I have a two-ISP setup that sends mail to another two-ISP firewall. For illustration I will call the firewall with the mail server in its DMZ, using proxy ARP, Firewall A. I will call the dependent firewall which sends mail to Firewall A, Firewall B. These two firewalls have an OpenVPN tunnel between them. Firewall B is loc:10.5.198.0/24.

What I would like to do is route any port 25 traffic from Firewall B through OpenVPN to Firewall A's mail server in its DMZ. I am thinking that Firewall A will know to reply to 10.5.198.0/24 (Firewall B) because of the entry in Firewall A's route rules entry below.

    - 10.5.198.0/24 main 1000

If this were possible, the statement below may make clear what I want to do. As a reminder, the mail server is in Firewall A's DMZ.

In tcrules, with eth1 local on Firewall B:

    tun4 eth1:<local subnet> <mail servers FQIP> tcp 25

I know the above won't work. What will?

Thanks
Mike

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
> I have a two-ISP setup that sends mail to another two-ISP firewall.
> For illustration I will call the firewall with the mail server in its DMZ, using proxy ARP,
> Firewall A. I will call the dependent firewall which sends mail to Firewall A, Firewall B.
> These two firewalls have an OpenVPN tunnel between them. Firewall B is loc:10.5.198.0/24.
> What I would like to do is route any port 25 traffic from Firewall B through OpenVPN
> to Firewall A's mail server in its DMZ.
> I am thinking that Firewall A will know to reply to 10.5.198.0/24 (Firewall B)
> because of the entry in Firewall A's route rules entry below.
> - 10.5.198.0/24 main 1000
>
> If this were possible, the statement below may make clear
> what I want to do. As a reminder, the mail server is in Firewall A's DMZ.
>
> In tcrules, with eth1 local on Firewall B:
>
> tun4 eth1:<local subnet> <mail servers FQIP> tcp 25
> I know the above won't work. What will?
>
> Thanks
> Mike

I just thought of this: instead of mangle tables, maybe just add this route?

    route add <65.42.53.203 mail server> 255.255.255.255 gw 172.16.1.2 (ip of firewall B tun)

Just thought someone on this list may have done this through Shorewall.

Not sure if routing

Mike
Mike Lander wrote:
>> I have a two-ISP setup that sends mail to another two-ISP firewall.
>> For illustration I will call the firewall with the mail server in its DMZ, using proxy ARP,
>> Firewall A. I will call the dependent firewall which sends mail to Firewall A, Firewall B.
>> These two firewalls have an OpenVPN tunnel between them. Firewall B is loc:10.5.198.0/24.
>> What I would like to do is route any port 25 traffic from Firewall B through OpenVPN
>> to Firewall A's mail server in its DMZ.
>> I am thinking that Firewall A will know to reply to 10.5.198.0/24 (Firewall B)
>> because of the entry in Firewall A's route rules entry below.
>> - 10.5.198.0/24 main 1000
>>
>> If this were possible, the statement below may make clear
>> what I want to do. As a reminder, the mail server is in Firewall A's DMZ.
>>
>> In tcrules, with eth1 local on Firewall B:
>>
>> tun4 eth1:<local subnet> <mail servers FQIP> tcp 25
>> I know the above won't work. What will?
>>
>> Thanks
>> Mike
>
> I just thought of this: instead of mangle tables, maybe just add this route?
> route add <65.42.53.203 mail server> 255.255.255.255 gw 172.16.1.2 (ip of firewall B tun)
> Just thought someone on this list may have done this through Shorewall.
>
> Not sure if routing

Without seeing the output of 'shorewall show routing', I won't even guess.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mike Lander wrote:
>> I have a two-ISP setup that sends mail to another two-ISP firewall.
>> For illustration I will call the firewall with the mail server in its DMZ, using proxy ARP,
>> Firewall A. I will call the dependent firewall which sends mail to Firewall A, Firewall B.
>> These two firewalls have an OpenVPN tunnel between them. Firewall B is loc:10.5.198.0/24.
>> What I would like to do is route any port 25 traffic from Firewall B through OpenVPN
>> to Firewall A's mail server in its DMZ.
>> I am thinking that Firewall A will know to reply to 10.5.198.0/24 (Firewall B)
>> because of the entry in Firewall A's route rules entry below.
>> - 10.5.198.0/24 main 1000
>>
>> If this were possible, the statement below may make clear
>> what I want to do. As a reminder, the mail server is in Firewall A's DMZ.
>>
>> In tcrules, with eth1 local on Firewall B:
>>
>> tun4 eth1:<local subnet> <mail servers FQIP> tcp 25
>> I know the above won't work. What will?
>>
>> Thanks
>> Mike
>
> I just thought of this: instead of mangle tables, maybe just add this route?
> route add <65.42.53.203 mail server> 255.255.255.255 gw 172.16.1.2 (ip of firewall B tun)
> Just thought someone on this list may have done this through Shorewall.

You want to establish that route in the OpenVPN configuration using the 'route' directive. Shorewall can't do anything for you since the OpenVPN tunnel isn't one of the provider interfaces.

-Tom
> Mike Lander wrote:
>>> I have a two-ISP setup that sends mail to another two-ISP firewall.
>>> For illustration I will call the firewall with the mail server in its DMZ, using proxy ARP,
>>> Firewall A. I will call the dependent firewall which sends mail to Firewall A, Firewall B.
>>> These two firewalls have an OpenVPN tunnel between them. Firewall B is loc:10.5.198.0/24.
>>> What I would like to do is route any port 25 traffic from Firewall B through OpenVPN
>>> to Firewall A's mail server in its DMZ.
>>> I am thinking that Firewall A will know to reply to 10.5.198.0/24 (Firewall B)
>>> because of the entry in Firewall A's route rules entry below.
>>> - 10.5.198.0/24 main 1000
>>>
>>> If this were possible, the statement below may make clear
>>> what I want to do. As a reminder, the mail server is in Firewall A's DMZ.
>>>
>>> In tcrules, with eth1 local on Firewall B:
>>>
>>> tun4 eth1:<local subnet> <mail servers FQIP> tcp 25
>>> I know the above won't work. What will?
>>>
>>> Thanks
>>> Mike
>>
>> I just thought of this: instead of mangle tables, maybe just add this route?
>> route add <65.42.53.203 mail server> 255.255.255.255 gw 172.16.1.2 (ip of firewall B tun)
>> Just thought someone on this list may have done this through Shorewall.
>
> You want to establish that route in the OpenVPN configuration using the
> 'route' directive. Shorewall can't do anything for you since the OpenVPN
> tunnel isn't one of the provider interfaces.

Fixed with

    route add -net <FQIP Mail Host IP> 255.255.255.255 gw $5

in my vpn.conf.

However, I had to adjust my <vpn> to <dmz> policies before it would work.

Is it good practice to add vpn in providers?

Thanks
Mike
Mike Lander wrote:
>> Mike Lander wrote:
>>>> I have a two-ISP setup that sends mail to another two-ISP firewall.
>>>> For illustration I will call the firewall with the mail server in its DMZ, using proxy ARP,
>>>> Firewall A. I will call the dependent firewall which sends mail to Firewall A, Firewall B.
>>>> These two firewalls have an OpenVPN tunnel between them. Firewall B is loc:10.5.198.0/24.
>>>> What I would like to do is route any port 25 traffic from Firewall B through OpenVPN
>>>> to Firewall A's mail server in its DMZ.
>>>> I am thinking that Firewall A will know to reply to 10.5.198.0/24 (Firewall B)
>>>> because of the entry in Firewall A's route rules entry below.
>>>> - 10.5.198.0/24 main 1000
>>>>
>>>> If this were possible, the statement below may make clear
>>>> what I want to do. As a reminder, the mail server is in Firewall A's DMZ.
>>>>
>>>> In tcrules, with eth1 local on Firewall B:
>>>>
>>>> tun4 eth1:<local subnet> <mail servers FQIP> tcp 25
>>>> I know the above won't work. What will?
>>>>
>>>> Thanks
>>>> Mike
>>>
>>> I just thought of this: instead of mangle tables, maybe just add this route?
>>> route add <65.42.53.203 mail server> 255.255.255.255 gw 172.16.1.2 (ip of firewall B tun)
>>> Just thought someone on this list may have done this through Shorewall.
>>
>> You want to establish that route in the OpenVPN configuration using the
>> 'route' directive. Shorewall can't do anything for you since the OpenVPN
>> tunnel isn't one of the provider interfaces.
>
> Fixed with route add -net <FQIP Mail Host IP> 255.255.255.255 gw $5
> in my vpn.conf
>
> However had to adjust my <vpn> to <dmz> policies before it would work.

You really need to modify your OpenVPN configuration to add the route. If the link goes down and then comes back up, the route will be gone unless you make OpenVPN configure it.

> Is it good practice to add vpn in providers?

Usually not.

-Tom
Keith Mitchell
2009-Oct-16 22:24 UTC
Shorewall is amazing! (New Multi-ISP and USE_DEFAULT_RT=Yes)
Wow. Just wow. Started using the new Shorewall Multi-ISP features and USE_DEFAULT_RT=Yes. Was totally confused when running "ip route" and seeing there was no default route any more!

Reading the instructions though, "ip rule ls" and "shorewall show routing" both were clear that my routes were still there (and everything worked)!

Question: I have an override in my tcrules for traffic with a certain destination to ride through a specific "provider". I see this reflected clearly in "ip rule ls" and to some extent in "shorewall show routing", but do I need to set up a specific hard route in the ...main?... table for that traffic to be directed via a specific interface?

I.e. tcrules as below:

    #MARK   SOURCE          DEST            PROTO   DEST     SOURCE   USER   TEST
    #                                               PORT(S)  PORT(S)
    256:P   192.168.1.0/24  10.254.0.4/24   all     -        -
    256:P   192.168.1.0/24  10.254.0.5/24   all     -        -
    #
    512:P   0.0.0.0/0
    512     $FW

I see the route exceptions in "ip rule ls", but no static route reflection in "ip route" or "shorewall show routing".

Is this the correct behavior?

--
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Work)
858-495-3540 (Fax)
Tom Eastep
2009-Oct-16 22:38 UTC
Re: Shorewall is amazing! (New Multi-ISP and USE_DEFAULT_RT=Yes)
Keith Mitchell wrote:
> Wow. Just wow. Started using the new Shorewall Multi-ISP features and
> USE_DEFAULT_RT=Yes. Was totally confused when running "ip route" and seeing
> there was no default route any more!
>
> Reading the instructions though, "ip rule ls" and "shorewall show routing"
> both were clear that my routes were still there (and everything worked)!
>
> Question: I have an override in my tcrules for traffic with a certain
> destination to ride through a specific "provider". I see this reflected
> clearly in "ip rule ls" and to some extent in "shorewall show routing", but
> do I need to set up a specific hard route in the ...main?... table for that
> traffic to be directed via a specific interface?
>
> I.e. tcrules as below:
>
> #MARK   SOURCE          DEST            PROTO   DEST     SOURCE   USER   TEST
> #                                               PORT(S)  PORT(S)
> 256:P   192.168.1.0/24  10.254.0.4/24   all     -        -
> 256:P   192.168.1.0/24  10.254.0.5/24   all     -        -
> #
> 512:P   0.0.0.0/0
> 512     $FW
>
> I see the route exceptions in "ip rule ls", but no static route reflection
> in "ip route" or "shorewall show routing".
>
> Is this the correct behavior?

Yes.

a) "shorewall show mangle" will show how the packets get marked.

b) "ip rule ls" (or "shorewall show routing") shows how marked packets are sent to a particular table.

c) The default route in the specified provider table is all that is needed.

-Tom
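Tom's three-step answer (mark in mangle, ip rule sends the marked packet to a provider table, that table's default route does the rest) and his earlier point in the OpenVPN thread (a plain route in the main table, which Shorewall consults at priority 1000, steers the SMTP traffic into the tunnel without any provider entry) can both be checked against a small model of the kernel's rule and table lookup. The block below is an added illustration written for this archive page, not Shorewall or OpenVPN code. The addresses 192.168.1.0/24, 10.254.0.x, 10.253.0.254, 10.5.198.0/24, 65.42.53.203 and 172.16.1.2 and the "main 1000" priority come from the two threads; the other rule priorities, the table names "fiber" and "default", the device names on the ISP side and the gateway 203.0.113.1 are assumed values.

```python
"""Toy model of the policy routing Shorewall Multi-ISP sets up (constructed
illustration, not Shorewall or OpenVPN code).  Steps from Tom's reply:
(a) mangle marks the packet, (b) an ip rule sends marked packets to a
provider table, (c) that table's default route picks the device.  Rule
priorities other than 'main 1000', table names and 203.0.113.1 are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network

@dataclass(frozen=True)
class Route:
    prefix: Net                    # Net("0.0.0.0/0") is a default route
    dev: str
    via: Optional[str] = None

@dataclass(frozen=True)
class Rule:                        # one 'ip rule' entry
    priority: int
    table: str
    fwmark: Optional[int] = None   # None matches any mark

@dataclass(frozen=True)
class MangleRule:                  # one tcrules line: MARK SOURCE DEST [DPORT]
    mark: int
    src: Net
    dst: Net
    dport: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    mark: int = 0

def mangle(pkt, tcrules):
    """Step (a): the first matching tcrules entry sets the packet mark."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for tr in tcrules:
        if s in tr.src and d in tr.dst and tr.dport in (None, pkt.dport):
            pkt.mark = tr.mark
            break
    return pkt.mark

def table_lookup(table, dst):
    """Longest-prefix match inside one routing table; None if no route."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in table if d in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def route(pkt, rules, tables):
    """Steps (b)+(c): walk rules by priority; first table with a route wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.fwmark is not None and rule.fwmark != pkt.mark:
            continue
        hit = table_lookup(tables[rule.table], pkt.dst)
        if hit is not None:
            return rule.table, hit.dev
    return None, None

def keith_scenario():
    """Mark 256 for 192.168.1.0/24 -> 10.254.0.0/24 as in Keith's tcrules.
    Returns (table, dev) for a marked and for an unmarked packet; main holds
    no route for 10.254.0.0/24, only the provider table's default is needed."""
    tcrules = [MangleRule(256, Net("192.168.1.0/24"), Net("10.254.0.0/24"))]
    tables = {
        # USE_DEFAULT_RT=Yes: main keeps connected routes only, no default
        "main": [Route(Net("192.168.1.0/24"), "eth0"),
                 Route(Net("10.253.0.0/24"), "eth1")],
        # provider table for the mark-256 link (name assumed; gateway from diagram)
        "fiber": [Route(Net("0.0.0.0/0"), "eth1", via="10.253.0.254")],
        # table holding the ISP default route (gateway is a placeholder)
        "default": [Route(Net("0.0.0.0/0"), "eth2", via="203.0.113.1")],
    }
    rules = [Rule(1000, "main"), Rule(10000, "fiber", fwmark=256),
             Rule(32765, "default")]
    marked = Packet("192.168.1.10", "10.254.0.4", 443)
    mangle(marked, tcrules)
    unmarked = Packet("192.168.1.10", "198.51.100.7", 443)
    mangle(unmarked, tcrules)
    return route(marked, rules, tables), route(unmarked, rules, tables)

def mike_scenario(tunnel_route_present):
    """Firewall B sending SMTP to the mail server in Firewall A's DMZ.
    The /32 via the tunnel gateway is what an OpenVPN 'route' directive
    installs in main; without it the packet falls through to the ISP default."""
    mail_host, tun_gw = "65.42.53.203", "172.16.1.2"   # from the thread
    main = [Route(Net("10.5.198.0/24"), "eth1")]        # loc on Firewall B
    if tunnel_route_present:
        main.append(Route(Net(mail_host + "/32"), "tun4", via=tun_gw))
    tables = {"main": main,   # ISP device name and gateway are assumed
              "default": [Route(Net("0.0.0.0/0"), "eth0", via="203.0.113.1")]}
    rules = [Rule(1000, "main"), Rule(32765, "default")]
    return route(Packet("10.5.198.20", mail_host, 25), rules, tables)

if __name__ == "__main__":
    print("Keith (marked, unmarked):", keith_scenario())
    print("Mike without tunnel route:", mike_scenario(False))
    print("Mike with tunnel route:   ", mike_scenario(True))
```

Running the file shows the marked packet leaving through the "fiber" table on eth1 while the unmarked one takes the ISP default, which is why "ip route" (the main table) never shows a static route for 10.254.0.0/24. The second scenario shows the same lookup order working in Mike's favour: once the /32 is in main, the priority-1000 rule wins before any provider table is consulted, and Tom's remark that the route must be installed by OpenVPN itself follows from the fact that a route tied to tun4 disappears with the interface.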
>> Mike Lander wrote:
>>>> I have a two-ISP setup that sends mail to another two-ISP firewall.
>>>> For illustration I will call the firewall with the mail server in its DMZ, using proxy ARP,
>>>> Firewall A. I will call the dependent firewall which sends mail to Firewall A, Firewall B.
>>>> These two firewalls have an OpenVPN tunnel between them. Firewall B is loc:10.5.198.0/24.
>>>> What I would like to do is route any port 25 traffic from Firewall B through OpenVPN
>>>> to Firewall A's mail server in its DMZ.
>>>> I am thinking that Firewall A will know to reply to 10.5.198.0/24 (Firewall B)
>>>> because of the entry in Firewall A's route rules entry below.
>>>> - 10.5.198.0/24 main 1000
>>>>
>>>> If this were possible, the statement below may make clear
>>>> what I want to do. As a reminder, the mail server is in Firewall A's DMZ.
>>>>
>>>> In tcrules, with eth1 local on Firewall B:
>>>>
>>>> tun4 eth1:<local subnet> <mail servers FQIP> tcp 25
>>>> I know the above won't work. What will?
>>>>
>>>> Thanks
>>>> Mike
>>>
>>> I just thought of this: instead of mangle tables, maybe just add this route?
>>> route add <65.42.53.203 mail server> 255.255.255.255 gw 172.16.1.2 (ip of firewall B tun)
>>> Just thought someone on this list may have done this through Shorewall.
>>
>> You want to establish that route in the OpenVPN configuration using the
>> 'route' directive. Shorewall can't do anything for you since the OpenVPN
>> tunnel isn't one of the provider interfaces.
>
> Fixed with route add -net <FQIP Mail Host IP> 255.255.255.255 gw $5
> in my vpn.conf
>
> However had to adjust my <vpn> to <dmz> policies before it would work.
>
> Is it good practice to add vpn in providers?
>
> Thanks

< usually not
Tom

Thought I would wrap this up and tell the results came out very successful.

Now I found the offending machines in Firewall B that were sending spam out, I suspect from a virus or trojan. This way the mail is more secure, and the mail server logs the NATed IP so you can tell what's going on when you have mail from different networks using your mail server. I just monitor their firewall; their admins now have to find the offensive machines.

Thank you,
Mike
Keith Mitchell
2009-Oct-17 05:06 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part A
I'm trying to connect a branch office to my main office.

I have data and voice that need to flow between the branch office and the main one.

I have a VPN setup for the data, and a dedicated fiber trunk between the two offices.

I thought I'd try to use the Multi-ISP setup to help segment the traffic, but I have run into a stupid.

    eth1 - 10.253.0.1 eth3 -
    10.253.0.254 eth0
    /-----------------------\ eth0
    192.168.1.1/24 --- Office A - - Office B ---
    10.254.0.1/24
    \---------vpn-----------/
    eth2 eth2

Shorewall is working in both offices, as well as the VPN. I can ping across the VPN between the offices as well.

I can also ping bilaterally between eth1 in Office A and eth3 in Office B.

I cannot, however, ping the private subnets in either office through the fiber tunnel, although (I think) I have the masq files set up correctly on both sides. I don't see errors in the syslog when I try this ping, which leads me to a routing or masq error, but I've tried several different stabs at the masq and tc* files, as well as static routes in an attempt to overcome the error.

I know I'm doing it wrong. I probably also know after getting this far into it that this may not be the best way to flow this traffic.

I've attached shorewall dumps from both sides of the tunnel(s). If someone could point me in the right direction, I'd greatly appreciate it, as I have no local binary speakers I can bounce this off of.

Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
Keith Mitchell
2009-Oct-17 05:07 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part B
Part B, as attachments were too big.

Keith Mitchell
Keith Mitchell
2009-Oct-17 05:15 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Sigh. Fixed my pretty little ASCII art.

                     eth1 - 10.253.0.1         eth3 - 10.253.0.254
          eth0              /-----------------------\              eth0
    192.168.1.1/24 --- Office A -                 - Office B --- 10.254.0.1/24
                            \---------vpn-----------/
                          eth2                   eth2

Keith Mitchell
Christ Schlacta
2009-Oct-17 05:50 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part A
If you have dedicated fiber, why are you bothering with the overhead of VPN as well?

Keith Mitchell wrote:
> I'm trying to connect a branch office to my main office.
>
> I have data and voice that need to flow between the branch office and
> the main one.
>
> I have a VPN setup for the data, and a dedicated fiber trunk between the
> two offices.
>
> I thought I'd try to use the Multi-ISP setup to help segment the
> traffic, but I have run into a stupid.
>
> eth1 - 10.253.0.1 eth3 -
> 10.253.0.254 eth0
> /-----------------------\ eth0
> 192.168.1.1/24 --- Office A - - Office B ---
> 10.254.0.1/24
> \---------vpn-----------/
> eth2 eth2
>
> Shorewall is working in both offices, as well as the VPN. I can ping
> across the VPN between the offices as well.
>
> I can also ping bilaterally between eth1 in Office A and eth3 in Office B.
>
> I cannot, however, ping the private subnets in either office through the
> fiber tunnel, although (I think) I have the masq files set up correctly
> on both sides. I don't see errors in the syslog when I try this ping,
> which leads me to a routing or masq error, but I've tried several
> different stabs at the masq and tc* files, as well as static routes in
> an attempt to overcome the error.
>
> I know I'm doing it wrong. I probably also know after getting this far
> into it that this may not be the best way to flow this traffic.
>
> I've attached shorewall dumps from both sides of the tunnel(s). If
> someone could point me in the right direction, I'd greatly appreciate
> it, as I have no local binary speakers I can bounce this off of.
>
> Keith Mitchell
Christ Schlacta wrote:
> If you have dedicated fiber, why are you bothering with the overhead of
> VPN as well?

Probably an IPSec tunnel to encrypt the data? Just a guess.
Keith Mitchell
2009-Oct-17 07:12 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part A
Actually neither. The fiber is bandwidth-limited. It's a 6mb symmetrical, point-to-point switched fiber circuit (called t-lan by the vendor).

Keith Mitchell

Larry wrote:
> Christ Schlacta wrote:
>> If you have dedicated fiber, why are you bothering with the overhead
>> of VPN as well?
>
> Probably an IPSec tunnel to encrypt the data? Just a guess.
Tom Eastep
2009-Oct-17 14:16 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part A
Keith Mitchell wrote:
> I'm trying to connect a branch office to my main office.
>
> I have data and voice that need to flow between the branch office and
> the main one.
>
> I have a VPN setup for the data, and a dedicated fiber trunk between the
> two offices.
>
> I thought I'd try to use the Multi-ISP setup to help segment the
> traffic, but I have run into a stupid.
>
> eth1 - 10.253.0.1 eth3 -
> 10.253.0.254 eth0
> /-----------------------\ eth0
> 192.168.1.1/24 --- Office A - - Office B ---
> 10.254.0.1/24
> \---------vpn-----------/
> eth2 eth2
>
> Shorewall is working in both offices, as well as the VPN. I can ping
> across the VPN between the offices as well.
>
> I can also ping bilaterally between eth1 in Office A and eth3 in Office B.
>
> I cannot, however, ping the private subnets in either office through the
> fiber tunnel, although (I think) I have the masq files set up correctly
> on both sides. I don't see errors in the syslog when I try this ping,
> which leads me to a routing or masq error, but I've tried several
> different stabs at the masq and tc* files, as well as static routes in
> an attempt to overcome the error.
>
> I know I'm doing it wrong. I probably also know after getting this far
> into it that this may not be the best way to flow this traffic.
>
> I've attached shorewall dumps from both sides of the tunnel(s). If
> someone could point me in the right direction, I'd greatly appreciate
> it, as I have no local binary speakers I can bounce this off of.

The attached archive is corrupted so there are no dumps to look at.

Also, given your above description (with mangled ASCII art), I don't understand how you thought that Multi-ISP would help you.

-Tom
Tom Eastep
2009-Oct-17 14:29 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part A
Tom Eastep wrote:
> Keith Mitchell wrote:
>> I'm trying to connect a branch office to my main office.
>>
>> I have data and voice that need to flow between the branch office and
>> the main one.
>>
>> I have a VPN setup for the data, and a dedicated fiber trunk between the
>> two offices.
>>
>> I thought I'd try to use the Multi-ISP setup to help segment the
>> traffic, but I have run into a stupid.
>>
>> eth1 - 10.253.0.1 eth3 -
>> 10.253.0.254 eth0
>> /-----------------------\ eth0
>> 192.168.1.1/24 --- Office A - - Office B ---
>> 10.254.0.1/24
>> \---------vpn-----------/
>> eth2 eth2
>>
>> Shorewall is working in both offices, as well as the VPN. I can ping
>> across the VPN between the offices as well.
>>
>> I can also ping bilaterally between eth1 in Office A and eth3 in Office B.
>>
>> I cannot, however, ping the private subnets in either office through the
>> fiber tunnel, although (I think) I have the masq files set up correctly
>> on both sides. I don't see errors in the syslog when I try this ping,
>> which leads me to a routing or masq error, but I've tried several
>> different stabs at the masq and tc* files, as well as static routes in
>> an attempt to overcome the error.
>>
>> I know I'm doing it wrong. I probably also know after getting this far
>> into it that this may not be the best way to flow this traffic.
>>
>> I've attached shorewall dumps from both sides of the tunnel(s). If
>> someone could point me in the right direction, I'd greatly appreciate
>> it, as I have no local binary speakers I can bounce this off of.
>
> The attached archive is corrupted so there are no dumps to look at.

My bad -- it is the networkb archive that you forwarded separately that I cannot extract from.

-Tom
Tom Eastep
2009-Oct-17 14:46 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Keith Mitchell wrote:
> Sigh. Fixed my pretty little ascii art.
>
>             eth1 - 10.253.0.1           eth3 - 10.253.0.254
>       eth0        /-----------------------\        eth0
> 192.168.1.1/24 --- Office A                Office B --- 10.254.0.1/24
>                   \---------vpn-----------/
>                 eth2                     eth2

Okay -- let's back up a minute.

When you say 'vpn', what exactly do you mean?

I only have access to the 'shorewall dump' information from Office A but I can see that there are a number of IPSEC SPs (and SAs); is THAT what you mean by 'vpn'?

And you say:

> I cannot, however, ping the private subnets in either office through
> the fiber tunnel

Please give me an example; source address, destination address and what you see.

And a fresh copy of the 'shorewall dump' output from Office B would be helpful.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Keith Mitchell
2009-Oct-17 16:46 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Tom Eastep wrote:
> Keith Mitchell wrote:
>
>> Sigh. Fixed my pretty little ascii art.
>>
>>             eth1 - 10.253.0.1           eth3 - 10.253.0.254
>>       eth0        /-----------------------\        eth0
>> 192.168.1.1/24 --- Office A                Office B --- 10.254.0.1/24
>>                   \---------vpn-----------/
>>                 eth2                     eth2
>>
>
> Okay -- let's back up a minute.
>
> When you say 'vpn', what exactly do you mean?
>
> I only have access to the 'shorewall dump' information from Office A but
> I can see that there are a number of IPSEC SPs (and SAs); is THAT what
> you mean by 'vpn'?
>
> And you say:
>
>> I cannot, however, ping the private subnets in either office through
>> the fiber tunnel
>
> Please give me an example; source address, destination address and what
> you see.
>
> And a fresh copy of the 'shorewall dump' output from Office B would be
> helpful.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Sorry about that. My brain was a little fried last night.

Here's the networkb uncorrupted.

Yes, the vpn is an ipsec vpn. It works fine thanks to your excellent documentation and openswan.

If I do a "ping -I eth1 10.254.0.x" (any address) from the network a firewall, I get no return and nothing in the syslogs. A ping -I eth1 10.253.0.254 gets a return.

Likewise, a "ping -I eth3 192.168.1.x" (any address) from the network b firewall gives no return and nothing in syslogs. A ping -I eth3 10.253.0.1 gets a return.

If I run a tracert from inside network a to one of the IP's I'm trying to direct through the 10.253.0.0 tlan (10.254.0.4 or 10.254.0.5), the return clearly shows the traffic traversed via the vpn and not the tlan.

C:\>tracert asterisk

Tracing route to asterisk.paisd.com [10.254.0.4]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  linus-int.paisd.com [192.168.1.1]
  2     3 ms     2 ms     2 ms  firewall.paisd.com [10.254.0.1]
  3     3 ms     2 ms     2 ms  asterisk.paisd.com [10.254.0.4]

Trace complete.

I would suspect that a correct traversal would include the 10.253.0 addresses in the tracert values. If I take the ipsec VPN down, the tracert above fails.

The first two sentences point me towards a masq'ing problem. The second points me to a marking or routing problem. It could be that trying to use multi-isp setup to do this could be trying to put the square peg in the round hole.

--
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
Tom Eastep
2009-Oct-17 17:17 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Keith Mitchell wrote:
> Sorry about that. My brain was a little fried last night.
>
> Here's the networkb uncorrupted.
>
> Yes, the vpn is an ipsec vpn. It works fine thanks to your excellent
> documentation and openswan.
>
> If I do a "ping -I eth1 10.254.0.x" (any address) from the network

Keith -- I'm sorry but I have neither the time nor the energy to solve puzzles; technical problems are hard enough without having to decode nebulous terms like "the network". Please give me the IP address of the host you were pinging from.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Keith Mitchell
2009-Oct-17 17:36 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Tom Eastep wrote:
> Keith Mitchell wrote:
>
>> Sorry about that. My brain was a little fried last night.
>>
>> Here's the networkb uncorrupted.
>>
>> Yes, the vpn is an ipsec vpn. It works fine thanks to your excellent
>> documentation and openswan.
>>
>> If I do a "ping -I eth1 10.254.0.x" (any address) from the network
>
> Keith -- I'm sorry but I have neither the time nor the energy to solve
> puzzles; technical problems are hard enough without having to decode
> nebulous terms like "the network". Please give me the IP address of the
> host you were pinging from
>
> -Tom

Sorry. That should read "Office A Firewall Host" and "Office B Firewall Host".

If I do a "ping -I eth1 10.254.0.x" (any address on that subnet) from the Office A Firewall Host (source IP 10.253.0.1), I get no return and nothing in the syslogs. A ping -I eth1 10.253.0.254 gets a return.

Likewise, a "ping -I eth3 192.168.1.x" (any address on that subnet) from the Office B Firewall Host (source IP 10.253.0.254) gives no return and nothing in syslogs. A ping -I eth3 10.253.0.1 gets a return.

If I run a tracert from inside the Office A Network (192.168.1.x) to one of the IP's I'm trying to direct through the 10.253.0.0 tlan (10.254.0.4 or 10.254.0.5), the return clearly shows the traffic traversed via the vpn and not the tlan. (Source IP in the example below was 192.168.1.169)

C:\>tracert asterisk

Tracing route to asterisk.paisd.com [10.254.0.4]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  linus-int.paisd.com [192.168.1.1]
  2     3 ms     2 ms     2 ms  firewall.paisd.com [10.254.0.1]
  3     3 ms     2 ms     2 ms  asterisk.paisd.com [10.254.0.4]

Trace complete.

--
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
Tom Eastep
2009-Oct-17 19:30 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Keith Mitchell wrote:
> Sorry. That should read "Office A Firewall Host" and "Office B Firewall
> Host"
>
> If I do a "ping -I eth1 10.254.0.x" (any address on that subnet) from
> the Office A Firewall Host (source IP 10.253.0.1), I get no return and
> nothing in the syslogs. A ping -I eth1 10.253.0.254 gets a return.

You are marking all traffic originating on either firewall with mark value 0x200.

From your rules:

10001:  from all fwmark 0x200 lookup SKY

And:

Table SKY:

66.146.173.97 dev eth2  scope link  src 66.146.173.98
default via 66.146.173.97 dev eth2  src 66.146.173.98

Now:

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 198K   42M eth2_out   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

You have no SP for traffic from 10.253.0.1->10.254.0.* -- so:

Chain eth2_out (1 references)
 pkts bytes target     prot opt in     out     source               destination
 196K   42M fw2net     all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none

Which accepts ping.

But now:

Nat Table:

Chain eth2_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
32532 2407K SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none to:66.146.173.98

So these pings will be sent with source 66.146.173.98.

On the other end:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
...
 104K   23M eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
26516 4848K net_frwd   all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir in pol none

Chain net_frwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
...
26516 4848K net2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none

net2loc doesn't accept ping.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Tom Eastep
2009-Oct-17 20:37 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Tom Eastep wrote:
> Keith Mitchell wrote:
>
>> Sorry. That should read "Office A Firewall Host" and "Office B Firewall
>> Host"
>
>> If I do a "ping -I eth1 10.254.0.x" (any address on that subnet) from
>> the Office A Firewall Host (source IP 10.253.0.1), I get no return and
>> nothing in the syslogs. A ping -I eth1 10.253.0.254 gets a return.
>
> You are marking all traffic originating on either firewall with mark
> value 0x200.
>
> From your rules:
>
> 10001:  from all fwmark 0x200 lookup SKY
>
> And:
>
> Table SKY:
>
> 66.146.173.97 dev eth2  scope link  src 66.146.173.98
> default via 66.146.173.97 dev eth2  src 66.146.173.98
>
> Now:
>
> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>  198K   42M eth2_out   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
>
> You have no SP for traffic from 10.253.0.1->10.254.0.* -- so:
>
> Chain eth2_out (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  196K   42M fw2net     all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
>
> Which accepts ping.
>
> But now:
>
> Nat Table:
>
> Chain eth2_masq (1 references)
>  pkts bytes target     prot opt in     out     source               destination
> 32532 2407K SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none to:66.146.173.98
>
> So these pings will be sent with source 66.146.173.98.

There is no IPSEC SP for 66.146.173.98->10.254.0.*

> On the other end:

Sorry -- I was somehow thinking you were pinging a host in the Office B local net. But that doesn't matter, I don't believe, since you are sending packets over the internet with an RFC 1918 destination IP address.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Keith Mitchell
2009-Oct-17 20:56 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Tom Eastep wrote:
> Tom Eastep wrote:
>
>> Keith Mitchell wrote:
>>
>>> Sorry. That should read "Office A Firewall Host" and "Office B Firewall
>>> Host"
>>>
>>> If I do a "ping -I eth1 10.254.0.x" (any address on that subnet) from
>>> the Office A Firewall Host (source IP 10.253.0.1), I get no return and
>>> nothing in the syslogs. A ping -I eth1 10.253.0.254 gets a return.
>>>
>> You are marking all traffic originating on either firewall with mark
>> value 0x200.
>>
>> From your rules:
>>
>> 10001:  from all fwmark 0x200 lookup SKY
>>
>> And:
>>
>> Table SKY:
>>
>> 66.146.173.97 dev eth2  scope link  src 66.146.173.98
>> default via 66.146.173.97 dev eth2  src 66.146.173.98
>>
>> Now:
>>
>> Chain OUTPUT (policy DROP 0 packets, 0 bytes)
>>  pkts bytes target     prot opt in     out     source               destination
>>  198K   42M eth2_out   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
>>
>> You have no SP for traffic from 10.253.0.1->10.254.0.* -- so:
>>
>> Chain eth2_out (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>  196K   42M fw2net     all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
>>
>> Which accepts ping.
>>
>> But now:
>>
>> Nat Table:
>>
>> Chain eth2_masq (1 references)
>>  pkts bytes target     prot opt in     out     source               destination
>> 32532 2407K SNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none to:66.146.173.98
>>
>> So these pings will be sent with source 66.146.173.98.
>>
>
> There is no IPSEC SP for 66.146.173.98->10.254.0.*
>
>> On the other end:
>>
>
> Sorry -- I was somehow thinking you were pinging a host in the Office B
> local net. But that doesn't matter, I don't believe, since you are
> sending packets over the internet with an RFC 1918 destination IP address.
>
> -Tom

I think I get it. So for starters, I need to take the firewall rules out of the tcrules and route_rules files to make sure the firewall(s) can direct traffic appropriately. (remove the LO lines from the route_rules and / or the "512 $FW" lines from the tcrules).

I'm assuming that should clear up the routing issue also, and then I just have to setup a policy or ruleset to allow the tlan (10.253.0.0) to ping into the private net(s) if desired, otherwise the NAT will be working so packets should flow correctly.

--
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
Tom Eastep
2009-Oct-17 21:09 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Keith Mitchell wrote:
> I think I get it. So for starters, I need to take the firewall rules
> out of the tcrules and route_rules files to make sure the firewall(s)
> can direct traffic appropriately.

> (remove the LO lines from the route_rules and / or the "512 $FW"
> lines from the tcrules).

> I'm assuming that should clear up the routing issue also, and then I
> just have to setup a policy or ruleset to allow the tlan (10.253.0.0) to
> ping into the private net(s) if desired, otherwise the NAT will be
> working so packets should flow correctly.

Keith,

Since the point when you hijacked Mike Lander's thread, you have not explained exactly what you are trying to accomplish. I have explained to you what is happening but I can't tell you how to fix it until you explain to us what you want to have happen.

Until we know that, we can't advise you about a fix until we understand the problem being solved.

-Tom

PS -- I assume that the "fiber tunnel" (your term) is the 10.253.0.* net?

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Keith Mitchell
2009-Oct-17 21:48 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Tom Eastep wrote:
> Keith,
>
> Since the point when you hijacked Mike Lander's thread, you have not
> explained exactly what you are trying to accomplish. I have explained to
> you what is happening but I can't tell you how to fix it until you
> explain to us what you want to have happen.
>
> Until we know that, we can't advise you about a fix until we understand
> the problem being solved.
>
> -Tom
>
> PS -- I assume that the "fiber tunnel" (your term) is the 10.253.0.* net?

I'm attempting to connect a branch office (Office A - private lan 192.168.1.0/24), to a main office (Office B - private lan 10.254.0.0/24) via two different connections for fail-over and data segregation.

Connection 1 - ipsec VPN, for traffic between the offices not flowing to or from 2 different phone servers in Office B (10.254.0.4 and 10.254.0.5)

Connection 2 - a point-to-point switched fibre circuit (called a tlan by my provider). This circuit is essentially stateless - functionally equivalent to a VLAN on a switch. All traffic flowing to or from 10.254.0.4 and 10.254.0.5 should traverse this circuit.

Each office has a 3 card router - one card for internal network, one card for internet (and ipsec vpn), and one card for the fibre tlan.

Each office should have the ability to connect directly to the internet through their local router, pass data traffic over the ipsec vpn, and pass voip traffic over the fibre tlan.

Sorry for being unclear. It's difficult for me to explain all this stuff without a whiteboard. I hope the above clears up my intent.

I'm also sorry for hijacking Mike's thread. I hit reply and neglected to remove the "Re: [Shorewall-users]" from my first messages.

PS - Fiber tunnel should refer to the fibre tlan which I have assigned the 10.253.0.* network, yes.

--
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
Tom Eastep
2009-Oct-17 22:14 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Keith Mitchell wrote:
> I'm attempting to connect a branch office (Office A - private lan
> 192.168.1.0/24), to a main office (Office B - private lan 10.254.0.0/24)
> via two different connections for fail-over and data segregation.
>
> Connection 1 - ipsec VPN, for traffic between the offices not flowing to
> or from 2 different phone servers in Office B (10.254.0.4 and 10.254.0.5)
>
> Connection 2 - a point-to-point switched fibre circuit (called a tlan by
> my provider). This circuit is essentially stateless - functionally
> equivalent to a VLAN on a switch. All traffic flowing to or from
> 10.254.0.4 and 10.254.0.5 should traverse this circuit.
>
> Each office has a 3 card router - one card for internal network, one card
> for internet (and ipsec vpn), and one card for the fibre tlan.
>
> Each office should have the ability to connect directly to the internet
> through their local router, pass data traffic over the ipsec vpn, and
> pass voip traffic over the fibre tlan.

I don't know a good way to do that. I can tell you that you cannot control which path a particular connection takes using policy routing, because the traffic that goes through the IPSEC tunnel is determined solely by your IPSEC security policies. Routing has no effect.

If you want to select via policy routing, then I suggest replacing IPSEC with OpenVPN.

> Sorry for being unclear. It's difficult for me to explain all this
> stuff without a whiteboard. I hope the above clears up my intent.
>
> I'm also sorry for hijacking Mike's thread. I hit reply and neglected
> to remove the "Re: [Shorewall-users]" from my first messages.

Changing the subject has nothing to do with it. When you hit "reply", your mailer inserts an "In-Reply-To" header that email clients use to present a threaded view of a mailbox. Thread hijacking defeats that very useful feature by causing the hijacking thread to appear as if it is part of the hijacked thread.

Create a new message addressed to the list!!! -- Thanks

> PS - Fiber tunnel should refer to the fibre tlan which I have assigned
> the 10.253.0.* network, yes.

Okay.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
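Two points in Tom's replies above are easy to get wrong when reading a dump: the fwmark rule plus the "pol none" SNAT rule send a firewall-originated packet for a private destination out eth2 with the public source 66.146.173.98, and a matching IPsec SP overrides whatever the routing tables picked. The Python model below, added here as an illustration and not Shorewall code or anything posted in the thread, walks a packet through Office A's decision path. Rule 10001, table SKY and the SNAT address come from the dump Tom quoted; the main table contents and the LAN-to-LAN SP are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    prefix: str                 # "default" or a prefix such as "10.253.0.0/24"
    dev: str
    src: str
    via: Optional[str] = None


@dataclass
class Policy:                   # selector of one IPsec security policy (SP)
    src: str
    dst: str


@dataclass
class Host:
    rules: list                 # (priority, fwmark or None, table), as in 'ip rule'
    tables: dict                # table name -> [Route, ...]
    spd: list                   # [Policy, ...]
    snat: dict                  # out device -> SNAT address, applied only to "pol none" traffic


def longest_match(table, dst):
    """Plain longest-prefix lookup in one routing table."""
    best, best_len = None, -1
    for r in table:
        net = ip_network("0.0.0.0/0" if r.prefix == "default" else r.prefix, strict=False)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def select_route(host, dst, fwmark):
    """Walk the policy rules in priority order; first table with a matching route wins."""
    for _prio, mark, table in sorted(host.rules, key=lambda t: t[0]):
        if mark is not None and mark != fwmark:
            continue
        r = longest_match(host.tables[table], dst)
        if r is not None:
            return table, r
    return None, None


def sp_matches(host, src, dst):
    return any(ip_address(src) in ip_network(p.src, strict=False)
               and ip_address(dst) in ip_network(p.dst, strict=False) for p in host.spd)


def trace(host, src, dst, fwmark=0):
    table, route = select_route(host, dst, fwmark)
    if route is None:
        return {"path": "unreachable"}
    if sp_matches(host, src, dst):
        # An SP match wins over the selected route: the packet is encapsulated and
        # sent to the tunnel peer, and the "pol none" SNAT rule does not see it.
        return {"path": "ipsec", "table": table, "dev": route.dev, "src": src, "dst": dst}
    out_src = host.snat.get(route.dev, src)
    return {"path": "plain", "table": table, "dev": route.dev, "src": out_src, "dst": dst,
            "private_dst_to_internet": route.dev in host.snat and ip_address(dst).is_private}


# Constructed Office A host. Rule 10001, table SKY and the SNAT address are the values
# from the quoted dump; the main table and the LAN-to-LAN SP are assumed.
OFFICE_A = Host(
    rules=[(10001, 0x200, "SKY"), (32766, None, "main")],
    tables={
        "SKY": [Route("66.146.173.97", "eth2", "66.146.173.98"),
                Route("default", "eth2", "66.146.173.98", via="66.146.173.97")],
        "main": [Route("192.168.1.0/24", "eth0", "192.168.1.1"),
                 Route("10.253.0.0/24", "eth1", "10.253.0.1"),
                 Route("10.254.0.0/24", "eth1", "10.253.0.1", via="10.253.0.254"),  # assumed tlan route
                 Route("default", "eth2", "66.146.173.98", via="66.146.173.97")],
    },
    spd=[Policy("192.168.1.0/24", "10.254.0.0/24")],   # assumed: the working LAN-to-LAN SP
    snat={"eth2": "66.146.173.98"},
)

if __name__ == "__main__":
    # firewall-originated ping with mark 0x200, LAN host, and the same ping without the mark
    for src, mark in (("10.253.0.1", 0x200), ("192.168.1.169", 0), ("10.253.0.1", 0)):
        print(src, hex(mark), trace(OFFICE_A, src, "10.254.0.4", fwmark=mark))
```

The first case reproduces Tom's finding (table SKY, eth2, source rewritten to 66.146.173.98, private destination sent to the internet); the second shows the LAN host's packet taking the IPsec path even though the assumed main table points at eth1, which is why the tracert never showed a 10.253.0.x hop.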
Tom Eastep wrote:
> Keith Mitchell wrote:
>
>> I'm attempting to connect a branch office (Office A - private lan
>> 192.168.1.0/24), to a main office (Office B - private lan 10.254.0.0/24)
>> via two different connections for fail-over and data segregation.
>>
>> Connection 1 - ipsec VPN, for traffic between the offices not flowing to
>> or from 2 different phone servers in Office B (10.254.0.4 and 10.254.0.5)
>>
>> Connection 2 - a point-to-point switched fibre circuit (called a tlan by
>> my provider). This circuit is essentially stateless - functionally
>> equivalent to a VLAN on a switch. All traffic flowing to or from
>> 10.254.0.4 and 10.254.0.5 should traverse this circuit.
>>
>> Each office has a 3 card router - one card for internal network, one card
>> for internet (and ipsec vpn), and one card for the fibre tlan.
>>
>> Each office should have the ability to connect directly to the internet
>> through their local router, pass data traffic over the ipsec vpn, and
>> pass voip traffic over the fibre tlan.
>
> I don't know a good way to do that. I can tell you that you cannot
> control which path a particular connection takes using policy routing,
> because the traffic that goes through the IPSEC tunnel is determined
> solely by your IPSEC security policies. Routing has no effect.
>
> If you want to select via policy routing, then I suggest replacing IPSEC
> with OpenVPN.
>
>> Sorry for being unclear. It's difficult for me to explain all this
>> stuff without a whiteboard. I hope the above clears up my intent.
>>
>> I'm also sorry for hijacking Mike's thread. I hit reply and neglected
>> to remove the "Re: [Shorewall-users]" from my first messages.
>
> Changing the subject has nothing to do with it. When you hit "reply",
> your mailer inserts an "In-Reply-To" header that email clients use to
> present a threaded view of a mailbox. Thread hijacking defeats that very
> useful feature by causing the hijacking thread to appear as if it is
> part of the hijacked thread.
>
> Create a new message addressed to the list!!! -- Thanks
>
>> PS - Fiber tunnel should refer to the fibre tlan which I have assigned
>> the 10.253.0.* network, yes.
>
> Okay.
>
> -Tom

You previously stated "Each office has a 3 card router - one card for internal network, one card for internet (and ipsec vpn), and one card for the fibre tlan."

Are you referring to an actual router such as a Cisco or Juniper box or are you really referring to a Linux box doing routing?

If you mean an actual router, then why not move the routing to where it belongs, on the router. I don't have experience with Juniper but Cisco makes it fairly easy for you to create tunnels, including IPSec.
Tom Eastep
2009-Oct-18 01:22 UTC
Re: Multi-ISP, USE_DEFAULT_RT=Yes, and I am an idiot - Part C
Larry wrote:
> Tom Eastep wrote:
>> If you want to select via policy routing, then I suggest replacing IPSEC
>> with OpenVPN.
>
> You previously stated "Each office has a 3 card router - one card for
> internal network, one card for internet (and ipsec vpn), and one card for
> the fibre tlan."
>
> Are you referring to an actual router such as a Cisco or Juniper box or
> are you really referring to a Linux box doing routing?

From the (finally readable) ASCII art and the 'shorewall dump' output, I'm quite sure that Keith is referring to his Linux routers that run Shorewall.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mike Lander wrote:
>
>>> Mike Lander wrote:
>>>>> I have a two ISPs setup that send mail to another two ISP firewall.
>>>>> For illustration I will call the firewall with the mail server in its dmz using proxy arp,
>>>>> (Firewall A). I will call the dependent firewall which sends mail to Firewall A, (Firewall B.)
>>>>> These two Firewalls have a openvpn tunnel between them. Firewall B is loc:10.5.198.0/24.
>>>>> What I would like to do is route any port 25 traffic from Firewall B through openvpn,
>>>>> to Firewall A's mail server in its Dmz.
>>>>> I am thinking that Firewall A will know to reply to 10.5.198.0/24 (Firewall B)
>>>>> because of the entry in Firewall A's route rules entry below.
>>>>> - 10.5.198.0/24 main 1000
>>>>>
>>>>> If this were possible with the below statement may make things clear,
>>>>> what I want to do. As a reminder the mail server is in Firewall A Dmz.
>>>>>
>>>>> In tcrules with eth1 local on Firewall B
>>>>>
>>>>> tun4 eth1:<local subnet> <mail servers FQIP> tcp 25
>>>>> I know the above won't work, What Will?
>>>>>
>>>>>
>>>>> Thanks
>>>>> Mike
>>>>>
>>>> I just thought of this instead of mangle tables maybe just add this route?
>>>> route add <65.42.53.203 mail server> 255.255.255.255 gw 172.16.1.2 (ip of firewall B tun)
>>>> Just thought someone on this list may have done this through shorewall.
>>> You want to establish that route in the OpenVPN configuration using the
>>> 'route' directive. Shorewall can't do anything for you since the OpenVPN
>>> tunnel isn't one of the provider interfaces.
>>>
>>
>> Fixed with route add -net <FQIP Mail Host IP> 255.255.255.255 gw $5
>> in my vpn.conf
>>
>> However had to adjust my <vpn> to <dmz> policies before it would work.
>>
>> Is it good practice to add vpn in providers?
>>
>> Thanks
>
>
> < usually not >
> Tom
>
> Thought I would wrap this up and tell the results came out very successful.
> Now I found the offending machines in Firewall B that were sending spam out
> I suspect from a virus or trojan. This way the mail is more secure and the mail
> server logs the natted IP so you can tell what's going on when you have mail from
> different networks using your mail server.
> I just monitor their firewall, their admins now have to find the offensive machines.
>
> Thank you,

You're welcome, Mike

Glad to hear that it is working for you.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
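The two changes Mike describes (a host route for the mail server through the tunnel on Firewall B, and a vpn-to-dmz policy on Firewall A) can be traced with the small model below. It is an added example, not code from the thread or from Shorewall; the route tables, zones, rules and LINK_PEER mapping are constructed, and the interface names are assumptions (65.42.53.203 and the tunnel addresses come from Mike's post).

```python
import ipaddress

# Constructed data, not taken from anyone's real configuration. Firewall B's
# routing table before and after the /32 route that Mike's vpn.conf adds, and
# Firewall A's interface-to-zone map plus Shorewall policy/rules. The mail
# server address 65.42.53.203 and the tunnel network are from Mike's post;
# the interface names and the LINK_PEER mapping are assumptions.
ROUTES_B = [("0.0.0.0/0", "eth0"), ("10.5.198.0/24", "eth1"), ("172.16.1.0/30", "tun4")]
ROUTES_B_WITH_VPN = ROUTES_B + [("65.42.53.203/32", "tun4")]
LINK_PEER = {"eth0": "eth0", "tun4": "tun4"}      # B's egress iface -> A's ingress iface
ZONES_A = {"eth0": "net", "tun4": "vpn", "eth2": "dmz"}
POLICY_A = {("net", "dmz"): "DROP", ("vpn", "dmz"): "DROP"}
RULES_A = [("ACCEPT", "net", "dmz", "tcp", 25)]   # only Internet-sourced SMTP allowed
RULES_A_FIXED = RULES_A + [("ACCEPT", "vpn", "dmz", "tcp", 25)]

def egress_iface(routes, dst):
    """Longest-prefix match, as the kernel does: a /32 beats the default route."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def verdict(rules, policy, src_zone, dst_zone, proto, port):
    """Shorewall order: the first matching rule wins, otherwise the zone policy."""
    for action, s, d, p, dport in rules:
        if (s, d, p, dport) == (src_zone, dst_zone, proto, port):
            return action
    return policy.get((src_zone, dst_zone), "DROP")

def smtp_path(routes_b, rules_a, policy_a, mail_ip="65.42.53.203"):
    """Trace SMTP from loc behind B: the link used and Firewall A's verdict."""
    out_iface = egress_iface(routes_b, mail_ip)
    in_zone = ZONES_A[LINK_PEER[out_iface]]   # zone is decided by the arrival interface
    return out_iface, in_zone, verdict(rules_a, policy_a, in_zone, "dmz", "tcp", 25)

if __name__ == "__main__":
    print("before:", smtp_path(ROUTES_B, RULES_A, POLICY_A))                 # via Internet
    print("route only:", smtp_path(ROUTES_B_WITH_VPN, RULES_A, POLICY_A))    # dropped on A
    print("route + rule:", smtp_path(ROUTES_B_WITH_VPN, RULES_A_FIXED, POLICY_A))
```

The middle case is the state Mike hit after adding the route: the packet now arrives on A's tunnel interface, so the vpn-to-dmz policy decides, not the net-to-dmz rule that used to let the mail through.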