On 11/10/2015 05:33 AM, effemme wrote:
> Hello,
> I have shorewall 4.55 on a CentOS 6.5 machine.
> I have two NICs, eth0 is internal lan and eth1 uses vlan tagging to
> connect to two ISP (with reported fake addresses of course)
>
>                            /eth1.5  ------ ISP1 (1.1.1.1)
> some lans --- eth0 --FW-- eth1
>                            \eth1.89 ------ ISP2 (2.2.2.2)
>
> [root@FW shorewall]# cat /proc/net/vlan/config
> VLAN Dev name    | VLAN ID
> Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD
> eth1.5         | 5  | eth1
> eth1.89        | 89  | eth1
>
> [root@FW shorewall]# cat /proc/net/vlan/config
> [-- omitted output]
> default
>         nexthop via 89.96.153.137  dev eth1.89 weight 2
>         nexthop via 2.32.75.193  dev eth1.5 weight 1
>
>
> /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> -       eth0        detect
> net     eth1.5
> net     eth1.89
> vpn     tun+
>
>
> /etc/shorewall/providers
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS        COPY
> ISP1   1       1     main       eth1.89    2.2.2.2  track,balance  eth0
> ISP2   2       2     main       eth1.5     1.1.1.1  track,balance  eth0
>
> /etc/shorewall/masq
> eth1.5    10.1.1.0/24   1.1.1.x
> eth1.89   10.1.1.0/24   2.2.2.y
>
>
> [root@FW shorewall]# shorewall show zones
> Shorewall 4.5.4 Zones at FW - Tue Nov 10 15:13:29 CET 2015
>
> fw (firewall)
> loc (ipv4)
>    eth0:10.1.1.0/24
> vpn (ipv4)
>    tun+:0.0.0.0/0
> net (ipv4)
>    eth1.5:0.0.0.0/0
>    eth1.89:0.0.0.0/0
>
>
> I used the rules file of another shorewall running with single ISP, plus
> I added a first rule to explicitly allow ping from lan to internet.
>
> ACCEPT   loc   net   icmp
>
> When I ping from lan to internet, firewall replies with "Destination
> host unreachable"
>
> Any help would be appreciated.

Is IP_FORWARDING set to 'Yes'?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users