Thaths wrote:
Hi,

I have the following set up:

LAN --> Gateway 1 --> ISP1
LAN --> Gateway 2 --> ISP2

Gateway2 is running Shorewall. Both gateways are doing SNAT.

I have a server on the public side of Gateway1 (i.e. on a global IP
belonging to ISP1). People using Gateway2 currently have to go
upstream to ISP2, through the public internet and back in through ISP1
to reach the said server. Obviously, this is a waste of time and
bandwidth.

I have added a static route on gateway 2 like so:

/sbin/route add -host ip.of.server.on.isp1 gw ip.of.gateway.2
                                                ^^^^^^^^^^^^^^^
                              I assume you mean ip.of.gateway.1 here

From gateway2 itself I am able to ping my server. However, I am unable
to ping server from any desktop on the LAN which is using Gateway2 as
its gateway. I suspect this is due to some rule in Shorewall. Any
clues as to how I can wrangle shorewall into allowing this packet?

I also assume that the LAN side of Gateway 1 & Gateway 2 have IPs from a common subnet and that ip.of.gateway.1 refers to the IP on the LAN side. If so, Gateway 2 would send an ICMP redirect to the clients when they try to reach the server on ISP 1. If those specific clients cannot reach Gateway 1 due to some restriction [e.g. they are on a separate physical network/VLAN], you would get a Destination Host Unreachable.

A few points:

-> The above is pure conjecture. You'll have to provide more details [specifically physical interconnections and some other stuff mentioned below].

-> What are the desktops running?

-> What is Gateway 1 running? Linux?

-> In the Destination Host Unreachable message, do you have a "From" IP? If so, what is this IP?

-> Can you post the result of "ifconfig", "ip rule show" and "ip route show" from the Gateways? [IP addresses to be obfuscated, of course].

This, prima facie, does not seem to be a firewalling problem, since then you would get an Administratively Prohibited [if you are rejecting packets] or Request Time Out [if you are dropping packets].

--
Regards,
Varun Varma
---------------------------------------
Mindframe Software & Services Pvt. Ltd.
http://www.mindsw.com
---------------------------------------


_______________________________________________
linux-india-help mailing list
linux-india-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-india-help
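
Added example, not part of the original thread: a sketch that parses `ip route show` output of the kind requested above and applies the RFC 1812 section 5.2.7.2 condition to tell whether Gateway 2 would answer a forwarded packet with an ICMP redirect. The addresses, interface names and function names are constructed for illustration; the `send_redirects` sysctl and Shorewall rules are not modelled.

```python
import ipaddress

# Constructed `ip route show` output for Gateway 2; the documentation addresses
# and interface names are assumptions, not values from the thread.
GW2_ROUTES = """\
default via 198.51.100.1 dev eth0
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.2
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.2
192.0.2.10 via 10.0.0.1 dev eth1
"""

def _field(tokens, key):
    """Return the token following `key`, or None if the key is absent."""
    return tokens[tokens.index(key) + 1] if key in tokens else None

def parse_routes(text):
    """Turn `ip route show` lines into (network, next_hop, device) tuples."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        via = _field(tokens, "via")
        routes.append((ipaddress.ip_network(dst),
                       ipaddress.ip_address(via) if via else None,
                       _field(tokens, "dev")))
    return routes

def lookup(routes, dst):
    """Longest-prefix match over the parsed routes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def redirect_expected(routes, in_dev, src, dst):
    """True when the packet leaves by the interface it arrived on and the
    sender is on-link with the next hop (RFC 1812 section 5.2.7.2)."""
    route = lookup(routes, dst)
    if route is None or route[1] is None or route[2] != in_dev:
        return False
    src_addr, hop = ipaddress.ip_address(src), route[1]
    # The sender and the next hop must share a directly connected network.
    return any(via is None and dev == in_dev and src_addr in net and hop in net
               for net, via, dev in routes)

if __name__ == "__main__":
    table = parse_routes(GW2_ROUTES)
    print(redirect_expected(table, "eth1", "10.0.0.50", "192.0.2.10"))
```

When the function returns True for a desktop, the next thing to verify is whether that desktop can reach the next hop directly on the LAN segment, which is the restriction the reply asks about.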