Johannes Graumann wrote:
> Thanks for your time and help!
>
> Tom Eastep wrote:
>>> Thanks, so I did as the troubleshooting page requests:
>>> - first ssh 10.31.0.69 (works)
>>> - second ssh 10.4.0.38 (fails)
>> You ssh'ed from where? The firewall?
> Correct.
>
>> And what does "fails" mean?
> ssh 10.4.0.38
> ssh: connect to host 10.4.0.38 port 22: Connection timed out
>
>> From the dump, it looks like you have a providers file that looks
>> something like this:
>>
>> #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS COPY
>> ICA       1      1    main      eth1      141.61.79.1 loose   eth0
>> LAN       2      2    main      eth0      10.31.0.1   loose   eth1
> You are correct again.
>
>> There are a number of things wrong with this:
>> a) You don't want the 'loose' option.
> Agreed.
>> b) You do want the 'balance' option.
> Is this really true? Doesn't that imply that I try to use both connections
> equally? In truth I'm trying to route everything but the 10.* and 192.*
> networks through eth1 ...
From the MultiISP howto:
-----------------------
Important

If you are using /etc/shorewall/providers because you have multiple internet connections, we recommend that you specify 'balance' even if you don't need it. You can still use entries in /etc/shorewall/tcrules (and /etc/shorewall/route_rules) to force all traffic to one provider or another.

Note

If you don't heed this advice then be prepared to read FAQ 57 and FAQ 58.
------------------------

We don't make these recommendations because we're idiots; we make them because we've found that most people can't make multi-ISP work without 'balance'.

>> c) You don't want to copy eth1 routes to the ICA routing table.
>> d) You don't want to copy eth0 routes to the LAN routing table.
>> e) You DO want to copy vmnet0 and vmnet8 routes to both routing tables.
> All agreed.
>
>> So you need a providers file more on the order of:
>> #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS COPY
>> ICA       1      1    main      eth1      141.61.79.1 balance vmnet0,vmnet8
>> LAN       2      2    main      eth0      10.31.0.1   balance vmnet0,vmnet8
> Adapted.
>
> And /etc/shorewall/masq has:
> eth0 $ETH1_IP $ETH0_IP
> eth1 $ETH0_IP $ETH1_IP

Sorry -- I must have been asleep.

>> Now about the test you performed. I suspect that 10.4.0.38 is only
>> accessible via eth0 but your main routing table doesn't reflect that.
>> So you must add routes via 10.31.0.1 to those non-local networks that
>> are only accessible through eth0.
>
> I tried to achieve that with the following /etc/shorewall/route_rules:
> - 192.168.0.0/16 LAN 26000
> - 0.0.0.0/0 ICA 26000
> - 10.0.0.0/8 LAN 26000
> ... but according to your analysis this doesn't seem to work ... I also
> tried this with "lo" as the source ...

I'm sorry but I'm not going to try to visualize what your configuration now looks like after you've made all of these changes; I'll need to see another dump.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
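As an added example (not from the thread and not Shorewall's own code), here is a small Python lint that parses a providers file in the column layout shown above and flags the problems Tom calls out: the 'loose' option, a missing 'balance' on a multi-provider setup, and a COPY column that names another provider's interface. The `local_interfaces` argument is an assumption: the caller names the non-provider interfaces (vmnet0 and vmnet8 in this thread) whose routes every provider table should copy. The two sample files are the original and corrected providers files as they appear in the thread.

```python
"""Lint a Shorewall /etc/shorewall/providers file against the multi-ISP
advice given in the thread. Added example; not Shorewall's own code."""

# Columns of the providers file layout used in the thread.
COLUMNS = ("provider", "number", "mark", "duplicate",
           "interface", "gateway", "options", "copy")

# Sample input: the providers file reconstructed from the dump in the thread.
ORIGINAL_PROVIDERS = """\
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ICA 1 1 main eth1 141.61.79.1 loose eth0
LAN 2 2 main eth0 10.31.0.1 loose eth1
"""

# Sample input: the corrected providers file suggested in the reply.
CORRECTED_PROVIDERS = """\
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ICA 1 1 main eth1 141.61.79.1 balance vmnet0,vmnet8
LAN 2 2 main eth0 10.31.0.1 balance vmnet0,vmnet8
"""


def _split_list(field):
    """A '-' (or empty) field means 'none'; otherwise a comma-separated list."""
    return set() if field in ("-", "") else set(field.split(","))


def parse_providers(text):
    """Return one dict per non-comment, non-blank line of a providers file."""
    providers = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and the header
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least 6 columns, got {len(fields)}")
        # OPTIONS and COPY are optional trailing columns; pad them with '-'.
        fields += ["-"] * (len(COLUMNS) - len(fields))
        entry = dict(zip(COLUMNS, fields[:len(COLUMNS)]))
        entry["options"] = _split_list(entry["options"])
        entry["copy"] = _split_list(entry["copy"])
        entry["lineno"] = lineno
        providers.append(entry)
    return providers


def lint_providers(text, local_interfaces=()):
    """Return a list of (provider, message) findings.

    local_interfaces is an assumption supplied by the caller: interfaces that
    are not providers themselves but whose routes every provider table should
    copy (vmnet0 and vmnet8 in the thread).
    """
    providers = parse_providers(text)
    provider_ifaces = {p["provider"]: p["interface"] for p in providers}
    findings = []
    for p in providers:
        name = p["provider"]
        if "loose" in p["options"]:
            findings.append((name, "'loose' option set; drop it"))
        if len(providers) > 1 and "balance" not in p["options"]:
            findings.append((name, "'balance' missing; the MultiISP howto recommends it"))
        # Copying the other provider's interface routes into this table
        # makes that provider's networks reachable through the wrong uplink.
        for other, iface in provider_ifaces.items():
            if other != name and iface in p["copy"]:
                findings.append((name, f"copies routes of {iface}, which belongs to provider {other}"))
        for iface in local_interfaces:
            if iface not in p["copy"]:
                findings.append((name, f"does not copy routes of local interface {iface}"))
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_PROVIDERS), ("corrected", CORRECTED_PROVIDERS)):
        print(f"== {label} providers file ==")
        for provider, message in lint_providers(text, local_interfaces=("vmnet0", "vmnet8")):
            print(f"  {provider}: {message}")
```

Run against the original file the lint reports all three problems for each provider plus the two missing vmnet copies; against the corrected file it reports nothing. It only checks the providers file itself, so it cannot tell whether a destination such as 10.4.0.38 is actually reachable through eth0; that still needs the dump Tom asks for.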
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
