Trent O'Callaghan wrote:
> MASQ/SNAT and ARP are interacting in a way that is causing outbound
> connectivity issues in periods of low traffic (when ARP entries time out).
> Tcpdump of ARP packets shows who-has packets with the SNAT IP address when I
> need them to have the Firewall's Interface IP address as their source.
>
> I have modified MASQ to SNAT to the Firewall's Interface IP address for the
> Peering network (via 198.32.212.73), but outbound traffic is normally to
> more distant networks and my default route is to the Paid Internet (via
> 121.200.226.210).
>
> I have seen some have scripted ARP watchers that could assist but I believe
> this is something Shorewall can cope with, but I am lacking in the
> knowledge.
>
> r...@per-r1:/etc/shorewall# ifconfig -a
> eth0      Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>           inet addr:121.200.226.210  Bcast:121.200.226.211  Mask:255.255.255.252
> eth0:1    Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>           inet addr:198.32.212.73  Bcast:198.32.212.255  Mask:255.255.255.0
> eth0:2    Link encap:Ethernet  HWaddr 00:15:17:cc:dd:90
>           inet addr:180.233.131.7  Bcast:180.233.131.255  Mask:255.255.255.0
> eth1      Link encap:Ethernet  HWaddr 00:15:17:cc:dd:91
>           inet addr:10.240.0.1  Bcast:10.240.0.255  Mask:255.255.255.0
>
> r...@per-r1:/etc/shorewall# ip route show table main | grep -v zebra
> 121.200.226.208/30 dev eth0  proto kernel  scope link  src 121.200.226.210
> 198.32.212.0/24 dev eth0  proto kernel  scope link  src 198.32.212.73
> 180.233.131.0/24 dev eth0  proto kernel  scope link  src 180.233.131.7
> 10.240.1.0/24 dev eth1  proto kernel  scope link  src 10.240.1.1
> default via 121.200.226.209 dev eth0  metric 100
>
> #
> # Shorewall version 4 - Masq file
> #
> eth0:!198.32.212.0/24   eth1:!10.240.1.7        180.233.131.7
Ah! I took one more look at your report and I seriously doubt that the above
rule does what you expect. Rewrite it as:

eth0:!198.32.212.0/24   10.240.0.0/24!10.240.1.7

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
