Hey guys,

Here's the situation: I've 3 networks. The host with IP, say, 145.166.235.252 is connected to FW's interface eth2 (dmz), and the hosts attached via eth0 (net) are able to access it using that address.

interfaces
net eth0 detect
loc eth1 detect
dmz eth2 detect

Here's fw's routing table, and 145.166.235.1 would be the ISP's router
0.0.0.0         145.166.236.1   0.0.0.0         UG  0 0 0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U   0 0 0 eth1
145.166.235.0   0.0.0.0         255.255.255.0   U   0 0 0 eth0
145.166.235.224 0.0.0.0         255.255.255.224 U   0 0 0 eth2
145.166.235.252 0.0.0.0         255.255.255.255 UH  0 0 0 eth2

/etc/shorewall/proxyarp
145.166.235.252 eth2 eth0 No

From the host 145.166.235.252 I can access the firewall, the ISP's gateway, but I can't get beyond it.

host's routing table
145.166.235.224 0.0.0.0         255.255.255.224 U   0 0 0 eth1
0.0.0.0         145.166.235.253 0.0.0.0         UG  0 0 0 eth1

253 would be fw's eth2

######from the host to the ISP #########
PING 145.166.235.1 (145.166.235.1) 56(84) bytes of data.
64 bytes from 145.166.235.1: icmp_req=1 ttl=254 time=0.854 ms
#############################

I think it doesn't have anything to do with shorewall misconfig, but I hope you guys can give me some pointers here on what I'm missing... ip forwarding is enabled. I tried to use NAT and it worked using masq on a 192.168.0.0/24 local network, through fw's eth1.

The ping is not being rejected either.

I'll still try a traceroute from outside later...

Any help would be appreciated.

Regards,
- Ismael
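As an added example (not from the thread), a longest-prefix-match lookup over the firewall routing table posted above, showing which interface and next hop each destination resolves to. The rows are copied from the message; the function names are my own.

```python
# Added example, not from the thread: a longest-prefix-match lookup over the
# firewall's routing table as posted, to see which interface each destination leaves on.
import ipaddress

# Rows copied from the firewall routing table in the message: (dest, gateway, mask, iface).
FW_ROUTES = [
    ("0.0.0.0",         "145.166.236.1", "0.0.0.0",         "eth0"),
    ("192.168.0.0",     "0.0.0.0",       "255.255.255.0",   "eth1"),
    ("145.166.235.0",   "0.0.0.0",       "255.255.255.0",   "eth0"),
    ("145.166.235.224", "0.0.0.0",       "255.255.255.224", "eth2"),
    ("145.166.235.252", "0.0.0.0",       "255.255.255.255", "eth2"),
]

def parse_routes(rows):
    """Turn (dest, gw, mask, iface) rows into (network, gateway_or_None, iface)."""
    routes = []
    for dest, gw, mask, iface in rows:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes

def lookup(routes, dst):
    """Kernel-style longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    net, gw, iface = best
    # A connected route (no gateway) means the next hop is the destination itself,
    # so the firewall ARPs for it on that interface.
    return {"prefix": str(net), "iface": iface,
            "next_hop": str(gw) if gw is not None else str(addr)}

if __name__ == "__main__":
    routes = parse_routes(FW_ROUTES)
    # 145.166.235.252 sits inside 145.166.235.0/24 (eth0) but the /32 on eth2 is more specific.
    for dst in ("145.166.235.252", "145.166.235.230", "145.166.235.1", "8.8.8.8"):
        print(dst, "->", lookup(routes, dst))
```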
On 08/13/2013 08:10 AM, Ismael Milach wrote:

You need to look at the ping traffic on eth0. That will show you if the upstream router has the correct MAC address for the DMZ host.

tcpdump -nei eth0 icmp

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> You need to look at the ping traffic on eth0. That will show you if the
> upstream router has the correct MAC address for the DMZ host.
>
> tcpdump -nei eth0 icmp

Here's what it does, first the ping to the ISP's router.
#####
14:09:04.857621 9c:8e:99:2c:e3:1c > 00:04:96:27:ae:41, ethertype IPv4 (0x0800), length 98: 145.166.235.252 > 145.166.235.1: ICMP echo request, id 16576, seq 1, length 64
14:09:04.858157 00:04:96:27:ae:41 > 9c:8e:99:2c:e3:1c, ethertype IPv4 (0x0800), length 98: 145.166.235.1 > 145.166.235.252: ICMP echo reply, id 16576, seq 1, length 64
14:09:05.856573 9c:8e:99:2c:e3:1c > 00:04:96:27:ae:41, ethertype IPv4 (0x0800), length 98: 145.166.235.252 > 145.166.235.1: ICMP echo request, id 16576, seq 2, length 64
14:09:05.857062 00:04:96:27:ae:41 > 9c:8e:99:2c:e3:1c, ethertype IPv4 (0x0800), length 98: 145.166.235.1 > 145.166.235.252: ICMP echo reply, id 16576, seq 2, length 64
#######

then while pinging to the internet with no reply
####
14:09:15.829227 9c:8e:99:2c:e3:1c > 00:04:96:27:ae:41, ethertype IPv4 (0x0800), length 98: 145.166.235.252 > 8.8.8.8: ICMP echo request, id 16577, seq 1, length 64
14:09:16.835848 9c:8e:99:2c:e3:1c > 00:04:96:27:ae:41, ethertype IPv4 (0x0800), length 98: 145.166.235.252 > 8.8.8.8: ICMP echo request, id 16577, seq 2, length 64
####

9c:8e:99:2c:e3:1c is the firewall's eth2. So I commented out the proxyarp line and it didn't change anything, indeed.

Thanks again Tom, I'll look at it later, probably doing it from scratch.

Ismael

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
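An added example (not Tom's or Ismael's code) that works through the check Tom suggested on the `tcpdump -nei eth0 icmp` output Ismael posted: it pairs each echo request with its reply and records which source MAC each IP address is seen behind, so unanswered requests and an unexpected MAC stand out. The capture lines are the ones from the message above; the function names are my own.

```python
# Added example, not part of the thread: pair ICMP echo requests with replies in
# `tcpdump -nei eth0 icmp` output and note the source MAC each IP is seen behind.
import re
from collections import defaultdict

# Capture lines copied from Ismael's message (two pings to the ISP router that
# were answered, two pings to 8.8.8.8 that were not).
CAPTURE = """
14:09:04.857621 9c:8e:99:2c:e3:1c > 00:04:96:27:ae:41, ethertype IPv4 (0x0800), length 98: 145.166.235.252 > 145.166.235.1: ICMP echo request, id 16576, seq 1, length 64
14:09:04.858157 00:04:96:27:ae:41 > 9c:8e:99:2c:e3:1c, ethertype IPv4 (0x0800), length 98: 145.166.235.1 > 145.166.235.252: ICMP echo reply, id 16576, seq 1, length 64
14:09:05.856573 9c:8e:99:2c:e3:1c > 00:04:96:27:ae:41, ethertype IPv4 (0x0800), length 98: 145.166.235.252 > 145.166.235.1: ICMP echo request, id 16576, seq 2, length 64
14:09:05.857062 00:04:96:27:ae:41 > 9c:8e:99:2c:e3:1c, ethertype IPv4 (0x0800), length 98: 145.166.235.1 > 145.166.235.252: ICMP echo reply, id 16576, seq 2, length 64
14:09:15.829227 9c:8e:99:2c:e3:1c > 00:04:96:27:ae:41, ethertype IPv4 (0x0800), length 98: 145.166.235.252 > 8.8.8.8: ICMP echo request, id 16577, seq 1, length 64
14:09:16.835848 9c:8e:99:2c:e3:1c > 00:04:96:27:ae:41, ethertype IPv4 (0x0800), length 98: 145.166.235.252 > 8.8.8.8: ICMP echo request, id 16577, seq 2, length 64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 "
    r"\(0x0800\), length \d+: (?P<sip>[\d.]+) > (?P<dip>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

def parse(text):
    """One dict per ICMP echo line; lines that do not match the format are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.strip().splitlines()) if m]

def unanswered(pkts):
    """Requests (src, dst, id, seq) with no reply carrying the mirrored (dst, src, id, seq)."""
    replies = {(p["dip"], p["sip"], p["id"], p["seq"]) for p in pkts if p["kind"] == "reply"}
    return [(p["sip"], p["dip"], p["id"], p["seq"]) for p in pkts
            if p["kind"] == "request" and (p["sip"], p["dip"], p["id"], p["seq"]) not in replies]

def macs_by_ip(pkts):
    """Source MAC(s) each IP address is seen behind on the captured interface."""
    seen = defaultdict(set)
    for p in pkts:
        seen[p["sip"]].add(p["smac"])
    return {ip: sorted(macs) for ip, macs in seen.items()}

if __name__ == "__main__":
    pkts = parse(CAPTURE)
    for src, dst, ident, seq in unanswered(pkts):
        print(f"no reply: {src} -> {dst} id={ident} seq={seq}")
    for ip, macs in macs_by_ip(pkts).items():
        print(f"{ip} seen behind {', '.join(macs)}")
```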
Well, it worked by using the same address on both eth0 and eth2 (as Tom did here: http://shorewall.net/XenMyWay.html ). I think that'll do it for me, just have to tweak some other stuff.

Ismael

ps - btw sir, that's an outstanding piece of network documentation, thank you.

2013/8/13 Ismael Milach <milach@gmail.com>