Paolo Nesti Poggi
2014-Sep-05  10:29 UTC
Changed ISP and DNAT stopped working for external IP addresses
Hi
We use Shorewall 4.4.11.6 with a 3-NIC setup (net - dmz - localnet) 
that has been working flawlessly for years.
Now we have changed broadband provider and with it we've got new IP 
addresses.
I've reconfigured Shorewall with the new addresses and since then we no 
longer have functioning DNAT for boxes that are forwarded to from an IP 
address different from the main IP address.
As far as I could see, for doing the provider change we only needed to 
edit the params file (params for the main IP and extra IPs) and the masq 
file (main IP), apart of course from /etc/network/interfaces and 
/etc/dhcp/dhcpd.conf.
Having done those changes everything works OK, even DNAT from the main 
IP to boxes on the DMZ or localnet, whilst the DNAT rules for boxes 
forwarded to from other IPs in the address range are not working at all 
(ssh: connect to host 89.233.14.37 port 22: Connection timed out).
I hope you can help me find a way to further troubleshoot this.
I've re-read the section regarding the 3-interface setup: 
http://shorewall.net/three-interface.htm
and the DNAT troubleshooting: 
http://shorewall.net/FAQ.htm#faq1a and #faq1b
The rules I'm troubleshooting all show 0 packets in the output of 
'shorewall show nat'; however, the ISP assures me that they are not 
dropping anything (this is a 200 Mb/sec symmetric connection).
The output of 'shorewall show nat' for one of the hosts in question is:
      0     0 DNAT       tcp  --  *      *       0.0.0.0/0 89.233.14.37 multiport dports 22,80,443,3690,8000,5001,3306 to:192.168.37.37
      0     0 DNAT       udp  --  *      *       0.0.0.0/0 89.233.14.37 multiport dports 5001,22,3306 to:192.168.37.37
where doing 'ssh 89.233.14.37' from a host outside of this network 
should connect me to my box on 192.168.37.37 in the local network.
If I set up a Windows PC with static address 89.233.14.37 and connect it 
to the switch of my provider I can ping it from outside, but if I try 
to connect to my box on 192.168.37.37 I only get "Connection timed out".
Do you have any idea of what might be going wrong and/or how I can move 
forward in troubleshooting this issue?
I have attached a dump file.
Many thanks, Paolo
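One check worth running on the firewall before going further, as an added example that is not part of the original post and not Shorewall's own code: a DNAT rule in the nat PREROUTING chain only counts packets the kernel has already accepted off the wire, so a counter that stays at 0 while the ISP says it is forwarding the traffic points at the host never receiving the packets at all. The most common reason is that the extra address is not actually assigned to the external interface, so the firewall never answers ARP for it. The script below cross-checks every DNAT ORIGINAL DEST in a 'shorewall show nat' listing against the addresses reported by 'ip -4 -o addr show'. The interface names, the constructed sample listings and the 89.233.14.36 main address are assumptions for the example; the real diagnosis still has to come from the live output.

```shell
#!/bin/sh
# Added troubleshooting helper; not from the original post and not part of
# Shorewall. Lists every DNAT destination address that no local interface
# carries. Sample data below is constructed for offline use.

# Print the destination address (field 9) of every DNAT rule in
# 'shorewall show nat' / 'iptables -t nat -nvL' output read from stdin.
dnat_dests() {
    awk '$3 == "DNAT" && $9 ~ /^[0-9.]+$/ { print $9 }' | sort -u
}

# Print every IPv4 address from 'ip -4 -o addr show' output read from stdin,
# with the prefix length stripped.
local_addrs() {
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4 }' | sort -u
}

# $1 = nat table listing, $2 = ip addr listing.
# Prints DNAT destinations that are not assigned to any local interface.
missing_dnat_dests() {
    nat="$1"
    addrs="$2"
    have=$(printf '%s\n' "$addrs" | local_addrs)
    printf '%s\n' "$nat" | dnat_dests | while read -r dest; do
        printf '%s\n' "$have" | grep -qxF "$dest" || printf '%s\n' "$dest"
    done
}

# Constructed sample input modelled on the listing in the post: the main
# address (assumed 89.233.14.36) is on eth0 and its rule is counting, the
# extra address used by the failing rules is not configured anywhere.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            89.233.14.37         multiport dports 22,80,443 to:192.168.37.37
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            89.233.14.37         multiport dports 5001,22 to:192.168.37.37
  842 51044 DNAT       tcp  --  *      *       0.0.0.0/0            89.233.14.36         tcp dpt:25 to:192.168.37.25'

SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 89.233.14.36/29 brd 89.233.14.39 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.37.1/24 brd 192.168.37.255 scope global eth1\       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "--live" ]; then
    # Run on the firewall itself; assumes shorewall and iproute2 are installed.
    missing_dnat_dests "$(shorewall show nat)" "$(ip -4 -o addr show)"
else
    # Offline run against the constructed sample prints 89.233.14.37.
    missing_dnat_dests "$SAMPLE_NAT" "$SAMPLE_ADDR"
fi
```

If an address shows up as missing, 'tcpdump -ni eth0 arp' while someone connects from outside will confirm the symptom: ARP requests for that address with no reply from the firewall. Adding the address to the external interface (an 'up ip addr add 89.233.14.37/29 dev eth0' line in /etc/network/interfaces, or ADD_IP_ALIASES=Yes in shorewall.conf so Shorewall adds an alias for each DNAT ORIGINAL DEST itself) is the usual fix; if the address is present and the counter still stays at 0, the problem is upstream of the firewall and the ISP-side capture is the next step.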