Thanks for your time and help!

Tom Eastep wrote:
>> Thanks, So I did as the trouble shooting page requests:
>> - first ssh 10.31.0.69 (works)
>> - second ssh 10.4.0.38 (fails)
>
> You ssh'ed from where? The firewall?

Correct.

> And what does "fails" mean?

ssh 10.4.0.38
ssh: connect to host 10.4.0.38 port 22: Connection timed out

> From the dump, it looks like you have a providers file that looks
> something like this:
>
> #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS COPY
> ICA       1      1    main      eth1      141.61.79.1 loose   eth0
> LAN       2      2    main      eth0      10.31.0.1   loose   eth1

You are correct again.

> There are a number of things wrong with this:
> a) You don't want the 'loose' option.

Agreed.

> b) You do want the 'balance' option.

Is this really true? Doesn't that imply that I try to use both
connections equally? In truth I'm trying to route everything but the
10.* and 192.* networks through eth1 ...

> c) You don't want to copy eth1 routes to the ICA routing table.
> d) You don't want to copy eth0 routes to the LAN routing table.
> e) You DO want to copy vmnet0 and vmnet8 routes to both routing tables.

All agreed.

> So you need a providers file more on the order of:
> #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS COPY
> ICA       1      1    main      eth1      141.61.79.1 balance vmnet0,vmnet8
> LAN       2      2    main      eth0      10.31.0.1   balance vmnet0,vmnet8

Adapted.

> You are also missing the entries in /etc/shorewall/masq recommended by
> the MultiISP documentation (http://www.shorewall.net/3.0/MultiISP.html).
> See the paragraph that begins "Regardless of whether you have
> masqueraded hosts or not,...".

No, I'm not ... /etc/shorewall/params reads:

ETH0_IP=$(python -c 'import os;print os.popen("ifconfig eth0").readlines()[1].split(":")[1].split(" ")[0].strip()')
ETH1_IP=$(python -c 'import os;print os.popen("ifconfig eth1").readlines()[1].split(":")[1].split(" ")[0].strip()')

And /etc/shorewall/masq has:

eth0 $ETH1_IP $ETH0_IP
eth1 $ETH0_IP $ETH1_IP

> Now about the test you performed. I suspect that 10.4.0.38 is only
> accessible via eth0 but your main routing table doesn't reflect that.
> So you must add routes via 10.31.0.1 to those non-local networks that
> are only accessible through eth0.

I tried to achieve that with the following /etc/shorewall/route_rules:

- 192.168.0.0/16 LAN 26000
- 0.0.0.0/0      ICA 26000
- 10.0.0.0/8     LAN 26000

... but according to your analysis this doesn't seem to work ... I also
tried this with "lo" as the source ...

Thanks again for your insight,
Joh

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
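As an added illustration (not part of the thread and not Shorewall's own code), the following Python checker encodes the review points a) through d) made about the providers file: it flags the 'loose' option, a missing 'balance' option, and any COPY column that names an interface belonging to one of the providers rather than a shared interface such as vmnet0/vmnet8. The two sample files are the ones quoted in the thread; the parser and the finding messages are assumptions of this example.

```python
# Added example (not from the thread and not Shorewall's own code): a small
# checker for /etc/shorewall/providers that encodes the review points a)-d)
# above. The two sample files are the ones quoted in the thread.

ORIGINAL_PROVIDERS = """\
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS COPY
ICA       1      1    main      eth1      141.61.79.1 loose   eth0
LAN       2      2    main      eth0      10.31.0.1   loose   eth1
"""

CORRECTED_PROVIDERS = """\
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS COPY
ICA       1      1    main      eth1      141.61.79.1 balance vmnet0,vmnet8
LAN       2      2    main      eth0      10.31.0.1   balance vmnet0,vmnet8
"""


def _field_set(fields, idx):
    """Comma-separated column as a set; '-' or an absent column is empty."""
    if len(fields) <= idx or fields[idx] == "-":
        return set()
    return set(fields[idx].split(","))


def parse_providers(text):
    """Parse providers lines into dicts; comment and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError("too few columns: %r" % raw)
        rows.append({"name": f[0], "number": int(f[1]), "mark": int(f[2]),
                     "duplicate": f[3], "interface": f[4], "gateway": f[5],
                     "options": _field_set(f, 6), "copy": _field_set(f, 7)})
    return rows


def lint_providers(text):
    """Return (provider, message) pairs for the problems the thread lists."""
    rows = parse_providers(text)
    provider_ifaces = {r["interface"] for r in rows}
    findings = []
    for r in rows:
        if "loose" in r["options"]:                      # point a)
            findings.append((r["name"], "drop the 'loose' option"))
        if "balance" not in r["options"]:                # point b)
            findings.append((r["name"], "add the 'balance' option"))
        # points c) and d): COPY should name shared interfaces (vmnet*),
        # never an interface that belongs to one of the providers
        for iface in sorted(r["copy"] & provider_ifaces):
            findings.append((r["name"], "do not COPY provider interface " + iface))
    return findings
```

Running `lint_providers(ORIGINAL_PROVIDERS)` reports six findings (three per provider), while the corrected file yields none.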
