Hello,
I have a very simple router/firewall setup with 3 Ethernet interfaces.
The setup is used to share an Internet connection between 2 unrelated
groups of people. The setup is:
- eth0 connects to the Internet (net zone) via ADSL modem (IP address is
DHCP assigned by provider).
- eth1 connects to a local network (loc zone).
- eth2 connects to an another local network (cus zone).
Traffic shaping is not configured, nor is any other packet-limiting option.
The "cus" zone is not a "DMZ" and there is NAT implemented between eth0
and eth1,eth2.
Everything is working as planned (routing, NAT, filtering etc.) except
for the following problem:
1.- Ping from a PC in the "loc" zone to any (active) address on the
Internet misses some (approx. 1% to 20%) packets.
2.- Ping from a PC in the "cus" zone to any (active) address on the
Internet misses some (approx. 1% to 20%) packets.
I have performed the following test:
1.- Pinging from inside the router/firewall (fw zone) to the same
addresses at the Internet does **not** miss packets.
2.- Pinging from a PC in the "loc" zone to the router/firewall does
**not** miss packets.
3.- Pinging from a PC in the "cus" zone to the router/firewall does
**not** miss packets.
4.- Pinging from a PC in the "loc" zone to a PC in the "cus" zone does
**not** miss packets.
5.- Pinging from a PC in the "cus" zone to a PC in the "loc" zone does
**not** miss packets.
6.- Connecting a PC directly to the ADSL modem and pinging the same
addresses at the Internet does **not** miss packets.
Additional information:
1.- All the router/firewall hardware, including the network cards has
been replaced and the problem persists.
2.- The ADSL modem was replaced and the problem persists.
3.- The network interfaces (eth0, eth1 and eth2) do **not** report any
errors (frame, overruns, drops etc.).
4.- The problem first showed itself with a Gentoo-based router/firewall
and then with an Ubuntu-based one. The Gentoo system was compiled without
IPv6 support.
5.- The missing packet problem shows with other protocols (browsing,
VoIP, ftp etc.) to any valid site.
6.- With VoIP, the problem shows as intermittent audio silences on
outgoing audio (from the loc/cus zones to the Internet), while incoming
audio (from the Internet to the loc/cus zones) does **not** show problems.
7.- The logs do not show any dropped or rejected packets aside from the
proper "net2fw" filtered packets.
The weird part:
1.- Disabling one of the internal network interfaces ("ifdown eth1" or
"ifdown eth2") fixes the problem for the other one.
2.- While pinging from inside the router/firewall to the Internet, the
packet loss when pinging from a PC in the "loc" or "cus" zones is
reduced considerably (to almost 1% packet loss over a 10-minute ping
period). Actually, I keep a console session on the router/firewall
pinging the default gateway on the Internet to have things working (more
or less).
The system information:
/sbin/shorewall version
4.4.6
ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
link/ether 40:61:86:78:73:5f brd ff:ff:ff:ff:ff:ff
inet 201.208.134.118/19 brd 201.208.159.255 scope global eth0
inet6 fe80::4261:86ff:fe78:735f/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
link/ether 00:e0:4c:36:c6:0e brd ff:ff:ff:ff:ff:ff
inet 192.168.30.1/24 brd 192.168.30.255 scope global eth1
inet6 fe80::2e0:4cff:fe36:c60e/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UNKNOWN qlen 1000
link/ether 00:00:21:f1:50:d0 brd ff:ff:ff:ff:ff:ff
inet 192.168.249.1/24 brd 192.168.249.255 scope global eth2
inet6 fe80::200:21ff:fef1:50d0/64 scope link
valid_lft forever preferred_lft forever
ip route show
192.168.30.0/24 dev eth1 proto kernel scope link src 192.168.30.1
192.168.249.0/24 dev eth2 proto kernel scope link src 192.168.249.1
201.208.128.0/19 dev eth0 proto kernel scope link src 201.208.134.118
default via 201.208.128.1 dev eth0 metric 100
Any help you could provide to resolve this problem will be appreciated.
Thank you.
Regards,
Carlos Siso
--
Carlos Siso
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
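The tests in the post narrow the loss to the path through the router (fw-originated and LAN-to-LAN pings are clean, LAN-to-Internet pings are not), but they do not say on which side of the NAT the probes disappear. The next step a practitioner would take is to capture on the inside interface (eth1 or eth2) and on eth0 at the same time and correlate the ICMP echo requests and replies by id/seq. The script below is an added example, not code from the original post or from Shorewall: it parses the text output of `tcpdump -n -tt icmp` from both captures (format assumed from tcpdump's usual ICMP line; the sample lines, the 8.8.8.8 target and the probe id are constructed) and classifies each probe as answered, dropped inside the router before egress, lost upstream, or lost on the way back between eth0 and the inside interface. It assumes conntrack preserved the ICMP id across NAT, which it does unless two inside hosts collide on the same id.

```python
"""Correlate ICMP echo probes seen on the inside (eth1/eth2) and outside
(eth0) interfaces of a NAT router to locate where lost pings disappear.

Added example, not part of the original post or of Shorewall. Input is the
text output of `tcpdump -n -tt icmp` (assumed line format) from two
captures taken over the same interval.
"""
import re
from collections import defaultdict

# Assumed `tcpdump -n -tt` ICMP echo line, e.g.
# 1300000001.000100 IP 192.168.30.10 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 64
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed sample: capture on eth1 (inside, pre-NAT). Includes one ARP
# line as noise to show that non-matching lines are skipped.
INSIDE_SAMPLE = """\
1300000001.000100 IP 192.168.30.10 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 64
1300000001.030200 IP 8.8.8.8 > 192.168.30.10: ICMP echo reply, id 4242, seq 1, length 64
1300000001.500000 ARP, Request who-has 192.168.30.1 tell 192.168.30.10, length 28
1300000002.000100 IP 192.168.30.10 > 8.8.8.8: ICMP echo request, id 4242, seq 2, length 64
1300000003.000100 IP 192.168.30.10 > 8.8.8.8: ICMP echo request, id 4242, seq 3, length 64
1300000004.000100 IP 192.168.30.10 > 8.8.8.8: ICMP echo request, id 4242, seq 4, length 64
""".splitlines()

# Constructed sample: capture on eth0 (outside, post-NAT). Source is the
# router's public address; the ICMP id is assumed unchanged by conntrack.
OUTSIDE_SAMPLE = """\
1300000001.000150 IP 201.208.134.118 > 8.8.8.8: ICMP echo request, id 4242, seq 1, length 64
1300000001.030100 IP 8.8.8.8 > 201.208.134.118: ICMP echo reply, id 4242, seq 1, length 64
1300000003.000150 IP 201.208.134.118 > 8.8.8.8: ICMP echo request, id 4242, seq 3, length 64
1300000004.000150 IP 201.208.134.118 > 8.8.8.8: ICMP echo request, id 4242, seq 4, length 64
1300000004.030100 IP 8.8.8.8 > 201.208.134.118: ICMP echo reply, id 4242, seq 4, length 64
""".splitlines()


def parse(lines):
    """Return {(id, seq): {"request": ts, "reply": ts}} for one capture."""
    seen = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, DNS, truncated lines: not an echo probe
        key = (int(m["id"]), int(m["seq"]))
        # keep the first sighting of each request/reply for a probe
        seen[key].setdefault(m["kind"], float(m["ts"]))
    return seen


def classify(inside, outside):
    """Classify every probe whose request was seen on the inside interface.

    ok                 request and reply seen on both interfaces
    dropped_in_router  request seen inside but never left eth0
    lost_upstream      request left eth0, no reply ever reached eth0
    reply_dropped      reply reached eth0 but never reached the inside host
    """
    status = {}
    for key, ins in inside.items():
        if "request" not in ins:
            continue  # reply without a request: cannot correlate, skip
        outs = outside.get(key, {})
        if "request" not in outs:
            status[key] = "dropped_in_router"
        elif "reply" not in outs:
            status[key] = "lost_upstream"
        elif "reply" not in ins:
            status[key] = "reply_dropped"
        else:
            status[key] = "ok"
    return status


def summarize(status):
    """Count probes per classification."""
    counts = defaultdict(int)
    for s in status.values():
        counts[s] += 1
    return dict(counts)


def demo():
    """Run the classifier over the constructed samples."""
    return classify(parse(INSIDE_SAMPLE), parse(OUTSIDE_SAMPLE))


if __name__ == "__main__":
    result = demo()
    for key in sorted(result):
        print("id %d seq %d: %s" % (key[0], key[1], result[key]))
    print(summarize(result))
```

Run the two captures for the same interval (`-tt` gives epoch timestamps so the files line up), stop the ping before stopping either tcpdump so the last probe is not misclassified, and feed each file's lines to `parse`. A pile of `dropped_in_router` results points at netfilter, routing or the egress queue on the firewall itself; `lost_upstream` points at the modem or ISP despite the clean direct-to-modem test; `reply_dropped` points at the return path through NAT. The loc/cus tests in the post would be repeated once with eth1 as the inside capture and once with eth2.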