:

1. Please don't thread hijack (that is, you should send a new message to the list, not reply to another message when you intend to start a new thread of discussion)

2. Shorewall's configuration is *extremely* powerful and flexible. Putting a pretty interface on it is probably bad because:
   a. it will be impossible to keep it up to date with all the changes
   b. it will severely limit what you can accomplish with Shorewall

Overall, the text files are quite simple and well documented. You only need to edit those which pertain to your configuration. The rest you can ignore or omit altogether.

I recommend that you start with one of the simple HOWTOs on the website and get a basic configuration working. Once you have that, you can modify to add or remove capabilities as they suit your needs.

Of course, you can always ask for help on this list or in the #shorewall channel on freenode.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com