Shorewall users - Nov 2007 - Help with a dual ISP, dual LAN config

I have two ISPs, both providing a T1 with public IPs. I also have two LAN
interfaces, one for our corporate LAN and the other serving wifi with just
Internet access. Corporate LAN should be routed out ISP A and wifi should be
routed out ISP B. I have two dual port cards in the fw that I''m using
with
Shorewall.

eth0 = wifi
eth1 = LAN
eth2 = ISP B
eth3 = ISP A

Internet connectivity is working fine for the LAN. I can also get to the fw
from either the LAN or wifi zones without any problems. However, I
can''t
access the Internet from the wifi zone. Any suggestions? My policy file
looks like this:

#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
lan             isp-a           ACCEPT
lan             fw              ACCEPT          info

isp-b           fw              ACCEPT          info

wifi             isp-b           ACCEPT
wifi             fw              ACCEPT          info
wifi             all             DROP            info

isp-a           fw              ACCEPT          info
isp-a           all             DROP            info

fw              isp-b           ACCEPT          info
fw              wifi            ACCEPT

all             all             REJECT          info


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Jamie Begin wrote:
> 
> Internet connectivity is working fine for the LAN. I can also get to the
> fw from either the LAN or wifi zones without any problems. However, I
> can''t access the Internet from the wifi zone. Any suggestions?
Yes -- when reporting problems, please follow the guidelines at
http://www.shorewall.net/support.htm#Guidelines.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Sorry about that... Here''s the dump.



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Jamie Begin wrote:
> Sorry about that... Here''s the dump.
You have not configured Multi-ISP support in Shorewall! All internet traffic
is being routed out of eth3. Given that you are only defining SNAT out of
that interface for the 192.168.1.0/24 network, that is the only local
network that has internet access.

Please see http://www.shorewall.net/3.0/MultiISP.html

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Tom Eastep wrote:
> Jamie Begin wrote:
>> Sorry about that... Here''s the dump.
> 
> You have not configured Multi-ISP support in Shorewall! All internet
traffic
> is being routed out of eth3. Given that you are only defining SNAT out of
> that interface for the 192.168.1.0/24 network, that is the only local
> network that has internet access.
> 
> Please see http://www.shorewall.net/3.0/MultiISP.html
> 
Sorry -- you are using Shorewall 4.0 so the correct URL is
http://www.shorewall.net/MultiISP.html

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Thanks, Tom! I overlooked the multi-ISP guide and mistakenly believed that
just modifying the masq and policy files would take care of the setup.
It''s
working now.

On Nov 19, 2007 3:20 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Jamie Begin wrote:
> > Sorry about that... Here''s the dump.
>
> You have not configured Multi-ISP support in Shorewall! All internet
> traffic
> is being routed out of eth3. Given that you are only defining SNAT out of
> that interface for the 192.168.1.0/24 network, that is the only local
> network that has internet access.
>
> Please see http://www.shorewall.net/3.0/MultiISP.html
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2005.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Hello


does exist a web interface to configure in a fast and easy shorewall ?
I have found nly an interface on webim but I do no use webmin.
If no ,  do you have it in plan ?

Thank you
Graziano

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

On Tue, Nov 20, 2007 at 12:17:15AM -0700, Graziano
wrote:
> Hello
> 
> 
> does exist a web interface to configure in a fast and easy shorewall ?
> I have found nly an interface on webim but I do no use webmin.
> If no ,  do you have it in plan ?
> 
Graziano,

Two things:

  1. Please don''t thread hijack (that is, you should send a new message
  to the list, not reply to another message when you intend to start a
  new thread of discussion)

  2. Shorewall''s configuration is *extremely* powerful and flexible.
  Putting a pretty interface on it is probably bad because:

    a. it will be impossible to keep it up to date with all the changes

    b. it will severely limit what you can accomplish with Shorewall

  Overall, the text files are quite simple and well documented.  You
  only need to edit those which pertain to your configuration.  The rest
  you can ignore or omit altogether.  I recommend that you start with
  one of the simple HOWTOs on the website and get a basic configuration
  working.  Once you have that, you can modify to add or remove
  capabilities as they suit your needs.  Of course, you can always ask
  for help on this list or in the #shorewall channel on freenode.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/