Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/27/2017 01:05 PM, Adam Cecile wrote:
> NAT can be disabled again for testing purposes. I'm not sure I
> understand why you think it should work: the client sends a packet to
> 10.13.70.138 and receives the response from
> 192.168.195.227. How is that supposed to work?
> 

Why is the response coming from 192.168.195.227 if there is no NAT on
the Shorewall box?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Adam Cecile
NAT can be disabled again for testing purposes. I'm not sure I understand why
you think it should work: the client sends a packet to 10.13.70.138 and receives
the response from 192.168.195.227. How is that supposed to work?

On 27 July 2017 22:01:30 GMT+02:00, Tom Eastep wrote:
>On 07/27/2017 12:57 PM, Adam Cecile wrote:
>> Eth1 will be killed. It has been added to provide an access through
>the
>> old address logging every client so they can be fixed to use the
>proper
>> address.
>> 
>> No it was not. 10.13.70.138  was reachable from
>any
>> network EXCEPT 192.168.195.0/24. 
>> 
>
>Then I don't understand why it wasn't reachable from 192.168.195.0/24,
>and with the NAT in place on the central firewall, we will probably
>never know. But once eth1 is removed, clearly traffic to
>192.168.195.0/24 WILL be routed out of eth0.
>
>-Tom
>-- 
>Tom Eastep\   Q: What do you get when you cross a mobster with
>Shoreline, \ an international standard?
>Washington, USA \ A: Someone who makes you an offer you can't
>http://shorewall.org \   understand
>  \___


Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/27/2017 12:57 PM, Adam Cecile wrote:
> Eth1 will be killed. It has been added to provide an access through the
> old address logging every client so they can be fixed to use the proper
> address.
> 
> No it was not. 10.13.70.138 was reachable from any
> network EXCEPT 192.168.195.0/24.
> 

Then I don't understand why it wasn't reachable from 192.168.195.0/24,
and with the NAT in place on the central firewall, we will probably
never know. But once eth1 is removed, clearly traffic to
192.168.195.0/24 WILL be routed out of eth0.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Adam Cecile
Eth1 will be killed. It was added to provide access through the old
address, logging every client so they can be fixed to use the proper address.

No, it was not. 10.13.70.138 was reachable from any network EXCEPT
192.168.195.0/24.

On 27 July 2017 21:46:12 GMT+02:00, Tom Eastep wrote:
>On 07/27/2017 12:38 PM, Adam Cecile wrote:
>> No NAT anywhere (actually there s one in the central firewall to make
>> packet coming from 192.168.195 to 10.13 looking like coming from
>10.13
>> so shorewall machine answer back through eth0, but thats a workaround
>> because I couldn't get PBR doing what I want).
>> 
>
>So when 192.168.195.227 "goes away", what will the configuration of
>eth1
>look like?
>
>And, before the NAT was added on the central firewall, did connections
>from 192.168.195.0/24 to 10.13.70.138 work, even though the routing was
>asymmetric?
>
>-Tom
>-- 
>Tom Eastep\   Q: What do you get when you cross a mobster with
>Shoreline, \ an international standard?
>Washington, USA \ A: Someone who makes you an offer you can't
>http://shorewall.org \   understand
>  \___


Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/27/2017 12:38 PM, Adam Cecile wrote:
> No NAT anywhere (actually there's one in the central firewall to make
> packets coming from 192.168.195 to 10.13 look like they're coming from 10.13
> so the Shorewall machine answers back through eth0, but that's a workaround
> because I couldn't get PBR to do what I want).
> 

So when 192.168.195.227 "goes away", what will the configuration of eth1
look like?

And, before the NAT was added on the central firewall, did connections
from 192.168.195.0/24 to 10.13.70.138 work, even though the routing was
asymmetric?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Adam Cecile
No NAT anywhere (actually there's one in the central firewall to make packets
coming from 192.168.195 to 10.13 look like they're coming from 10.13 so the Shorewall
machine answers back through eth0, but that's a workaround because I couldn't
get PBR to do what I want).

On 27 July 2017 21:16:17 GMT+02:00, Tom Eastep wrote:
>On 07/27/2017 11:57 AM, Adam Cécile wrote:
>> On 07/27/2017 08:51 PM, Tom Eastep wrote:
>>> On 07/27/2017 10:12 AM, Adam Cécile wrote:
 On 07/27/2017 06:39 PM, Tom Eastep wrote:
>>  From the routing rules you posted above, the 'main' table is
>> traversed
>> before PBR is used, and the 'main' table will route packets to
>> 192.168.195.0 out of eth1.
 Sounds like the root of the issue to me!
>>> But do you really think that it is a problem?
>>>
>>> -Tom
>> Yes because any machine from 192.168.195.0/24 network cannot use the
>new
>> 10.13 address, and that the one that will stay, 192.168.195.227 must
>go
>> asap.
>> 
>
>Please ignore my last post. Replies to 192.168.195.0/24 from the 10.13
>address are being sent out of the 192.168.195.227 interface. Are they
>getting their source IP address rewritten by SNAT/MASQ? Is that the
>problem? Otherwise, I don't understand why communication is breaking.
>
>-Tom
>-- 
>Tom Eastep\   Q: What do you get when you cross a mobster with
>Shoreline, \ an international standard?
>Washington, USA \ A: Someone who makes you an offer you can't
>http://shorewall.org \   understand
>  \___


Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Adam Cecile
I actually hadn't thought about that. You mean it's not an issue being
asymmetric on the Shorewall box if the central firewall routes the packets
correctly?
Makes sense, but it requires me to ask the network team for support to check that.
I suppose it gets dropped because the connection cannot be tracked.

Is there anything wrong with killing the main table and doing PBR only?

On 27 July 2017 21:12:32 GMT+02:00, Tom Eastep wrote:
>On 07/27/2017 11:57 AM, Adam Cécile wrote:
>> On 07/27/2017 08:51 PM, Tom Eastep wrote:
>>> On 07/27/2017 10:12 AM, Adam Cécile wrote:
 On 07/27/2017 06:39 PM, Tom Eastep wrote:
>>  From the routing rules you posted above, the 'main' table is
>> traversed
>> before PBR is used, and the 'main' table will route packets to
>> 192.168.195.0 out of eth1.
 Sounds like the root of the issue to me!
>>> But do you really think that it is a problem?
>>>
>>> -Tom
>> Yes because any machine from 192.168.195.0/24 network cannot use the
>new
>> 10.13 address, and that the one that will stay, 192.168.195.227 must
>go
>> asap.
>
>So why isn't traffic from the 10.13 interface getting routed properly
>to
>the 192.168.195.0/24 subnet by your network outside of the Shorewall
>box? Clearly it is able to route in the other direction.
>
>-Tom
>-- 
>Tom Eastep\   Q: What do you get when you cross a mobster with
>Shoreline, \ an international standard?
>Washington, USA \ A: Someone who makes you an offer you can't
>http://shorewall.org \   understand
>  \___


Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/27/2017 11:57 AM, Adam Cécile wrote:
> On 07/27/2017 08:51 PM, Tom Eastep wrote:
>> On 07/27/2017 10:12 AM, Adam Cécile wrote:
>>> On 07/27/2017 06:39 PM, Tom Eastep wrote:
>  From the routing rules you posted above, the 'main' table is
> traversed
> before PBR is used, and the 'main' table will route packets to
> 192.168.195.0 out of eth1.
>>> Sounds like the root of the issue to me!
>> But do you really think that it is a problem?
>>
>> -Tom
> Yes because any machine from 192.168.195.0/24 network cannot use the new
> 10.13 address, and that the one that will stay, 192.168.195.227 must go
> asap.
> 

Please ignore my last post. Replies to 192.168.195.0/24 from the 10.13
address are being sent out of the 192.168.195.227 interface. Are they
getting their source IP address rewritten by SNAT/MASQ? Is that the
problem? Otherwise, I don't understand why communication is breaking.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/27/2017 11:57 AM, Adam Cécile wrote:
> On 07/27/2017 08:51 PM, Tom Eastep wrote:
>> On 07/27/2017 10:12 AM, Adam Cécile wrote:
>>> On 07/27/2017 06:39 PM, Tom Eastep wrote:
>  From the routing rules you posted above, the 'main' table is
> traversed
> before PBR is used, and the 'main' table will route packets to
> 192.168.195.0 out of eth1.
>>> Sounds like the root of the issue to me!
>> But do you really think that it is a problem?
>>
>> -Tom
> Yes because any machine from 192.168.195.0/24 network cannot use the new
> 10.13 address, and that the one that will stay, 192.168.195.227 must go
> asap.

So why isn't traffic from the 10.13 interface getting routed properly to
the 192.168.195.0/24 subnet by your network outside of the Shorewall
box? Clearly it is able to route in the other direction.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Adam Cécile

On 07/27/2017 08:51 PM, Tom Eastep wrote:

On 07/27/2017 10:12 AM, Adam Cécile wrote:

On 07/27/2017 06:39 PM, Tom Eastep wrote:

 From the routing rules you posted above, the 'main' table is traversed
before PBR is used, and the 'main' table will route packets to
192.168.195.0 out of eth1.

Sounds like the root of the issue to me!

But do you really think that it is a problem?

-Tom
Yes because any machine from 192.168.195.0/24 network cannot use the new 
10.13 address, and that the one that will stay, 192.168.195.227 must go 
asap.




Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/27/2017 10:12 AM, Adam Cécile wrote:
> On 07/27/2017 06:39 PM, Tom Eastep wrote:

>>> From the routing rules you posted above, the 'main' table is traversed
>>> before PBR is used, and the 'main' table will route packets to
>>> 192.168.195.0 out of eth1.
>

> Sounds like the root of the issue to me!

But do you really think that it is a problem?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Adam Cécile

On 07/27/2017 06:39 PM, Tom Eastep wrote:

On 07/27/2017 09:13 AM, Tom Eastep wrote:

On 07/27/2017 08:51 AM, Adam Cécile wrote:

Hi,

Here we go:

0:  from all lookup local
999:from all lookup main
1:  from all fwmark 0x1/0xff lookup 1
10001:  from all fwmark 0x2/0xff lookup 2
2:  from 10.13.70.138 lookup 1
2:  from 192.168.195.227 lookup 2
32765:  from all lookup 250
32767:  from all lookup default

Thanks


On 07/27/2017 05:10 PM, Tom Eastep wrote:

On 07/26/2017 11:34 PM, Adam Cécile wrote:

Hello,

I made a quick setup using PBR to migrate a server from an old network
to a new one.

Here is the provider file:

#NAME   NUMBER  MARKDUPLICATE   INTERFACE   GATEWAY
OPTIONS COPY
NEW 1   1   -   eth010.13.70.190
track
OLD 2   2   -   eth1192.168.195.254
track

And the interfaces:

eth0: flags=4163  mtu 1500
 inet 10.13.70.138  netmask 255.255.255.192  broadcast 10.13.70.191

eth1: flags=4163  mtu 1500
 inet 192.168.195.227  netmask 255.255.255.0  broadcast
192.168.195.255


Everything is working correctly except PBR seems to be overridden if the
client is directly connected on one of the local networks.

For instance, if I ssh this server from another machine in
192.168.195.0/24 on its 10.13.70.138 address, I see packet coming from
eth0 but response sent through eth1.

I suspect that it's the other way around (requests arrive on eth1 but
responses sent through eth0)?
Nope, the way I told you: 192.168.195.1 sends a packet to this machine
using its 10.13.70.190 address. Its default gateway knows about all
networks and routes it to 10.13.70.190 on eth0. The response is sent using
eth1. I expect it to be sent back through eth0.



What is the output of 'ip rule ls'?

I guess that I need to see the output of 'shorewall dump' (as an
attachment) then. You can send it to me privately, if you like.
Will do, in private in a few minutes; it's not a home setup so I have to
connect a few things before!

Maybe not. I take it that the machines in 192.168.195.0/24 don't know to
route packets to 110.13.70.138 via 192.168.195.227?
Sorry I don't get it. It's the same default gateway for everyone. No 
matter if we're talking about the client or the PBR-configured machine, 
both 10.13 and 192.168 are using the same firewall as default gateway.

If so, then I would
expect the requests to arrive on eth0 and the responses to be sent out
of eth1. While the routing in this case is asymmetric, it should work
correctly and I wouldn't try to "fix" it.

 From the routing rules you posted above, the 'main' table is traversed
before PBR is used, and the 'main' table will route packets to
192.168.195.0 out of eth1.

Sounds like the root of the issue to me!


-Tom








Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/27/2017 09:13 AM, Tom Eastep wrote:
> On 07/27/2017 08:51 AM, Adam Cécile wrote:
>> Hi,
>>
>> Here we go:
>>
>> 0:   from all lookup local 
>> 999: from all lookup main 
>> 1:   from all fwmark 0x1/0xff lookup 1 
>> 10001:   from all fwmark 0x2/0xff lookup 2 
>> 2:   from 10.13.70.138 lookup 1 
>> 2:   from 192.168.195.227 lookup 2 
>> 32765:   from all lookup 250 
>> 32767:   from all lookup default 
> 
> Thanks
> 
>>
>> On 07/27/2017 05:10 PM, Tom Eastep wrote:
>>> On 07/26/2017 11:34 PM, Adam Cécile wrote:
 Hello,

 I made a quick setup using PBR to migrate a server from an old network
 to a new one.

 Here is the provider file:

 #NAME   NUMBER  MARKDUPLICATE   INTERFACE   GATEWAY
 OPTIONS COPY
 NEW 1   1   -   eth010.13.70.190   
 track
 OLD 2   2   -   eth1192.168.195.254
 track

 And the interfaces:

 eth0: flags=4163  mtu 1500
 inet 10.13.70.138  netmask 255.255.255.192  broadcast 10.13.70.191

 eth1: flags=4163  mtu 1500
 inet 192.168.195.227  netmask 255.255.255.0  broadcast
 192.168.195.255


 Everything is working correctly except PBR seems to be overridden if the
 client is directly connected on one of the local network.

 For instance, if I ssh this server from another machine in
 192.168.195.0/24 on its 10.13.70.138 address, I see packet coming from
 eth0 but response sent through eth1.
> 
> I suspect that it's the other way around (requests arrive on eth1 but
> responses sent through eth0)?
> 

>>> What is the output of 'ip rule ls'?
> 
> I guess that I need to see the output of 'shorewall dump' (as an
> attachment) then. You can send it to me privately, if you like.

Maybe not. I take it that the machines in 192.168.195.0/24 don't know to
route packets to 110.13.70.138 via 192.168.195.227? If so, then I would
expect the requests to arrive on eth0 and the responses to be sent out
of eth1. While the routing in this case is asymmetric, it should work
correctly and I wouldn't try to "fix" it.

From the routing rules you posted above, the 'main' table is traversed
before PBR is used, and the 'main' table will route packets to
192.168.195.0 out of eth1.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___
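To make the rule-ordering point concrete, here is an added example (not code from the thread or from Shorewall) that walks the policy rules in priority order the way the kernel does, using the addresses and prefixes posted above; it also tries Tom's "once eth1 is removed" case and Adam's "PBR only" question. The contents of tables 1 and 2, and priority 2000 for the per-source rules, are assumptions.

```python
"""Simulate the Linux routing policy database (RPDB) walk for the thread's setup."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None          # next hop for a non-connected route


@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Address] = None   # None means "from all"


def longest_match(routes, dst):
    """Pick the most specific route in a table that covers dst, or None."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_lookup(rules, tables, src, dst):
    """Walk rules in priority order; the first table holding a matching route decides.
    Returns (table, device) or (None, None) if nothing matches."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and rule.src != src:
            continue
        hit = longest_match(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.table, hit.dev
    return None, None


# Addresses and prefixes from the thread: eth0 is 10.13.70.138/26, eth1 is 192.168.195.227/24.
NEW_IP, OLD_IP = "10.13.70.138", "192.168.195.227"
NEW_NET = ipaddress.ip_network("10.13.70.128/26")
OLD_NET = ipaddress.ip_network("192.168.195.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
CLIENT = "192.168.195.1"               # the client in the old network named in the thread


def build_tables(eth1_present=True):
    # Assumed table contents: 'main' holds the connected routes; each provider
    # table holds its own connected route plus that provider's default gateway.
    main = [Route(NEW_NET, "eth0")]
    t1 = [Route(NEW_NET, "eth0"), Route(ANY, "eth0", via="10.13.70.190")]
    t2 = []
    if eth1_present:
        main.append(Route(OLD_NET, "eth1"))
        t2 = [Route(OLD_NET, "eth1"), Route(ANY, "eth1", via="192.168.195.254")]
    return {"main": main, "1": t1, "2": t2}


def build_rules(main_priority=999):
    # 'main' at 999 precedes the provider rules, as in the posted 'ip rule ls';
    # 2000 for the per-source rules is an assumption consistent with that ordering.
    return [
        Rule(main_priority, "main"),
        Rule(2000, "1", ipaddress.IPv4Address(NEW_IP)),
        Rule(2000, "2", ipaddress.IPv4Address(OLD_IP)),
    ]


def reply_as_posted():
    """Reply from the new address to a client in 192.168.195.0/24: 'main' wins,
    so the request that arrived on eth0 is answered out of eth1 (asymmetric)."""
    return route_lookup(build_rules(), build_tables(), NEW_IP, CLIENT)


def reply_after_eth1_removed():
    """Tom's point: with eth1 gone, 'main' has no route to the old network."""
    return route_lookup(build_rules(), build_tables(eth1_present=False), NEW_IP, CLIENT)


def reply_with_pbr_first():
    """Adam's question: consult the per-source tables before 'main'."""
    return route_lookup(build_rules(main_priority=3000), build_tables(), NEW_IP, CLIENT)


def reply_from_old_address():
    """Traffic sourced from the old address is unaffected either way."""
    return route_lookup(build_rules(), build_tables(), OLD_IP, CLIENT)
```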





Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/27/2017 08:51 AM, Adam Cécile wrote:
> Hi,
> 
> Here we go:
> 
> 0:from all lookup local 
> 999:  from all lookup main 
> 1:from all fwmark 0x1/0xff lookup 1 
> 10001:from all fwmark 0x2/0xff lookup 2 
> 2:from 10.13.70.138 lookup 1 
> 2:from 192.168.195.227 lookup 2 
> 32765:from all lookup 250 
> 32767:from all lookup default 

Thanks

> 
> On 07/27/2017 05:10 PM, Tom Eastep wrote:
>> On 07/26/2017 11:34 PM, Adam Cécile wrote:
>>> Hello,
>>>
>>> I made a quick setup using PBR to migrate a server from an old network
>>> to a new one.
>>>
>>> Here is the provider file:
>>>
>>> #NAME   NUMBER  MARKDUPLICATE   INTERFACE   GATEWAY
>>> OPTIONS COPY
>>> NEW 1   1   -   eth010.13.70.190   
>>> track
>>> OLD 2   2   -   eth1192.168.195.254
>>> track
>>>
>>> And the interfaces:
>>>
>>> eth0: flags=4163  mtu 1500
>>> inet 10.13.70.138  netmask 255.255.255.192  broadcast 10.13.70.191
>>>
>>> eth1: flags=4163  mtu 1500
>>> inet 192.168.195.227  netmask 255.255.255.0  broadcast
>>> 192.168.195.255
>>>
>>>
>>> Everything is working correctly except PBR seems to be overridden if the
>>> client is directly connected on one of the local network.
>>>
>>> For instance, if I ssh this server from another machine in
>>> 192.168.195.0/24 on its 10.13.70.138 address, I see packet coming from
>>> eth0 but response sent through eth1.

I suspect that it's the other way around (requests arrive on eth1 but
responses sent through eth0)?

>>>
>> What is the output of 'ip rule ls'?

I guess that I need to see the output of 'shorewall dump' (as an
attachment) then. You can send it to me privately, if you like.

Thanks,
-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Adam Cécile

Hi,

Here we go:

0:  from all lookup local
999:from all lookup main
1:  from all fwmark 0x1/0xff lookup 1
10001:  from all fwmark 0x2/0xff lookup 2
2:  from 10.13.70.138 lookup 1
2:  from 192.168.195.227 lookup 2
32765:  from all lookup 250
32767:  from all lookup default

Thanks,

Adam.



On 07/27/2017 05:10 PM, Tom Eastep wrote:

On 07/26/2017 11:34 PM, Adam Cécile wrote:

Hello,

I made a quick setup using PBR to migrate a server from an old network
to a new one.

Here is the provider file:

#NAME   NUMBER  MARKDUPLICATE   INTERFACE   GATEWAY
OPTIONS COPY
NEW 1   1   -   eth010.13.70.190
track
OLD 2   2   -   eth1192.168.195.254
track

And the interfaces:

eth0: flags=4163  mtu 1500
 inet 10.13.70.138  netmask 255.255.255.192  broadcast 10.13.70.191

eth1: flags=4163  mtu 1500
 inet 192.168.195.227  netmask 255.255.255.0  broadcast
192.168.195.255


Everything is working correctly except PBR seems to be overridden if the
client is directly connected on one of the local networks.

For instance, if I ssh this server from another machine in
192.168.195.0/24 on its 10.13.70.138 address, I see packet coming from
eth0 but response sent through eth1.


What is the output of 'ip rule ls'?

Thanks,
-Tom




Re: [Shorewall-users] PBR and directly connected networks

2017-07-27 Thread Tom Eastep
On 07/26/2017 11:34 PM, Adam Cécile wrote:
> Hello,
> 
> I made a quick setup using PBR to migrate a server from an old network
> to a new one.
> 
> Here is the provider file:
> 
> #NAME   NUMBER  MARKDUPLICATE   INTERFACE   GATEWAY
> OPTIONS COPY
> NEW 1   1   -   eth010.13.70.190   
> track
> OLD 2   2   -   eth1192.168.195.254
> track
> 
> And the interfaces:
> 
> eth0: flags=4163  mtu 1500
> inet 10.13.70.138  netmask 255.255.255.192  broadcast 10.13.70.191
> 
> eth1: flags=4163  mtu 1500
> inet 192.168.195.227  netmask 255.255.255.0  broadcast
> 192.168.195.255
> 
> 
> Everything is working correctly except PBR seems to be overridden if the
> client is directly connected on one of the local networks.
> 
> For instance, if I ssh this server from another machine in
> 192.168.195.0/24 on its 10.13.70.138 address, I see packet coming from
> eth0 but response sent through eth1.
> 

What is the output of 'ip rule ls'?

Thanks,
-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___


