Shorewall Users,
I need your help.
I have 2 firewalls with the 2 ISPs each one.
I have a server in DMZ.
(IP addresses below are examples)
FW1
eth0 dmz 10.10.10.1/24
eth1 inet 1.1.1.1/24 gw 1.1.1.100 (ISP1)
eth2 inet 2.2.2.1/24 gw 2.2.2.100 (ISP2)
FW2
eth0 dmz 10.10.10.2/24
eth1 inet 1.1.1.2/24 gw 1.1.1.100 (ISP1)
eth2 inet 2.2.2.2/24 gw 2.2.2.100 (ISP2)
ROUTER ISP1 1.1.1.100
ROUTER ISP2 2.2.2.100
SERVER
eth0 dmz 10.10.10.10
I want that incoming connections from ISP1 FW1 port XX to be forwarded to SERVER
port XX, and the packet to be routed back to FW1 to reach internet
I want that incoming connections from ISP2 FW1 port XX to be forwarded to SERVER
port XX, and the packet to be routed back to FW1 to reach internet
I want that incoming connections from ISP1 FW2 port XX to be forwarded to SERVER
port XX, and the packet to be routed back to FW2 to reach internet
I want that incoming connections from ISP2 FW2 port XX to be forwarded to SERVER
port XX, and the packet to be routed back to FW2 to reach internet
What I should set in shorewall FW1, shorewall FW2, and shorewall SERVER ?
Regards.
Leandro.
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
On Nov 18, 2011, at 6:31 AM, Leandro wrote:> I have 2 firewalls with the 2 ISPs each one. > I have a server in DMZ. > > (IP addresses below are examples) > > FW1 > eth0 dmz 10.10.10.1/24 > eth1 inet 1.1.1.1/24 gw 1.1.1.100 (ISP1) > eth2 inet 2.2.2.1/24 gw 2.2.2.100 (ISP2) > > > FW2 > eth0 dmz 10.10.10.2/24 > eth1 inet 1.1.1.2/24 gw 1.1.1.100 (ISP1) > eth2 inet 2.2.2.2/24 gw 2.2.2.100 (ISP2) > > > ROUTER ISP1 1.1.1.100 > ROUTER ISP2 2.2.2.100 > > > SERVER > eth0 dmz 10.10.10.10 > > > > I want that incoming connections from ISP1 FW1 port XX to be forwarded to SERVER port XX, and the packet to be routed back to FW1 to reach internet > I want that incoming connections from ISP2 FW1 port XX to be forwarded to SERVER port XX, and the packet to be routed back to FW1 to reach internet > > I want that incoming connections from ISP1 FW2 port XX to be forwarded to SERVER port XX, and the packet to be routed back to FW2 to reach internet > I want that incoming connections from ISP2 FW2 port XX to be forwarded to SERVER port XX, and the packet to be routed back to FW2 to reach internet > > > What I should set in shorewall FW1, shorewall FW2, and shorewall SERVER ? >Set ''track'' on all providers. FW1 and FW2 just need normal DNAT rules. The SERVER needs a multi-ISP configuration like is described at http://ipv6.shorewall.net/MultiISP.html#Shared. -Tom Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d
Tom,
I had already set FW1, FW2 and DNAT in both, and everything worked and works
fine.
Could you detail the configuration of SERVER ?
I had set MultiISP configuration in SERVER but it didn''t work.
Is this a problem that its interface has a private IP ?
Regards.
Leandro.
----- Original Message -----
From: Tom Eastep
To: Shorewall Users
Sent: Sunday, November 20, 2011 6:09 PM
Subject: Re: [Shorewall-users] Two Firewalls Two ISP One DMZ Server
On Nov 18, 2011, at 6:31 AM, Leandro wrote:
I have 2 firewalls with the 2 ISPs each one.
I have a server in DMZ.
(IP addresses below are examples)
FW1
eth0 dmz 10.10.10.1/24
eth1 inet 1.1.1.1/24 gw 1.1.1.100 (ISP1)
eth2 inet 2.2.2.1/24 gw 2.2.2.100 (ISP2)
FW2
eth0 dmz 10.10.10.2/24
eth1 inet 1.1.1.2/24 gw 1.1.1.100 (ISP1)
eth2 inet 2.2.2.2/24 gw 2.2.2.100 (ISP2)
ROUTER ISP1 1.1.1.100
ROUTER ISP2 2.2.2.100
SERVER
eth0 dmz 10.10.10.10
I want that incoming connections from ISP1 FW1 port XX to be forwarded to
SERVER port XX, and the packet to be routed back to FW1 to reach internet
I want that incoming connections from ISP2 FW1 port XX to be forwarded to
SERVER port XX, and the packet to be routed back to FW1 to reach internet
I want that incoming connections from ISP1 FW2 port XX to be forwarded to
SERVER port XX, and the packet to be routed back to FW2 to reach internet
I want that incoming connections from ISP2 FW2 port XX to be forwarded to
SERVER port XX, and the packet to be routed back to FW2 to reach internet
What I should set in shorewall FW1, shorewall FW2, and shorewall SERVER ?
Set ''track'' on all providers. FW1 and FW2 just need normal
DNAT rules. The SERVER needs a multi-ISP configuration like is described at
http://ipv6.shorewall.net/MultiISP.html#Shared.
-Tom
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
On Mon, 2011-11-21 at 08:28 -0300, Leandro wrote:> I had already set FW1, FW2 and DNAT in both, and everything worked > and works fine. > > Could you detail the configuration of SERVER ? > > I had set MultiISP configuration in SERVER but it didn''t work. > Is this a problem that its interface has a private IP ?No. Please show us your configuration that doesn''t work and include the output of ''shorewall dump'' as an attachment (with shorewall started). Thanks, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________ ------------------------------------------------------------------------------ All the data continuously generated in your IT infrastructure contains a definitive record of customers, application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-novd2d