Re: [Shorewall-users] syntax for configuring multi ISP with vlan

2015-11-17 Thread effemme
> I notice in the dump that the MAC address of the gateway out of that
> interface is unknown:
> 
> ARP
> 
> ? (10.1.1.15) at 38:60:77:f1:48:db [ether] on eth0
> ? (89.96.153.137) at  on eth1.89 <
> ? (10.1.1.129) at 9c:ad:97:6a:66:9d [ether] on eth0
> 
> Does 'ping -I eth1.89 89.96.153.137' work?
> 
> -Tom

Yes, it seems to be an L2 issue, not concerning shorewall itself.
I am gonna investigate in this direction. Thank you very much.

Federico

--
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] syntax for configuring multi ISP with vlan

2015-11-16 Thread effemme
On 2015-11-13 17:39 Tom Eastep wrote:
> On 11/13/2015 7:20 AM, effemme wrote:
>> On 2015-11-13 01:50 Tom Eastep wrote:
>>> On 11/12/2015 3:09 AM, effemme wrote:
>>>> Hello Tom,
>>>> yes it is enabled, both in shorewall.conf and in sysctl.conf.
>>>> This firewall actually worked without vlan on eth1.
>>>> 
>>> 
>>> Then we need to see the output of 'shorewall dump', collected as
>>> described at http://www.shorewall.org/support.htm#Guidelines
>>> 
>>> -Tom
>> 
>> Thanks for the reply, Tom,
>> attached is a gzip of the dump.
>> The connection attempt was from lan host 10.1.1.129 to ping google dns
>> 8.8.8.8
>> 
> 
> On eth1.89, you are SNATting to the network address (89.96.53.140).
> 
> -Tom

I am actually SNATting to 89.96.153.140, which is the IP address of
eth1.89.
Is this wrong?

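Added example (not part of the thread, nor Shorewall's own code): a small Python checker for the two things Tom points at in the two replies above, a multipath nexthop gateway whose MAC never resolved, and a SNAT source that is the subnet's network address rather than a host address. The `ip route`/`ip neigh` text and the /30 prefix are constructed assumptions; the thread never shows that output or states the real mask.

```python
import ipaddress
import re

# Constructed sample output, in the shape of `ip route show` and `ip neigh show`
# (not captured from the poster's firewall; gateway and device names follow the thread).
ROUTE_OUTPUT = """default
        nexthop via 89.96.153.137 dev eth1.89 weight 2
        nexthop via 2.32.75.193 dev eth1.5 weight 1
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.15
"""
NEIGH_OUTPUT = """10.1.1.129 dev eth0 lladdr 9c:ad:97:6a:66:9d REACHABLE
89.96.153.137 dev eth1.89  FAILED
2.32.75.193 dev eth1.5 lladdr 00:11:22:33:44:55 STALE
"""

NEXTHOP_RE = re.compile(r"nexthop via (\S+) dev (\S+)")
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?:\s+lladdr (\S+))?\s+(\S+)$", re.MULTILINE)


def unresolved_nexthops(route_text, neigh_text):
    """Return (gateway, device) pairs from the multipath default route whose
    neighbour entry carries no link-layer address: the L2 failure visible in
    the dump as an empty MAC beside 89.96.153.137 on eth1.89."""
    resolved = {(gw, dev) for gw, dev, mac, _state in NEIGH_RE.findall(neigh_text) if mac}
    return [(gw, dev) for gw, dev in NEXTHOP_RE.findall(route_text) if (gw, dev) not in resolved]


def snat_address_problem(snat_addr, iface_cidr):
    """Return why snat_addr is unusable as a SNAT source on iface_cidr's subnet
    (outside it, or its network/broadcast address); None if it is a host address."""
    net = ipaddress.ip_network(iface_cidr, strict=False)
    addr = ipaddress.ip_address(snat_addr)
    if addr not in net:
        return "not inside the interface subnet"
    if addr == net.network_address:
        return "network address of the subnet"
    if addr == net.broadcast_address:
        return "broadcast address of the subnet"
    return None


if __name__ == "__main__":
    for gw, dev in unresolved_nexthops(ROUTE_OUTPUT, NEIGH_OUTPUT):
        print(f"gateway {gw} on {dev} has no resolved MAC: check VLAN {dev} at layer 2")
    # The /30 prefix is an illustrative assumption; the thread does not state the real mask.
    for addr in ("89.96.153.140", "89.96.153.142"):
        print(addr, snat_address_problem(addr, "89.96.153.140/30") or "usable host address")
```

On a real box, feed it the output of `ip route show` and `ip neigh show` and the interface prefix from `ip addr show eth1.89`.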


Re: [Shorewall-users] syntax for configuring multi ISP with vlan

2015-11-13 Thread effemme

On 2015-11-13 01:50 Tom Eastep wrote:
> On 11/12/2015 3:09 AM, effemme wrote:
>> Hello Tom,
>> yes it is enabled, both in shorewall.conf and in sysctl.conf.
>> This firewall actually worked without vlan on eth1.
>>
> 
> Then we need to see the output of 'shorewall dump', collected as
> described at http://www.shorewall.org/support.htm#Guidelines
> 
> -Tom

Thanks for the reply, Tom,
attached is a gzip of the dump.
The connection attempt was from lan host 10.1.1.129 to ping google dns
8.8.8.8




dump.tgz
Description: GNU Zip compressed data


Re: [Shorewall-users] syntax for configuring multi ISP with vlan

2015-11-12 Thread effemme
Hello Tom,
yes it is enabled, both in shorewall.conf and in sysctl.conf.
This firewall actually worked without vlan on eth1.

> 
> Is IP_FORWARDING set to 'Yes'?
> 
> -Tom


[Shorewall-users] syntax for configuring multi ISP with vlan

2015-11-10 Thread effemme
Hello,
I have shorewall 4.55 on CentOS 6.5 machine.
I have two nics, eth0 is the internal lan and eth1 uses vlan tagging to
connect to two ISPs (with fake addresses reported below, of course)

   /eth1.5 -- ISP1 (1.1.1.1)
 some lans --- eth0 --FW-- eth1
   \eth1.89 -- ISP2 (2.2.2.2)

[root@FW shorewall]# cat /proc/net/vlan/config
VLAN Dev name| VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth1.5 | 5  | eth1
eth1.89| 89  | eth1

[root@FW shorewall]# cat /proc/net/vlan/config
[-- omitted output]
default
 nexthop via 89.96.153.137  dev eth1.89 weight 2
 nexthop via 2.32.75.193  dev eth1.5 weight 1


/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
-   eth0   detect
net eth1.5
net eth1.89
vpn tun+


/etc/shorewall/providers
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY     OPTIONS         COPY
ISP1    1       1       main        eth1.89     2.2.2.2     track,balance   eth0
ISP2    2       2       main        eth1.5      1.1.1.1     track,balance   eth0

/etc/shorewall/masq
eth1.5  10.1.1.0/24 1.1.1.x
eth1.89 10.1.1.0/24 2.2.2.y


[root@FW shorewall]# shorewall show zones
Shorewall 4.5.4 Zones at FW - Tue Nov 10 15:13:29 CET 2015

fw (firewall)
loc (ipv4)
eth0:10.1.1.0/24
vpn (ipv4)
tun+:0.0.0.0/0
net (ipv4)
eth1.5:0.0.0.0/0
eth1.89:0.0.0.0/0


I used the rules file of another shorewall running with a single ISP, plus
I added a first rule to explicitly allow ping from lan to internet.

ACCEPT  locnet  icmp

When I ping from lan to internet, firewall replies with "Destination
host unreachable"

Any help would be appreciated.
Thanks in advance.
Federico Maccioni

