Shorewall users - Nov 2013 - Two ISPs setup: sometimes wrong source IP on one Interface

Hi,

in my two ISPs Setup every package except that for aaa.117.77.217 should be 
routed via the ppp0 (tcom) interface.

provider:
tcom    1       0x100   -               ppp0            -               
balance=2       -
netco   2       0x200   -               eth4            aaa.117.77.217  
balance=1       -

tcrules:
#alles über tcom:
0x100:P 0.0.0.0/0
0x100   $FW
#Meb via netco
0x200   -              aaa.117.77.202

shorewall show ip:
3: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen
1000
    inet aaa.117.77.218/29 brd aaa.117.77.223 scope global eth4
    inet aaa.117.77.222/29 brd aaa.117.77.223 scope global secondary eth4:0
    inet aaa.117.77.219/29 brd aaa.117.77.223 scope global secondary eth4:1
92: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc
pfifo_fast
state UNKNOWN qlen 3
    inet bbb.152.162.192 peer 217.0.117.221/32 scope global ppp0


As far as I can see the routing via ppp0 is ok, but not so is the source IP. 
It''s switching between the ppp0 and the eth4 IP. And obviously there
are no
answer packages for the aaa.117.77.218 sourced ones.


tshark -i ppp0:
0.473136 bbb.152.162.192 -> 141.76.2.4   TCP 68 43768 > http [ACK]
Seq=2848
Ack=2262 Win=27392 Len=0 TSval=279996039 TSecr=2412064345
1.001138 aaa.117.77.218 -> 195.20.242.89 TCP 76 35771 > http [SYN] Seq=0 
Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=279996171 TSecr=0 WS=64


What''s wrong with the shorewall config?


Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

I forgot to say that this is only the case for packages originating from the 
firewall itself. SNATed packages from the local network are handled correctly.

Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

On 11/12/2013 2:34 PM, Axel Zöllich wrote:
> I forgot to say that this is only the case for packages originating from
the
> firewall itself. SNATed packages from the local network are handled
correctly.
Look carefully at http://www.shorewall.org/MultiISP.html#idp1955662608.
You are missing two entries.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

> > I forgot to say that this is only the case for packages originating
from
> > the firewall itself. SNATed packages from the local network are
handled
> > correctly.
> Look carefully at http://www.shorewall.org/MultiISP.html#idp1955662608.
> You are missing two entries.
As i''ve got no public subnet behind the firewall (but outside) I
thought this
is sufficient:

masq:
ppp0    192.168.122.0/24        bbb.152.162.192
eth4    192.168.122.0/24        aaa.117.77.218
ppp0    192.168.222.0/24        bbb.152.162.192
eth4    192.168.222.0/24        aaa.117.77.218
ppp0    192.168.223.0/24        bbb.152.162.192
eth4    192.168.223.0/24       aaa.117.77.218
ppp0    10.8.0.0/16             bbb.152.162.192
eth4    10.8.0.0/16             aaa.117.77.218




Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

On 11/12/2013 3:25 PM, Axel Zöllich wrote:
>>> I forgot to say that this is only the case for packages originating
from
>>> the firewall itself. SNATed packages from the local network are
handled
>>> correctly.
>> Look carefully at http://www.shorewall.org/MultiISP.html#idp1955662608.
>> You are missing two entries.
> 
> As i''ve got no public subnet behind the firewall (but outside) I
thought this
> is sufficient:
> 
> masq:
> ppp0    192.168.122.0/24        bbb.152.162.192
> eth4    192.168.122.0/24        aaa.117.77.218
> ppp0    192.168.222.0/24        bbb.152.162.192
> eth4    192.168.222.0/24        aaa.117.77.218
> ppp0    192.168.223.0/24        bbb.152.162.192
> eth4    192.168.223.0/24       aaa.117.77.218
> ppp0    10.8.0.0/16             bbb.152.162.192
> eth4    10.8.0.0/16             aaa.117.77.218
It''s not. Why don''t you simply have this?

ppp0	0.0.0.0/0	bbb.142.152.192
eth4	0.0.0.0/0	aaaa.117.77.218

That way, any packet leaving either interface will always have the
proper source IP.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

> It''s not. Why don''t you simply have this?
>
> ppp0	0.0.0.0/0	bbb.142.152.192
> eth4	0.0.0.0/0	aaaa.117.77.218
>
> That way, any packet leaving either interface will always have the
> proper source IP.
I changed my configuration to:

masq:
ppp0    0.0.0.0/0               bbb.152.162.192
eth4    0.0.0.0/0               aaa.117.77.218

providers:
tcom    1       0x100   -               ppp0            -               
balance=2       -
netco   2       0x200   -               eth4            aaa.117.77.217  
balance=1       -

tcrules:
0x100:P 0.0.0.0/0
0x100   $FW
0x200:P -               aaa.117.77.202
0x200   $FW             aaa.117.77.202


but there are packets with source IP bbb.152.162.192 and destination 
aaa.117.77.202 leaving eth4.

(by the way: is it packet or package?)

Axel



------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

On 11/13/2013 3:47 AM, Axel Zöllich wrote:
>> It''s not. Why don''t you simply have this?
>>
>> ppp0	0.0.0.0/0	bbb.142.152.192
>> eth4	0.0.0.0/0	aaaa.117.77.218
>>
>> That way, any packet leaving either interface will always have the
>> proper source IP.
> 
> I changed my configuration to:
> 
> masq:
> ppp0    0.0.0.0/0               bbb.152.162.192
> eth4    0.0.0.0/0               aaa.117.77.218
> 
> providers:
> tcom    1       0x100   -               ppp0            -               
> balance=2       -
> netco   2       0x200   -               eth4            aaa.117.77.217  
> balance=1       -
> 
> tcrules:
> 0x100:P 0.0.0.0/0
> 0x100   $FW
> 0x200:P -               aaa.117.77.202
> 0x200   $FW             aaa.117.77.202
> 
> 
> but there are packets with source IP bbb.152.162.192 and destination 
> aaa.117.77.202 leaving eth4.
You will need to purge the wrong conntrack entries before it will work
correctly.

Either reboot, or:

- Install the ''conntrack'' utility.
- Then, either:
	- Use that utility to delete the incorrect table entries; or
	- ''shorewall restart -p''

''restart -p'' will purge the entire table, which may result in
connections being broken.
> 
> (by the way: is it packet or package?)
In the US, it is ''packet'' -- in Europe, it is
''package'' :-)

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

> You will need to purge the wrong conntrack entries before it will work
> correctly.
Thank you, looks very well now.

But I don''t really understand my configurations gaps. Every used local
network
was SNATed and this isn''t enough?
> > (by the way: is it packet or package?)
> 
> In the US, it is ''packet'' -- in Europe, it is
''package'' :-)
In german it''s Paket therefore the US version is more accustomed for me
:)

Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk