Re: [Shorewall-users] syntax for configuring multi ISP with vlan
> I notice in the dump that the MAC address of the gateway out of that
> interface is unknown:
>
> ARP
>
> ? (10.1.1.15) at 38:60:77:f1:48:db [ether] on eth0
> ? (89.96.153.137) at <incomplete> on eth1.89
> ? (10.1.1.129) at 9c:ad:97:6a:66:9d [ether] on eth0
>
> Does 'ping -I eth1.89 89.96.153.137' work?
>
> -Tom

Yes, it seems an L2 issue, not concerning shorewall itself.
I am gonna investigate in this direction.
Thank you very much
Federico

--
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] syntax for configuring multi ISP with vlan
On 2015-11-13 17:39 Tom Eastep wrote:
> On 11/13/2015 7:20 AM, effemme wrote:
>> On 2015-11-13 01:50 Tom Eastep wrote:
>>> On 11/12/2015 3:09 AM, effemme wrote:
>>>> Hello Tom,
>>>> yes it is enabled, both in shorewall.conf and in sysctl.conf.
>>>> This firewall actually worked without vlan on eth1.
>>>>
>>>
>>> Then we need to see the output of 'shorewall dump', collected as
>>> described at http://www.shorewall.org/support.htm#Guidelines
>>>
>>> -Tom
>>
>> Thanks for reply Tom,
>> attached is gzip of dump.
>> The connection attempt was from lan host 10.1.1.129 to ping google dns
>> 8.8.8.8
>>
>
> On eth1.89, you are SNATting to the network address (89.96.53.140).
>
> -Tom

I am actually SNATting to 89.96.153.140, which is the ip address of eth1.89.
Is this wrong?
Re: [Shorewall-users] syntax for configuring multi ISP with vlan
On 2015-11-13 01:50 Tom Eastep wrote:
> On 11/12/2015 3:09 AM, effemme wrote:
>> Hello Tom,
>> yes it is enabled, both in shorewall.conf and in sysctl.conf.
>> This firewall actually worked without vlan on eth1.
>
> Then we need to see the output of 'shorewall dump', collected as
> described at http://www.shorewall.org/support.htm#Guidelines
>
> -Tom

Thanks for reply Tom,
attached is gzip of dump.
The connection attempt was from lan host 10.1.1.129 to ping google dns 8.8.8.8

[Attachment: dump.tgz, GNU Zip compressed data]
Re: [Shorewall-users] syntax for configuring multi ISP with vlan
Hello Tom,
yes it is enabled, both in shorewall.conf and in sysctl.conf.
This firewall actually worked without vlan on eth1.

>
> Is IP_FORWARDING set to 'Yes'?
>
> -Tom
[Shorewall-users] syntax for configuring multi ISP with vlan
Hello,
I have shorewall 4.55 on CentOS 6.5 machine.
I have two nics, eth0 is internal lan and eth1 uses vlan tagging to connect to two ISP (with reported fake addresses of course)

                              /eth1.5  -- ISP1 (1.1.1.1)
some lans --- eth0 --FW-- eth1
                              \eth1.89 -- ISP2 (2.2.2.2)

[root@FW shorewall]# cat /proc/net/vlan/config
VLAN Dev name    | VLAN ID
Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
eth1.5         | 5  | eth1
eth1.89        | 89 | eth1

[root@FW shorewall]# cat /proc/net/vlan/config
[-- omitted output]
default
        nexthop via 89.96.153.137  dev eth1.89 weight 2
        nexthop via 2.32.75.193  dev eth1.5 weight 1

/etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       eth0            detect
net     eth1.5
net     eth1.89
vpn     tun+

/etc/shorewall/providers
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
ISP1    1       1       main            eth1.89         2.2.2.2         track,balance   eth0
ISP2    2       2       main            eth1.5          1.1.1.1         track,balance   eth0

/etc/shorewall/masq
eth1.5  10.1.1.0/24     1.1.1.x
eth1.89 10.1.1.0/24     2.2.2.y

[root@FW shorewall]# shorewall show zones
Shorewall 4.5.4 Zones at FW - Tue Nov 10 15:13:29 CET 2015

fw (firewall)
loc (ipv4)
   eth0:10.1.1.0/24
vpn (ipv4)
   tun+:0.0.0.0/0
net (ipv4)
   eth1.5:0.0.0.0/0
   eth1.89:0.0.0.0/0

I used the rules file of another shorewall running with single ISP, plus I added a first rule to explicitly allow ping from lan to internet.

ACCEPT  loc     net     icmp

When I ping from lan to internet, firewall replies with "Destination host unreachable"
Any help would be appreciated.
Thanks in advance.
Federico Maccioni
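As an added example (not part of this thread and not Shorewall's own tooling), the following Python script performs the two sanity checks that the exchange above turns on: whether each ADDRESS in the masq file is a usable host address on the outgoing interface's subnet, rather than the network or broadcast address Tom suspected on eth1.89, and whether each GATEWAY in the providers file is on-link for its INTERFACE. The interface addresses reuse the eth1.89 address and the two gateways quoted in the thread, but the /29 prefix lengths are assumptions, since the original post never states the ISP subnets; the masq and providers contents are constructed to mirror the post's layout, with one deliberately wrong SNAT address so the check has something to report.

```python
import ipaddress

# Constructed sample input. The two interface addresses reuse figures from the
# thread, but the /29 prefix lengths are assumptions: the original post never
# states the ISP subnets.
INTERFACES = {
    "eth1.5": "2.32.75.194/29",      # assumed address and prefix for eth1.5
    "eth1.89": "89.96.153.140/29",   # .140 is from the thread; the /29 is assumed
}

# Constructed masq and providers files laid out like the ones in the original
# post. The eth1.89 ADDRESS is deliberately the subnet's network address
# (89.96.153.136 for a /29 containing .140) to show what the check reports.
MASQ = """\
#INTERFACE      SOURCE          ADDRESS
eth1.5          10.1.1.0/24     2.32.75.194
eth1.89         10.1.1.0/24     89.96.153.136
"""

PROVIDERS = """\
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
ISP1    1       1       main            eth1.89         89.96.153.137   track,balance   eth0
ISP2    2       2       main            eth1.5          2.32.75.193     track,balance   eth0
"""


def rows(text):
    """Yield the whitespace-separated fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def classify(addr, iface_cidr):
    """Say how addr relates to the subnet that iface_cidr sits on.

    Returns 'ok' for a usable host address, or 'network', 'broadcast' or
    'outside' when addr is the network address, the broadcast address, or
    not on that subnet at all.
    """
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_interface(iface_cidr).network
    if ip not in net:
        return "outside"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "ok"


def check_masq(masq_text, interfaces):
    """Flag masq ADDRESS values that are not usable hosts on their interface.

    A line with no ADDRESS (or '-') masquerades to the interface address and
    is skipped. Comma-separated lists and a-b ranges are checked end by end.
    """
    findings = []
    for fields in rows(masq_text):
        if len(fields) < 3 or fields[2] == "-":
            continue
        iface, address = fields[0], fields[2]
        if iface not in interfaces:
            findings.append((iface, address, "unknown-interface"))
            continue
        for token in address.split(","):
            for end in token.split("-"):
                verdict = classify(end, interfaces[iface])
                if verdict != "ok":
                    findings.append((iface, end, verdict))
    return findings


def check_providers(prov_text, interfaces):
    """Flag provider GATEWAY values that are not on-link for their INTERFACE."""
    findings = []
    for fields in rows(prov_text):
        if len(fields) < 6:
            continue
        name, iface, gateway = fields[0], fields[4], fields[5]
        if gateway in ("-", "detect"):
            continue  # Shorewall detects the gateway itself or does not need one
        if iface not in interfaces:
            findings.append((name, gateway, "unknown-interface"))
            continue
        verdict = classify(gateway, interfaces[iface])
        if verdict != "ok":
            findings.append((name, gateway, verdict))
    return findings


if __name__ == "__main__":
    for iface, addr, why in check_masq(MASQ, INTERFACES):
        print("masq:", iface, "SNAT address", addr, "is", why)
    for name, gw, why in check_providers(PROVIDERS, INTERFACES):
        print("providers:", name, "gateway", gw, "is", why)
```

Run against the constructed input, the masq check reports the eth1.89 line as SNATting to the network address while the providers check is clean. Neither test says anything about layer 2: an ARP entry for the gateway that never resolves, as in the dump Tom quoted, passes both checks, so this complements rather than replaces the 'ping -I eth1.89 <gateway>' test from the thread.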