Shorewall users - Oct 2011 - IPv6 source-based routing

I run a firewall with dual ISP connections, and get my IPv6 through a tunnel at 
Hurricane Electric.  Today HE added new filtering which prevents cross-traffic 
between tunnels, which pointed out a problem with my setup in that queries on 
one tunnel are indiscriminately being answered through the other tunnel.  I was 
told that the solution to this situation lies in source-based routing...

Now this seems to point out an issue which I have found few solutions to, and 
even what I have configured now is something I would consider a poor hack.  So I
am looking for a proper solution for multi-ISP setups, whereby any packets 
routed through my firewall to a local server will have the output sent back 
through the *same* ISP interface.  Surely there is some simple configuration 
within shorewall (and shorewall6) that I have not discovered which will provide 
this?  From what little I have discovered, I would assume the answer lies back 
in the originally mentioned source-based routing, but I can''t seem to
find any
info on configuring this under shorewall.

Any help, please?

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Ciosco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

On Thu, 2011-10-20 at 00:21 -0600, Jeff Taylor wrote:
> I run a firewall with dual ISP connections, and get my IPv6 through a
tunnel at
> Hurricane Electric.  Today HE added new filtering which prevents
cross-traffic
> between tunnels, which pointed out a problem with my setup in that queries
on
> one tunnel are indiscriminately being answered through the other tunnel.  I
was
> told that the solution to this situation lies in source-based routing...
> 
> Now this seems to point out an issue which I have found few solutions to,
and
> even what I have configured now is something I would consider a poor hack. 
So I
> am looking for a proper solution for multi-ISP setups, whereby any packets 
> routed through my firewall to a local server will have the output sent back
> through the *same* ISP interface.  Surely there is some simple
configuration
> within shorewall (and shorewall6) that I have not discovered which will
provide
> this?  From what little I have discovered, I would assume the answer lies
back
> in the originally mentioned source-based routing, but I can''t seem
to find any
> info on configuring this under shorewall.
> 
> Any help, please?
http://www.shorewall.net/MultiISP.html. Note that there is no separate
IPv6 documentation and that ''balance'' isn''t available
with IPv6.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Ciosco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

I visited that page several times last night, but it didn''t get me any
closer to
a solution.  I have been using the providers table on my ipv4 setup for awhile 
now, but that doesn''t seem to actually keep a connection associated
with the ISP
it came in on.  For example, if a query comes in to my DNS server, the reply has
a 50/50 chance of coming back through either ISP.  The only way I''ve
been able
to control the flow of packets is through a set of DNAT rules and masq entries 
on the firewall pushing to dedicated secondary IP''s on each server,
coupled with
bind9 views set to respond specifically to queries on those IP addresses.

I have also been trying to set up the providers file under shorewall6, but every
time I enable the entries, shorewall6 bombs on restart.  Note again that I do 
use the providers entries under shorewall with no failures...

Providers:
ISP1   10      10      main            sit1    2001:470:8388::1        track 
eth1,eth2,eth3,eth5
ISP2   20      20      main            sit2    2001:470:f032::1        track 
eth1,eth2,eth3,eth5

When restarting, I get the following error in the log:
09:13:09 Adding Providers...
RTNETLINK answers: No route to host
ERROR: Command "ip -6 route add default via 2001:470:8388::1 src 
2001:470:8388::1 dev sit1 table 10" Failed

Note that I tried doing this with the tunnel device (sit1) and the ethernet 
device (eth0), making the appropriate changes to providers and interfaces. 
I''m
just completely lost here, I don''t know what I''m missing.


On 10/20/2011 07:12 AM, Tom Eastep wrote:
>
> http://www.shorewall.net/MultiISP.html. Note that there is no separate
> IPv6 documentation and that ''balance'' isn''t
available with IPv6.
>
> -Tom
>
------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Ciosco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

On Thu, 2011-10-20 at 09:39 -0600, Jeff Taylor wrote:
> 
> I have also been trying to set up the providers file under shorewall6, but
every
> time I enable the entries, shorewall6 bombs on restart.  Note again that I
do
> use the providers entries under shorewall with no failures...
> 
> Providers:
> ISP1   10      10      main            sit1    2001:470:8388::1       
track
> eth1,eth2,eth3,eth5
> ISP2   20      20      main            sit2    2001:470:f032::1       
track
> eth1,eth2,eth3,eth5
> 
> When restarting, I get the following error in the log:
> 09:13:09 Adding Providers...
> RTNETLINK answers: No route to host
> ERROR: Command "ip -6 route add default via 2001:470:8388::1 src 
> 2001:470:8388::1 dev sit1 table 10" Failed
Looks like your default gateway has the same IP address as sit1!
> 
> Note that I tried doing this with the tunnel device (sit1) and the ethernet
> device (eth0), making the appropriate changes to providers and interfaces. 
I''m
> just completely lost here, I don''t know what I''m missing.
I just allocated a second tunnel from HE and set up providers:

#NAME	NUMBER	MARK	DUPLICATE	INTERFACE	GATEWAY			OPTIONS		COPY
HE1	1	-	main		sit1		2001:470:a:227::1	track		mac,br0,eth1,eth2
HE2	2	-	-		sit2		2001:470:a:787::1	track

and route_rules:

#NAME	NUMBER	MARK	DUPLICATE	INTERFACE	GATEWAY			OPTIONS		COPY
HE1	1	-	main		sit1		2001:470:a:227::1	track		mac,br0,eth1,eth2
HE2	2	-	-		sit2		2001:470:a:787::1	track

I only encountered one problem in that I had to remove the word
''cache''
from the output of ''ip -6 route ls'' when copying routes from
main to
table 1. Patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________




------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Ciosco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

I''m trying to figure out here... did you accidentally copy your
providers
example under the route_rules as well, or is your configuration just that vastly
different from what I have here?  I''m running shorewall 4.4.6, it
appears there
are no further updates in my distro.  I''m trying to dig up more info on
the
route_rules file, beyond the man page which doesn''t give any examples
to work
from, and hopefully can do some testing with that later this evening.

Also, the IPv6 addresses you specified lead me to believe that you may have both
addresses coming from the same HE server.  In my case, because I am connected 
under two different providers, my tunnels are coming from two different servers 
(fmt2 and lax1).  This is the particular scenario that they added filtering 
against yesterday.  If both of your test connections are coming from the same 
source, there is no filtering against crossovers between those, so it
wouldn''t
be a valid test.


On 10/20/2011 11:11 AM, Tom Eastep wrote:
> On Thu, 2011-10-20 at 09:39 -0600, Jeff Taylor wrote:
>
>> I have also been trying to set up the providers file under shorewall6,
but every
>> time I enable the entries, shorewall6 bombs on restart.  Note again
that I do
>> use the providers entries under shorewall with no failures...
>>
>> Providers:
>> ISP1   10      10      main            sit1    2001:470:8388::1       
track
>> eth1,eth2,eth3,eth5
>> ISP2   20      20      main            sit2    2001:470:f032::1       
track
>> eth1,eth2,eth3,eth5
>>
>> When restarting, I get the following error in the log:
>> 09:13:09 Adding Providers...
>> RTNETLINK answers: No route to host
>> ERROR: Command "ip -6 route add default via 2001:470:8388::1 src
>> 2001:470:8388::1 dev sit1 table 10" Failed
> Looks like your default gateway has the same IP address as sit1!
>
>> Note that I tried doing this with the tunnel device (sit1) and the
ethernet
>> device (eth0), making the appropriate changes to providers and
interfaces.  I''m
>> just completely lost here, I don''t know what I''m
missing.
> I just allocated a second tunnel from HE and set up providers:
>
> #NAME	NUMBER	MARK	DUPLICATE	INTERFACE	GATEWAY			OPTIONS		COPY
> HE1	1	-	main		sit1		2001:470:a:227::1	track		mac,br0,eth1,eth2
> HE2	2	-	-		sit2		2001:470:a:787::1	track
>
> and route_rules:
>
> #NAME	NUMBER	MARK	DUPLICATE	INTERFACE	GATEWAY			OPTIONS		COPY
> HE1	1	-	main		sit1		2001:470:a:227::1	track		mac,br0,eth1,eth2
> HE2	2	-	-		sit2		2001:470:a:787::1	track
>
> I only encountered one problem in that I had to remove the word
''cache''
> from the output of ''ip -6 route ls'' when copying routes
from main to
> table 1. Patch attached.
>
> -Tom
>
>
>
------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@Ciosco Self-Assessment and learn
> about Cisco certifications, training, and career opportunities.
> http://p.sf.net/sfu/cisco-dev2dev
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

On Oct 20, 2011, at 3:45 PM, Jeff Taylor wrote:
> I''m trying to figure out here... did you accidentally copy your
providers example under the route_rules as well, or is your configuration just
that vastly different from what I have here?  I''m running shorewall
4.4.6, it appears there are no further updates in my distro.
Which distro -- Gentoo?
> I''m trying to dig up more info on the route_rules file, beyond the
man page which doesn''t give any examples to work from, and hopefully
can do some testing with that later this evening.
> 
> Also, the IPv6 addresses you specified lead me to believe that you may have
both addresses coming from the same HE server.  In my case, because I am
connected under two different providers, my tunnels are coming from two
different servers (fmt2 and lax1).  This is the particular scenario that they
added filtering against yesterday.  If both of your test connections are coming
from the same source, there is no filtering against crossovers between those, so
it wouldn''t be a valid test.

I''m not getting any crosstalk - I''ve verified that.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________





------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

On Oct 20, 2011, at 3:45 PM, Jeff Taylor wrote:
> I''m trying to figure out here... did you accidentally copy your
providers example under the route_rules as well, or is your configuration just
that vastly different from what I have here?
Yes -- here''s my route_rules:

#SOURCE			DEST			PROVIDER	PRIORITY
2001:470:B:227::1/64	::/0			HE1		11000
2001:470:B:787::1/64	::/0			HE2		11000

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________





------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

Ubuntu Lucid.

I applied the patch to Providers.pm that you gave, and I tried to use the Server
IPv6 Address provided by HE as the gateway in the providers file, but I still 
getting the same failure when I try to enable the providers entries.  It should 
be noted that I don''t think I''m actually using shorewall-perl
on my setup.

Here''s my providers file as it sits now:
ISP1   3       -       main            sit1    2001:470:1f04:262::1    track  
eth1,eth2,eth3,eth5
ISP2   4       -       main            sit2    2001:470:c:316::1       track  
eth1,eth2,eth3,eth5

And here''s the error I get when I try to restart shorewall6:
21:39:59 Adding Providers...
RTNETLINK answers: No route to host
    ERROR: Command "ip -6 route add default via 2001:470:1f04:262::1 src 
2001:470:8388::1 dev sit1 table 3" Failed

So... any thoughts as to what I''m doing wrong at this point?



On 10/20/2011 05:19 PM, Tom Eastep wrote:
>
> On Oct 20, 2011, at 3:45 PM, Jeff Taylor wrote:
>
>> I''m trying to figure out here... did you accidentally copy
your providers
>> example under the route_rules as well, or is your configuration just
that
>> vastly different from what I have here?  I''m running shorewall
4.4.6, it
>> appears there are no further updates in my distro.
>
> Which distro -- Gentoo?
>
>> I''m trying to dig up more info on the route_rules file, beyond
the man page
>> which doesn''t give any examples to work from, and hopefully
can do some
>> testing with that later this evening.
>>
>> Also, the IPv6 addresses you specified lead me to believe that you may
have
>> both addresses coming from the same HE server.  In my case, because I
am
>> connected under two different providers, my tunnels are coming from two
>> different servers (fmt2 and lax1).  This is the particular scenario
that they
>> added filtering against yesterday.  If both of your test connections
are
>> coming from the same source, there is no filtering against crossovers
between
>> those, so it wouldn''t be a valid test.
>
> I''m not getting any crosstalk - I''ve verified that.
>
> -Tom
>
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net 
>
<http://shorewall.net/>\________________________________________________
>
>
>
>
>
------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@Cisco Self-Assessment and learn
> about Cisco certifications, training, and career opportunities.
> http://p.sf.net/sfu/cisco-dev2dev
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

Interesting... it DOES work if I leave the gateway field blank (-).  My 
connection still seems to work, and the results of "ip -6 rule ls"
show that my
route_rules are being entered... And yet my pings to the sit1 subnet are failing
while pings to the sit2 subnet are working fine.  So it appears I still have not
made any progress.


On 10/20/2011 09:41 PM, Jeff Taylor wrote:
> Ubuntu Lucid.
>
> I applied the patch to Providers.pm that you gave, and I tried to use the 
> Server IPv6 Address provided by HE as the gateway in the providers file,
but I
> still getting the same failure when I try to enable the providers entries. 
It
> should be noted that I don''t think I''m actually using
shorewall-perl on my setup.
>
> Here''s my providers file as it sits now:
> ISP1   3       -       main            sit1    2001:470:1f04:262::1   
track
> eth1,eth2,eth3,eth5
> ISP2   4       -       main            sit2    2001:470:c:316::1      
track
> eth1,eth2,eth3,eth5
>
> And here''s the error I get when I try to restart shorewall6:
> 21:39:59 Adding Providers...
> RTNETLINK answers: No route to host
>    ERROR: Command "ip -6 route add default via 2001:470:1f04:262::1
src
> 2001:470:8388::1 dev sit1 table 3" Failed
>
> So... any thoughts as to what I''m doing wrong at this point?
>
>
>
> On 10/20/2011 05:19 PM, Tom Eastep wrote:
>>
>> On Oct 20, 2011, at 3:45 PM, Jeff Taylor wrote:
>>
>>> I''m trying to figure out here... did you accidentally copy
your providers
>>> example under the route_rules as well, or is your configuration
just that
>>> vastly different from what I have here?  I''m running
shorewall 4.4.6, it
>>> appears there are no further updates in my distro.
>>
>> Which distro -- Gentoo?
>>
>>> I''m trying to dig up more info on the route_rules file,
beyond the man page
>>> which doesn''t give any examples to work from, and
hopefully can do some
>>> testing with that later this evening.
>>>
>>> Also, the IPv6 addresses you specified lead me to believe that you
may have
>>> both addresses coming from the same HE server.  In my case, because
I am
>>> connected under two different providers, my tunnels are coming from
two
>>> different servers (fmt2 and lax1).  This is the particular scenario
that
>>> they added filtering against yesterday.  If both of your test
connections
>>> are coming from the same source, there is no filtering against
crossovers
>>> between those, so it wouldn''t be a valid test.
>>
>> I''m not getting any crosstalk - I''ve verified that.
>>
>> -Tom
>>
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net 
>>
<http://shorewall.net/>\________________________________________________
>>
>>
>>
>>
>>
------------------------------------------------------------------------------
>> The demand for IT networking professionals continues to grow, and the
>> demand for specialized networking skills is growing even more rapidly.
>> Take a complimentary Learning@Cisco Self-Assessment and learn
>> about Cisco certifications, training, and career opportunities.
>> http://p.sf.net/sfu/cisco-dev2dev
>>
>>
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>
------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@Cisco Self-Assessment and learn
> about Cisco certifications, training, and career opportunities.
> http://p.sf.net/sfu/cisco-dev2dev
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

On Thu, 2011-10-20 at 21:41 -0600, Jeff Taylor wrote:
> Ubuntu Lucid.
> 
> I applied the patch to Providers.pm that you gave, and I tried to use
> the Server IPv6 Address provided by HE as the gateway in the providers
> file, but I still getting the same failure when I try to enable the
> providers entries.  It should be noted that I don''t think
I''m actually
> using shorewall-perl on my setup.
> 
> Here''s my providers file as it sits now:
> ISP1   3       -       main            sit1    2001:470:1f04:262::1
> track  eth1,eth2,eth3,eth5
> ISP2   4       -       main            sit2    2001:470:c:316::1
> track  eth1,eth2,eth3,eth5
> 
> And here''s the error I get when I try to restart shorewall6:
> 21:39:59 Adding Providers...
> RTNETLINK answers: No route to host
>    ERROR: Command "ip -6 route add default via 2001:470:1f04:262::1
> src 2001:470:8388::1 dev sit1 table 3" Failed
> 
> So... any thoughts as to what I''m doing wrong at this point?
Shorewall 4.4.6 is almost two years old and had not been tried on IPv6.
So it isn''t surprising that it doesn''t work. If I look at the
history of
changes to the Providers module, much of the IPv6 code was added/changed
in April/May of this year. 

I see that Oneiric has 4.4.21 which should work much better for you.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

All right, so I have spent the evening upgrading my firewall to Natty, then 
installing the deb packages for shorewall 4.4.23.3.  I''ve made a few
changes in
my shorewall config that were needed for the newer versions, and I made your 
changes to Providers.pm again after my last update, so now both shorewall and 
shorewall6 are starting without errors and everything seems to be working as 
expected... except I am still not getting the correct routing of IPv6 traffic.  
For example...

# ping6 2001:470:8388:10::9
does not work
# ping6 2001:470:f032:10::9
DOES work

Try doing a traceroute6 of each, and you''ll see where the packets
appear to hop
across my tunnels, and always end up on sit2 (2001:470:f032::1).

My providers files (under shorewall6):
ISP1    1       10      main            sit1    2001:470:1f04:262::1    track  
eth1,eth2,eth3,eth5
ISP2    2       20      main            sit2    2001:470:c:316::1       track  
eth1,eth2,eth3,eth5

My route_rules file:
2001:470:1f04:262::1/64 ::/0                    ISP1            11000
2001:470:c:316::1/64    ::/0                    ISP2            11001

At this point I''ve been working on the computer for way too many hours
and need
to get some sleep, but if you can possibly think of anything else for me to 
check, I would be very appreciative.  Are there any files that should or should 
not be used under shorewall6 (masq, tc*, or others)?


On 10/21/2011 07:49 AM, Tom Eastep wrote:
> On Thu, 2011-10-20 at 21:41 -0600, Jeff Taylor wrote:
>> Ubuntu Lucid.
>>
>> I applied the patch to Providers.pm that you gave, and I tried to use
>> the Server IPv6 Address provided by HE as the gateway in the providers
>> file, but I still getting the same failure when I try to enable the
>> providers entries.  It should be noted that I don''t think
I''m actually
>> using shorewall-perl on my setup.
>>
>> Here''s my providers file as it sits now:
>> ISP1   3       -       main            sit1    2001:470:1f04:262::1
>> track  eth1,eth2,eth3,eth5
>> ISP2   4       -       main            sit2    2001:470:c:316::1
>> track  eth1,eth2,eth3,eth5
>>
>> And here''s the error I get when I try to restart shorewall6:
>> 21:39:59 Adding Providers...
>> RTNETLINK answers: No route to host
>>     ERROR: Command "ip -6 route add default via
2001:470:1f04:262::1
>> src 2001:470:8388::1 dev sit1 table 3" Failed
>>
>> So... any thoughts as to what I''m doing wrong at this point?
> Shorewall 4.4.6 is almost two years old and had not been tried on IPv6.
> So it isn''t surprising that it doesn''t work. If I look at
the history of
> changes to the Providers module, much of the IPv6 code was added/changed
> in April/May of this year.
>
> I see that Oneiric has 4.4.21 which should work much better for you.
>
> -Tom
>
>
>
------------------------------------------------------------------------------
> The demand for IT networking professionals continues to grow, and the
> demand for specialized networking skills is growing even more rapidly.
> Take a complimentary Learning@Cisco Self-Assessment and learn
> about Cisco certifications, training, and career opportunities.
> http://p.sf.net/sfu/cisco-dev2dev
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

On Sat, 2011-10-22 at 01:35 -0600, Jeff Taylor wrote:
> All right, so I have spent the evening upgrading my firewall to Natty,
> then installing the deb packages for shorewall 4.4.23.3.  I''ve
made a
> few changes in my shorewall config that were needed for the newer
> versions, and I made your changes to Providers.pm again after my last
> update, so now both shorewall and shorewall6 are starting without
> errors and everything seems to be working as expected... except I am
> still not getting the correct routing of IPv6 traffic.  For example...
> 
> # ping6 2001:470:8388:10::9
> does not work
> # ping6 2001:470:f032:10::9
> DOES work
> 
> Try doing a traceroute6 of each, and you''ll see where the packets
> appear to hop across my tunnels, and always end up on sit2
> (2001:470:f032::1).
> 
> My providers files (under shorewall6):
> ISP1    1       10      main            sit1    2001:470:1f04:262::1
> track  eth1,eth2,eth3,eth5
> ISP2    2       20      main            sit2    2001:470:c:316::1
> track  eth1,eth2,eth3,eth5
> 
> My route_rules file:
> 2001:470:1f04:262::1/64 ::/0                    ISP1            11000
> 2001:470:c:316::1/64    ::/0                    ISP2            11001
> 
> At this point I''ve been working on the computer for way too many
hours
> and need to get some sleep, but if you can possibly think of anything
> else for me to check, I would be very appreciative.  Are there any
> files that should or should not be used under shorewall6 (masq, tc*,
> or others)?
Please forward the output of ''shorewall6 dump'' as a compressed
attachment. 

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev

File is attached...


On 10/22/2011 07:17 AM, Tom Eastep wrote:
>
> Please forward the output of ''shorewall6 dump'' as a
compressed
> attachment.
>
> Thanks,
> -Tom
>

------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev