Hello,

I'm trying to set up an 8 port WAN configuration (pptp+pppoe) with one VLAN trunk. My internal networks are:

    LAN(eth9):    10.0.0.0/16
    VLAN10(eth9)  10.10.0.0/24
    VLAN20(eth9)  10.20.0.0/24
    VLAN30(eth9)  10.30.0.0/24
    VLAN100(eth9) 10.100.0.0/24

I would like to post my configuration here since I don't succeed in doing the following:

1. Communicate between VLANxx to LAN & outside.
2. Failover between interfaces, so if one goes down the other one goes up.
3. Routing based on device model (VLAN10 gateway will be ppp0 and in a case of failover it will jump to ppp1 for example).

Post of my config files:

interfaces:

    #NET
    net0 ppp0 detect tcpflags,dhcp,routefilter,nosmurfs
    net1 ppp1 detect tcpflags,dhcp,routefilter,nosmurfs
    net2 ppp2 detect tcpflags,dhcp,routefilter,nosmurfs
    net3 ppp3 detect tcpflags,dhcp,routefilter,nosmurfs
    #WAN
    wan0 eth0 detect tcpflags,routefilter,nosmurfs
    wan1 eth1 detect tcpflags,routefilter,nosmurfs
    wan2 eth2 detect tcpflags,routefilter,nosmurfs
    wan3 eth3 detect tcpflags,routefilter,nosmurfs
    dmz eth8 detect
    # LOCAL
    loc eth9 detect tcpflags,nosmurfs,detectnets
    # VLAN
    v10 vlan10 detect tcpflags,nosmurfs,detectnets
    v20 vlan20 detect tcpflags,nosmurfs,detectnets
    v30 vlan30 detect tcpflags,nosmurfs,detectnets
    v100 vlan100 detect tcpflags,nosmurfs,detectnets

masq:

    eth9 10.10.0.0/24
    eth9 10.20.0.0/24
    eth9 10.30.0.0/24
    eth9 10.100.0.0/24
    ppp0 vlan10
    ppp1 vlan20
    ppp2 vlan30
    ppp3 vlan100

policy:

    # on your firewall, change the loc to net policy to REJECT info.
    v10 all ACCEPT info
    v20 all ACCEPT info
    v30 all ACCEPT info
    v100 all ACCEPT info
    wan0 all ACCEPT info
    wan1 all ACCEPT info
    wan2 all ACCEPT info
    wan3 all ACCEPT info
    loc all ACCEPT info
    # Policies for traffic originating from the firewall ($FW)
    #
    # If you want open access to the Internet from your firewall, change the
    # $FW to net policy to ACCEPT and remove the 'ULOG' LOG LEVEL.
    # This may be useful if you run a proxy server on the firewall.
    $FW net0 ACCEPT info
    $FW net1 ACCEPT info
    $FW net2 ACCEPT info
    $FW net3 ACCEPT info
    $FW loc ACCEPT info
    $FW all ACCEPT info
    # THE FOLLOWING POLICY MUST BE LAST
    all all REJECT info

providers:

    bzq1 1 1 main ppp0 - track,balance vlan10
    bzq2 2 2 main ppp1 - track,balance vlan20
    zhav1 3 3 main ppp2 - track,balance vlan30
    netv1 4 4 main ppp3 - track,balance vlan100

rules:

    SSH/ACCEPT all all
    Ping/ACCEPT all all - - - - 1/sec:100
    pptpserver net0 0.0.0.0/0
    pptpserver net1 0.0.0.0/0
    pptpserver net2 0.0.0.0/0
    pptpserver net3 0.0.0.0/0

zones:

    fw firewall
    dmz ipv4
    # NET
    net0 ipv4
    net1 ipv4
    net2 ipv4
    net3 ipv4
    # WAN
    wan0 ipv4
    wan1 ipv4
    wan2 ipv4
    wan3 ipv4
    # LOCAL
    loc ipv4
    v10 ipv4
    v20 ipv4
    v30 ipv4
    v100 ipv4

Any help will be appreciated. Thank you.

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
Hi Tal,

I can only give a hint to your point 1:

1. Communicate between VLANxx to LAN & outside.

> providers:
>
> bzq1 1 1 main ppp0 - track,balance vlan10
> bzq2 2 2 main ppp1 - track,balance vlan20
> zhav1 3 3 main ppp2 - track,balance vlan30
> netv1 4 4 main ppp3 - track,balance vlan100

Your providers file is missing the other interfaces in the COPY option. So no routing rules are created for them.

    bzq1 1 1 main ppp0 - track,balance eth9,vlan10,vlan20,vlan30,vlan100
    bzq2 2 2 main ppp1 - track,balance eth9,vlan10,vlan20,vlan30,vlan100
    zhav1 3 3 main ppp2 - track,balance eth9,vlan10,vlan20,vlan30,vlan100
    netv1 4 4 main ppp3 - track,balance eth9,vlan10,vlan20,vlan30,vlan100

And why four different zones for net? In most cases all interfaces to providers should be in a common "net" zone.

    # NET
    net0 ipv4
    net1 ipv4
    net2 ipv4
    net3 ipv4

To give you further hints, we should know more about your system, for example routing rules. Please follow the guidelines at http://www.shorewall.net/support.htm#Guidelines .

Regards,

Christian
I think I happened upon a similar problem last night that this explanation solved for me :)

I had a loc zone on the vlan2 interface that had access to my net zone. I added the vlan3 interface and put it in a wifi zone, and put what I needed into interfaces, zone, masq, rules, etc. I could get traffic between local zones but could not get net access for some reason. It never occurred to me that I had to add something to providers to give the new interface/zone net access. Having never seen an example that listed more than one interface in the COPY field I thought the one I had set up initially was all I ever needed. Sure enough, as soon as I added vlan3 to the COPY field things started working exactly as I thought they should.

Just to make sure I have not done something foolish (as I often do), would a good explanation of the COPY field for most users be that it should contain a list of the interfaces that you would like to give internet access to?

Brad C

On Thu, Mar 5, 2009 at 3:05 AM, Christian Vieser <vieser@opti-serv.de> wrote:
> Hi Tal,
>
> I can only give a hint to your point 1:
>
> 1. Communicate between VLANxx to LAN & outside.
>> 
>> providers:
>>
>> bzq1 1 1 main ppp0 - track,balance vlan10
>> bzq2 2 2 main ppp1 - track,balance vlan20
>> zhav1 3 3 main ppp2 - track,balance vlan30
>> netv1 4 4 main ppp3 - track,balance vlan100
>
> Your providers file is missing the other interfaces in the COPY option.
> So no routing rules are created for them.
>
> bzq1 1 1 main ppp0 - track,balance eth9,vlan10,vlan20,vlan30,vlan100
> bzq2 2 2 main ppp1 - track,balance eth9,vlan10,vlan20,vlan30,vlan100
> zhav1 3 3 main ppp2 - track,balance eth9,vlan10,vlan20,vlan30,vlan100
> netv1 4 4 main ppp3 - track,balance eth9,vlan10,vlan20,vlan30,vlan100
>
> And why four different zones for net? In most cases all interfaces to
> providers should be in a common "net" zone.
>
> # NET
> net0 ipv4
> net1 ipv4
> net2 ipv4
> net3 ipv4
>
> To give you further hints, we should know more about your system, for
> example routing rules. Please follow the guidelines at
> http://www.shorewall.net/support.htm#Guidelines .
>
> Regards,
>
> Christian
Brad Clarke wrote:
> I think I happened upon a similar problem last night that this
> explanation solved for me :)
>
> I had a loc zone on the vlan2 interface that had access to my net
> zone. I added the vlan3 interface and put it in a wifi zone, and put
> what I needed into interfaces, zone, masq, rules, etc. I could get
> traffic between local zones but could not get net access for some
> reason. It never occurred to me that I had to add something to
> providers to give the new interface/zone net access. Having never seen
> an example that listed more than one interface in the COPY field I
> thought the one I had set up initially was all I ever needed. Sure
> enough, as soon as I added vlan3 to the COPY field things started
> working exactly as I thought they should.
>
> Just to make sure I have not done something foolish (as I often do),
> would a good explanation of the COPY field for most users be that it
> should contain a list of the interfaces that you would like to give
> internet access to?

I think that a better explanation is that it should include all interfaces that do not themselves have an entry in the providers file.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
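Tom's rule above lends itself to a quick consistency check before reloading the firewall. The following is an added example, not Shorewall's own code: it parses a providers file and an interfaces file (both constructed inline, in the shape of Tal's) and reports, per provider, the interfaces that should appear in COPY but do not. It assumes the Shorewall 4 column order NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY.

```python
"""Lint a Shorewall providers file against an interfaces file (added
example, not Shorewall's own code). Rule from the thread: each provider's
COPY column should list every interface that does not itself have a
providers entry. Assumed column layout (Shorewall 4):
NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY."""
from typing import Dict, List, Set

# Constructed sample in the shape of Tal's files: eth9 plus two VLANs
# behind two ppp providers; bzq1 deliberately omits eth9 and vlan20.
INTERFACES = """\
#ZONE INTERFACE BROADCAST OPTIONS
net0 ppp0 detect tcpflags,dhcp,routefilter,nosmurfs
net1 ppp1 detect tcpflags,dhcp,routefilter,nosmurfs
loc eth9 detect tcpflags,nosmurfs,detectnets
v10 vlan10 detect tcpflags,nosmurfs,detectnets
v20 vlan20 detect tcpflags,nosmurfs,detectnets
"""
PROVIDERS = """\
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
bzq1 1 1 main ppp0 - track,balance vlan10
bzq2 2 2 main ppp1 - track,balance eth9,vlan10,vlan20
"""

def parse_columns(text: str) -> List[List[str]]:
    """Whitespace-separated columns per line; '#' comments and blanks dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows

def interfaces(text: str) -> Set[str]:
    """Interface names (second column) from the interfaces file."""
    return {row[1] for row in parse_columns(text) if len(row) >= 2}

def providers(text: str) -> Dict[str, dict]:
    """Provider NAME -> its INTERFACE and the set of interfaces in COPY ('-' = none)."""
    result = {}
    for row in parse_columns(text):
        copy = set() if len(row) < 8 or row[7] == "-" else set(row[7].split(","))
        result[row[0]] = {"interface": row[4], "copy": copy}
    return result

def missing_copy(interfaces_text: str, providers_text: str) -> Dict[str, List[str]]:
    """Per provider, the non-provider interfaces absent from its COPY column."""
    provs = providers(providers_text)
    should_copy = interfaces(interfaces_text) - {p["interface"] for p in provs.values()}
    return {name: sorted(should_copy - p["copy"])
            for name, p in provs.items() if should_copy - p["copy"]}
```

Run against real files with `missing_copy(open("/etc/shorewall/interfaces").read(), open("/etc/shorewall/providers").read())`; an empty result means every non-provider interface is copied into every provider's routing table.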