> : ----- Original Message -----
> : From: "Mike Lander" <[EMAIL PROTECTED]>
> : To: "Shorewall Users" <[email protected]>
> : Sent: Thursday, August 30, 2007 1:32 PM
> : Subject: Re: [Shorewall-users] Multi-Isp Masqerade ?
> :
> :
> :: Mike Lander wrote:
> :: > Mike Lander wrote:
> :: >
> :: >> : /etc/shorewall/masq
> :: >> : eth0 10.194.79.181 66.224.62.120
> :: >> : eth1 66.224.62.120 10.194.79.181
> :: >> : eth0 eth1 66.224.62.120
> :: >> : eth1 eth0 10.194.79.181
> :: >
> :: > The last two entries appear to me to be totally silly.
> :: >
> :: > Please stop and think a minute about what those entries are asking the
> :: > firewall to do. The first one says that "any traffic from a host with a
> :: > route out of eth1 that is being forwarded out of eth0 should have its
> :: > source address rewritten to 66.224.62.120". Why would any traffic be
> :: > taking that path at all? The second rule is similar...
> :: >
> :: > Am I missing something?
> :: >
> :: > -Tom
> :: >
> :: > Well, in the multi-ISP setup this is the convention
> :: > to take with two ISPs, two NICs, FQ IP.
> :: > That is why I am confused on how to masq
> :: > from loc to the net with one NIC FQ IP 66.224.62.120
> :: > and the other forwarding to the gw 10.194.79.254
> :: > on the internal LAN. My thought about the LAN
> :: > is not to masq at all, any ideas?
> :: > But your answer sure makes me think about
> :: > it more clearly.
> ::
> :: If there is a local LAN here, which interface is it connected to? All you
> :: have shown us is eth0 and eth1 which appear to go to the two providers.
> :: Please don't tell me that 'the LAN' is also accessed through one of those
> :: interfaces....
> ::
> :: -Tom
> :: --
> :: Well, I thought I could access both T-1's in this config in my previous
> :: post, the admin led me to believe.
> :: But as it turns out both these ISP's (two full T-1's) are in separate
> :: buildings and connected by one run of fiber. So Jerry seemed optimistic
> :: this config would work as his does.
> :: I have two NICs in a test environment with the same setup at my place.
> ::
> :: eth0 66.224.62.120/27 -- gw 66.224.62.97
> :: eth1 10.194.79.181 -- gw 10.194.79.254
> :: I will send a dump if you like.
> ::
> :: Mike
> ::
> :: Here is the dump
> : Thanks
> : Mike
> ::
> Now I am thinking that does not make sense
> at all. My thought is the traffic coming from
> the natted gateway is already masqueraded;
> just masquerade the eth1 to eth0 traffic,
> so maybe it's as simple as below:
> /etc/shorewall/masq
> eth0 eth1
>
> Does that make sense?
No.
a) You have two interfaces on this firewall.
b) You are using multi-ISP so I'm forced to believe that one NIC goes to one
ISP and one NIC goes to the other. This seems to be supported by the routing
configuration you posted.
c) You say that there is a LAN somewhere that you want to masquerade but you
seem to not want to tell me how it is reached.
d) You keep showing us rules that masquerade traffic received from one ISP
that is being sent via the other ISP. That makes no sense to me and
Shorewall will complain loudly when processing the masq rules you have been
posting.
Mike, please explain in simple English what you are trying to accomplish.
Until I understand that, I can't comment intelligently on your config files,
on a Shorewall dump, or on individual file entries.
I'm sorry but I don't have the time to go back through the long email trail
between you and Jerry; I might be able to dig this information out myself if
I did...
-Tom
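To make Tom's reading of the masq file concrete, here is a small linter for /etc/shorewall/masq entries of the INTERFACE SOURCE ADDRESS form. It is an added example, not code from the thread or from the Shorewall project: it renders each entry in the plain-English form Tom uses ("traffic from hosts routed via X, leaving via Y, SNAT to Z") and flags the pattern he objects to, an entry whose SOURCE is itself one of the provider interfaces. It assumes, as the posted routing lines suggest, that eth0 and eth1 are the two provider-facing NICs; the sample input is the four entries quoted at the top of the thread.

```python
# Added example, not from the thread or from Shorewall itself: lint
# /etc/shorewall/masq entries (INTERFACE SOURCE ADDRESS) and flag entries
# that masquerade traffic received from one ISP interface and forwarded
# out of the other ISP interface.
import ipaddress

# Assumption: eth0 and eth1 are the two provider-facing NICs, as the
# routing configuration posted in the thread suggests.
PROVIDER_IFACES = frozenset({"eth0", "eth1"})

# Constructed sample: the four entries quoted at the top of the thread.
SAMPLE_MASQ = """\
#INTERFACE  SOURCE          ADDRESS
eth0        10.194.79.181   66.224.62.120
eth1        66.224.62.120   10.194.79.181
eth0        eth1            66.224.62.120
eth1        eth0            10.194.79.181
"""


def parse_masq(text):
    """Return (interface, source, address) tuples.

    ADDRESS is None when absent or '-', which in Shorewall means plain
    MASQUERADE behind the outgoing interface's own address.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        iface = fields[0]
        source = fields[1] if len(fields) > 1 else "-"
        address = fields[2] if len(fields) > 2 and fields[2] != "-" else None
        entries.append((iface, source, address))
    return entries


def is_address(token):
    """True if the SOURCE column is an IP address or subnet, not an interface."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def describe(entry):
    """Render an entry the way Tom reads it in the thread."""
    iface, source, address = entry
    if is_address(source):
        src = f"traffic with source {source}"
    else:
        # An interface in SOURCE means hosts that have a route out of it.
        src = f"traffic from hosts routed via {source}"
    action = f"SNAT to {address}" if address else f"MASQUERADE behind {iface}"
    return f"{src} leaving via {iface}: {action}"


def lint(entries, provider_ifaces=PROVIDER_IFACES):
    """Flag entries whose SOURCE is another provider interface.

    Such an entry rewrites traffic that arrived from one ISP and is being
    forwarded out of the other ISP, which is the pattern Tom calls silly;
    the SOURCE should be the LAN interface or the LAN subnet instead.
    """
    problems = []
    for iface, source, _ in entries:
        if iface in provider_ifaces and source in provider_ifaces and source != iface:
            problems.append(
                f"{iface} {source}: masquerades ISP-to-ISP forwarding; "
                f"SOURCE should be the LAN interface or its subnet"
            )
    return problems


if __name__ == "__main__":
    entries = parse_masq(SAMPLE_MASQ)
    for e in entries:
        print(describe(e))
    for p in lint(entries):
        print("WARNING:", p)
```

Run against the sample, the first two entries are described but not flagged (their SOURCE is a host address), while the last two trigger the warning; an entry such as `eth0 eth2 66.224.62.120`, with a hypothetical third NIC eth2 on the LAN, passes clean.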
PS So you can follow, building reference:
building 1: full T-1 under my control with /29, non-routed
building 2: full T-1 under Toyota's control, natted with
a Cisco router with LAN IP 10.5.198.238
Note: In my test environment the practice IP 10.194.79.254
will emulate 10.5.198.238
Tom,
I was just eating lunch and thought I should explain this better instead
of assuming you followed our posts. I built these guys a Shorewall box
in 2003 as you have seen. It has Red Hat 8 and Shorewall 3.0.2,
and it's been serving as a file server as well. When I checked this place
the admin thought the T-1's were in the same building as the old
Shorewall box is now. The old box is accessing the 10.5.198.238
gateway only for networks 63.90.860/24.
PS old box is still at the location being used.
Since the old Shorewall box was built, the natted gateway that
is out of my control has been upgraded to a full T-1 in building 2,
where currently there is no Shorewall box, just the Toyota Cisco.
I was going to use a three-NIC box with two NICs for the ISPs.
But the two buildings are connected with fiber on the
LAN 10.5.198.0/24, so now a dual NIC that Jerry has
working sounded attractive.
I will put the old Shorewall box in building 2 (after rebuild)
as a backup file server, which is what its primary purpose is.
They have liked it so much, they want a bigger,
better box built for redirecting My Documents on their XP boxes to a
Samba share. So I built a Dell 2900 quad Xeon 2GB RAM to handle
being a domain controller for their network, to knock out the
old Shorewall box.
The natted T-1 is hardly being used; they wish to load
balance to take advantage of the T-1's and maybe down the
road use it as failover. I am not opposed to a better idea than
the two NICs if you have an idea. Because in a similar situation
I asked you about a ways back, I needed customer wireless to a 2nd building
slaved with fiber on a LAN, and you suggested a VPN to the wireless
to separate the LAN traffic from the customer wireless router,
and that worked great. Getting lengthy, so hope this helps.
Thanks Tom
Mike
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users