Hi,

I have configured my router with 2 ppp interfaces (ppp0 and ppp1, connected to 2 ADSL connections), and Shorewall's "providers" file is configured like:

kocnet1 1 1 main ppp0 - track,balance,optional br0
kocnet2 2 2 main ppp1 - track,balance,optional br0

Both connections are masquerading the outgoing packets with their IP addresses:

br0 -> ppp0 (nat)
br0 -> ppp1 (nat)

It is working as expected.

I am running the vpnc package to start a VPN (Cisco) to my company. When vpnc is run, a new interface (tun0) is created and, because of its split tunnel feature, my Linux router receives some routes in its default routing table.

OK; now my problem begins:
How can I make my client on the br0 interface use the tun0 interface and connect to the servers which are in the received routes?

I must masquerade br0 to tun0, but I should also use the received routes as prioritized.

How can I do that?

Thanks.

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
Mekabe Ramein wrote:
> Hi,
>
> I have configured my router with 2 ppp interfaces (ppp0 and ppp1
> connected to 2 adsl connections)
> And Shorewall's "providers" file is configured like:
> kocnet1 1 1 main ppp0 - track,balance,optional br0
> kocnet2 2 2 main ppp1 - track,balance,optional br0
>
> Both connections are masquerading the outgoing packets with their IP
> addresses:
> br0-> ppp0 (nat)
> br0-> ppp1 (nat)
>
> It is working as expected.
>
> I am running vpnc package to start a vpn (Cisco) to my company. When vpnc
> is run, a new interface (tun0) is created and because of its split
> tunnel feature, my linux router receives some routes to its default
> routing table.
>
> Ok; now my problem begins:
> How can I make my client on the br0 interface use the tun0 interface and
> connect to the servers which are in the received routes ?
>
> I must masquerade br0 to tun0 but I should also use the received routes
> as prioritized.

Masquerading to tun0 works just like masquerading to any other device.

> How can I do that ?

Have you read the 'Multi-ISP and VPN' section of
http://www.shorewall.net/MultiISP.html?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi Tom,

In fact, prior to using Multi-ISP, masquerading to tun0 was working just fine.
But now it does not work. I guess because I can't use the injected routes (from the VPN) in the Linux main routing table.
Is that right?

According to 'Multi-ISP and VPN', I have to add the injected routes to the "route_rules" file manually. Is this what I should do?

But this file requires a "provider" field and I didn't define the tun0 interface as a provider.
How can I do that? Define it just like my 2 providers? But tun0 is not always active; I activate it when I need it.

Thanks.

On Sun, Apr 12, 2009 at 7:00 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> Masquerading to tun0 works just like masquerading to any other device.
>
> > How can I do that ?
>
> Have you read the 'Multi-ISP and VPN' section of
> http://www.shorewall.net/MultiISP.html?
>
> -Tom
Mekabe Ramein wrote:
> Hi Tom,
>
> In fact, prior to using Multi ISP, masquerading to Tun0 was working just
> fine.
> But now it does not work. I guess because I can't use the injected
> routes (from vpn) to the Linux main routing table.
> Is that right ?

Yes.

> According to 'Multi-ISP and VPN' , I have to add the injected routes to
> the "route_rules" file manually. Is this what I should do ?

That is an incredible question. You asked how to fix your problem. I referred you to the relevant part of the documentation. And now you are asking me if you really should follow that part of the documentation? Unbelievable!

> But this file requires a "provider" field and I didn't define the tun0
> interface as a provider.
> How can I do that ? Define it just like my 2 providers ? But tun0 is not
> active always; I activate it when I need.

Your 'tun0' device should not be mentioned in your providers file.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
What is really incredible is what you offer to me.
I am receiving around 30 routes each time I connect to the VPN, and the included routes may differ from time to time, because new servers may be added that are reachable through the VPN.
How can I enter them manually? Maybe I can add a few of them which are really urgent, but when I need to reach a new server I have to edit the conf again.

I like your way of dealing with questions. (?)
Please remember that everyone on the list is not as skilled as you are when it comes to iptables on Linux. If I were that skilled I wouldn't need Shorewall anyway; I'd write my own iptables script.
When I asked that question again, I had really not believed that this was the right way. Please keep in mind that everyone's brain is not working the same way as yours.

Also, I'd like to mention that I had read the Multi-ISP documentation before asking my question here. However, I couldn't understand what I really should do. That's the reason for my question.

Btw, is there a way to see the dynamic routes that are routed to each provider?

Thanks.

On Sun, Apr 12, 2009 at 11:01 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> > According to 'Multi-ISP and VPN' , I have to add the injected routes to
> > the "route_rules" file manually. Is this what I should do ?
>
> That is an incredible question. You asked how to fix your problem. I
> referred you to the relevant part of the documentation. And now you are
> asking me if you really should follow that part of the documentation?
> Unbelievable!
>
Mekabe Ramein wrote:
> What really incredible is what you offer to me.
> I am receiving around 30 routes each time I connect to VPN and included
> routes may differ from time to time, because new servers may be added
> that are reachable through VPN.
> How can I enter them manually ? Maybe I can add a few of them which are
> really urgent, but when I need to reach a new server I have to edit conf
> again.

Mekabe -- we only know the facts that you give us. Your initial report said "I have a VPN and it doesn't work since I moved to a Multi-ISP configuration". I pointed you to the solution to the problem that I had in that situation. Then you responded "Should I really do that?" What do you expect?

So let's do this the right way. Please forward the output of "shorewall dump" captured while the VPN is active. And please describe exactly what "doesn't work".

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
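The question a few messages up, "is there a way to see the dynamic routes that are routed to each provider?", and the earlier exchange about whether routes that vpnc injects into the main table are used at all, both come down to the order in which the kernel consults the policy-routing tables. The walk-through below is an added example and is not code from this thread, from Shorewall or from vpnc. It replays the kernel's lookup over constructed snapshots of `ip rule show` and `ip route show table <name>`: interface and provider names are taken from the providers file posted above, the rule priorities (999 for main, 10000 for the fwmark rules, 20000 for the source-address rules, 32767 for the balanced default) are the ones Shorewall's Multi-ISP documentation describes and must be checked against `ip rule show` on the real router, the provider gateways and the 192.0.2.10 internet host are documentation addresses standing in for real ones, and 195.87.232.0/24 is assumed to be one of the split-tunnel routes vpnc injects.

```python
"""Replay a Linux policy-routing lookup over snapshots of `ip rule` / `ip route`.

Added example for the two-provider + vpnc router discussed in this thread.
Everything below is CONSTRUCTED: rule priorities follow Shorewall's Multi-ISP
documentation (verify with `ip rule show`), addresses are documentation
ranges, and 195.87.232.0/24 stands in for a vpnc split-tunnel route.
"""
import ipaddress
import re

# Constructed `ip rule show` snapshot. With the 'balance' option Shorewall
# moves the default route out of main and into table 'default'.
IP_RULE_SHOW = """\
0:      from all lookup local
999:    from all lookup main
10000:  from all fwmark 0x1 lookup kocnet1
10000:  from all fwmark 0x2 lookup kocnet2
20000:  from 203.0.113.10 lookup kocnet1
20000:  from 198.51.100.20 lookup kocnet2
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed `ip route show table <name>` snapshots.
ROUTE_TABLES = {
    "main": """\
195.87.232.0/24 dev tun0  scope link
10.20.0.0/16 dev tun0  scope link
203.0.113.1 dev ppp0  proto kernel  scope link  src 203.0.113.10
198.51.100.1 dev ppp1  proto kernel  scope link  src 198.51.100.20
192.168.254.0/24 dev br0  proto kernel  scope link  src 192.168.254.254
""",
    "kocnet1": "default dev ppp0  scope link\n",
    "kocnet2": "default dev ppp1  scope link\n",
    "default": """\
default
        nexthop dev ppp0 weight 1
        nexthop dev ppp1 weight 1
""",
}

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from (?P<src>\S+)"
    r"(?: fwmark (?P<mark>0x[0-9a-f]+))? lookup (?P<table>\S+)$")


def parse_rules(text):
    """(priority, source network or None, fwmark or None, table), priority-sorted."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src = None if m["src"] == "all" else ipaddress.ip_network(m["src"], strict=False)
        mark = int(m["mark"], 16) if m["mark"] else None
        rules.append((int(m["prio"]), src, mark, m["table"]))
    return sorted(rules, key=lambda r: r[0])  # stable: equal priorities keep file order


def parse_table(text):
    """(prefix, [egress devices]); multipath 'nexthop' lines attach to the previous route."""
    routes = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "nexthop":
            routes[-1][1].append(tokens[tokens.index("dev") + 1])
            continue
        target = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        devs = [tokens[tokens.index("dev") + 1]] if "dev" in tokens else []
        routes.append((ipaddress.ip_network(target, strict=False), devs))
    return routes


def longest_match(routes, dst):
    best = None
    for prefix, devs in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, devs)
    return best


def route_lookup(src, dst, fwmark=0, rules_text=IP_RULE_SHOW, tables=ROUTE_TABLES):
    """Walk the rules in priority order; the first table holding a matching
    route wins. Returns (rule priority, table, egress devices) or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, rule_src, rule_mark, table in parse_rules(rules_text):
        if rule_src is not None and src_ip not in rule_src:
            continue
        if rule_mark is not None and fwmark != rule_mark:
            continue
        if table not in tables:  # 'local' is not part of the snapshot
            continue
        hit = longest_match(parse_table(tables[table]), dst_ip)
        if hit:
            return prio, table, hit[1]
    return None


if __name__ == "__main__":
    cases = [
        ("192.168.254.1", "195.87.232.7", 0),    # LAN client to a VPN-side server
        ("192.168.254.1", "195.87.232.7", 0x2),  # same flow, but 'track' marked it for kocnet2
        ("192.168.254.1", "192.0.2.10", 0x2),    # internet host, marked for kocnet2
        ("192.168.254.1", "192.0.2.10", 0),      # internet host, new unmarked connection
    ]
    for src, dst, mark in cases:
        print(f"{src} -> {dst} mark={mark:#x}: {route_lookup(src, dst, mark)}")
```

With these (assumed) priorities the injected tun0 routes in main are found at priority 999 before any provider table is consulted, so even a connection carrying a provider mark goes out tun0; only destinations with no route in main fall through to the fwmark rules or to the balanced default. On the real router the equivalent checks are `ip rule show`, `ip route show table <name>` for each table the rules name, and `ip route get <dest> from <client> iif br0`, which reports the table and device the kernel actually picks.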
Hi,

I've been observing my ip_conntrack_count for a while.
It never reaches the upper limit defined as 16384 in /proc/sys/net/ipv4/netfilter/ip_conntrack_max
The problem occurs when it is around 400-500.

So this does not seem to be related to the conntrack table being filled up.
But it is resolved with the "conntrack -F" command.
Very interesting. What else can I do to understand the nature of this problem?

Below you are referring to CONNLIMIT. I didn't define anything like that, but where is it being defined? Maybe it is defined by default.

I am desperately looking for help. This issue is really very disturbing.

Thanks for any replies.

Regards,
ilker

Re: [Shorewall-users] YNT: YNT: YNT: YNT: YNT: connection tracking problem
Tom Eastep
Mon, 06 Apr 2009 13:31:51 -0700

İlker Aktuna (Koç.net) wrote:
> So you are 100% sure that it's not caused by Shorewall or
> misconfiguration of it ?

Given that Shorewall is nothing but a configuration tool, problems where the firewall works for a while then stops working can't possibly be traced to Shorewall. Once 'shorewall start' has completed, there is no Shorewall code left running in your system at all.

Unless you are using CONNLIMIT, there isn't any way that I know of that Shorewall could be mis-configured such that your problem could be resolved by 'conntrack -F'.
İlker Aktuna (Koç.net) wrote:
> Hi,
>
> I've been observing my ip_conntrack_count for a while.
> It never reaches the upper limit defined as 16384 in
> /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> The problem occurs when it is around 400-500.
>
> So this does not seem to be related to conntrack table being filled up.
> But it is resolving with "conntrack -F" command.
> Very interesting. What else can I do to understand the nature of this
> problem ?

My only suggestion is that if you are loading the SIP helpers (which Shorewall does by default), then try NOT loading them. Others have reported problems with the modules but those problems usually consist of one-way audio. The modules are named nf_conntrack_sip and nf_nat_sip in current kernels; they were called ip_conntrack_nat and ip_nat_sip in earlier versions. See the DONT_LOAD option in shorewall.conf.

> Below you are referring to CONNLIMIT. I didn't define anything like that but
> where it is being defined ? Maybe it is defined by default.

No.

> I am desperately looking for help. This issue is really very disturbing.

I'm afraid that you are looking for help in the wrong place -- you need to be talking to the Netfilter developers on the netfilter-devel mailing list.

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi,

Thanks for your email.
How can I see the loaded modules?
And, where is the right address for the netfilter-development mailing list?

Thanks,
ilker

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, April 14, 2009 5:33 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] connection tracking problem

İlker Aktuna (Koç.net) wrote:
> Hi,
>
> I've been observing my ip_conntrack_count for a while.
> It never reaches the upper limit defined as 16384 in
> /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> The problem occurs when it is around 400-500.
>
> So this does not seem to be related to conntrack table being filled up.
> But it is resolving with "conntrack -F" command.
> Very interesting. What else can I do to understand the nature of this
> problem ?

My only suggestion is that if you are loading the SIP helpers (which Shorewall does by default), then try NOT loading them. Others have reported problems with the modules but those problems usually consist of one-way audio. The modules are named nf_conntrack_sip and nf_nat_sip in current kernels; they were called ip_conntrack_nat and ip_nat_sip in earlier versions. See the DONT_LOAD option in shorewall.conf.

> Below you are referring to CONNLIMIT. I didn't define anything like
> that but where it is being defined ? Maybe it is defined by default.

No.

> I am desperately looking for help. This issue is really very disturbing.

I'm afraid that you are looking for help in the wrong place -- you need to be talking to the Netfilter developers on the netfilter-devel mailing list.
İlker Aktuna (Koç.net) wrote:
> How can I see the loaded modules ?

lsmod

> And, where is the right address for netfilter-development mailing list ?

netfilter-devel@vger.kernel.org

The Linux Answer Man
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
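Before going to the netfilter-devel list with the conntrack problem above, it helps to know what the 400-500 entries actually are when the firewall stops passing traffic: which are stuck in UNREPLIED, which carry a helper (the SIP modules Tom mentions), and which provider mark (set by the 'track' option) they carry. The script below is an added example and is not code from this thread, from Shorewall or from conntrack-tools; it summarises a `conntrack -L` dump. The sample lines are constructed in the `conntrack -L` output format (the `helper=` field is printed by newer conntrack-tools; older versions do not show it), and the addresses (LAN 192.168.254.0/24, provider address 203.0.113.10, SIP peer 203.0.113.50, vpnc-assigned tunnel address 10.20.5.77) are hypothetical.

```python
"""Summarise a `conntrack -L` dump: states, UNREPLIED entries, helpers, marks.

Added example, not from the thread, Shorewall or conntrack-tools. SAMPLE is a
CONSTRUCTED dump in `conntrack -L` format with hypothetical addresses; the
`helper=` field only appears with newer conntrack-tools versions.
Run against a live box with: conntrack -L 2>/dev/null | python3 this.py
"""
import re
import sys
from collections import Counter

SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.254.1 dst=195.87.232.5 sport=51234 dport=443 packets=12 bytes=1800 src=195.87.232.5 dst=10.20.5.77 sport=443 dport=51234 packets=11 bytes=5200 [ASSURED] mark=1 use=1
tcp      6 86 SYN_SENT src=192.168.254.1 dst=192.0.2.10 sport=40001 dport=80 packets=3 bytes=180 [UNREPLIED] src=192.0.2.10 dst=203.0.113.10 sport=80 dport=40001 packets=0 bytes=0 mark=1 use=1
udp      17 170 src=192.168.254.7 dst=203.0.113.50 sport=5060 dport=5060 packets=40 bytes=9000 src=203.0.113.50 dst=203.0.113.10 sport=5060 dport=5060 packets=40 bytes=9100 [ASSURED] mark=2 helper=sip use=2
udp      17 28 src=192.168.254.7 dst=203.0.113.50 sport=16384 dport=16384 packets=900 bytes=140000 src=203.0.113.50 dst=203.0.113.10 sport=16384 dport=16384 packets=890 bytes=139000 [ASSURED] mark=2 use=1
udp      17 29 src=192.168.254.9 dst=192.168.254.254 sport=51000 dport=53 packets=1 bytes=60 [UNREPLIED] src=192.168.254.254 dst=192.168.254.9 sport=53 dport=51000 packets=0 bytes=0 mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
FLAG = re.compile(r"\[(\w+)\]")


def parse_entry(line):
    """One `conntrack -L` line -> dict. Columns: proto, protonum, timeout,
    [tcp state], then key=value pairs: original tuple first, reply tuple second."""
    tokens = line.split()
    proto = tokens[0]
    state = tokens[3] if proto == "tcp" else "-"   # only TCP prints a state column
    kvs = KV.findall(line)
    srcs = [v for k, v in kvs if k == "src"]
    dsts = [v for k, v in kvs if k == "dst"]
    fields = dict(kvs)           # mark/helper/use occur once, so no overwrite issue
    return {
        "proto": proto,
        "state": state,
        "timeout": int(tokens[2]),
        "orig": (srcs[0], dsts[0]),
        "reply": (srcs[1], dsts[1]),
        "flags": set(FLAG.findall(line)),
        "mark": int(fields.get("mark", "0")),
        "helper": fields.get("helper"),
    }


def summarize(dump):
    entries = [parse_entry(l) for l in dump.splitlines() if l.strip()]
    return {
        "total": len(entries),
        "by_state": Counter(f"{e['proto']}/{e['state']}" for e in entries),
        # never saw a reply: the usual face of "packets go out, nothing comes back"
        "unreplied": sum("UNREPLIED" in e["flags"] for e in entries),
        # the 'track' provider option stamps the connection mark; 0 = untracked/local
        "by_mark": Counter(e["mark"] for e in entries),
        "with_helper": Counter(e["helper"] for e in entries if e["helper"]),
        # reply destination differs from original source => SNAT/masquerade applied
        "masqueraded": sum(e["reply"][1] != e["orig"][0] for e in entries),
    }


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, value in summarize(dump).items():
        print(f"{key:12} {dict(value) if isinstance(value, Counter) else value}")
```

A pile of UNREPLIED entries for one destination, or entries with `helper=sip` whose timeouts never age out, narrows the problem far better than the raw count does. To see whether the SIP helpers Tom mentions are loaded, run `lsmod | grep -E 'nf_(conntrack|nat)_sip|ip_(conntrack|nat)_sip'`; if they are, Shorewall's DONT_LOAD setting in shorewall.conf keeps them out on the next `shorewall restart`.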
Hi,

Sorry for my late reply. I am sending the "shorewall dump" output as you requested.
In this state the Cisco VPN is connected and there is a tun0 interface. My LAN client 192.168.254.1 is trying to access an address at 195.87.232.X which is available through tun0. Unfortunately the client can't connect.

I hope it is clear enough.

Thanks,

Re: [Shorewall-users] 2 providers and 1 vpnc tunnel
Tom Eastep
Sun, 12 Apr 2009 13:50:21 -0700

Mekabe Ramein wrote:
> What really incredible is what you offer to me.
> I am receiving around 30 routes each time I connect to VPN and included
> routes may differ from time to time, because new servers may be added
> that are reachable through VPN.
> How can I enter them manually ? Maybe I can add a few of them which are
> really urgent, but when I need to reach a new server I have to edit conf
> again.

Mekabe -- we only know the facts that you give us. Your initial report said "I have a VPN and it doesn't work since I moved to a Multi-ISP configuration". I pointed you to the solution to the problem that I had in that situation. Then you responded "Should I really do that?" What do you expect?

So let's do this the right way. Please forward the output of "shorewall dump" captured while the VPN is active. And please describe exactly what "doesn't work".

Thanks,
-Tom
Mekabe Ramein wrote:
> Hi,
>
> Sorry for my late reply. I am sending the "shorewall dump" output as
> you requested.
> In this state Cisco VPN is connected and there is a tun0 interface. My
> LAN client 192.168.254.1 is trying to access an address at
> 195.87.232.X which is available through tun0. Unfortunately the client
> can't connect.
>
> I hope it is clear enough.

I don't see anything wrong with the Shorewall configuration. Packets are being sent out of tun0 but no packets are being received on tun0.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________