Hi,

I had a typical multi-ISP setup with just 1 LAN. Now I have the same thing except I added a DMZ and both subnets (LAN & DMZ) need to be masqueraded in order to reach the web.

Ping tests from DMZ to NET fail (LOC to NET work as usual):
icmp requests seem to go out to the correct ISP and icmp replies are received from the same interface and reach the shorewall system but are not sent back to the DMZ host. So the failing fragment is the ICMP reply from $FW to DMZ.
It could be a routing issue but I don't see it.

Please have a look at:

http://213.96.91.201/temp/from_192.168.228.2_to_209.85.229.99_shorewall_dump.gz
http://213.96.91.201/temp/from_192.168.228.2_to_209.85.229.99_tcpdump_eth1.txt
http://213.96.91.201/temp/from_192.168.228.2_to_209.85.229.99_tcpdump_eth5.txt

Any ideas?

Thanks,

Vieri

------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content authoring tool. Experience the power of Track Changes, Inline Image Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
On Wed, 2011-06-15 at 07:09 -0700, Vieri Di Paola wrote:
> Hi,
>
> I had a typical multi-ISP setup with just 1 LAN. Now I have the same thing except I added a DMZ and both subnets (LAN & DMZ) need to be masqueraded in order to reach the web.
>
> Ping tests from DMZ to NET fail (LOC to NET work as usual):
> icmp requests seem to go out to the correct ISP and icmp replies are received from the same interface and reach the shorewall system but are not sent back to the DMZ host. So the failing fragment is the ICMP reply from $FW to DMZ.
> It could be a routing issue but I don't see it.
>
> Please have a look at:
>
> http://213.96.91.201/temp/from_192.168.228.2_to_209.85.229.99_shorewall_dump.gz
> http://213.96.91.201/temp/from_192.168.228.2_to_209.85.229.99_tcpdump_eth1.txt
> http://213.96.91.201/temp/from_192.168.228.2_to_209.85.229.99_tcpdump_eth5.txt
>
> Any ideas?

You forgot to add eth1 to the COPY column in your providers file.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
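For readers who hit the same symptom, here is what the fix in Tom's reply looks like in a Shorewall providers file. This is an added illustration, not a file from the thread: the provider names, the ISP interfaces (ethX_ISP1, ethX_ISP2), the gateway placeholders, the LAN interface (ethY_LAN) and the `track,balance` options are assumptions; only eth1 as the DMZ interface is taken from the reply above. The two sections are alternatives (the "before" and "after" state of the same lines), not one file. The mechanism is that with `track`, a reply arriving on an ISP link is routed by that provider's table, which only contains the routes copied from `main` for the interfaces named in COPY; with the DMZ interface missing, the table has no connected route for the DMZ subnet and the reply cannot be delivered to the DMZ host.

```text
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY              OPTIONS        COPY
#
# Before (constructed): only the LAN interface is copied into each provider's
# routing table, so a reply routed by ISP1's or ISP2's table has no route to
# the DMZ subnet behind eth1.
ISP1   1       0x1   main       ethX_ISP1  GW_ISP1_PLACEHOLDER  track,balance  ethY_LAN
ISP2   2       0x2   main       ethX_ISP2  GW_ISP2_PLACEHOLDER  track,balance  ethY_LAN
#
# After: the DMZ interface (eth1) is listed as well, so its connected route is
# copied from the 'main' table into each provider table.
ISP1   1       0x1   main       ethX_ISP1  GW_ISP1_PLACEHOLDER  track,balance  ethY_LAN,eth1
ISP2   2       0x2   main       ethX_ISP2  GW_ISP2_PLACEHOLDER  track,balance  ethY_LAN,eth1
```

After `shorewall restart`, `shorewall show routing` (or `ip route show table ISP1`) should list the DMZ subnet via eth1 in every provider table; judging by the source address in the dump file names that subnet is 192.168.228.0/24, though the thread does not state the mask. If the route is present in `main` but absent from a provider table, COPY is still incomplete for that provider.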
--- On Wed, 6/15/11, Tom Eastep <teastep@shorewall.net> wrote:
> You forgot to add eth1 to the COPY column in your providers
> file.

Ah... thanks!

Vieri