Matthew Excell
2010-Jun-09 19:07 UTC
Multiple providers (ISPs), IP addresses, and multiple masqueraded networks
I have used Shorewall for a good number of years, but I have run into something I can't seem to crack. I have searched the docs, Google, etc., but I was hoping someone here has already solved this one:

I have 2 RFC1918 networks - we'll call them A and B - attached to separate interfaces behind the firewall. In addition, I have 2 providers delivered by standard Ethernet to different interfaces. One only has one IP address that is shared by both internal networks - we'll call it X, the other has 2 IPs - one for each internal network - we'll call it Y. The tcrules configuration is such that certain destination ports from A and B go out X and certain ports go out Y. The masq file is used to handle sending the correct traffic on Y with the correct source IPs. That seemed to be working well.

The user of network B decided that they needed their own router - not something I have control over. It gets an IP in the B network via static assignment through DHCP - which works fine. I set up a nat entry for them to send their IP from Y to the statically assigned address on B. (All interfaces and local are true.) This works fine so long as they are configured in tcrules to ONLY use provider Y.

Now the fun part: If I change their tcrules settings to allow some of their bulk traffic to go out of provider X, those ports don't work. No rejects in the logs, no errors in the logs at all - they just dissolve into the ether. Switch tcrules to only use provider Y for them, and it works fine.

I am using DNAT rules in the rules file to send a few ports on the other Y's other IP to machines in A. No entry in the nat file for that, obviously. It works just fine - tcrules does what I would expect, and I can control what goes where.

Wow - I'm probably missing something simple somewhere, but I can't see it. Thoughts?
Matthew Excell
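For readers unfamiliar with how the files mentioned above fit together, here is an added sketch of the described layout as Shorewall configuration. It is not the poster's configuration: the interface names, the addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24 for the providers, 10.1.0.0/24 and 10.2.0.0/24 for A and B), the port choices and the provider OPTIONS are all assumptions, and the column layout is the classic Shorewall 4.x one.

```text
# /etc/shorewall/providers  (constructed example; names, marks and options are assumptions)
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS
ispX    1       0x1   main       eth2       192.0.2.1      track
ispY    2       0x2   main       eth3       198.51.100.1   track,balance

# /etc/shorewall/masq  (SNAT: provider X has one address, provider Y one per internal network)
#INTERFACE  SOURCE                   ADDRESS
eth2        10.1.0.0/24,10.2.0.0/24                  # X: single address taken from eth2
eth3        10.1.0.0/24              198.51.100.10   # Y: address for network A
eth3        10.2.0.0/24              198.51.100.11   # Y: address for network B

# /etc/shorewall/nat  (one-to-one NAT of Y's B address to the statically assigned B router)
#EXTERNAL        INTERFACE  INTERNAL    ALL INTERFACES  LOCAL
198.51.100.11    eth3       10.2.0.50   yes             yes

# /etc/shorewall/tcrules  (provider selection by destination port; ":P" marks in PREROUTING)
#MARK  SOURCE        DEST  PROTO  DEST PORT(S)
1:P    10.1.0.0/24   -     tcp    80,443          # A: web via X (assumed port split)
2:P    10.1.0.0/24   -     tcp    25,465,587      # A: mail via Y
1:P    10.2.0.0/24   -     tcp    80,443          # B: web via X
2:P    10.2.0.0/24   -     tcp    25,465,587      # B: mail via Y

# /etc/shorewall/rules  (inbound DNAT on Y's A address to a host in A; no nat entry needed)
#ACTION  SOURCE  DEST            PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
DNAT     net     loc:10.1.0.20   tcp    22            -               198.51.100.10
```

After `shorewall restart`, `shorewall show mangle` lists the tcrules chains with their packet counters, and `shorewall show nat` the SNAT/DNAT chains, so one can confirm on a live box which mark and which translation a given flow is actually receiving before reasoning about the routing tables.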