Davide Ferrari
2008-Nov-21 10:59 UTC
Multi-ISP problem: cannot reach my FW from one of the ISP
Hi,

I'm using Shorewall 3.4.8 (quite old, I know) and I set up a multi-ISP configuration, and it works nicely: I can route part of the traffic (to our production site) through one ISP and the rest of the traffic through the other ISP. I'm doing this using route_rules, something like this:

    #SOURCE  DEST        PROVIDER  PRIORITY
    eth0     1.1.1.1/24  ISP2      1002
    lo       1.1.1.1/24  ISP2      1003
    eth0     -           ISP1      1005
    lo       -           ISP1      1006

and this is what my providers look like:

    #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY     OPTIONS        COPY
    ISP1   1       1     main       eth1       172.10.1.1  track,balance  eth0
    ISP2   2       2     main       eth2       10.0.0.1    track,balance  eth0

So, assuming the IPs are real :), if I try to connect to an IP in 1.1.1.1/24 I pass through ISP2, and if I try to connect to any other public Internet IP it uses ISP1. Fine.

Now, the problem is that, even though I open ICMP type 8 for both providers (so, on both ethX; I have one NIC per ISP, configured in interfaces), I can ping my external ISP1 IP only from the Internet and not from my production site, and vice versa, I can ping my ISP2 public IP only from my production site and not from the Internet.

I'm absolutely sure that's a routing problem, but I can't figure out how to solve this. Any help?

--
Davide Ferrari
Atrapalo.com System Administrator

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Shorewall Geek
2008-Nov-21 15:40 UTC
Re: Multi-ISP problem: cannot reach my FW from one of the ISP
Davide Ferrari wrote:
> Any help?

Please see http://www.shorewall.net/support.htm#Guidelines for instructions for reporting this type of problem.

And please do not obfuscate the details -- finding the solution to networking problems is all about details.
Davide Ferrari
2008-Nov-24 09:51 UTC
Re: Multi-ISP problem: cannot reach my FW from one of the ISP
On Friday 21 November 2008 16:40:26 Shorewall Geek wrote:
> Davide Ferrari wrote:
> > Any help?
>
> Please see http://www.shorewall.net/support.htm#Guidelines for
> instructions for reporting this type of problem.
>
> And please do not obfuscate the details -- finding the solution to
> networking problems is all about details.

Hi,

I know that security through obscurity is not a big deal, but really, there are details in a shorewall dump that I would rather not post to a public ML whose archives are indexed by Google...

May I mail you privately, or is there at least some way to send attachments that are not accessible via the web archives?

Thank you for your help and for Shorewall, and sorry.

--
Davide Ferrari
Atrapalo.com System Administrator
Davide Ferrari
2008-Nov-24 12:18 UTC
Re: Multi-ISP problem: cannot reach my FW from one of the ISP
On Monday 24 November 2008 10:51:13 Davide Ferrari wrote:
> I know that security through obscurity is not a big deal, but really, there
> are details in a shorewall dump that I would rather not post to a public
> ML whose archives are indexed by Google...
> May I mail you privately, or is there at least some way to send attachments
> that are not accessible via the web archives?

Ok, thanks to the kind and insightful off-list help of Jerry Vonau, I managed to solve the problem.

The problem basically was that I had a route_rule forcing the "generic" traffic (i.e. the traffic not directed to my production site) to ISP1, which was, as a side effect, making it impossible to establish any kind of connection between ISP2 and the rest of the world... because every request arriving at the firewall through ISP2 was answered through the ISP1 route... you see it :)

The solution was to modify the masq configuration and get rid of the route_rules forcing the generic traffic. Now I have generic traffic balanced between ISP1 and ISP2 (I'll fine-tune it with traffic shaping), and the rest of the world can see my ISP2 public address (and my prod site can see the ISP1 public IP as well).

Thanks again to Jerry for his great help, and to the Shorewall devs in general for this great piece of software!

--
Davide Ferrari
Atrapalo.com System Administrator
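The failure Davide describes is a policy-routing ordering problem: the kernel walks `ip rule` entries in ascending priority and uses the first one whose table has a route, so a route_rules entry at priority 1005/1006 that sends everything from eth0 or lo to ISP1 is consulted before the fwmark rule that the provider's `track` option installs to steer reply traffic back out the ISP it came in on. The simulation below is an added example, not code from this thread or from Shorewall; it models the rule walk for the route_rules and providers shown in the first post. Assumptions, to be checked against `ip rule ls` on a real box: the `track` fwmark rules sit at priority 10000 (as the route_rules PRIORITY documentation describes), the main table is consulted at the kernel's 32766, the balanced default route in the main table is modelled as a single pseudo-device called "balanced", and the LAN prefix 192.168.0.0/24 and the remote host 203.0.113.5 are constructed. The DEST column is written as 1.1.1.0/24, which is what the page's 1.1.1.1/24 denotes.

```python
"""Simulate Linux policy routing for the two-ISP Shorewall setup in this
thread: which routing table answers a packet, and at which rule priority.

Added example; priorities, LAN prefix and remote host are assumptions
(see lead-in), not values taken from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Routing tables: name -> list of (prefix, exit device), longest prefix wins.
# Connected routes plus the balanced default route live in "main";
# each provider table holds only a default route through its own ISP.
TABLES: Dict[str, List[Tuple[str, str]]] = {
    "main": [("172.10.1.0/24", "eth1"),      # ISP1 gateway network
             ("10.0.0.0/24", "eth2"),        # ISP2 gateway network
             ("192.168.0.0/24", "eth0"),     # LAN (constructed prefix)
             ("0.0.0.0/0", "balanced")],     # balanced default (modelled)
    "ISP1": [("0.0.0.0/0", "eth1")],
    "ISP2": [("0.0.0.0/0", "eth2")],
}


@dataclass
class Rule:
    priority: int
    table: str
    iif: Optional[str] = None      # "lo" = locally generated, else ingress NIC
    dst: Optional[str] = None      # destination prefix
    fwmark: Optional[int] = None   # mark restored by Shorewall's `track`


@dataclass
class Packet:
    iif: str
    dst: str
    fwmark: int = 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iif is not None and rule.iif != pkt.iif:
        return False
    if rule.dst is not None and \
            ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.fwmark is not None and rule.fwmark != pkt.fwmark:
        return False
    return True


def lookup(table: str, dst: str) -> Optional[str]:
    """Longest-prefix match inside one table; None if the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(pkt: Packet, rules: List[Rule]) -> Tuple[Optional[str], Optional[int]]:
    """First rule (by priority) whose table routes the packet decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            dev = lookup(rule.table, pkt.dst)
            if dev is not None:
                return dev, rule.priority
    return None, None


# Rules Shorewall derives from the providers file (assumed priorities).
PROVIDER_RULES = [
    Rule(10000, "ISP1", fwmark=1),
    Rule(10000, "ISP2", fwmark=2),
    Rule(32766, "main"),
]

# route_rules from the first post: the production-site rules plus the two
# "generic traffic -> ISP1" rules that caused the problem.
SITE_RULES = [
    Rule(1002, "ISP2", iif="eth0", dst="1.1.1.0/24"),
    Rule(1003, "ISP2", iif="lo", dst="1.1.1.0/24"),
]
FORCED_RULES = [
    Rule(1005, "ISP1", iif="eth0"),
    Rule(1006, "ISP1", iif="lo"),
]

BROKEN = SITE_RULES + FORCED_RULES + PROVIDER_RULES
FIXED = SITE_RULES + PROVIDER_RULES

# Reply to a ping that arrived on eth2 (ISP2): locally generated, mark 2.
REPLY_VIA_ISP2 = Packet(iif="lo", dst="203.0.113.5", fwmark=2)


def main() -> None:
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        dev, prio = route(REPLY_VIA_ISP2, rules)
        print(f"{name}: reply to ISP2 client leaves via {dev} (rule {prio})")
    print("fixed: LAN -> prod site:", route(Packet("eth0", "1.1.1.10"), FIXED))
    print("fixed: LAN -> Internet:", route(Packet("eth0", "203.0.113.5"), FIXED))


if __name__ == "__main__":
    main()
```

With the forced rules in place the reply wins at priority 1006 and leaves through eth1 even though its conntrack mark says ISP2; once they are removed the fwmark rule at 10000 takes it back out eth2, and unmarked new connections fall through to the balanced default route in main. On a real firewall the equivalent check is `ip rule ls` (confirm nothing below the fwmark rules matches reply traffic) and `ip route get <client-ip> mark 2` for the ISP2 mark.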