Hi,
I fixed the issue after applying your recommendation.
Basically the configuration is now aligned with this guide "Shorewall and Multiple Internet Connections - A Complete Working Example" (http://shorewall.net/MultiISP.html).
However, I'm now facing an issue where I cannot access the internet (= interface 'net') from any client in subnetA 10.0.0.0/24.
Any client in subnetB 192.168.178.0/24 has full access to the internet.
I'm not sure if this is related to routing or rules, but I defined identical rules for subnetA and subnetB.
Question:
What do you need to continue supporting me?
THX
Thomas
Sent: Tuesday, 15 March 2016 at 17:00
From: "Tom Eastep" <teas...@shorewall.net>
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Configuration - appropriate configuration with 2 default gateways
On 03/15/2016 12:51 AM, Thomas Schneider wrote:
> Hello!
>
> With regards to the recommended settings in shorewall.conf
> TC_BITS=8
> PROVIDER_OFFSET=8
> PROVIDER_BITS=4
> is this a best-practice?
> Because initially the parameters are not set.
They are not set for historical reasons -- by setting them as shown
above, you are reserving 8 bits for future traffic shaping configuration.
>
> Unfortunately I get an error when starting shorewall:
> [...]
> Mar 15 8:22:39 Finishing matrix...
> Mar 15 8:22:39 Creating iptables-restore input...
> Mar 15 8:22:39 Shorewall configuration compiled to
> /var/lib/shorewall/.start
> Mar 15 08:22:39 Starting Shorewall....
> Mar 15 08:22:39 ERROR: Can't determine the IP address of eth2
> Mar 15 08:22:39 ERROR:Shorewall start failed:Firewall state not changed
>
> I assume this is related to the network configuration where eth2 is
> bridged to vmbr2:
> [...]
> auto eth2
> iface eth2 inet manual
>
> auto vmbr2
> iface vmbr2 inet static
> address 192.168.1.14
> netmask 255.255.255.0
> bridge_ports eth2
> bridge_stp off
> bridge_fd 0
>
> root@pc4-svp:~# ifconfig
> eth0 Link encap:Ethernet HWaddr 74:d4:35:1a:f6:0f
> inet addr:217.xxx.xxx.xxx Bcast:255.255.255.255
> Mask:255.255.255.192
> inet6 addr: fe80::76d4:35ff:fe1a:f60f/64
> Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:20460 errors:0 dropped:0 overruns:0 frame:0
> TX packets:94 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1684356 (1.6 MiB) TX bytes:8729 (8.5 KiB)
> Interrupt:20 Memory:f7d00000-f7d20000
>
> eth1 Link encap:Ethernet HWaddr 00:15:17:91:9c:b8
> UP BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
> Interrupt:16 Memory:f7c60000-f7c80000
>
> eth2 Link encap:Ethernet HWaddr 00:15:17:91:9c:b9
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:2306 errors:0 dropped:0 overruns:0 frame:0
> TX packets:2293 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:335489 (327.6 KiB) TX bytes:1260503 (1.2 MiB)
> Interrupt:17 Memory:f7c20000-f7c40000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:65536 Metric:1
> RX packets:1 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:104 (104.0 B) TX bytes:104 (104.0 B)
>
> tap121i0 Link encap:Ethernet HWaddr 46:f6:a2:8f:8e:10
> inet6 addr: fe80::44f6:a2ff:fe8f:8e10/64
> Scope:Link
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
> RX packets:1810 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1740 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:500
> RX bytes:991546 (968.3 KiB) TX bytes:270132 (263.8 KiB)
>
> vmbr0 Link encap:Ethernet HWaddr f2:b4:7f:3d:67:f9
> inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
> inet6 addr: fe80::f0b4:7fff:fe3d:67f9/64
> Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 B) TX bytes:1548 (1.5 KiB)
>
> vmbr1 Link encap:Ethernet HWaddr 00:15:17:91:9c:b8
> inet addr:10.1.0.1 Bcast:10.1.0.255 Mask:255.255.255.0
> UP BROADCAST MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> vmbr2 Link encap:Ethernet HWaddr 00:15:17:91:9c:b9
> inet addr:192.168.178.10 Bcast:192.168.1.255
> Mask:255.255.255.0
> inet6 addr: fe80::215:17ff:fe91:9cb9/64
> Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:1389 errors:0 dropped:377 overruns:0 frame:0
> TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:123341 (120.4 KiB) TX bytes:257435 (251.4 KiB)
>
> Can you please advise?
Then use vmbr2 as the interface for that provider rather than eth2 since
it is the bridge that has an IP address.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785231&iu=/4140_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
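The check behind Tom's answer, as an added example that is not part of the thread and not code from the Shorewall project: a POSIX shell script that, for each INTERFACE named in a Shorewall providers file, verifies that the interface actually carries an IPv4 address and, when it is only a bridge port (as eth2 is for vmbr2 here), resolves it to the bridge that does. The sysfs tree, the `ip -o -4 addr show` output and the providers lines are constructed stand-ins (the thread's masked public address is replaced by a documentation-range address; gateways and the 0x100/0x200 marks are assumptions); on a live router set SYSFS=/sys and ADDR_TABLE to the real command output.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project.
# Resolves the interface a Shorewall provider should name: the one that holds
# the IPv4 address. A NIC enslaved to a bridge (eth2 under vmbr2) has no address
# of its own, which is exactly what "Can't determine the IP address of eth2"
# reports. On a live router use SYSFS=/sys and ADDR_TABLE="$(ip -o -4 addr show)".
set -u

# Constructed sysfs stand-in: eth2 is a port of vmbr2; eth0 is a plain NIC;
# eth1 (no address, not bridged here) exercises the failure path.
SYSFS=$(mktemp -d)
trap 'rm -rf "$SYSFS"' EXIT
mkdir -p "$SYSFS/class/net/eth0" "$SYSFS/class/net/eth1" \
         "$SYSFS/class/net/vmbr2/brif" "$SYSFS/class/net/eth2/brport"
ln -s ../../vmbr2 "$SYSFS/class/net/eth2/brport/bridge"

# Constructed 'ip -o -4 addr show' output; the thread's masked public address
# is replaced by a documentation-range address (assumption).
ADDR_TABLE='2: eth0    inet 203.0.113.5/26 brd 203.0.113.63 scope global eth0
7: vmbr0    inet 10.0.0.1/24 brd 10.0.0.255 scope global vmbr0
8: vmbr1    inet 10.1.0.1/24 brd 10.1.0.255 scope global vmbr1
9: vmbr2    inet 192.168.178.10/24 brd 192.168.178.255 scope global vmbr2'

# Constructed /etc/shorewall/providers in the MultiISP column layout
# (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY). The 0x100/0x200
# marks assume TC_BITS=8 and PROVIDER_OFFSET=8 as discussed in the thread; the
# gateways are assumptions. ISP2 still names eth2, the bridge port.
PROVIDERS='#NAME NUMBER MARK  DUPLICATE INTERFACE GATEWAY       OPTIONS         COPY
ISP1  1      0x100 main      eth0      203.0.113.1   track,balance  vmbr0,vmbr1
ISP2  2      0x200 main      eth2      192.168.178.1 track,balance  vmbr0,vmbr1'

# has_v4_addr IFACE: succeeds if ADDR_TABLE lists an IPv4 address on IFACE.
has_v4_addr() {
  printf '%s\n' "$ADDR_TABLE" |
    awk -v i="$1" '$2 == i && $3 == "inet" { f = 1 } END { exit !f }'
}

# bridge_of IFACE: prints the bridge IFACE is a port of (sysfs brport/bridge link),
# fails if IFACE is not a bridge port.
bridge_of() {
  link="$SYSFS/class/net/$1/brport/bridge"
  [ -L "$link" ] && basename "$(readlink "$link")"
}

# resolve_provider_iface IFACE: prints the name to put in the INTERFACE column:
# IFACE itself if it has an address, else its bridge if that has one; fails otherwise.
resolve_provider_iface() {
  if has_v4_addr "$1"; then printf '%s\n' "$1"; return 0; fi
  br=$(bridge_of "$1") || br=
  if [ -n "$br" ] && has_v4_addr "$br"; then printf '%s\n' "$br"; return 0; fi
  return 1
}

# check_providers: prints NAME<TAB>CONFIGURED<TAB>RESOLVED for every provider and
# fails if any provider points at an interface with no address anywhere.
check_providers() {
  rc=0
  while read -r name _num _mark _dup iface _rest; do
    case $name in ''|\#*) continue ;; esac
    if resolved=$(resolve_provider_iface "$iface"); then
      printf '%s\t%s\t%s\n' "$name" "$iface" "$resolved"
    else
      printf '%s\t%s\tNO-ADDRESS\n' "$name" "$iface"
      rc=1
    fi
  done <<EOF
$PROVIDERS
EOF
  return "$rc"
}

check_providers
```

For the constructed data the script reports ISP1 as eth0 (unchanged) and ISP2 as vmbr2, which is the substitution Tom recommends; an interface that is neither addressed nor a port of an addressed bridge (eth1 here) is flagged NO-ADDRESS so the mistake is caught before `shorewall start` fails.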