Hello,

I use Shorewall version 4.0.6.

Our LAN is composed of 2 subnetworks. One, 192.9.200.x, is "local",
directly connected to our firewall (192.9.200.200).
Access from this sub-LAN to the internet works fine (zone named "LAN"):
192.9.200.0 -> 192.9.200.200 (fw) -> NET

The other LAN is distant (10.44.40.0/24), connected through a WAN (local
router address is 192.9.200.100, remote router address is 10.44.40.250).
I've followed the "Routing on one interface" web page. I've added the
routes on both sides, and tested:

(remote LAN to router)    Ping from 10.44.40.105 to 10.44.40.250: OK
(remote LAN to LAN)       Ping from 10.44.40.105 to 192.9.200.150: OK
(remote LAN to firewall)  Ping from 10.44.40.105 to 192.9.200.200: OK
(firewall to remote LAN)  Ping from 192.9.200.200 to 10.44.40.105: OK
(LAN to internet)         Ping from 192.9.200.150 to www.google.fr: OK
(remote LAN to internet)  Ping from 10.44.40.105 to www.google.fr: NOK
(nslookup is fine)

Default route from 10.44.40.105 is 192.9.200.200
Static route from 10.44.40.105 to 192.9.*.* is 10.44.40.250
File zones (the column header identifies the file; it was labelled "RULES" in the post):
#ZONE   TYPE       OPTIONS    IN         OUT
#                             OPTIONS    OPTIONS
fw      firewall
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
lan     ipv4
net     ipv4
road    ipv4

File interfaces (labelled "ZONES" in the post):
#ZONE   INTERFACE   BROADCAST   OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
road    tun+
lan     eth0        detect      routeback
net     eth2        detect
netstat from firewall:

root@firewall:/etc/shorewall# netstat -rn
Kernel IP routing table
Destination      Gateway          Genmask          Flags  MSS Window  irtt Iface
10.8.1.2         0.0.0.0          255.255.255.255  UH       0 0          0 tun0
62.160.136.184   0.0.0.0          255.255.255.248  U        0 0          0 eth2
10.44.40.0       192.9.200.100    255.255.255.0    UG       0 0          0 eth0
10.8.1.0         10.8.1.2         255.255.255.0    UG       0 0          0 tun0
192.9.200.0      0.0.0.0          255.255.255.0    U        0 0          0 eth0
0.0.0.0          62.160.136.190   0.0.0.0          UG       0 0          0 eth2

root@firewall:/etc/shorewall# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:50:bf:06:78:69
          inet addr:192.9.200.200  Bcast:192.9.200.255  Mask:255.255.255.0
          inet6 addr: fe80::250:bfff:fe06:7869/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44191853 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36440307 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2210954261 (2.0 GB)  TX bytes:110852404 (105.7 MB)
          Interrupt:9 Base address:0xd400

root@firewall:/etc/shorewall# ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:0d:88:72:2b:e6
          inet addr:62.160.136.185  Bcast:62.160.136.191  Mask:255.255.255.248
          inet6 addr: fe80::20d:88ff:fe72:2be6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32992212 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23638157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4280032358 (3.9 GB)  TX bytes:612454004 (584.0 MB)
          Interrupt:9 Base address:0x2e00
Any idea what could be wrong? Is the default route = firewall correct
for the remote PCs? There aren't any "reject" entries in the firewall
logs. I think a route is missing somewhere. I don't want to have a
separate zone for each subnet, and as far as I have read the
documentation, I don't have to?

Thanks in advance for any help,
Regards,
Laurent Blin
------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
Tom Eastep
2009-Oct-12 19:33 UTC
Re: 2 subnets, 1 zone, can''t access internet from subnet
Laurent Blin wrote:
> Hello,
>
> I use Shorewall version 4.0.6.
>
> Our LAN is composed of 2 subnetworks. One 192.9.200.x is "local",
> directly connected to our firewall (192.9.200.200).
> Access from this sub-LAN to the internet works fine (zone named "LAN")
> 192.9.200.0 -> 192.9.200.200 (fw) -> NET
>
> The other LAN is distant (10.44.40.0/24), connected through a WAN (local
> router address is 192.9.200.100, remote router address is 10.44.40.250)
> I've followed the "Routing on one interface" web page. I've added the
> routes on both sides, and tested:
>
> (remote LAN to router) Ping from 10.44.40.105 to 10.44.40.250: OK
> (remote LAN to LAN) Ping from 10.44.40.105 to 192.9.200.150: OK
> (remote LAN to firewall) Ping from 10.44.40.105 to 192.9.200.200: OK
> (firewall to remote LAN): Ping from 192.9.200.200 to 10.44.40.105: OK
> (LAN to internet) Ping from 192.9.200.150 to www.google.fr: OK
> (remote LAN to internet): Ping from 10.44.40.105 to www.google.fr: NOK
> (nslookup is fine)

You need to masquerade 10.44.40.0/24 out of eth2.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Laurent Blin
2009-Oct-13 07:37 UTC
Re: 2 subnets, 1 zone, can''t access internet from subnet
On 12/10/2009 21:33, Tom Eastep wrote:
> Laurent Blin wrote:
>
>> (remote LAN to internet): Ping from 10.44.40.105 to www.google.fr: NOK
>> (nslookup is fine)
>>
> You need to masquerade 10.44.40.0/24 out of eth2.
>
> -Tom

Hello,
Here is my new masq file:

###############################################################################
#INTERFACE   SUBNET          ADDRESS   PROTO   PORT(S)   IPSEC
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
eth2         eth0
eth2         10.44.40.0/24
eth2         192.9.0.0/16

Shorewall has been restarted. But it still doesn't work. Ping from the
remote LAN to the internet still fails.
Yet, I still can't see any log on the firewall when I attempt to access
the internet from the remote LAN.

Any idea or any conf or log I could use?

Regards,
Laurent Blin
Jerry Vonau
2009-Oct-13 12:40 UTC
Re: 2 subnets, 1 zone, can''t access internet from subnet
On Tue, 2009-10-13 at 09:37 +0200, Laurent Blin wrote:
> On 12/10/2009 21:33, Tom Eastep wrote:
>> Laurent Blin wrote:
>>
>>> (remote LAN to internet): Ping from 10.44.40.105 to www.google.fr: NOK
>>> (nslookup is fine)
>>>
>> You need to masquerade 10.44.40.0/24 out of eth2.
>>
>> -Tom
>
> Hello,
> Here is my new masq file:
>
> ###############################################################################
> #INTERFACE   SUBNET          ADDRESS   PROTO   PORT(S)   IPSEC
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> eth2         eth0
> eth2         10.44.40.0/24
> eth2         192.9.0.0/16
>
> Shorewall has been restarted. But it still doesn't work. Ping from
> remote LAN to internet still fails
> Yet, I still can't see any log on the firewall when I attempt to access
> internet from the remote lan
>
> Any idea or any conf or log I could use?

Might want to move those new rules above
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

retest, if still not working please have a look at:

http://www.shorewall.net/support.htm#Guidelines

Jerry

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Laurent Blin
2009-Oct-13 13:43 UTC
Re: 2 subnets, 1 zone, can''t access internet from subnet
>> Here is my new masq file:
>>
>> ###############################################################################
>> #INTERFACE   SUBNET          ADDRESS   PROTO   PORT(S)   IPSEC
>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>> eth2         eth0
>> eth2         10.44.40.0/24
>> eth2         192.9.0.0/16
>>
>> Shorewall has been restarted. But it still doesn't work. Ping from
>> remote LAN to internet still fails
>> Yet, I still can't see any log on the firewall when I attempt to access
>> internet from the remote lan
>>
>> Any idea or any conf or log I could use?
>>
> Might want to move those new rules above
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> retest, if still not working please have a look at:
>
> http://www.shorewall.net/support.htm#Guidelines

Hello,

Still not better.
See attached dump file.

I try to access from 10.44.40.105 to www.google.fr (209.85.229.147).

Regards,
Laurent
Tom Eastep
2009-Oct-13 14:16 UTC
Re: 2 subnets, 1 zone, can''t access internet from subnet
Laurent Blin wrote:
>>>> Here is my new masq file:
>>>>
>>>> ###############################################################################
>>>> #INTERFACE   SUBNET          ADDRESS   PROTO   PORT(S)   IPSEC
>>>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>>> eth2         eth0
>>>> eth2         10.44.40.0/24
>>>> eth2         192.9.0.0/16
>>>>
>>>> Shorewall has been restarted. But it still doesn't work. Ping from
>>>> remote LAN to internet still fails
>>>> Yet, I still can't see any log on the firewall when I attempt to access
>>>> internet from the remote lan
>>>>
>>>> Any idea or any conf or log I could use?
>>>>
>>> Might want to move those new rules above
>>> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>>>
>>> retest, if still not working please have a look at:
>>>
>>> http://www.shorewall.net/support.htm#Guidelines
>
> Hello,
>
> Still not better.
> See attached dump file
>
> I try to access from 10.44.40.105 to www.google.fr - (209.85.229.147)

In your original post, you reported that:

> Default route from 10.44.40.105 is 192.9.200.200

192.9.200.200 is the IP address of eth0 on the firewall so that default
route is not possible unless the router at 192.9.200.100 is doing Proxy
ARP. I would think that the default route at 10.44.40.105 is rather via
10.44.40.250.

Try pinging 62.160.136.185 (IP address of eth2) from 10.44.40.105. I
suspect that won't work and indicates that the default route in the
router at 192.9.200.100 is not through 192.9.200.200.

-Tom
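The next-hop reasoning in Tom's reply (a host can only use a default gateway that sits on one of its own subnets) is easy to check mechanically. The following is a constructed model of the thread's topology, added here as an example; it is not code from the thread, from Shorewall or from any poster. It performs longest-prefix-match route lookup, applies the on-link check that an ARP-based host makes on its chosen gateway, and traces a packet from 10.44.40.105 towards 209.85.229.147 under the originally posted default route (192.9.200.200) and under the corrected one (10.44.40.250). Host and router addresses are the ones given in the posts; the point-to-point WAN addresses 172.16.0.1/30 and 172.16.0.2/30 between the two routers, and the local router's own route table, are assumptions because the posts do not show them.

```python
"""Routing model of the thread's topology (constructed example, not thread or Shorewall code).

Addresses come from the posts. The WAN link between the two routers is
modelled as 172.16.0.0/30 (assumed; the posts do not give its addresses).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class Node:
    """A host or router: its interface addresses plus a static routing table."""

    def __init__(self, name: str, ifaces: Dict[str, str],
                 routes: List[Tuple[str, Optional[str]]]) -> None:
        self.name = name
        # interface name -> address with prefix, e.g. "192.9.200.200/24"
        self.ifaces = {i: ipaddress.ip_interface(a) for i, a in ifaces.items()}
        # (destination prefix, gateway); gateway None means deliver on-link
        self.routes = [(ipaddress.ip_network(d),
                        ipaddress.ip_address(g) if g else None) for d, g in routes]

    def owns(self, addr) -> bool:
        return any(i.ip == addr for i in self.ifaces.values())

    def on_link(self, addr) -> bool:
        """True if addr lies in a directly connected subnet, i.e. ARP can resolve it."""
        return any(addr in i.network for i in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match. Returns the gateway, or None for on-link delivery."""
        matches = [(net, gw) for net, gw in self.routes if dst in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(nodes: Dict[str, Node], start: str, dst_ip: str, max_hops: int = 10) -> List[str]:
    """Follow next hops from `start` until a node owns dst, dst leaves the model, or the path breaks."""
    dst = ipaddress.ip_address(dst_ip)
    cur, path = nodes[start], [start]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path
        gw = cur.lookup(dst)
        target = dst if gw is None else gw
        # A host can only hand a packet to a gateway it can ARP for; this is
        # why "default via 192.9.200.200" cannot work from 10.44.40.105.
        if not cur.on_link(target):
            raise LookupError(f"{cur.name}: gateway {target} is not on any connected subnet")
        nxt = next((n for n in nodes.values() if n.owns(target)), None)
        if nxt is None:  # leaves the modelled network (e.g. the ISP router)
            return path + [f"external:{target}"]
        path.append(nxt.name)
        cur = nxt
    raise LookupError("hop limit exceeded (routing loop?)")


def build(pc_default_gw: str, remote_router_default_gw: str) -> Dict[str, Node]:
    """Topology from the thread; the two parameters are the routes under discussion."""
    fw = Node("firewall", {"eth0": "192.9.200.200/24", "eth2": "62.160.136.185/29"},
              [("10.44.40.0/24", "192.9.200.100"), ("192.9.200.0/24", None),
               ("62.160.136.184/29", None), ("0.0.0.0/0", "62.160.136.190")])
    # local router: LAN side 192.9.200.100 (from the post), WAN side assumed
    local_router = Node("local_router", {"lan": "192.9.200.100/24", "wan": "172.16.0.1/30"},
                        [("192.9.200.0/24", None), ("172.16.0.0/30", None),
                         ("10.44.40.0/24", "172.16.0.2"), ("0.0.0.0/0", "192.9.200.200")])
    # remote router: LAN side 10.44.40.250 (from the post), WAN side assumed
    remote_router = Node("remote_router", {"lan": "10.44.40.250/24", "wan": "172.16.0.2/30"},
                         [("10.44.40.0/24", None), ("172.16.0.0/30", None),
                          ("192.9.0.0/16", "172.16.0.1"), ("0.0.0.0/0", remote_router_default_gw)])
    pc = Node("pc105", {"eth0": "10.44.40.105/24"},
              [("10.44.40.0/24", None), ("192.9.0.0/16", "10.44.40.250"),
               ("0.0.0.0/0", pc_default_gw)])
    return {n.name: n for n in (fw, local_router, remote_router, pc)}


def explain(pc_default_gw: str, remote_router_default_gw: str, dst: str) -> str:
    """Render the forwarding path from 10.44.40.105, or the reason it breaks."""
    try:
        return " -> ".join(trace(build(pc_default_gw, remote_router_default_gw), "pc105", dst))
    except LookupError as err:
        return f"unreachable: {err}"


if __name__ == "__main__":
    # As originally posted: the PC's default route points straight at the firewall.
    print(explain("192.9.200.200", "172.16.0.1", "209.85.229.147"))
    # As corrected: PC -> remote router -> local router -> firewall -> ISP.
    print(explain("10.44.40.250", "172.16.0.1", "209.85.229.147"))
    # Tom's suggested test: ping the firewall's eth2 address from the remote LAN.
    print(explain("10.44.40.250", "172.16.0.1", "62.160.136.185"))
```

The model deliberately stops at the first gateway that is not on-link rather than inventing Proxy ARP, which is the one mechanism Tom names that would make the posted route work; if the local router really did proxy-ARP for 192.9.200.200 on the far side, the on-link check would have to be relaxed for that router. The same check applied to the remote router shows why its own default route must point at its WAN peer rather than directly at the firewall address.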
Laurent Blin
2009-Oct-22 14:51 UTC
Re: 2 subnets, 1 zone, can''t access internet from subnet
On 13/10/2009 16:16, Tom Eastep wrote:
> Laurent Blin wrote:
>
> In your original post, you reported that:
>
>> Default route from 10.44.40.105 is 192.9.200.200
>
> 192.9.200.200 is the IP address of eth0 on the firewall so that default
> route is not possible unless the router at 192.9.200.100 is doing Proxy
> ARP. I would think that the default route at 10.44.40.105 is rather via
> 10.44.40.250.

Thanks for your help. Indeed, the default route for the remote PC should
have been the local router, and the default route for the remote
router should have been the firewall.
It works better now.

regards,
Laurent Blin

> Try pinging 62.160.136.185 (IP address of eth2) from 10.44.40.105. I
> suspect that won't work and indicates that the default route in the
> router at 192.9.200.100 is not through 192.9.200.200.
>
> -Tom
--
Laurent BLIN
Responsable Informatique
email l.blin@isosel.fr
ISOSEL, ANCENIS
Tel 02 40 83 18 41 - Fax 02 40 83 19 75