Francesco Saverio Giudice wrote:
----- Original Message -----
From: "Tom Eastep" <[EMAIL PROTECTED]>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Friday, February 22, 2008 8:42 PM
Subject: Re: [Shorewall-users] MultiISP and fixed routes

This should fix both issues. Note that these are horrible hacks which will open a window where you will have no default route in the main routing table.
-------------

I have seen $DEFAULT_ROUTE in your patch. Do I have to declare it at some point, or is it auto-detected?

Because I'm working remotely (!) and I'm afraid of losing the connection (and at the moment the firewall is alone, with no one at its side), I think it is better to try on Monday. Thanks for the patch.

In the meantime I'm checking some info for the 2nd problem. As you wrote in a previous email:
------------
I'm sorry but 'route not works' isn't enough to let me know what the problem is. I need to know what the source IP address is, what the destination IP address is and where the packet gets routed.
------------

The scenario is:

firewall:
eth0 intranet (loc in zones)
eth1 ISP1 (new provider, defined as net in zones)
eth2 ISP2 (old provider, defined as net in zones)
eth3 DMZ (dmz in zones - the servers in the zone use public IPs from ISP2 and are defined in proxyarp)

The problem is that there are some web sites on the net that check the source IP to allow access to some pages and accept IPs only from the ISP2 address range. If I run a browser from any server on the DMZ (which uses an IP from the ISP2 range) it works, whereas if I run a browser from the local LAN the connection doesn't work. Surely it happens because, having a balanced connection in the providers file, I get a random route path between the two providers. If I force a heavy balance to ISP2 (setting balance=100 in providers) it works also from the local LAN.
So my idea was to add a route to force use of ISP2 for connections going towards the above sites, and I have added rules in route_rules like:

    #SOURCE    DEST                 PROVIDER   PRIORITY
    $DMZ_IF    -                    ISP2       1000
    $INT_IF    $PROTECTED_SITE_LAN  ISP2       1000
    -          $ISP2_IP_RANGE       main       1000

but even so, resetting balance to 1 for both providers, it doesn't work. Probably I have not explained well or I have misunderstood what you need, but tell me what I can write to clarify.
The above will do exactly what it is intended to do. But apparently that isn't what you want it to do. So I need to know:
a) What is the source IP address of packets that "don't work"?
b) What is the destination IP address of packets that "don't work"?
c) Where do you want those packets to go?

Incidentally, you actually have three routing rules, not two.
May I send my shorewall configuration files directly to you?
Sure -- in fact there is an email address ([EMAIL PROTECTED]) dedicated to that purpose.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
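As an added illustration, not code from this thread or from Shorewall itself, here is a simplified model of how the quoted route_rules entries select a provider: rules are tried in ascending PRIORITY order (file order for ties), `-` is a wildcard, SOURCE is matched as an incoming interface name and DEST as a CIDR prefix. The interface names and address prefixes are assumed placeholders standing in for $DMZ_IF, $INT_IF, $PROTECTED_SITE_LAN and $ISP2_IP_RANGE; real Shorewall also accepts addresses in SOURCE, which this model leaves out.

```python
import ipaddress

# Constructed stand-ins for the shell variables in the quoted route_rules file.
DMZ_IF = "eth3"
INT_IF = "eth0"
PROTECTED_SITE_LAN = "203.0.113.0/24"   # assumed documentation prefix
ISP2_IP_RANGE = "198.51.100.0/24"       # assumed documentation prefix

# The three rules from the thread, with the placeholders substituted.
ROUTE_RULES = f"""\
#SOURCE DEST PROVIDER PRIORITY
{DMZ_IF} - ISP2 1000
{INT_IF} {PROTECTED_SITE_LAN} ISP2 1000
- {ISP2_IP_RANGE} main 1000
"""


def parse_route_rules(text):
    """Return (priority, source, dest, provider) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        source, dest, provider, priority = line.split()
        rules.append((int(priority), source, dest, provider))
    return rules


def lookup(rules, in_iface, dst_ip):
    """Simulate the policy-routing lookup for one flow: lowest priority first,
    file order for ties (sorted() is stable), first matching rule wins.
    None means no rule matched and the flow falls through to the balanced default."""
    dst = ipaddress.ip_address(dst_ip)
    for _prio, source, dest, provider in sorted(rules, key=lambda r: r[0]):
        if source != "-" and source != in_iface:
            continue
        if dest != "-" and dst not in ipaddress.ip_network(dest, strict=False):
            continue
        return provider
    return None


if __name__ == "__main__":
    rules = parse_route_rules(ROUTE_RULES)
    print(lookup(rules, "eth0", "203.0.113.10"))   # LAN -> protected site: ISP2
    print(lookup(rules, "eth3", "192.0.2.7"))      # anything from the DMZ: ISP2
    print(lookup(rules, "eth0", "198.51.100.5"))   # LAN -> ISP2's own range: main
    print(lookup(rules, "eth0", "192.0.2.7"))      # LAN -> elsewhere: None (balanced)
```

The two questions a) and b) above are exactly the inputs this lookup needs, which is why a report of "route not works" alone cannot be diagnosed.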
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users