Shorewall users - Nov 2008 - Multi-ISP problem: cannot reach my FW from one of the ISP

Hi

I using Shorewall 3.4.8 (quite old I know) and I set up a multi-ISP 
configuration, and it works nice, I can route part of the traffic (to our 
production site) through one ISP and the rest of the traffic through the other 
ISP. I''m doing this using route_rules, something like this:

eth0                    1.1.1.1/24       ISP2            1002
lo                      1.1.1.1/24       ISP2            1003
eth0                    -                       ISP1         1005
lo                      -                       ISP1         1006

and this is how my providers looks like
ISP1 1       1       main            eth1            172.10.1.1     
track,balance           eth0

ISP2    2       2       main            eth2            10.0.0.1    
track,balance           eth0

so assuming the IP are real :), if I try to connect to an IP of 1.1.1.1/24 I 
pass through ISP2, and if I try to connect to whatever public Internet IP it 
uses ISP1. Fine.

Now, the problem is that, even if  I open the icmp 8 for both providers (so, 
both ethX, I have one NIC for ISP, configured in interfaces), I can ping my 
external ISP1 IP only from the Internet and not from my production site, and 
viceversa, I can ping my ISP2 public IP only from my production site and not 
the Internet.
I''m absolutely sure that''s a routing problem, but I
can''t figure out how to
solve this.

Any help?

-- 
Davide Ferrari
Atrapalo.com System Administrator

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Davide Ferrari wrote:
> 
> Any help?
> 
Please see http://www.shorewall.net/support.htm#Guidelines for
instructions for reporting this type of problem.

And please to not obfuscate the details -- finding the solution to
networking problems is all about details.

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

On Friday 21 November 2008 16:40:26 Shorewall Geek
wrote:
> Davide Ferrari wrote:
> > Any help?
>
> Please see http://www.shorewall.net/support.htm#Guidelines for
> instructions for reporting this type of problem.
>
> And please to not obfuscate the details -- finding the solution to
> networking problems is all about details.
Hi,

I know that security through obscurity is not a big deal but really, there are 
details in a shorewall dump that I would like to not post to a public ML whose 
archives are indexed by Google...
May I mail you by private mail, or at least some way to get attachments not 
accesible by web archives?

Thank you for your help and for Shorewall and sorry 

-- 
Davide Ferrari
Atrapalo.com System Administrator

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

On Monday 24 November 2008 10:51:13 Davide Ferrari wrote:
> I know that security through obscurity is not a big deal but really, there
> are details in a shorewall dump that I would like to not post to a public
> ML whose archives are indexed by Google...
> May I mail you by private mail, or at least some way to get attachments not
> accesible by web archives?
Ok, thanks to the kind and insightful off-list help of Jerry Vonau, I managed 
to solve the problem.
The problem basically was that I had a route_rule forcing the
"generic" traffic
(aka the one not directed to my production site) to ISP1, which was as a side 
effect making impossible to establish any kind of connection between ISP2 and 
the rest of the world... because every request arriving to the firewall through 
ISP2 was answered through the ISP1 route... you see it :)
The solution was to modify the masq configuration and get rid of the 
route_rules forcing the generic traffic.
Now I have balanced generic traffic between ISP1 and ISP2 (I''ll fine
tune it with
traffing shaping) and the rest of the world can see my ISP2 public address (and 
my prod site can see ISP1 public IP as well).

Thank again to jerry for his great help and to the Shorewall devs in general 
for this great piece of software!

-- 
Davide Ferrari
Atrapalo.com System Administrator

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer''s
challenge
Build the coolest Linux based applications with Moblin SDK & win great
prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/