Folks,

I have a situation that needs clarification. I am able to get the wired side of my network running just fine; however, the wireless access point that I have set up is malfunctioning.

According to the docs for Adding a Wireless Segment to your Two-Interface Firewall (http://www.shorewall.net/two-interface.htm), the only changes that needed to be made were to add a line to the interfaces file and one to the masq file.

The entries I have are:

the interfaces entries -
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth3 detect tcpflags,nosmurfs
loc eth4 detect dhcp

the masq entries -
eth0 eth3
eth0 eth4

The eth4 lines were the ones I added when I set up the wireless access point last year. I was running Shorewall 4.0.6 then. Now I am running Shorewall 4.4.6; are they still valid, or should they be the ones below?

According to http://www.shorewall.net/LennyToSqueeze.html the masq entries should now read:
eth0 192.168.139.0/28
eth0 192.168.139.32/28

and the interfaces entries should be:
net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc eth3 detect tcpflags,nosmurfs,routefilter,logmartians
loc eth4 detect dhcp

The behavior that I am getting is that when the firewall system is first booted I am able to get to everything, but after some period of time the wireless (eth4) part quits, even with NO ACTIVITY. I think that is a leases problem, since I can reset the wireless access point and all is well again... for a while.

--
Jay Ridgley
jridgley2@austin.rr.com
Registered Linux User ID - 9115
Registered Ubuntu User ID - 23320

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
Jay,

On 3/13/11 3:11 AM, Jay Ridgley wrote:
>
> According to the docs for Adding a Wireless Segment to your Two-Interface
> Firewall (http://www.shorewall.net/two-interface.htm)
>
> The only changes that needed to be made were to add a line to the interfaces
> file and one to the masq file.
>
> The entries I have are:
>
> the interfaces entries -
> net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
> loc eth3 detect tcpflags,nosmurfs
> loc eth4 detect dhcp
>
> the masq entries -
> eth0 eth3
> eth0 eth4
>
> The eth4 lines were the ones I added when I set up the wireless access point
> last year. I was running Shorewall 4.0.6 then. Now I am running Shorewall 4.4.6,
> are they still valid or should they be the ones below?

That form is deprecated; I should update the two-interface doc.

> According to http://www.shorewall.net/LennyToSqueeze.html the masq entries
> should now read:
> eth0 192.168.139.0/28
> eth0 192.168.139.32/28

That is preferable to what you had previously. You can also just have:

eth0 0.0.0.0/0

> and the interfaces entries should be:
> net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
> loc eth3 detect tcpflags,nosmurfs,routefilter,logmartians
> loc eth4 detect dhcp

Either interfaces config is fine.

> The behavior that I am getting is when the firewall system is first booted I am
> able to get to everything but after some period of time the wireless (eth4) part
> quits, even with NO ACTIVITY. I think that is a leases problem, since I can
> reset the wireless access point and all is well again... for a while.

Problems where a configuration works for a while and then stops working generally can't be laid at the feet of the Shorewall configuration; once 'shorewall start/restart' has completed, the configuration is fixed and doesn't change unless one of your cron jobs is doing something unexpected.
You could see that by comparing the output of 'shorewall dump' when the wireless segment is behaving with similar output obtained when it is not; pay particular attention to entries having to do with eth4.

Otherwise, I think you need to understand exactly why the connections suddenly stop working. If it is a leases problem, you might see wireless clients switch from a 192.168.139.32/28 address to one in 169.154.0.0/16. Which box runs the DHCP server for the wireless segment? The AP or the Shorewall box? If it is the Shorewall box, then the DHCP server's log should tell you if clients are renewing their leases or not. When it stops working, can you still ping the AP?

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom,

Thanks for the reply. I will use the V 4.4 versions of masq and interfaces that I currently am using. The FW provides the DHCP server functionality.

I didn't think that Shorewall was at fault; however, I was concerned that the configuration files I was using were not correct and were therefore somehow involved. After some investigation of the DHCP3 logs (daemon.log) it may be something in there.

I will snip most of the prior message.

Cheers,
Jay

On 03/13/2011 09:24 AM, Tom Eastep wrote:
> Jay,
>
> On 3/13/11 3:11 AM, Jay Ridgley wrote:
>
-- snip --
>> According to http://www.shorewall.net/LennyToSqueeze.html the masq entries
>> should now read:
>> eth0 192.168.139.0/28
>> eth0 192.168.139.32/28
>
> That is preferable to what you had previously. You can also just have:
>
> eth0 0.0.0.0/0
>
>>
>> and the interfaces entries should be:
>> net eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
>> loc eth3 detect tcpflags,nosmurfs,routefilter,logmartians
>> loc eth4 detect dhcp
>>
>
> Either interfaces config is fine.
>
-- snip --
>
> Which box runs the DHCP server for the wireless segment? The AP or the
> Shorewall box? If it is the Shorewall box, then the DHCP server's log
> should tell you if clients are renewing their leases or not. When it
> stops working, can you still ping the AP?

I can ping the AP's fixed IP (192.168.139.33).

Cheers,
Jay

--
Jay Ridgley
jridgley2@austin.rr.com
Registered Linux User ID - 9115
Registered Ubuntu User ID - 23320