>>> From: Tom Eastep <[email protected]>
>>>
>>> You can nevertheless do what you want by adding a provider for interface
>>> enp4s1. Make it the 'primary' provider (if your version of Shorewall
>>> doesn't support the 'primary' option, use 'balance'). Then use the
>>> mangle rules that I suggested to balance traffic to the private network.
>>
>> I've added the "internet" primary provider as suggested:
>>
>> WAN   1  1  -  $IF_WAN   $ADDR_GW_WAN   loose,track,primary
>> CAIB  2  2  -  $IF_CAIB  $ADDR_GW_CAIB  loose,track
>> IBS   3  3  -  $IF_IBS   $ADDR_GW_IBS   loose,track
>>
>> Note: I'm supposing CAIB and IBS do not require "fallback" or "balance". I
>> also tried adding "fallback" to both and saw how $ADDR_GW_CAIB and
>> $ADDR_GW_IBS were added to "table default" but it did not change the outcome
>> of my test (see below).
>>
>> I then defined NOTHING in "routes" and "rtrules" and as you
>> suggested I only set up marking in "mangle":
>>
>> MARK(2):P  10.215.144.0/22  10.215.224.0/20  all
>> MARK(2):P  10.215.248.0/24  10.215.224.0/20  all
>> MARK(3):P  10.215.247.194   10.215.236.221   all
>>
>> Traffic to WAN seems to work but connections to CAIB or IBS fail
>> (10.215.224.0/20).
>>
>> e.g. ping from 10.215.144.48 ("lan" zone) to 10.215.237.237 ("caib"
>> zone) fails and a traceroute shows that it reaches the shorewall firewall
>> but is not routed out the CAIB provider.
>>
>> I'm attaching the shorewall dump.
>>
>> According to it, the default gateway to internet is in "table
>> balance" and not in "main" anymore (good). Also, according to the routing
>> rules and "mangle", packets sent from 10.215.144.48 to 10.215.237.237 should
>> be marked "2" and should route out via "10001: from all fwmark 0x2/0xff
>> lookup CAIB" (right?). However, traceroute from 10.215.144.48 does not
>> indicate access to $ADDR_GW_CAIB.
>>
>> What's wrong or what am I missing?
>
> Please try a 'shorewall iptrace' of the failing traffic.
Not sure how to use iptrace and where to look for the log messages (can't
find TRACE messages in system log files). I did the following:

# shorewall iptrace --destination 10.215.237.237

I then pinged from 10.215.246.24 to 10.215.237.237 after a shorewall reset
and saved a shorewall dump (attached).

I noticed this in the conntrack table:

icmp 1 27 src=10.215.246.24 dst=10.215.237.237 type=8 code=0 id=512 packets=7 bytes=420 src=10.215.237.237 dst=10.215.246.24 type=0 code=0 id=512 packets=2 bytes=120 mark=2 use=2

Mark 2 is CAIB as expected. However, ping fails.

I need to find out why I can't see any TRACE log messages and I'll post them
asap (syslog-ng).

Vieri
Attachment: dump.gz (application/gzip)
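As an added illustration (not code from Vieri's or Tom's posts, and not part of Shorewall), the script below parses the conntrack entry quoted in the message and a constructed `ip rule show` listing modelled on the `10001: from all fwmark 0x2/0xff lookup CAIB` rule mentioned earlier in the thread, then lists which routing tables the kernel would consult, in priority order, for a packet carrying that mark. The priority chosen for the IBS rule, the presence of the `local`, `main` and `default` rules, and the `0xff` mask on the IBS rule are assumptions made for the example.

```python
"""Which routing tables does the kernel walk for a given fwmark?

Added example (not from the mailing-list thread).  It models the two things
a multi-ISP debugging session usually hinges on: the mark that conntrack
recorded for the flow, and the `ip rule` priority list that turns a mark
into a table lookup.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Conntrack entry exactly as quoted in the message above.
CONNTRACK_LINE = (
    "icmp 1 27 src=10.215.246.24 dst=10.215.237.237 type=8 code=0 id=512 "
    "packets=7 bytes=420 src=10.215.237.237 dst=10.215.246.24 type=0 code=0 "
    "id=512 packets=2 bytes=120 mark=2 use=2"
)

# Constructed `ip rule show` output.  Only the CAIB line comes from the
# thread; the IBS priority and the local/main/default rules are assumed.
IP_RULES = """\
0:      from all lookup local
10001:  from all fwmark 0x2/0xff lookup CAIB
10002:  from all fwmark 0x3/0xff lookup IBS
32766:  from all lookup main
32767:  from all lookup default
"""


class Rule(NamedTuple):
    priority: int
    fwmark: Optional[int]   # None when the rule has no fwmark selector
    mask: int               # 0xffffffff when no mask was given
    table: str


def parse_conntrack(line: str) -> Dict[str, object]:
    """Split one conntrack line into original/reply tuples and the mark.

    src=/dst= appear twice: first the original direction, then the reply.
    """
    srcs = re.findall(r"\bsrc=(\S+)", line)
    dsts = re.findall(r"\bdst=(\S+)", line)
    pkts = [int(p) for p in re.findall(r"\bpackets=(\d+)", line)]
    mark = re.search(r"\bmark=(\d+)", line)
    return {
        "proto": line.split()[0],
        "orig": (srcs[0], dsts[0]),
        "reply": (srcs[1], dsts[1]),
        "orig_packets": pkts[0],
        "reply_packets": pkts[1],
        "mark": int(mark.group(1)) if mark else 0,
    }


RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+fwmark\s+(?P<mark>0x[0-9a-fA-F]+)(?:/(?P<mask>0x[0-9a-fA-F]+))?)?"
    r"\s+lookup\s+(?P<table>\S+)"
)


def parse_rules(text: str) -> List[Rule]:
    """Parse `ip rule show` lines; selectors this example does not model
    (iif, tos, ...) make a line unparseable and it is skipped."""
    rules = []
    for raw in text.splitlines():
        mo = RULE_RE.match(raw.strip())
        if not mo:
            continue
        fwmark = int(mo["mark"], 16) if mo["mark"] else None
        mask = int(mo["mask"], 16) if mo["mask"] else 0xFFFFFFFF
        rules.append(Rule(int(mo["prio"]), fwmark, mask, mo["table"]))
    return sorted(rules, key=lambda r: r.priority)


def lookup_sequence(rules: List[Rule], mark: int) -> List[str]:
    """Tables consulted, in order, for a packet carrying `mark`.

    The kernel walks rules by priority.  A rule matches when it has no
    fwmark selector or when (mark & mask) == fwmark; if the selected table
    holds no route for the destination, the walk continues with the next
    matching rule, so the result is an ordered list rather than one table.
    """
    return [r.table for r in rules
            if r.fwmark is None or (mark & r.mask) == r.fwmark]


def tables_for_connection(conntrack_line: str, rules_text: str) -> List[str]:
    """Combine both parsers: tables the flow's mark selects."""
    mark = parse_conntrack(conntrack_line)["mark"]
    return lookup_sequence(parse_rules(rules_text), int(mark))


if __name__ == "__main__":
    ct = parse_conntrack(CONNTRACK_LINE)
    print(f"{ct['proto']} {ct['orig'][0]} -> {ct['orig'][1]} mark={ct['mark']}")
    print("lookup order:", " -> ".join(tables_for_connection(CONNTRACK_LINE, IP_RULES)))
```

The mask matters: Shorewall's provider marks live in the low byte, so a packet whose mark also carries bits above 0xff (0x102, say) still selects CAIB, while a mark of 0 skips the provider rules entirely and falls through to `main`. The script only tells you which tables are walked; whether the CAIB table actually contains a usable default route for 10.215.237.237 is what the shorewall dump's `ip route show table CAIB` section answers.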
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
