I have a multi-ISP setup and when connecting via poptop
I believe that the firewall does not know to route the traffic back
out of ISP1. Not sure how to tackle this issue. Does anyone have
a suggestion?

Mike

Poptop connects to ISP1 from the net.
ISP2 is a gateway in the local network.
providers

#NAME   NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS        COPY
ISP1    1       256     main       eth0       208.48.178.121  track,balance  eth1
ISP2    2       512     main       eth1       10.5.198.238    track,balance  eth1

masq

#INTERFACE  SOURCE          ADDRESS
eth0        10.5.198.0/24   208.48.178.122
eth1        208.48.178.122  10.5.198.254
tunnels

#TYPE          ZONE   GATEWAY          GATEWAY
#
openvpn:7777   net    131.191.70.21
openvpn:5000   net    205.134.193.138
pptpserver     net    0.0.0.0/0
interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,tcpflags,nosmurfs
loc     eth1        detect      routeback
loc     ppp+
vpnt    tun1
vpno    tun0

ns2:~ # ip route ls
172.16.2.1 dev tun1 proto kernel scope link src 172.16.2.2
172.16.1.1 dev tun0 proto kernel scope link src 172.16.1.2
208.48.178.120/29 dev eth0 proto kernel scope link src 208.48.178.122
192.168.1.0/24 via 172.16.2.1 dev tun1
10.19.227.0/24 via 172.16.1.1 dev tun0
10.5.198.0/24 dev eth1 proto kernel scope link src 10.5.198.254
63.90.86.0/24 via 10.5.198.238 dev eth1
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default
        nexthop via 208.48.178.121  dev eth0 weight 1
        nexthop via 10.5.198.238  dev eth1 weight 1

This is a dump of eth1, the local interface, when pinging a local address
through the tunnel. 10.5.198.191 is an IP from poptop's IP pool.
10.5.198.191 is trying to ping 10.5.198.1 from the net poptop VPN.
My guess is that the firewall is trying to route the reply through
the 10.5.198.238 gateway.
I am thinking that 10.5.198.191

ns2:~ # tcpdump -nei eth1 host 10.5.198.191
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:30:09.842114 00:10:18:28:5a:d4 > 00:02:55:7b:b2:d2, ethertype IPv4
(0x0800), length 74: 10.5.198.191 > 10.5.198.1: ICMP echo request, id 768,
seq 2048, length 40
11:30:09.842378 00:02:55:7b:b2:d2 > 00:10:18:28:5a:d4, ethertype IPv4
(0x0800), length 74: 10.5.198.1 > 10.5.198.191: ICMP echo reply, id 768, seq
2048, length 40
11:30:09.848139 00:10:18:28:5a:d4 > ff:ff:ff:ff:ff:ff, ethertype ARP
(0x0806), length 42: arp who-has 10.5.198.191 tell 10.5.198.254
11:30:10.848133 00:10:18:28:5a:d4 > ff:ff:ff:ff:ff:ff, ethertype ARP
(0x0806), length 42: arp who-has 10.5.198.191 tell 10.5.198.254
11:30:11.602844 00:10:18:28:5a:d4 > 00:1b:54:50:53:12, ethertype IPv4
(0x0800), length 222: 10.5.198.191.3635 > 76.101.63.161.8767: UDP, length
180
11:30:11.726850 00:1b:54:50:53:12 > 00:10:18:28:5a:d4, ethertype IPv4
(0x0800), length 478: 76.101.63.161.8767 > 10.5.198.191.3635: UDP, l
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
I have a multi-ISP setup and when connecting via poptop I believe that the
firewall does not know to route the traffic back out of ISP1. Not sure how to
tackle this issue. Does anyone have a suggestion?

I tried this route rule

-       10.5.198.191    main    1000

And it worked, however the second person that connects to poptop would not
be routed correctly with making the whole poptop address pool
10.5.198.191-199 ???
example second poptop's client IP would be 10.5.198.192

what would be neat is

ppp+    -       main    1000

Would this work?

Mike

Please forgive me if this is a double post, as I sent one mail through this
tunnel when I was working on this.
Mike wrote:
> I tried this route rule
>
> -       10.5.198.191    main    1000
>
> And it worked, however the second person that connects to poptop would not
> be routed correctly with making the whole poptop address pool
> 10.5.198.191-199 ???
> example second poptop's client IP would be 10.5.198.192
>
> what would be neat is
>
> ppp+    -       main    1000
>
> Would this work?

Hi Mike,

The use of '+' to indicate wildcard matches is unique to iptables -- the 'ip' utility does not support this convention.

-Tom
Mike wrote:
> I tried this route rule
>
> -       10.5.198.191    main    1000
>
> And it worked, however the second person that connects to poptop would not
> be routed correctly with making the whole poptop address pool
> 10.5.198.191-199 ???

In these cases, it's always good to pretend that you were born with 8 (or 16) fingers rather than 10. That way, you will define the poptop address pool as 10.5.198.192/29 or 10.5.198.192/30 and you can place that network in the DEST column and a single entry would suffice.

-Tom
> Mike wrote:
> > I tried this route rule
> >
> > -       10.5.198.191    main    1000
> >
> > And it worked, however the second person that connects to poptop would
> > not be routed correctly with making the whole poptop address pool
> > 10.5.198.191-199 ???
>
> In these cases, it's always good to pretend that you were born with 8 (or 16) fingers rather than 10. That way, you will define the poptop address pool as 10.5.198.192/29 or 10.5.198.192/30 and you can place that network in the DEST column and a single entry would suffice.
>
> -Tom

I suppose what I would do the next time is try to allocate an even subnet. However, I just entered each one into route rules as single entries since only 5 connections are needed at any given time. I was not sure if there was an alternate method under the hood of shorewall. It works.

Thank you,
Mike
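As an added example (not from this thread, and not Shorewall's own code), a short Python script that does the arithmetic behind Tom's suggestion and Mike's workaround: it splits the 10.5.198.191-199 pool into the CIDR blocks a route_rules DEST column would need, and picks the smallest aligned block for a given number of clients. It assumes the route_rules column order shown in Mike's working entry (SOURCE DEST PROVIDER PRIORITY).

```python
import ipaddress

# Constructed from the thread: Mike's poptop pool and the number of
# concurrent clients he said he needs.
POOL_FIRST = "10.5.198.191"
POOL_LAST = "10.5.198.199"
CLIENTS_NEEDED = 5


def pool_to_blocks(first, last):
    """Minimal CIDR blocks covering an inclusive address range.

    An unaligned pool such as .191-.199 needs more than one block, which is
    why a single 'ip rule' (and so a single route_rules entry) cannot match it.
    """
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def route_rules(blocks, provider="main", priority=1000):
    """Shorewall route_rules lines (SOURCE DEST PROVIDER PRIORITY), one per block.

    Column layout assumed from Mike's entry '- 10.5.198.191 main 1000'.
    """
    return [f"-\t{blk}\t{provider}\t{priority}" for blk in blocks]


def aligned_pool(start, count):
    """Smallest power-of-two block holding `count` addresses, at or after `start`.

    This is Tom's "born with 8 fingers" advice: round the pool up to a
    boundary so that one DEST entry covers every client.
    """
    size = 1
    while size < count:
        size *= 2
    prefix = 33 - size.bit_length()      # 8 addresses -> /29, 1 address -> /32
    n = int(ipaddress.ip_address(start))
    n = -(-n // size) * size             # round up to the next multiple of size
    return str(ipaddress.ip_network(f"{ipaddress.ip_address(n)}/{prefix}"))


if __name__ == "__main__":
    # Mike's unaligned pool needs two entries; an aligned /29 needs one.
    print("unaligned pool:", route_rules(pool_to_blocks(POOL_FIRST, POOL_LAST)))
    print("aligned pool:  ", route_rules([aligned_pool(POOL_FIRST, CLIENTS_NEEDED)]))
```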