Shorewall users - Nov 2013 - have to clear + start shorewall in order masquerading to work

Hello everyone,

I use shorewall for years. I''m installing a new server today and have 
some troubles having Shorewall working exactly the way I want.
I have the following Network:

FTTH (Orange) == ONT (fiber to ethernet) ==[eth0->vlan835->ppp0] Server 
(Linux Debian Wheezy) [br0 (eth2/wlan0)]== switch == LAN

I want to allow my LAN to go on internet. I used the "two-interfaces" 
example as startup base.

At boot, masquerading does not work. To make it work, I have to do: 
shorewall clear && shorewall start
After these commands, everything works fine.

I have several bridges and VLANs set up :

# brctl show
bridge name     bridge id               STP enabled interfaces
br0             8000.78542e06ca4e       no eth2
wlan0
video           8000.002590c50933       no eth3
vlan838
vlan839
vlan840
vlan841

br0 provides network for both wireless and wired clients.
video is a very specific bridge to enable Orange TV without their 
proprietary box.

/etc/shorewall/masq:
ppp0                    192.168.1.0/24

part of /etc/network/interfaces:
iface vlan835 inet manual
         vlan-raw-device eth0

My ppp connection:
# egrep -v "^$|^#" /etc/ppp/peers/orange
pty "/usr/sbin/pppoe -I vlan835 -T 80 -m 1452"
noipdefault
usepeerdns
defaultroute
hide-password
lcp-echo-interval 20
lcp-echo-failure 3
connect /bin/true
noauth
persist
mtu 1492
noaccomp
default-asyncmap
plugin rp-pppoe.so
user "myusername_here"

I compared results of following commands, they have the same output 
before and after the clear & start.
  - iptables -L -n
  - netstat -rtp
  - lsmod

What should I check to identify why Shorewall does not behave the same 
way at boot and after the full boot process occured?

Best regards.
Jerome Blion.

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

On 11/12/2013 3:50 PM, Jérôme Blion wrote:
> Hello everyone,
> 
> I use shorewall for years. I''m installing a new server today and
have
> some troubles having Shorewall working exactly the way I want.
> I have the following Network:
> 
> FTTH (Orange) == ONT (fiber to ethernet) ==[eth0->vlan835->ppp0]
Server
> (Linux Debian Wheezy) [br0 (eth2/wlan0)]== switch == LAN
> 
> I want to allow my LAN to go on internet. I used the
"two-interfaces"
> example as startup base.
> 
> At boot, masquerading does not work. To make it work, I have to do: 
> shorewall clear && shorewall start
> After these commands, everything works fine.
> 
> I have several bridges and VLANs set up :
> 
> # brctl show
> bridge name     bridge id               STP enabled interfaces
> br0             8000.78542e06ca4e       no eth2
> wlan0
> video           8000.002590c50933       no eth3
> vlan838
> vlan839
> vlan840
> vlan841
> 
> br0 provides network for both wireless and wired clients.
> video is a very specific bridge to enable Orange TV without their 
> proprietary box.
> 
> /etc/shorewall/masq:
> ppp0                    192.168.1.0/24
> 
> part of /etc/network/interfaces:
> iface vlan835 inet manual
>          vlan-raw-device eth0
> 
> My ppp connection:
> # egrep -v "^$|^#" /etc/ppp/peers/orange
> pty "/usr/sbin/pppoe -I vlan835 -T 80 -m 1452"
> noipdefault
> usepeerdns
> defaultroute
> hide-password
> lcp-echo-interval 20
> lcp-echo-failure 3
> connect /bin/true
> noauth
> persist
> mtu 1492
> noaccomp
> default-asyncmap
> plugin rp-pppoe.so
> user "myusername_here"
> 
> I compared results of following commands, they have the same output 
> before and after the clear & start.
>   - iptables -L -n
>   - netstat -rtp
>   - lsmod
> 
> What should I check to identify why Shorewall does not behave the same 
> way at boot and after the full boot process occured?
That is Shorewall FAQ 78.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

Le 13/11/2013 01:00, Tom Eastep a écrit :
> On 11/12/2013 3:50 PM, Jérôme Blion wrote:
>> Hello everyone,
>>
>> I use shorewall for years. I''m installing a new server today
and have
>> some troubles having Shorewall working exactly the way I want.
>> I have the following Network:
>>
>> FTTH (Orange) == ONT (fiber to ethernet) ==[eth0->vlan835->ppp0]
Server
>> (Linux Debian Wheezy) [br0 (eth2/wlan0)]== switch == LAN
>>
>> I want to allow my LAN to go on internet. I used the
"two-interfaces"
>> example as startup base.
>>
>> At boot, masquerading does not work. To make it work, I have to do:
>> shorewall clear && shorewall start
>> After these commands, everything works fine.
>>
>> I have several bridges and VLANs set up :
>>
>> # brctl show
>> bridge name     bridge id               STP enabled interfaces
>> br0             8000.78542e06ca4e       no eth2
>> wlan0
>> video           8000.002590c50933       no eth3
>> vlan838
>> vlan839
>> vlan840
>> vlan841
>>
>> br0 provides network for both wireless and wired clients.
>> video is a very specific bridge to enable Orange TV without their
>> proprietary box.
>>
>> /etc/shorewall/masq:
>> ppp0                    192.168.1.0/24
>>
>> part of /etc/network/interfaces:
>> iface vlan835 inet manual
>>           vlan-raw-device eth0
>>
>> My ppp connection:
>> # egrep -v "^$|^#" /etc/ppp/peers/orange
>> pty "/usr/sbin/pppoe -I vlan835 -T 80 -m 1452"
>> noipdefault
>> usepeerdns
>> defaultroute
>> hide-password
>> lcp-echo-interval 20
>> lcp-echo-failure 3
>> connect /bin/true
>> noauth
>> persist
>> mtu 1492
>> noaccomp
>> default-asyncmap
>> plugin rp-pppoe.so
>> user "myusername_here"
>>
>> I compared results of following commands, they have the same output
>> before and after the clear & start.
>>    - iptables -L -n
>>    - netstat -rtp
>>    - lsmod
>>
>> What should I check to identify why Shorewall does not behave the same
>> way at boot and after the full boot process occured?
> That is Shorewall FAQ 78.
>
> -Tom
Hello Tom,

Thank you, that did the trick.
It''s strange that Google did not find this FAQ''s entry;

Anyway, it works like a charm now !
Thank you.

Best regards.
Jerome Blion.

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk