Shorewall users - Oct 2012 - Port forwards on 1 of 2 ISP interfaces not functioning.

Hi, 

I''ve got 2 ISP shorewall setup I am trying to troubleshoot. The issue
is port forwards on 1 of 2 ISP interfaces are not functioning. The DNAT iptables
rules are being hit however the FORWARD chain is never touched by the DNATTED
traffic from that interface. This leads me to believe there is an issue during
the routing decision just prior to determining if forwarding is necessary. Port
forwards on the other ISP interface are functional. Currently, I am able to
route traffic out either ISP interface from any of my internal networks. Routing
to my internal public pools from the internet is also functional. Has anyone had
this issue? I am happy to provide configuration detail as needed.

Thanks, 




C ory Oldford 




------------------------------------------------------------------------------
Don''t let slow site performance ruin your business. Deploy New Relic
APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev

On 10/12/2012 07:19 AM, Cory Oldford wrote:
> Hi,
>
> I''ve got 2 ISP shorewall setup I am trying to troubleshoot. The
issue is
> port forwards on 1 of 2 ISP interfaces are not functioning. The DNAT
> iptables rules are being hit however the FORWARD chain is never touched
> by the DNATTED traffic from that interface. This leads me to believe
> there is an issue during the routing decision just prior to determining
> if forwarding is necessary. Port forwards on the other ISP interface are
> functional. Currently, I am able to route traffic out either ISP
> interface from any of my internal networks. Routing to my internal
> public pools from the internet is also functional. Has anyone had this
> issue? I am happy to provide configuration detail as needed.
>
Are the packets being dropped as Martians? (I assume that you have 
log_martians set on both interfaces?)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Don''t let slow site performance ruin your business. Deploy New Relic
APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev

Log martians is enabled but I''m not seeing any such log messages. 




Cory Oldford 


----- Original Message ----- 
From: "Tom Eastep" <teastep@shorewall.net> 
To: shorewall-users@lists.sourceforge.net 
Sent: Friday, October 12, 2012 11:33:58 AM GMT -06:00 US/Canada Central 
Subject: Re: [Shorewall-users] Port forwards on 1 of 2 ISP interfaces not
functioning.

On 10/12/2012 07:19 AM, Cory Oldford wrote: 
> Hi, 
> 
> I''ve got 2 ISP shorewall setup I am trying to troubleshoot. The
issue is
> port forwards on 1 of 2 ISP interfaces are not functioning. The DNAT 
> iptables rules are being hit however the FORWARD chain is never touched 
> by the DNATTED traffic from that interface. This leads me to believe 
> there is an issue during the routing decision just prior to determining 
> if forwarding is necessary. Port forwards on the other ISP interface are 
> functional. Currently, I am able to route traffic out either ISP 
> interface from any of my internal networks. Routing to my internal 
> public pools from the internet is also functional. Has anyone had this 
> issue? I am happy to provide configuration detail as needed. 
> 
Are the packets being dropped as Martians? (I assume that you have 
log_martians set on both interfaces?) 

-Tom 
-- 
Tom Eastep \ When I die, I want to go like my Grandfather who 
Shoreline, \ died peacefully in his sleep. Not screaming like 
Washington, USA \ all of the passengers in his car 
http://shorewall.net \________________________________________________ 

------------------------------------------------------------------------------ 
Don''t let slow site performance ruin your business. Deploy New Relic
APM
Deploy New Relic app performance management and know exactly 
what is happening inside your Ruby, Python, PHP, Java, and .NET app 
Try New Relic at no cost today and get our sweet Data Nerd shirt too! 
http://p.sf.net/sfu/newrelic-dev2dev 
_______________________________________________ 
Shorewall-users mailing list 
Shorewall-users@lists.sourceforge.net 
https://lists.sourceforge.net/lists/listinfo/shorewall-users 


------------------------------------------------------------------------------
Don''t let slow site performance ruin your business. Deploy New Relic
APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev

On 10/12/2012 10:07 AM, Cory Oldford wrote:
> Log martians is enabled but I''m not seeing any such log messages.
>
Okay -- please send me the output of ''shorewall dump''. You can
send it
privately if you like.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Don''t let slow site performance ruin your business. Deploy New Relic
APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev