On 9/9/2015 1:50 AM, Vieri Di Paola wrote:
>
>> ----- Original Message -----
>> From: Tom Eastep <[email protected]>
>>
>> You can nevertheless do what you want by adding a provider for interface
>> enp4s1. Make it the 'primary' provider (if your version of Shorewall
>> doesn't support the 'primary' option, use 'balance'). Then use the
>> mangle rules that I suggested to balance traffic to the private network.
>
> I've added the "internet" primary provider as suggested:
>
> WAN 1 1 - $IF_WAN $ADDR_GW_WAN loose,track,primary
> CAIB 2 2 - $IF_CAIB $ADDR_GW_CAIB loose,track
> IBS 3 3 - $IF_IBS $ADDR_GW_IBS loose,track
>
> Note: I'm supposing CAIB and IBS do not require "fallback" or "balance". I
> also tried adding "fallback" to both and saw how $ADDR_GW_CAIB and
> $ADDR_GW_IBS were added to "table default" but it did not change the outcome
> of my test (see below).
>
> I then defined NOTHING in "routes" and "rtrules" and as you
> suggested I only set up marking in "mangle":
>
> MARK(2):P 10.215.144.0/22 10.215.224.0/20 all
> MARK(2):P 10.215.248.0/24 10.215.224.0/20 all
> MARK(3):P 10.215.247.194 10.215.236.221 all
>
> Traffic to WAN seems to work but connections to CAIB or IBS fail
> (10.215.224.0/20).
>
> eg. ping from 10.215.144.48 ("lan" zone) to 10.215.237.237 ("caib"
> zone) fails and a traceroute shows that it reaches the shorewall
> firewall but is not routed out the CAIB provider.
>
> I'm attaching the shorewall dump.
>
> According to it, the default gateway to internet is in "table
> balance" and not in "main" anymore (good). Also, according to the routing
> rules and "mangle", packets sent from 10.215.144.48 to 10.215.237.237 should
> be marked "2" and should route out via "10001: from all fwmark 0x2/0xff
> lookup CAIB" (right?). However, traceroute from 10.215.144.48 does not
> indicate access to $ADDR_GW_CAIB.
> What's wrong or what am I missing?

Please try a 'shorewall iptrace' of the failing traffic.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
