On 07/13/2012 03:09 AM, A.Santoro wrote:
> Hi there,
> I have some strange problem with a multi-isp configuration.
>
> I have installed shorewall 4.4.11.,6 on debian squeeze.
>
> I have two providers connected on eth1 (ISP1) and eth2 (ISP2) by two
> routers (not modem); both the connections have static public ip
> address. The eth0 is the local lan interface.
>
> In the local lan there is a videoconference system with a local ip
> address (192.168.2.10); to reach the system from outside (net) I wrote
> these rules in the shorewall file rules:
>
> DNAT net loc:192.168.2.10 tcp 1720
> DNAT net loc:192.168.2.10 tcp 60000:64999
> DNAT net loc:192.168.2.10 udp 60000:64999
>
>
> I want the videoconference to use the ISP2 for the connections and I
> wrote these lines in the shorewall tcrules file
>
> 2 192.168.2.0/24 0.0.0.0/0 tcp 1720
> 2 192.168.2.0/24 0.0.0.0/0 tcp 60000:64999
> 2 192.168.2.0/24 0.0.0.0/0 udp 60000:64999
>
> (MARK_IN_FORWARD_CHAIN=No in the shorewall.conf)
>
> And now the problems:
> - sometimes I'm not able to call: the connection starts but freezes
> during handshake phase
> - when I make a call there are many retransmission errors on receive,
> but when I receive a call the retransmission errors are far fewer or
> none.
> - sometimes (random) when I make a call the receiver sees my local ip
> (not my public ip)
>
>
> Is my shorewall configuration correct or did I forget something?
>
> I have a similar system but with only one ISP and there are no
> problems at all.

Please send me the output of 'shorewall dump' as an attachment. You can
send it to me personally so it doesn't go to all 1000 list subscribers.

Thanks,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________