Hello list,
I have two ISP connections (different providers), both with dynamic IP 
addresses.
I have three interfaces, two external and one internal and am trying to balance 
traffic over the two ppp connections.
Shorewall Version: Shorewall-3.2.4
The Problem:
Using a browser on the firewall (braveheart), traffic is balanced over both 
links, but clients (geronimo) behind the server are unable to connect to 
external hosts, e.g. to connect to an external POP3 server.
I have gone through the Shorewall MultiISP document a number of times, but am 
unable to make things work correctly.
Please see configs/logs below for more detail - is there a glaring omission or 
misconception on my part?
Many thanks for any assistance.
Gero.
..............................................................................................................................................
/etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            detect          dhcp,routefilter,norfc1918,tcpflags
net     ppp1            detect          dhcp,routefilter,norfc1918,tcpflags
loc     eth2            detect          tcpflags
mob     tun0            detect          tcpflags

.............................................................................................................................................
/etc/shorewall/masq
INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S)
#eth0                   eth2
#eth1                   eth2
ppp0                   $PPP1        $PPP0
ppp1                   $PPP0        $PPP1
ppp0                   eth2             $PPP0
ppp1                   eth2             $PPP1
.............................................................................................................................................
/etc/shorewall/providers
NAME    NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
ADSL    1       1       -               ppp0            detect          track,balance   eth2
IBURST  2       2       -               ppp1            detect          track,balance   eth2
.............................................................................................................................................
braveheart shorewall # ip route ls
10.8.0.2 dev tun0  proto kernel  scope link  src 10.8.0.1
196.2.112.1 dev ppp1  proto kernel  scope link  src 196.2.113.182
41.242.64.1 dev ppp0  proto kernel  scope link  src 41.242.68.98
10.8.0.0/24 via 10.8.0.2 dev tun0
10.100.10.0/24 dev eth2  proto kernel  scope link  src 10.100.10.1
127.0.0.0/8 dev lo  scope link
default
        nexthop via 41.242.64.1  dev ppp0 weight 1
        nexthop via 196.2.112.1  dev ppp1 weight 1
.............................................................................................................................................

braveheart shorewall # ip rule ls
0:      from all lookup local
10001:  from all fwmark 0x1 lookup ADSL
10002:  from all fwmark 0x2 lookup IBURST
20000:  from 165.145.127.86 lookup ADSL
20000:  from 165.145.124.131 lookup ADSL
20000:  from 41.242.68.98 lookup ADSL
20256:  from 196.2.104.214 lookup IBURST
20256:  from 41.208.195.204 lookup IBURST
20256:  from 196.2.126.97 lookup IBURST
20256:  from 196.2.113.182 lookup IBURST
32766:  from all lookup main
32767:  from all lookup default
.............................................................................................................................................
braveheart shorewall # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.0.2        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
196.2.112.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp1
41.242.64.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.8.0.0        10.8.0.2        255.255.255.0   UG        0 0          0 tun0
10.100.10.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         41.242.64.1     0.0.0.0         UG        0 0          0 ppp0
.............................................................................................................................................
Pinging from a client behind the firewall results in the below - packets are 
rejected for some reason.
geronimo # ping 196.4.160.2
PING 196.4.160.2 (196.4.160.2) 56(84) bytes of data.

/var/log/messages:
Nov 19 08:18:52 braveheart kernel: Shorewall:FORWARD:REJECT:IN=ppp1 OUT=ppp1 SRC=196.4.160.2 DST=10.100.10.50 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=38403 DF PROTO=ICMP TYPE=0 CODE=0 ID=47879 SEQ=8
.............................................................................................................................................
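The REJECT entry in the post shows the echo reply for 10.100.10.50 entering on ppp1 and being sent back out ppp1 instead of eth2. The following is an added example, not part of the original post: it parses Shorewall kernel log lines and flags that pattern. The function names and the default uplink list are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the REJECT entry from the post, joined onto one line.
SAMPLE_LOG = (
    "Nov 19 08:18:52 braveheart kernel: Shorewall:FORWARD:REJECT:IN=ppp1 OUT=ppp1 "
    "SRC=196.4.160.2 DST=10.100.10.50 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=38403 DF "
    "PROTO=ICMP TYPE=0 CODE=0 ID=47879 SEQ=8"
)

# Log prefix as it appears in the post: "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_entry(line):
    """Return chain, disposition and the first value of each KEY=VALUE field."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    entry = {"chain": m["chain"], "disposition": m["disposition"]}
    for key, value in FIELD_RE.findall(line[m.end():]):
        entry.setdefault(key, value)  # ID= occurs twice (IP id, ICMP id); keep the first
    return entry


def hairpinned_to_private(entry, uplinks):
    """True when a forwarded packet for a private address enters and leaves
    through the same uplink, i.e. the route lookup did not pick the LAN side."""
    if entry is None or entry["chain"] != "FORWARD":
        return False
    try:
        dst = ipaddress.ip_address(entry.get("DST", ""))
    except ValueError:
        return False
    same_uplink = entry.get("IN") in uplinks and entry.get("IN") == entry.get("OUT")
    return same_uplink and dst.is_private


def scan(lines, uplinks=("ppp0", "ppp1")):
    """Return (IN, SRC, DST) for every log line that shows the pattern."""
    entries = (parse_entry(line) for line in lines)
    return [(e["IN"], e.get("SRC"), e["DST"]) for e in entries if hairpinned_to_private(e, uplinks)]


if __name__ == "__main__":
    for iface, src, dst in scan([SAMPLE_LOG]):
        print(f"{src} -> {dst}: in and out on {iface}; check the table that routed it")
```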
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
