Running shorewall 4.4.23.3. I'm trying to add another internal interface to
my firewall to segregate visitors onto. Our current internal network is
10.10.0.0/16 on interface em1. The visitor interface is 10.11.0.0/24 on
interface p1p1:
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:b0:d0:df:e3:1d brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.1/16 brd 10.10.255.255 scope global em1
    inet6 fe80::2b0:d0ff:fedf:e31d/64 scope link
       valid_lft forever preferred_lft forever
4: p1p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:90:27:9d:49:63 brd ff:ff:ff:ff:ff:ff
    inet 10.11.0.1/24 brd 10.11.0.255 scope global p1p1
    inet6 fe80::290:27ff:fe9d:4963/64 scope link
       valid_lft forever preferred_lft forever
I added a visit zone and have set up some rules and policy.

The first issue I'm seeing though is that traffic from 10.10. to 10.11.1 is
going out the p2p2 interface which is our default route to the internet:
listening on p2p2, link-type EN10MB (Ethernet), capture size 65535 bytes
10:51:24.773229 IP 4.28.99.98.47728 > 10.11.0.2.http: Flags [S], seq
1735808391, win 14600, options [mss 1460,sackOK,TS val 266593917 ecr
0,nop,wscale 4], length 0
# ip route
default via 4.28.99.97 dev p2p2
4.28.99.96/30 dev p2p2 proto kernel scope link src 4.28.99.98
4.28.99.97 dev p2p2 scope link src 4.28.99.98
4.28.99.160/27 dev em2 proto kernel scope link src 4.28.99.161
10.10.0.0/16 dev em1 proto kernel scope link src 10.10.0.1
10.11.0.0/24 dev p1p1 proto kernel scope link src 10.11.0.1
65.44.101.160/27 dev p2p1 proto kernel scope link src 65.44.101.162
65.44.101.161 dev p2p1 scope link src 65.44.101.162
65.44.101.179 dev em2 scope link
65.44.101.180 dev em2 scope link
65.44.101.182 dev em2 scope link
65.44.101.184 dev em2 scope link
65.44.101.187 dev em2 scope link
65.44.101.190 dev em2 scope link
169.254.0.0/16 dev em1 scope link metric 1002
169.254.0.0/16 dev em2 scope link metric 1003
169.254.0.0/16 dev p1p1 scope link metric 1004
169.254.0.0/16 dev p2p1 scope link metric 1005
169.254.0.0/16 dev p2p2 scope link metric 1006
192.168.201.0/29 dev em2 proto kernel scope link src 192.168.201.1
Shouldn't the route of 10.11.0.0/24 dev p1p1 send traffic there?
I first thought it was the masq setting and so did:
p2p2:!10.0.0.0/8 10.0.0.0/8 4.28.99.98
but it still routes it out p2p2:
11:22:02.561155 IP 10.10.20.2.53011 > 10.11.0.2.http: Flags [S], seq
2539220996, win 14600, options [mss 1460,sackOK,TS val 268431706 ecr
0,nop,wscale 4], length 0
dump is attached.
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
On 4/12/12 10:57 AM, Orion Poplawski wrote:

> here?
>
> I first thought it was the masq setting and so did:
>
> p2p2:!10.0.0.0/8 10.0.0.0/8 4.28.99.98
>
> but it still routes it out p2p2:

Entries in /etc/shorewall/masq *never* change the routing of a packet.

> 11:22:02.561155 IP 10.10.20.2.53011 > 10.11.0.2.http: Flags [S], seq
> 2539220996, win 14600, options [mss 1460,sackOK,TS val 268431706 ecr
> 0,nop,wscale 4], length 0
>
> dump is attached.

Looks like you forgot to add p1p1 to the COPY column in your providers file.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 04/12/2012 12:11 PM, Tom Eastep wrote:
> On 4/12/12 10:57 AM, Orion Poplawski wrote:
>> here?
>>
>> I first thought it was the masq setting and so did:
>>
>> p2p2:!10.0.0.0/8 10.0.0.0/8 4.28.99.98
>>
>> but it still routes it out p2p2:
>
> Entries in /etc/shorewall/masq *never* change the routing of a packet.
>

Yeah, it didn't make sense, but I was desperate :)

>> 11:22:02.561155 IP 10.10.20.2.53011 > 10.11.0.2.http: Flags [S], seq
>> 2539220996, win 14600, options [mss 1460,sackOK,TS val 268431706 ecr
>> 0,nop,wscale 4], length 0
>>
>> dump is attached.
>
> Looks like you forgot to add p1p1 to the COPY column in your providers file.
>

Indeed. I'll have to try to remember that. Thanks!

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                   http://www.nwra.com
On 04/12/2012 11:21 AM, Orion Poplawski wrote:
> On 04/12/2012 12:11 PM, Tom Eastep wrote:
>> Looks like you forgot to add p1p1 to the COPY column in your providers file.
>
> Indeed. I'll have to try to remember that. Thanks!
>

Setting USE_DEFAULT_RT=Yes can eliminate that issue. Looks like you have
static IPs on your provider interfaces, so you can use that setting without
hassle.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
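The root cause in this thread (a provider routing table that was built without the route for p1p1, so visitor-network traffic fell through to the provider's default route and left via p2p2) is easy to verify after either fix Tom suggests, adding p1p1 to the COPY column or setting USE_DEFAULT_RT=Yes. The following check is an added example and not part of the thread or of Shorewall itself; the two route-table dumps are constructed from the addresses in Orion's post, and on a live firewall you would feed it the output of `ip route show table <provider>` for each provider table instead.

```shell
#!/bin/sh
# Constructed sample of what `ip route show table <provider>` prints for a
# provider table built WITHOUT p1p1 in the providers-file COPY column: the
# em1 route was copied, the p1p1 route was not, so 10.11.0.0/24 traffic
# falls through to this table's default route and leaves via p2p2.
TABLE_MISSING_P1P1='default via 4.28.99.97 dev p2p2
4.28.99.96/30 dev p2p2 proto kernel scope link src 4.28.99.98
10.10.0.0/16 dev em1 proto kernel scope link src 10.10.0.1'

# Constructed sample of the same table once both internal interfaces are
# copied in (or once USE_DEFAULT_RT=Yes makes the main table authoritative).
TABLE_COMPLETE='default via 4.28.99.97 dev p2p2
4.28.99.96/30 dev p2p2 proto kernel scope link src 4.28.99.98
10.10.0.0/16 dev em1 proto kernel scope link src 10.10.0.1
10.11.0.0/24 dev p1p1 proto kernel scope link src 10.11.0.1'

# missing_internal_routes TABLE_TEXT IFACE...
# Prints (space separated) every internal interface that has no "dev IFACE"
# route in TABLE_TEXT. Returns 1 if at least one is missing, 0 otherwise,
# so it can be used directly as a condition in a post-"shorewall restart" check.
missing_internal_routes() {
    table=$1
    shift
    missing=""
    for dev in "$@"; do
        # Match "dev em1" followed by a space or end of line, not "dev em10".
        if ! printf '%s\n' "$table" | grep -qE "dev $dev( |\$)"; then
            missing="${missing:+$missing }$dev"
        fi
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Live usage (hypothetical table numbers 1 and 2, taken from your providers
# file's NUMBER column):
#   for t in 1 2; do
#       missing_internal_routes "$(ip route show table "$t")" em1 p1p1 \
#           || echo " <- missing from provider table $t"
#   done
```

A non-empty result for any provider table means the corresponding internal network will exit via that provider's default route instead of its own interface, exactly the symptom captured in the tcpdump above.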