Hi,

I've a configuration that is working pretty well, except for a few things.
I have two ISPs, ISP01 and ISP02, so three network interfaces, plus a ppp
vpn going through ISP01.
I can route client packets through the firewall perfectly. But packets
originating from the firewall choose a gateway without following what's
in tcrules:

cat tcrules
#1:ISP01
#2:ISP02
#3 VPN
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
#                                               PORT(S) PORT(S)
2       $FW             -
1:P     10.0.0.0/24     -
2:P     10.0.0.0/24     192.168.1.0/24
2:P     10.0.0.2/32     -               tcp     53
2:P     10.0.0.2/32     -               udp     53
########VPN - FAKE DEST IP#########
3:P     10.0.0.0/24     4.4.4.4
###################
#2:P    10.0.0.2/32
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

shorewall version: 4.4.6

With this setting $FW can go on internet from any connection; it chooses
it when shorewall restarts and then keeps it till next reboot...
Any help is welcome.

Thanks,
David Leroux
On 08/30/2012 09:29 AM, David LEROUX wrote:
> Hi,
>
> I've a configuration that is working pretty well, except for a few things.
> I have two ISPs, ISP01 and ISP02, so three network interfaces, plus a ppp
> vpn going through ISP01.
> I can route client packets through the firewall perfectly. But packets
> originating from the firewall choose a gateway without following what's
> in tcrules:
>
> cat tcrules
> #1:ISP01
> #2:ISP02
> #3 VPN
> #MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
> #                                               PORT(S) PORT(S)
> 2       $FW             -
> 1:P     10.0.0.0/24     -
> 2:P     10.0.0.0/24     192.168.1.0/24
> 2:P     10.0.0.2/32     -               tcp     53
> 2:P     10.0.0.2/32     -               udp     53
> ########VPN - FAKE DEST IP#########
> 3:P     10.0.0.0/24     4.4.4.4
> ###################
> #2:P    10.0.0.2/32
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> shorewall version: 4.4.6
>
> With this setting $FW can go on internet from any connection; it chooses
> it when shorewall restarts and then keeps it till next reboot...
> Any help is welcome.

Please see http://www.shorewall.net/MultiISP.html#Local; applications on
the firewall don't always obey the entries in tcrules.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
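Tom's pointer can be checked against the posted file itself. The script below is an added example (my own, not Shorewall code and not from either poster) that parses David's tcrules excerpt, maps each entry to the netfilter chain Shorewall compiles it into, and lists which entries a packet generated on the firewall can ever hit. It assumes MARK_IN_FORWARD_CHAIN=No (an unsuffixed non-$FW entry defaults to PREROUTING); the function names and the six-column subset of the table are mine.

```python
"""Map Shorewall tcrules entries to the netfilter chain they compile into.

Added example for the thread above, not Shorewall code. tcrules conventions:
':P' on MARK selects PREROUTING, ':F' FORWARD, ':T' POSTROUTING, and an entry
whose SOURCE is $FW lands in OUTPUT. Assumed: MARK_IN_FORWARD_CHAIN=No. Locally
generated packets traverse OUTPUT and POSTROUTING only, never PREROUTING.
"""
import re

# Constructed copy of the tcrules excerpt David posted (first six columns).
TCRULES = """\
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE
2       $FW             -
1:P     10.0.0.0/24     -
2:P     10.0.0.0/24     192.168.1.0/24
2:P     10.0.0.2/32     -               tcp     53
2:P     10.0.0.2/32     -               udp     53
########VPN - FAKE DEST IP#########
3:P     10.0.0.0/24     4.4.4.4
#2:P    10.0.0.2/32
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

SUFFIX_TO_CHAIN = {"P": "PREROUTING", "F": "FORWARD", "T": "POSTROUTING"}
LOCAL_CHAINS = {"OUTPUT", "POSTROUTING"}  # chains a firewall-originated packet passes


def parse_tcrules(text):
    """Return (mark, chain, source, dest, proto, dport) for each active entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        cols = line.split() + ["-"] * 5           # pad missing trailing columns
        mark_col, source, dest, proto, dport = cols[:5]
        m = re.fullmatch(r"(\d+)(?::([PFT]))?", mark_col)
        if m is None:
            raise ValueError(f"unsupported MARK column: {mark_col}")
        if source == "$FW":
            chain = "OUTPUT"                      # $FW as SOURCE -> OUTPUT chain
        else:
            chain = SUFFIX_TO_CHAIN.get(m.group(2), "PREROUTING")
        entries.append((int(m.group(1)), chain, source, dest, proto, dport))
    return entries


def entries_seen_by_local_traffic(entries):
    """Entries a packet generated on the firewall itself can actually hit."""
    return [e for e in entries if e[1] in LOCAL_CHAINS]
```

Run against the excerpt, only the `2 $FW -` entry is reachable by firewall-originated packets; every `:P` entry sits in PREROUTING, which locally generated traffic never traverses, so what the firewall does with its own connections comes down to the points in the MultiISP section Tom links rather than to those entries.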
On 08/30/2012 06:51 PM, Tom Eastep wrote:
> On 08/30/2012 09:29 AM, David LEROUX wrote:
>> Hi,
>>
>> I've a configuration that is working pretty well, except for a few things.
>> I have two ISPs, ISP01 and ISP02, so three network interfaces, plus a ppp
>> vpn going through ISP01.
>> I can route client packets through the firewall perfectly. But packets
>> originating from the firewall choose a gateway without following what's
>> in tcrules:
>>
>> cat tcrules
>> #1:ISP01
>> #2:ISP02
>> #3 VPN
>> #MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER
>> #                                               PORT(S) PORT(S)
>> 2       $FW             -
>> 1:P     10.0.0.0/24     -
>> 2:P     10.0.0.0/24     192.168.1.0/24
>> 2:P     10.0.0.2/32     -               tcp     53
>> 2:P     10.0.0.2/32     -               udp     53
>> ########VPN - FAKE DEST IP#########
>> 3:P     10.0.0.0/24     4.4.4.4
>> ###################
>> #2:P    10.0.0.2/32
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>>
>> shorewall version: 4.4.6
>>
>> With this setting $FW can go on internet from any connection; it chooses
>> it when shorewall restarts and then keeps it till next reboot...
>> Any help is welcome.
> Please see http://www.shorewall.net/MultiISP.html#Local; applications on
> the firewall don't always obey the entries in tcrules.
>
> -Tom
>

Thanks a lot Tom.

David