Hello,
I'm trying to set up an 8 port wan configuration (pptp+pppoe) with one
vlan trunk.
My internal networks are :
LAN(eth9): 10.0.0.0/16
VLAN10(eth9) 10.10.0.0/24
VLAN20(eth9) 10.20.0.0/24
VLAN30(eth9) 10.30.0.0/24
VLAN100(eth9) 10.100.0.0/24
I would like to post my configuration here since I haven't succeeded in doing
the following:
1. Communicate between VLANxx to LAN & outside.
2. Failover between interfaces, so if one goes down the other one goes up.
3. Routing based on device model (VLAN10 gateway will be ppp0 and in case of
failover it will jump to ppp1 for example)
post of my config files:
interfaces:
#NET
net0 ppp0 detect tcpflags,dhcp,routefilter,nosmurfs
net1 ppp1 detect tcpflags,dhcp,routefilter,nosmurfs
net2 ppp2 detect tcpflags,dhcp,routefilter,nosmurfs
net3 ppp3 detect tcpflags,dhcp,routefilter,nosmurfs
#WAN
wan0 eth0 detect tcpflags,routefilter,nosmurfs
wan1 eth1 detect tcpflags,routefilter,nosmurfs
wan2 eth2 detect tcpflags,routefilter,nosmurfs
wan3 eth3 detect tcpflags,routefilter,nosmurfs
dmz eth8 detect
# LOCAL
loc eth9 detect tcpflags,nosmurfs,detectnets
# VLAN
v10 vlan10 detect tcpflags,nosmurfs,detectnets
v20 vlan20 detect tcpflags,nosmurfs,detectnets
v30 vlan30 detect tcpflags,nosmurfs,detectnets
v100 vlan100 detect tcpflags,nosmurfs,detectnets
masq:
eth9 10.10.0.0/24
eth9 10.20.0.0/24
eth9 10.30.0.0/24
eth9 10.100.0.0/24
ppp0 vlan10
ppp1 vlan20
ppp2 vlan30
ppp3 vlan100
policy:
# on your firewall, change the loc to net policy to REJECT info.
v10 all ACCEPT info
v20 all ACCEPT info
v30 all ACCEPT info
v100 all ACCEPT info
wan0 all ACCEPT info
wan1 all ACCEPT info
wan2 all ACCEPT info
wan3 all ACCEPT info
loc all ACCEPT info
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'ULOG' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net0 ACCEPT info
$FW net1 ACCEPT info
$FW net2 ACCEPT info
$FW net3 ACCEPT info
$FW loc ACCEPT info
$FW all ACCEPT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
providers:
bzq1 1 1 main ppp0 - track,balance vlan10
bzq2 2 2 main ppp1 - track,balance vlan20
zhav1 3 3 main ppp2 - track,balance vlan30
netv1 4 4 main ppp3 - track,balance vlan100
rules:
SSH/ACCEPT all all
Ping/ACCEPT all all - - - - 1/sec:100
pptpserver net0 0.0.0.0/0
pptpserver net1 0.0.0.0/0
pptpserver net2 0.0.0.0/0
pptpserver net3 0.0.0.0/0
zones:
fw firewall
dmz ipv4
# NET
net0 ipv4
net1 ipv4
net2 ipv4
net3 ipv4
# WAN
wan0 ipv4
wan1 ipv4
wan2 ipv4
wan3 ipv4
# LOCAL
loc ipv4
v10 ipv4
v20 ipv4
v30 ipv4
v100 ipv4
Any help will be appreciated.
Thank you.