Hello to all.

I have 2 servers connected with OpenVPN.

ServerA (OpenVPN server)
  eth0 (wan)
  eth1 (lan) 172.16.1.254
  tap0 (vpn) 192.168.99.1

ServerB (OpenVPN client)
  eth0 (wan)
  eth1 (lan) 172.16.2.254
  tap0 (vpn) 192.168.99.2

I need a masq rule so that Windows clients inside the LAN network of ServerB
(172.16.2.0) can access the LAN network of ServerA (172.16.1.0).

From ServerB I ping normally the LAN network of ServerA.

thanks,
Wilson

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Wilson A. Galafassi Jr. wrote:
> Hello to all.
>
> I have 2 servers connected with OpenVPN.
>
> ServerA (OpenVPN server)
> eth0 (wan)
> eth1 (lan) 172.16.1.254
> tap0 (vpn) 192.168.99.1
>
>
> ServerB (OpenVPN client)
> eth0 (wan)
> eth1 (lan) 172.16.2.254
> tap0 (vpn) 192.168.99.2
>
> I need a masq rule so that Windows clients inside the LAN network of ServerB
> (172.16.2.0) can access the LAN network of ServerA (172.16.1.0).
>
> From ServerB I ping normally the LAN network of ServerA.

You don't need any NAT hack -- you just need to add the proper routes on
each of the gateways. See http://www.shorewall.net/OpenVPN.html and notice
the 'route' entries in the OpenVPN configuration files.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
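As an added example (ours, not code from the thread, from Tom or from Shorewall), the POSIX sh helpers below turn the topology Wilson describes into the OpenVPN `route` directive each gateway needs for the peer's LAN, and check a routing table for that route. The function names and the sample `ip route show` text are constructed here, and the example assumes a point-to-point tap tunnel, where a plain `route` directive on each side is enough (a multi-client server would also need `iroute`/ccd entries).

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: helpers for the
# site-to-site OpenVPN case above (ServerA lan 172.16.1.0/24, tap 192.168.99.1;
# ServerB lan 172.16.2.0/24, tap 192.168.99.2). The point Tom makes is that
# each gateway needs a route to the *peer's* LAN through the tunnel, not NAT.
# Assumption: point-to-point tap tunnel, so a plain 'route' directive suffices.
# The Windows clients must still use 172.16.2.254 (ServerB) as their gateway,
# and ServerA's LAN hosts must use 172.16.1.254, or the return path breaks.

# Prefix length (0-32) to dotted-quad netmask; OpenVPN's 'route' directive
# takes a netmask, not CIDR notation.
prefix_to_mask() {
    bits=$1
    mask=$(( 4294967295 << (32 - bits) & 4294967295 ))
    printf '%d.%d.%d.%d\n' \
        $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# OpenVPN 'route' line that sends a peer LAN through the tunnel.
# Usage: ovpn_route PEER_LAN_CIDR PEER_TAP_IP
ovpn_route() {
    net=${1%/*}
    bits=${1#*/}
    printf 'route %s %s %s\n' "$net" "$(prefix_to_mask "$bits")" "$2"
}

# Equivalent kernel route, for a gateway that manages its routes by hand.
# Usage: kernel_route PEER_LAN_CIDR PEER_TAP_IP TUN_IF
kernel_route() {
    printf 'ip route add %s via %s dev %s\n' "$1" "$2" "$3"
}

# Return 0 if 'ip route show' text already carries LAN_CIDR via VIA_IP.
# Usage: has_lan_route LAN_CIDR VIA_IP "<ip route show output>"
has_lan_route() {
    printf '%s\n' "$3" | awk -v n="$1" -v v="$2" \
        '$1 == n && $2 == "via" && $3 == v { found = 1 } END { exit !found }'
}

# What each side of the tunnel described in the thread must carry.
servera_route() { ovpn_route 172.16.2.0/24 192.168.99.2; }   # in ServerA's config
serverb_route() { ovpn_route 172.16.1.0/24 192.168.99.1; }   # in ServerB's config

# Constructed sample: ServerA's main table before the route is added. Only
# its own LAN and the tunnel subnet are known, so packets for 172.16.2.0/24
# are not sent through tap0 at all.
SERVERA_ROUTES='172.16.1.0/24 dev eth1 proto kernel scope link src 172.16.1.254
192.168.99.0/24 dev tap0 proto kernel scope link src 192.168.99.1'

main() {
    echo "ServerA openvpn config: $(servera_route)"
    echo "ServerB openvpn config: $(serverb_route)"
    if has_lan_route 172.16.2.0/24 192.168.99.2 "$SERVERA_ROUTES"; then
        echo "ServerA already routes ServerB's LAN through the tunnel"
    else
        echo "ServerA lacks the route; by hand: $(kernel_route 172.16.2.0/24 192.168.99.2 tap0)"
    fi
}
main
```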
Hi All,

I have 2 problems with MultiISP configuration: (Shorewall 4.0.8-4 on
CentOS and Kernel 2.6.24 recompiled with netfilter options)

Some days ago I upgraded the configuration from a 3.x version (single
ISP) to the actual one (in the sense that I reinstalled the OS from
scratch, not simply updated).
I added a second ISP in the providers file and updated the other
original files (zones, etc.) to the new syntax and configuration.

Actual configuration is:
eth0 lan
eth1 ISP1 (new provider)
eth2 ISP2 (existing provider)
eth3 DMZ (with public ip on existing provider and some servers defined
in proxyarp)

Problems are:

1) Restart lock

if I issue a 'shorewall restart' command I get an error on

----------------
IP Forwarding Enabled
Setting up Proxy ARP...
RTNETLINK answers: File exists
   ERROR: Command "ip route replace AAA.AAA.AAA.5 dev eth3" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 664: 13447 Terminated  $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
-----------------

where AAA.AAA.AAA.5 is the first interface defined in the proxyarp file

**** NOTE: real IP addresses are substituted with:
AAA.AAA.AAA. is on the existing ISP range (ISP2 on eth2 and some on DMZ eth3)
BBB.BBB.BBB. is on the new ISP range (ISP1 on eth1)
the others are real IPs on the intranet (eth0)
****

so to restart correctly I need to exec:

shorewall stop
service network restart
shorewall start

and this is a big problem because it stops me from connecting remotely and
I have to run the above commands from the console.

2) Fixed routes

I need to route some connections via the ISP2 interface, because there are
some web sites that need to see the ISP2 address range to enable access.
I have added these entries in route_rules:

#SOURCE        DEST                    PROVIDER    PRIORITY
$DMZ_IF        -                       ISP2        1000
$INT_IF        CCC.CCC.CCC.CCC/24      ISP2        1000
-              DDD.DDD.DDD.DDD/24      main        1000

where
CCC.CCC.CCC.CCC is the public web site that checks the origin IP address
DDD.DDD.DDD.DDD is the local ISP2 public address range (assigned to eth2)

but if the providers are balanced (option balance=1 on both) the route does
not work; if I set balance=100 on ISP2 it works.

In masq I have:

###############################################################################
#INTERFACE     SOURCE      ADDRESS     PROTO   PORT(S) IPSEC   MARK
$ISP2_IF       $INT_IF     $ISP2_IP
$ISP1_IF       $INT_IF     $ISP1_IP
$ISP2_IF       $ISP1_IP    $ISP2_IP
$ISP1_IF       $ISP2_IP    $ISP1_IP
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

where ISP1_IP and ISP2_IP are the IPs assigned to the public eth1 and eth2
interfaces

I have also added in tcrules

###############################################################################
#MARK  SOURCE    DEST                 PROTO  DEST     SOURCE   USER   TEST  LENGTH  TOS
#                                            PORT(S)  PORT(S)
2:P    $INT_IF   DDD.DDD.DDD.DDD/24   all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

without results.
I have also upgraded to shorewall 4.0.8-4 but the result is the same.
Also I have read MultiISP and other docs from the shorewall.net site, but
surely I'm missing something.

Attached are the output of shorewall dump and the current shorewall.conf

TIA
Best Regards
Francesco Saverio Giudice

PS: Thank you to Tom Eastep for having created this great software, for
the excellent docs, and to you all for support.
Francesco Saverio Giudice wrote:
> Hi All,
>
> I have 2 problems with MultiISP configuration: (Shorewall 4.0.8-4 on
> CentOS and Kernel 2.6.24 recompiled with netfilter options)
>
> Some days ago I upgraded the configuration from a 3.x version (single
> ISP) to the actual one (in the sense that I reinstalled the OS from
> scratch, not simply updated).
> I added a second ISP in the providers file and updated the other
> original files (zones, etc.) to the new syntax and configuration.
>
> Actual configuration is:
> eth0 lan
> eth1 ISP1 (new provider)
> eth2 ISP2 (existing provider)
> eth3 DMZ (with public ip on existing provider and some servers defined
> in proxyarp)
>
> Problems are:
>
> 1) Restart lock
>
> if I issue a 'shorewall restart' command I get an error on
>
> ----------------
> IP Forwarding Enabled
> Setting up Proxy ARP...
> RTNETLINK answers: File exists
>    ERROR: Command "ip route replace AAA.AAA.AAA.5 dev eth3" Failed

This seems to be a bug in recent kernels/iproute2 -- attempting to
replace a route fails with 'File exists'. This should never happen --
that's the whole point of using 'replace' rather than 'add'.

Please try this:

ip route add 1.2.4.5 dev eth3
ip route replace 1.2.4.5 dev eth3

Do you get an error? You shouldn't.

Regardless, after the test enter 'ip route del 1.2.4.5'.

-Tom
Tom Eastep wrote:
> Francesco Saverio Giudice wrote:
>> Hi All,
>>
>> I have 2 problems with MultiISP configuration: (Shorewall 4.0.8-4 on
>> CentOS and Kernel 2.6.24 recompiled with netfilter options)
>>
>> Some days ago I upgraded the configuration from a 3.x version (single
>> ISP) to the actual one (in the sense that I reinstalled the OS from
>> scratch, not simply updated).
>> I added a second ISP in the providers file and updated the other
>> original files (zones, etc.) to the new syntax and configuration.
>>
>> Actual configuration is:
>> eth0 lan
>> eth1 ISP1 (new provider)
>> eth2 ISP2 (existing provider)
>> eth3 DMZ (with public ip on existing provider and some servers defined
>> in proxyarp)
>>
>> Problems are:
>>
>> 1) Restart lock
>>
>> if I issue a 'shorewall restart' command I get an error on
>>
>> ----------------
>> IP Forwarding Enabled
>> Setting up Proxy ARP...
>> RTNETLINK answers: File exists
>>    ERROR: Command "ip route replace AAA.AAA.AAA.5 dev eth3" Failed
>
> This seems to be a bug in recent kernels/iproute2 -- attempting to
> replace a route fails with 'File exists'. This should never happen --
> that's the whole point of using 'replace' rather than 'add'.
>
> Please try this:
>
> ip route add 1.2.4.5 dev eth3
> ip route replace 1.2.4.5 dev eth3
>
> Do you get an error? You shouldn't.
>
> Regardless, after the test enter 'ip route del 1.2.4.5'.

Attached is a patch that might help. After applying the patch, set
DELETE_THEN_ADD=Yes in shorewall.conf. Please let me know if this works
around the problem.

-Tom
Hi Tom,

I get the error:

---------
# ip route add 1.2.4.5 dev eth3
# ip route replace 1.2.4.5 dev eth3
RTNETLINK answers: File exists
---------

Do I have to patch the kernel or something else?
And for the rest? Is it related to the same iproute2 error?

Thank you for your help
Best Regards
Francesco
Francesco Saverio Giudice wrote:
> Hi Tom,
>
> I get the error:
>
> ---------
> # ip route add 1.2.4.5 dev eth3
> # ip route replace 1.2.4.5 dev eth3
> RTNETLINK answers: File exists
> ---------
>
> Do I have to patch the kernel or something else?
>

You should report it at netdev@vger.kernel.org (that's where the Linux
networking developers hang out).

This failure does not occur with kernel 2.6.22 and iproute2 ss070710:

gateway:~ # ip route add 1.2.4.5 dev eth0
gateway:~ # ip route replace 1.2.4.5 dev eth0
gateway:~ # ip route del 1.2.4.5

-Tom
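As an added example (ours, not Tom's patch and not Shorewall code), the POSIX sh helper below does what the DELETE_THEN_ADD workaround and Tom's three-line check in this thread do: it installs a route with `ip route replace`, falls back to delete-then-add only when the kernel answers "File exists", and can probe whether that failure is present. `IP`, `ensure_route`, `probe_replace_bug` and the error-file path are our names; touching a real routing table needs root, and `IP` can be pointed at a wrapper for testing.

```shell
#!/bin/sh
# Added example, not part of the thread and not Shorewall's code: a route
# installer that behaves the way 'ip route replace' is supposed to, but copes
# with the kernel/iproute2 combination reported above, where replacing an
# existing route fails with "RTNETLINK answers: File exists".
# IP may be overridden (e.g. with a test wrapper); it is our name.
IP=${IP:-ip}
ERRFILE=${TMPDIR:-/tmp}/ensure_route.$$    # stderr of the last ip command
trap 'rm -f "$ERRFILE"' EXIT

# Run one route operation. Returns 0 on success; on failure returns 1 and
# leaves the kernel's message in REPLY_ERR.
# Usage: route_op OP SPEC...   (OP is add|replace|del)
route_op() {
    op=$1; shift
    if "$IP" route "$op" "$@" 2>"$ERRFILE"; then
        REPLY_ERR=""
        return 0
    fi
    REPLY_ERR=$(cat "$ERRFILE")
    return 1
}

# Install SPEC (e.g. "1.2.4.5 dev eth3") so that exactly one such route
# exists afterwards. Returns 0 on success and sets ROUTE_METHOD to
# "replace" or "delete-then-add" so the caller can log which path ran.
# Caveat, the same one Tom gives for the patch: between 'del' and 'add'
# the route is absent; for a default route that is a window with no
# default route in the main table, so keep the fallback narrow.
ensure_route() {
    if route_op replace "$@"; then
        ROUTE_METHOD=replace
        return 0
    fi
    case $REPLY_ERR in
        *"File exists"*) ;;                  # the reported failure: work around it
        *) ROUTE_METHOD=failed; return 1 ;;  # anything else is a real error
    esac
    route_op del "$@" || true                # nothing to delete is not fatal
    if route_op add "$@"; then
        ROUTE_METHOD=delete-then-add
        return 0
    fi
    ROUTE_METHOD=failed
    return 1
}

# Tom's add/replace/del check, wrapped so the outcome is a return code:
# 0 = replace of an existing route works, 1 = the failure is present,
# 2 = inconclusive (the scratch route already existed). Needs root.
# Usage: probe_replace_bug SPEC...   e.g. probe_replace_bug 1.2.4.5 dev eth3
probe_replace_bug() {
    route_op add "$@" || return 2
    route_op replace "$@"
    rc=$?
    route_op del "$@"                        # always clean the scratch route up
    return $rc
}

# Stand-alone use (as root): sh ensure_route.sh 1.2.4.5 dev eth3
if [ "$#" -gt 0 ]; then
    if ensure_route "$@"; then
        echo "installed via $ROUTE_METHOD"
    else
        echo "failed: $REPLY_ERR" >&2
        exit 1
    fi
fi
```

The probe deliberately uses a scratch address, as Tom's test does, so a positive result never disturbs a route the gateway depends on.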
Hi Tom,

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, February 22, 2008 5:38 PM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

Tom Eastep wrote:
> Francesco Saverio Giudice wrote:
>> Hi All,
>>

Attached is a patch that might help. After applying the patch, set
DELETE_THEN_ADD=Yes in shorewall.conf. Please let me know if this works
around the problem.

------------------------

No, I applied the patch and checked DELETE_THEN_ADD (it was already set
to Yes), but doing a shorewall restart the problem is still there.

I'm trying to build a new kernel using 2.6.22 as you suggest in the other
mail, but to test it I have to wait until Monday.

In the meanwhile, do you think that the 2nd problem is related to the
kernel/iproute2 bug?

Thank you for your help (excellent as usual).

Best Regards
Francesco
Tom Eastep wrote:
> Tom Eastep wrote:
>> Francesco Saverio Giudice wrote:
>>> Hi All,
>>>
>>> I have 2 problems with MultiISP configuration: (Shorewall 4.0.8-4 on
>>> CentOS and Kernel 2.6.24 recompiled with netfilter options)
>>>
>>> Some days ago I upgraded the configuration from a 3.x version
>>> (single ISP) to the actual one (in the sense that I reinstalled the
>>> OS from scratch, not simply updated).
>>> I added a second ISP in the providers file and updated the other
>>> original files (zones, etc.) to the new syntax and configuration.
>>>
>>> Actual configuration is:
>>> eth0 lan
>>> eth1 ISP1 (new provider)
>>> eth2 ISP2 (existing provider)
>>> eth3 DMZ (with public ip on existing provider and some servers
>>> defined in proxyarp)
>>>
>>> Problems are:
>>>
>>> 1) Restart lock
>>>
>>> if I issue a 'shorewall restart' command I get an error on
>>>
>>> ----------------
>>> IP Forwarding Enabled
>>> Setting up Proxy ARP...
>>> RTNETLINK answers: File exists
>>>    ERROR: Command "ip route replace AAA.AAA.AAA.5 dev eth3" Failed
>>
<snip>
> Attached is a patch that might help. After applying the patch, set
> DELETE_THEN_ADD=Yes in shorewall.conf. Please let me know if this works
> around the problem.
>

I think Proxyarp.pm might need this variable fix also.

Jerry
On Fri, 2008-02-22 at 18:31 +0100, Francesco Saverio Giudice wrote:
> Hi Tom,
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Sent: Friday, February 22, 2008 5:38 PM
> Subject: Re: [Shorewall-users] MultiISP and fixed routes
>
>
> Tom Eastep wrote:
> > Francesco Saverio Giudice wrote:
> >> Hi All,
> >>
>
> Attached is a patch that might help. After applying the patch, set
> DELETE_THEN_ADD=Yes in shorewall.conf. Please let me know if this works
> around the problem.
>
> ------------------------
>
> No, I applied the patch and checked DELETE_THEN_ADD (it was already
> set to Yes), but doing a shorewall restart the problem is still there.
>

No it's not -- there may be a different problem but there is no 'route
replace' command generated so it can't be the same problem.

> In the meanwhile, do you think that the 2nd problem is related to the
> kernel/iproute2 bug?

I don't know -- your dump is the third in my queue.

-Tom
Jerry Vonau wrote:
> Tom Eastep wrote:
>> Tom Eastep wrote:
>>> Francesco Saverio Giudice wrote:
>>>> Hi All,
>>>>
>>>> I have 2 problems with MultiISP configuration: (Shorewall 4.0.8-4 on
>>>> CentOS and Kernel 2.6.24 recompiled with netfilter options)
>>>>
>>>> Some days ago I upgraded the configuration from a 3.x version
>>>> (single ISP) to the actual one (in the sense that I reinstalled the
>>>> OS from scratch, not simply updated).
>>>> I added a second ISP in the providers file and updated the other
>>>> original files (zones, etc.) to the new syntax and configuration.
>>>>
>>>> Actual configuration is:
>>>> eth0 lan
>>>> eth1 ISP1 (new provider)
>>>> eth2 ISP2 (existing provider)
>>>> eth3 DMZ (with public ip on existing provider and some servers
>>>> defined in proxyarp)
>>>>
>>>> Problems are:
>>>>
>>>> 1) Restart lock
>>>>
>>>> if I issue a 'shorewall restart' command I get an error on
>>>>
>>>> ----------------
>>>> IP Forwarding Enabled
>>>> Setting up Proxy ARP...
>>>> RTNETLINK answers: File exists
>>>>    ERROR: Command "ip route replace AAA.AAA.AAA.5 dev eth3" Failed
> <snip>
>> Attached is a patch that might help. After applying the patch, set
>> DELETE_THEN_ADD=Yes in shorewall.conf. Please let me know if this works
>> around the problem.
>>
> I think Proxyarp.pm might need this variable fix also.
>

That can be fixed by setting HAVEROUTES to Yes and adding the routes
manually.

-Tom
Tom Eastep wrote:
> Jerry Vonau wrote:
>> Tom Eastep wrote:
>>> Tom Eastep wrote:
>>>> Francesco Saverio Giudice wrote:
>>>>> Hi All,
>>>>>
>>>>> I have 2 problems with MultiISP configuration: (Shorewall 4.0.8-4
>>>>> on CentOS and Kernel 2.6.24 recompiled with netfilter options)
>>>>>
>>>>> Some days ago I upgraded the configuration from a 3.x version
>>>>> (single ISP) to the actual one (in the sense that I reinstalled the
>>>>> OS from scratch, not simply updated).
>>>>> I added a second ISP in the providers file and updated the other
>>>>> original files (zones, etc.) to the new syntax and configuration.
>>>>>
>>>>> Actual configuration is:
>>>>> eth0 lan
>>>>> eth1 ISP1 (new provider)
>>>>> eth2 ISP2 (existing provider)
>>>>> eth3 DMZ (with public ip on existing provider and some servers
>>>>> defined in proxyarp)
>>>>>
>>>>> Problems are:
>>>>>
>>>>> 1) Restart lock
>>>>>
>>>>> if I issue a 'shorewall restart' command I get an error on
>>>>>
>>>>> ----------------
>>>>> IP Forwarding Enabled
>>>>> Setting up Proxy ARP...
>>>>> RTNETLINK answers: File exists
>>>>>    ERROR: Command "ip route replace AAA.AAA.AAA.5 dev eth3" Failed
>> <snip>
>>> Attached is a patch that might help. After applying the patch, set
>>> DELETE_THEN_ADD=Yes in shorewall.conf. Please let me know if this
>>> works around the problem.
>>>
>> I think Proxyarp.pm might need this variable fix also.
>>
>
> That can be fixed by setting HAVEROUTES to Yes and adding the routes
> manually.

But here's a patch.

-Tom
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, February 22, 2008 6:43 PM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

> On Fri, 2008-02-22 at 18:31 +0100, Francesco Saverio Giudice wrote:
> > Hi Tom,
> >
> >
> > No, I applied the patch and checked DELETE_THEN_ADD (it was
> > already
> > set to Yes), but doing a shorewall restart the problem is still there.
> >
>
> No it's not -- there may be a different problem but there is no 'route
> replace' command generated so it can't be the same problem.

Sorry Tom, I had not pasted the screen, but the error is reported *exactly*
in the same way:

-------------
....
IP Forwarding Enabled
Setting up Proxy ARP...
RTNETLINK answers: File exists
   ERROR: Command "ip route replace 192.107.88.5 dev eth3" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 664: 27611 Terminated  $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
-------------

Looking at Providers.pm I have seen that your patch is inside

if ( $gateway eq 'detect' ) {

which isn't my case.

This is my providers file (sorry, I missed it in the first mail)

############################################################################################
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY   OPTIONS                  COPY
ISP1    1       1     main       $ISP1_IF   $ISP1_GW  track,optional,balance   $INT_IF
ISP2    2       2     main       $ISP2_IF   $ISP2_GW  track,optional,balance   $INT_IF
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

where ISPx_GW have the correct GW values.

> > In the meanwhile, do you think that the 2nd problem is related to the
> > kernel/iproute2 bug?
>
> I don't know -- your dump is the third in my queue.
>

Great, near first position ;-)

BR
Francesco
Tom Eastep wrote:
> On Fri, 2008-02-22 at 18:31 +0100, Francesco Saverio Giudice wrote:
>> Hi Tom,
>>
>> ----- Original Message -----
>> From: "Tom Eastep" <teastep@shorewall.net>
>> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
>> Sent: Friday, February 22, 2008 5:38 PM
>> Subject: Re: [Shorewall-users] MultiISP and fixed routes
>>
>>
>> Tom Eastep wrote:
>>> Francesco Saverio Giudice wrote:
>>>> Hi All,
>>>>
>> Attached is a patch that might help. After applying the patch, set
>> DELETE_THEN_ADD=Yes in shorewall.conf. Please let me know if this works
>> around the problem.
>>
>> ------------------------
>>
>> No, I applied the patch and checked DELETE_THEN_ADD (it was already
>> set to Yes), but doing a shorewall restart the problem is still there.
>>
>
> No it's not -- there may be a different problem but there is no 'route
> replace' command generated so it can't be the same problem.
>
>> In the meanwhile, do you think that the 2nd problem is related to the
>> kernel/iproute2 bug?
>
> I don't know -- your dump is the third in my queue.
>

I'm sorry but 'route not works' isn't enough to let me know what the
problem is. I need to know what the source IP address is, what the
destination IP address is and where the packet gets routed.

-Tom
Francesco Saverio Giudice wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Sent: Friday, February 22, 2008 6:43 PM
> Subject: Re: [Shorewall-users] MultiISP and fixed routes
>
>
>> On Fri, 2008-02-22 at 18:31 +0100, Francesco Saverio Giudice wrote:
>>> Hi Tom,
>>>
>>>
>>> No, I applied the patch and checked DELETE_THEN_ADD (it was
>>> already
>>> set to Yes), but doing a shorewall restart the problem is still there.
>>>
>> No it's not -- there may be a different problem but there is no 'route
>> replace' command generated so it can't be the same problem.
>
> Sorry Tom, I had not pasted the screen, but the error is reported *exactly*
> in the same way:

Please try the second patch I sent or reconfigure proxy ARP as I
suggested earlier in my response to Jerry.

-Tom
Tom,

> Please try the second patch I sent or reconfigure proxy ARP as I
> suggested earlier in my response to Jerry.

Tested, and the result is:

#shorewall restart

-----------------
IP Forwarding Enabled
Setting up Proxy ARP...
Adding Providers...
RTNETLINK answers: File exists
   ERROR: Command "ip route replace default scope global nexthop via A.A.A.A dev eth1 weight 1 nexthop via B.B.B.B dev eth2 weight 100" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 664: 1729 Terminated  $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
-----------------

A.A.A.A = ISP1 GW
B.B.B.B = ISP2 GW

#shorewall restart (again)

-----------------
IP Forwarding Enabled
Setting up Proxy ARP...
RTNETLINK answers: No such process
   ERROR: Command "ip route del B.B.B.5" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 368: 3290 Terminated  ${VARDIR}/.start $debugging start
-----------------

#shorewall stop
#service network restart
#shorewall start

Setting up Martian Logging...
Setting up Accept Source Routing...
IP Forwarding Enabled
Setting up Proxy ARP...
RTNETLINK answers: No such process
   ERROR: Command "ip route del B.B.B.5" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 368: 4709 Terminated  ${VARDIR}/.start $debugging start
------------------

If I add every ip route one by one, then it starts.

After this I reverted the patch because it misses every ip route on every
restart.

Francesco
Francesco Saverio Giudice wrote:
> Tested, and the result is:
>
> #shorewall restart
>
> -----------------
> IP Forwarding Enabled
> Setting up Proxy ARP...
> Adding Providers...
> RTNETLINK answers: File exists
>    ERROR: Command "ip route replace default scope global nexthop via A.A.A.A
> dev eth1 weight 1 nexthop via B.B.B.B dev eth2 weight 100" Failed
> Processing /etc/shorewall/stop ...
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> /sbin/shorewall: line 664: 1729 Terminated  $SHOREWALL_SHELL
> ${VARDIR}/.restart $debugging restart

This should fix both issues. Note that these are horrible hacks which
will open a window where you will have no default route in the main
routing table.

-Tom
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, February 22, 2008 8:42 PM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

This should fix both issues. Note that these are horrible hacks which
will open a window where you will have no default route in the main
routing table.

-------------

I have seen $DEFAULT_ROUTE in your patch.
Do I have to declare it at some point, or is it auto-detected?

Because I'm working remotely (!) and I fear losing the connection (and at
this moment the firewall is alone, no one at its side) I think it is better
to try on Monday.

Thanks for the patch.

In the meanwhile I'm checking some info for the 2nd problem.
As you wrote in a previous email:
------------
I'm sorry but 'route not works' isn't enough to let me know what the
problem is. I need to know what the source IP address is, what the
destination IP address is and where the packet gets routed.
------------

The scenario is:

firewall:
eth0 intranet (loc in zones)
eth1 ISP1 (new provider, defined as net in zones)
eth2 ISP2 (old provider, defined as net in zones)
eth3 DMZ (dmz in zones - the servers in this zone use public IPs from ISP2
and are defined in proxyarp)

The problem is that there are some web sites on the net that check the
source IP to allow access to some pages and accept IPs only from the ISP2
address range.
If I run a browser from any server on the DMZ (which uses an IP from the
ISP2 range) it works; instead, if I run a browser from the local LAN, the
connection doesn't work.
Surely it happens because, having a balanced connection in the providers
file, I get a random route path between the two providers.
If I force a heavy balance to ISP2 (setting balance=100 in providers) it
works also from the local LAN.

So my idea was to add a route to force the use of ISP2 for connections
going towards the above sites, and I have added a route in route_rules
like:

#SOURCE    DEST                   PROVIDER   PRIORITY
$DMZ_IF    -                      ISP2       1000
$INT_IF    $PROTECTED_SITE_LAN    ISP2       1000
-          $ISP2_IP_RANGE         main       1000

but even so, resetting balance to 1 on both providers, it doesn't work.

Probably I have not explained well or I have misunderstood what you need,
but tell me what I can write to clarify.

May I send my shorewall configuration files directly to you? I prefer not
to put them on the mailing list because of the public IPs.

Thank you again for your precious time, and sorry if I am wasting it.

Best Regards
Francesco
Francesco Saverio Giudice wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Sent: Friday, February 22, 2008 8:42 PM
> Subject: Re: [Shorewall-users] MultiISP and fixed routes
>
> This should fix both issues. Note that these are horrible hacks which
> will open a window where you will have no default route in the main
> routing table.
>
> -------------
>
> I have seen $DEFAULT_ROUTE in your patch.
> Do I have to declare it at some point, or is it auto-detected?
>
> Because I'm working remotely (!) and I'm afraid of losing the connection
> (and at this moment the firewall is alone, no one at its side), I think
> it is better to try on Monday.
>
> Thanks for the patch.
>
> In the meantime I'm checking some info for the 2nd problem.
> As you wrote in your previous email:
> ------------
> I'm sorry but 'route not works' isn't enough to let me know what the
> problem is. I need to know what the source IP address is, what the
> destination IP address is and where the packet gets routed.
> ------------
>
> The scenario is:
> firewall:
> eth0 intranet (loc in zones)
> eth1 ISP1 (new provider, defined as net in zones)
> eth2 ISP2 (old provider, defined as net in zones)
> eth3 DMZ (dmz in zones - servers in this zone use public IPs from ISP2
> and are defined in proxyarp)
>
> The problem is that there are some web sites on the net that check the
> source IP to allow access to some pages and accept only IPs from the
> ISP2 address range.
> If I run a browser from any server on the DMZ (which uses an IP from the
> ISP2 range) it works; instead, if I run a browser from the local LAN,
> the connection doesn't work.
> Surely this happens because, having a balanced connection in the
> providers file, I get a random route path between the two providers.
> If I force a heavy balance towards ISP2 (setting balance=100 in
> providers) it also works from the local LAN.
>
> So my idea was to add a route to force the use of ISP2 for connections
> going towards the above sites, and I have added a route in route_rules
> like:
>
> #SOURCE     DEST                  PROVIDER  PRIORITY
> $DMZ_IF     -                     ISP2      1000
> $INT_IF     $PROTECTED_SITE_LAN   ISP2      1000
> -           $ISP2_IP_RANGE        main      1000
>
> But even so, resetting balance to 1 for both providers, it doesn't work.
>
> Probably I have not explained well, or I have misunderstood what you
> need, but tell me what I can write to clarify.

The above will do exactly what it is intended to do. But apparently that
isn't what you want it to do. So I need to know:

a) What is the source IP address of packets that "don't work"?
b) What is the destination IP address of packets that "don't work"?
c) Where do you want those packets to go?

Incidentally, you actually have three routing rules, not two.

> May I send my shorewall configuration files directly to you?

Sure -- in fact there is an email address (support@shorewall.net)
dedicated to that purpose.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Francesco Saverio Giudice wrote:
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
> Sent: Friday, February 22, 2008 8:42 PM
> Subject: Re: [Shorewall-users] MultiISP and fixed routes
>
> This should fix both issues. Note that these are horrible hacks which
> will open a window where you will have no default route in the main
> routing table.
>
> -------------
>
> I have seen $DEFAULT_ROUTE in your patch.
> Do I have to declare it at some point, or is it auto-detected?

It's constructed automatically.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, February 22, 2008 10:14 PM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

> So my idea was to add a route to force the use of ISP2 for connections
> going towards the above sites, and I have added a route in route_rules
> like:
>
> #SOURCE     DEST                  PROVIDER  PRIORITY
> $DMZ_IF     -                     ISP2      1000
> $INT_IF     $PROTECTED_SITE_LAN   ISP2      1000
> -           $ISP2_IP_RANGE        main      1000
>
> But even so, resetting balance to 1 for both providers, it doesn't work.
>
> Probably I have not explained well, or I have misunderstood what you
> need, but tell me what I can write to clarify.

The above will do exactly what it is intended to do. But apparently that
isn't what you want it to do. So I need to know:

a) What is the source IP address of packets that "don't work"?
b) What is the destination IP address of packets that "don't work"?
c) Where do you want those packets to go?

>>>>>>>>>>>>>>>>>>>>>>>>>>>
a) 172.16.0.x
b) the LAN or a single IP of the protected web site on the net
   (i.e. 82.189.125.99)
c) through ISP2 (eth2) on exit, and back on the same interface
<<<<<<<<<<<<<<<<<<<<<<<<<<<

Incidentally, you actually have three routing rules, not two.

>>>>>>>>>>>>>>>>>>>>>>>>>>>
Yes, I know. I have added the 1st and 3rd to route from the DMZ to the net
using ISP2 (1st) and back (3rd). The 2nd I have added for the above
problem, thinking that the 3rd can also serve the 2nd for the return path.
Without the 1st and 3rd, the DMZ servers (using IPs from the ISP2 range)
also use ISP1 or ISP2 at random on exit.
<<<<<<<<<<<<<<<<<<<<<<<<<<<

> May I send my shorewall configuration files directly to you?

Sure -- in fact there is an email address (support@shorewall.net)
dedicated to that purpose.

>>>>>>>>>>>>>>>>>>>>>>>>>>>
done
<<<<<<<<<<<<<<<<<<<<<<<<<<<

Francesco
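An added example, not part of the thread and not Shorewall's own code: the three questions Tom asks (source IP, destination IP, where the packet is routed) can be answered on the firewall itself with `ip route get`, which runs the kernel's policy-routing lookup for a given destination, source and ingress interface and reports the egress device and, when it is not `main`, the routing table that won. The POSIX sh helpers below wrap that lookup and parse its output so the decision can be checked against the provider you intended. The interface and table names (eth0 for the LAN, eth2 for ISP2, a per-provider table named ISP2 as Shorewall creates from the providers file) and the 203.0.113.x / 198.51.100.x gateway addresses are assumptions for illustration; the sample lines in the comments are constructed, not captured from the poster's firewall.

```shell
#!/bin/sh
# Added example (not from the thread): ask the kernel where a packet with a
# given (dst, src, iif) goes, then verify the egress device is the expected
# provider link. Names below (eth0 = LAN, eth2 = ISP2, table "ISP2") are
# assumptions; adjust them to your own providers file.

# Run the kernel's policy-routing lookup for one packet. Needs the ip
# utility and a live configuration; output looks like (constructed sample):
#   82.189.125.99 from 172.16.0.5 via 203.0.113.1 dev eth2 table ISP2 src 172.16.0.5 uid 0
# "table X" is printed only when the lookup did NOT resolve in main.
route_lookup() {
    # $1 = destination, $2 = source, $3 = ingress interface
    ip route get "$1" from "$2" iif "$3" 2>/dev/null
}

# Extract the token that follows a keyword ("dev", "table", "via", "src")
# in one line of `ip route get` output; prints nothing if absent.
route_field() {
    # $1 = route line, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i < NF; i++) if ($i == key) { print $(i+1); exit }
    }'
}

# Name of the routing table the lookup resolved in; iproute2 omits the
# keyword for the main table, so a missing "table" means main.
route_table_name() {
    tbl=$(route_field "$1" table)
    printf '%s\n' "${tbl:-main}"
}

# Return 0 if the routing decision leaves via the expected device.
route_uses_device() {
    # $1 = route line, $2 = expected egress device
    dev=$(route_field "$1" dev)
    [ "$dev" = "$2" ]
}

# Check one packet end to end: report device and table, exit 1 on mismatch,
# exit 2 when the kernel has no route at all for that src/dst pair.
check_egress() {
    # $1 = dst, $2 = src, $3 = iif, $4 = expected dev
    line=$(route_lookup "$1" "$2" "$3")
    if [ -z "$line" ]; then
        echo "no route for $1 from $2 (iif $3)"
        return 2
    fi
    if route_uses_device "$line" "$4"; then
        echo "OK: $2 -> $1 leaves via $(route_field "$line" dev)" \
             "(table $(route_table_name "$line"))"
        return 0
    fi
    echo "MISMATCH: $2 -> $1 leaves via $(route_field "$line" dev)," \
         "wanted $4 (table $(route_table_name "$line"))"
    return 1
}

# Usage on the firewall, with the poster's LAN host and protected site:
#   sh check_egress.sh 82.189.125.99 172.16.0.5 eth0 eth2
if [ $# -eq 4 ]; then
    check_egress "$1" "$2" "$3" "$4"
fi
```

Run it once from the DMZ address (which works) and once from a LAN address (which does not); if the LAN case reports `dev eth1` or `table main`, no route_rules entry matched that source/destination pair and the balanced default route was used, which is exactly the "random provider" behaviour described above. Note that `ip route get` only shows the forward direction; the return path for a LAN client also depends on the masquerading source address chosen on eth2, which this check does not cover.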
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, February 22, 2008 10:21 PM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

> > I have seen $DEFAULT_ROUTE in your patch.
> > Do I have to declare it at some point, or is it auto-detected?

It's constructed automatically.

>>>>>>>>>>>>>>>>>>>>
Ok. Thanks. I will inform you if the patch works as expected.

Francesco
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, February 22, 2008 5:55 PM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

You should report it at netdev@vger.kernel.org (that's where the Linux
networking developers hang out). This failure does not occur with kernel
2.6.22 and iproute2 ss070710:

gateway:~ # ip route add 1.2.4.5 dev eth0
gateway:~ # ip route replace 1.2.4.5 dev eth0
gateway:~ # ip route del 1.2.4.5

>>>>>>>>>>>>>>>>>
Done

Francesco
Hi All,

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, February 22, 2008 5:55 PM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

You should report it at netdev@vger.kernel.org (that's where the Linux
networking developers hang out). This failure does not occur with kernel
2.6.22 and iproute2 ss070710:

gateway:~ # ip route add 1.2.4.5 dev eth0
gateway:~ # ip route replace 1.2.4.5 dev eth0
gateway:~ # ip route del 1.2.4.5

>>>>>>>>>>>>>>>>>>>>>>>>>>>
Just to let you know, the reply from netdev@vger.kernel.org is:

----- Original Message -----
From: "Joonwoo Park" <joonwpark81@gmail.com>
To: "Francesco Saverio Giudice" <info@fsgiudice.com>
Cc: <netdev@vger.kernel.org>
Sent: Saturday, February 23, 2008 7:44 AM
Subject: Re: Error on ip route replace command

> Francesco,
> It was fixed by 936f6f8e1bc46834bbb3e3fa3ac13ab44f1e7ba6 and
> c18865f39276435abb9286f9a816cb5b66c99a00.
> Please try with the latest git source
>
> Joonwoo.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Best Regards
Francesco
Francesco Saverio Giudice wrote:
>
> Just to let you know, the reply from netdev@vger.kernel.org is:
>
> ----- Original Message -----
> From: "Joonwoo Park" <joonwpark81@gmail.com>
> To: "Francesco Saverio Giudice" <info@fsgiudice.com>
> Cc: <netdev@vger.kernel.org>
> Sent: Saturday, February 23, 2008 7:44 AM
> Subject: Re: Error on ip route replace command
>
>> Francesco,
>> It was fixed by 936f6f8e1bc46834bbb3e3fa3ac13ab44f1e7ba6 and
>> c18865f39276435abb9286f9a816cb5b66c99a00.
>> Please try with the latest git source

Thanks, Francesco.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Friday 22 February 2008 16:42, Francesco Saverio Giudice wrote:
> Hi Tom,
>
> I get the error:
>
> ---------
> # ip route add 1.2.4.5 dev eth3
> # ip route replace 1.2.4.5 dev eth3
> RTNETLINK answers: File exists
> ---------
>
> Do I have to patch the kernel, or something else?
>

Tom / Francesco

This is fixed in kernel 2.6.24.3

Steven.
Steven Jan Springl wrote:
> On Friday 22 February 2008 16:42, Francesco Saverio Giudice wrote:
>> Hi Tom,
>>
>> I get the error:
>>
>> ---------
>> # ip route add 1.2.4.5 dev eth3
>> # ip route replace 1.2.4.5 dev eth3
>> RTNETLINK answers: File exists
>> ---------
>>
>> Do I have to patch the kernel, or something else?
>>
>
> Tom / Francesco
>
> This is fixed in kernel 2.6.24.3
>

Thanks, Steven

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----
From: "Steven Jan Springl" <steven@springl.ukfsn.org>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, February 26, 2008 3:52 AM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

> Tom / Francesco
>
> This is fixed in kernel 2.6.24.3
>

Thank you Steven

Francesco