hm...
I had this configuration in /etc/network/interfaces previously and internet access from vmbr0 (10.0.0.0/24) and vmbr2 (192.168.178.0/24) was working:
source /etc/network/interfaces.d/*

# The loopback network interface; "auto" marks it to be brought up by `ifup -a` at boot.
auto lo
iface lo inet loopback

## ISP1 public DHCP IPv4
# eth0 faces the first ISP and takes its address by DHCP.
# The post-up line writes 1 to eth0's proxy_arp sysctl once the interface is up.
# NOTE(review): with proxy_arp enabled the kernel answers ARP requests arriving
# on eth0 for addresses it routes through other interfaces. The Shorewall
# interfaces file quoted further down in this message sets proxyarp=0 for the
# same interface (UMB_IF=eth0), so the two settings disagree - confirm which
# one is intended on the public side.
auto eth0
iface eth0 inet dhcp
       post-up echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

# eth1 and eth2 carry no address of their own ("manual"); they are attached as
# bridge ports to vmbr1 and vmbr2 in the stanzas further down.
auto eth1
iface eth1 inet manual

auto eth2
iface eth2 inet manual


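## LAN on eth0
# Internal bridge without a physical port (bridge_ports none). Hosts attached
# to it reach the outside by being routed and source-NATed out of eth0.
# NOTE(review): the MASQUERADE rule is installed directly with iptables. A
# firewall manager that loads its own complete ruleset when it starts (Shorewall
# is configured further down in this message) would presumably replace the nat
# table, so the equivalent rule also has to exist in its configuration - confirm.
auto vmbr0
iface vmbr0 inet static
        address  10.0.0.1
        netmask  255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0

        # Allow packets received on vmbr0 to be forwarded (per-interface IPv4 flag).
        post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr0/forwarding
        # Source-NAT 10.0.0.0/24 leaving through eth0; post-down deletes the same rule.
        # The two directives must be on separate lines, otherwise the post-down
        # text is handed to iptables as extra arguments and the rule is not added.
        post-up iptables -t nat -A POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.0.0.0/24' -o eth0 -j MASQUERADE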

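## DMZ on eth1
# Bridge for the DMZ network 10.1.0.0/24, with eth1 as its physical port.
# NOTE(review): the NAT rule matches on "-o eth1", but eth1 is a port of this
# bridge, so routed packets presumably carry vmbr1 as their output interface
# and the rule may never match. Its source is also the DMZ's own subnet. If DMZ
# hosts are meant to reach the internet, the rule would have to name the
# ISP-facing interface instead - confirm the intent.
auto vmbr1
iface vmbr1 inet static
        address  10.1.0.1
        netmask  255.255.255.0
        bridge_ports eth1
        bridge_stp off
        bridge_fd 0

        # Allow packets received on vmbr1 to be forwarded (per-interface IPv4 flag).
        post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr1/forwarding
        # Add the MASQUERADE rule on ifup and delete it again on ifdown. The two
        # directives must be on separate lines, otherwise the post-down text is
        # handed to iptables as extra arguments and the rule is not added.
        post-up iptables -t nat -A POSTROUTING -s '10.1.0.0/24' -o eth1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.1.0.0/24' -o eth1 -j MASQUERADE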

## LAN ISP2 with a second routing table on eth2
# Bridge on the second provider's LAN (192.168.178.0/24) with eth2 as its port.
# Policy routing: table rt2 receives the connected route and a default route
# via 192.168.178.1, and the two ip rules direct traffic from and to
# 192.168.178.14 to that table.
# NOTE(review): rt2 has to be a known table name (normally defined in
# /etc/iproute2/rt_tables) - that file is not shown here.
# NOTE(review): no post-down lines remove the ip rules, so they are presumably
# left behind across an ifdown/ifup cycle - confirm.
# NOTE(review): unlike vmbr0 and vmbr1 there is no NAT rule for this side;
# presumably the router at 192.168.178.1 does the NAT - confirm.
auto vmbr2
iface vmbr2 inet static
        address  192.168.178.14
        netmask  255.255.255.0
        bridge_ports eth2
        bridge_stp off
        bridge_fd 0

        post-up echo 1 > /proc/sys/net/ipv4/conf/vmbr2/forwarding
post-up ip route add 192.168.178.0/24 dev vmbr2 src 192.168.178.14 table rt2
        post-up ip route add default via 192.168.178.1 dev vmbr2 table rt2
        post-up ip rule add from 192.168.178.14/32 table rt2
        post-up ip rule add to 192.168.178.14/32 table rt2

I'm not sure how to configure SNAT for eth0, in other words I don't know which configuration is incomplete / incorrect.
But the configuration in /etc/shorewall/masq is:
#INTERFACE SOURCE          ADDRESS
# NOTE(review): in shorewall-masq(5) the INTERFACE column names the interface
# the traffic leaves through, and ADDRESS is the source address it is rewritten
# to (SNAT); leaving ADDRESS empty selects MASQUERADE. Both entries below name
# the internal bridge and its own private address, so traffic from 10.0.0.0/24
# leaving eth0 matches neither of them. That agrees with the reply quoted at
# the end of this message ("routing traffic from 10.0.0.0/24 out of eth0 with
# no SNAT"). Since eth0 gets its address by DHCP, an entry for it would
# normally leave ADDRESS empty - confirm against the running ruleset.
vmbr0           10.0.0.0/24     10.0.0.1
vmbr1           10.1.0.0/24     10.1.0.1

And in /etc/shorewall/interfaces:
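#ZONE   INTERFACE BROADCAST       OPTIONS
# One interface per line. UMB_IF, UMP_IF and INT_IF are logical names; the
# physical= option maps each to the variable of the same name from
# /etc/shorewall/params.
# NOTE(review): routefilter=0 turns reverse-path filtering off on both "net"
# interfaces - confirm that this is deliberate for the two-provider setup.
# NOTE(review): the upnp option on the "net" interfaces only matters if a UPnP
# daemon is running; confirm it is needed on the internet-facing side.
# NOTE(review): proxyarp=0 on UMB_IF (eth0) disagrees with the
# "echo 1 > .../eth0/proxy_arp" post-up in /etc/network/interfaces shown
# earlier in this message - confirm which setting is intended.
net UMB_IF - optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMB_IF,upnp,nosmurfs,tcpflags,dhcp
net UMP_IF - optional,sourceroute=0,routefilter=0,arp_ignore=1,proxyarp=0,physical=$UMP_IF,upnp,nosmurfs,tcpflags
loc INT_IF - dhcp,physical=$INT_IF,ignore=1,wait=5,routefilter,nets=10.0.0.0/24,routeback
vpn     TUN_IF+         -               physical=tun+,ignore=1
dmz     vmbr1           - routeback,proxyarp=1,required,wait=30
#fb     vmbr2           detect          routeback=1,bridge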

With /etc/shorewall/params:
# Variables for the other Shorewall files. The *_IF values are the ones the
# physical=$... options in /etc/shorewall/interfaces expand to.
# NOTE(review): LOG is presumably the log level/target referenced by the
# rules and policy files, which are not shown here.
LOG=NFLOG

# INT_IF: internal LAN bridge. UMB_IF: ISP1-facing interface (DHCP).
# UMP_IF: bridge on the second provider's LAN. TUN_IF: wildcard for tun devices.
INT_IF=vmbr0
TUN_IF=tun+
UMB_IF=eth0
UMP_IF=vmbr2

Additional information:
root@pc4-svp:/etc/shorewall# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 74:d4:35:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 217.8.xxx.xxx/26 brd 255.255.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::76d4:35ff:fe1a:f60f/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master vmbr1 state DOWN group default qlen 1000
    link/ether 00:15:17:xx:xx:xx brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UP group default qlen 1000
    link/ether 00:15:17:xx:xx:xx brd ff:ff:ff:ff:ff:ff
5: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether fe:87:16:37:69:e3 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::64e2:e2ff:fe79:22ea/64 scope link
       valid_lft forever preferred_lft forever
6: vmbr1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 00:15:17:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 10.1.0.1/24 brd 10.1.0.255 scope global vmbr1
       valid_lft forever preferred_lft forever
7: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 00:15:17:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.14/24 brd 192.168.178.255 scope global vmbr2
       valid_lft forever preferred_lft forever
    inet6 fe80::215:17ff:fe91:9cb9/64 scope link
       valid_lft forever preferred_lft forever
8: tap121i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 500
    link/ether 3a:f5:07:aa:c9:ac brd ff:ff:ff:ff:ff:ff
    inet6 fe80::38f5:7ff:feaa:c9ac/64 scope link
       valid_lft forever preferred_lft forever
10: veth103i0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
    link/ether fe:87:16:37:69:e3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::fc87:16ff:fe37:69e3/64 scope link
       valid_lft forever preferred_lft forever
14: veth112i0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
    link/ether fe:de:f1:22:91:4a brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::fcde:f1ff:fe22:914a/64 scope link
       valid_lft forever preferred_lft forever
38: veth109i0@if37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UP group default qlen 1000
    link/ether fe:04:8d:b0:9a:65 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::fc04:8dff:feb0:9a65/64 scope link
       valid_lft forever preferred_lft forever
40: veth108i0@if39: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master vmbr2 state UP group default qlen 1000
    link/ether fe:42:9e:f2:c3:12 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::fc42:9eff:fef2:c312/64 scope link
       valid_lft forever preferred_lft forever

root@pc4-svp:/etc/shorewall# ip route show
10.0.0.0/24 dev vmbr0  proto kernel  scope link  src 10.0.0.1
blackhole 10.0.0.0/8
10.1.0.0/24 dev vmbr1  proto kernel  scope link  src 10.1.0.1 linkdown
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
192.168.178.0/24 dev vmbr2  proto kernel  scope link  src 192.168.178.14
192.168.178.1 dev vmbr2  scope link  src 192.168.178.14
217.8.xxx.xxx/26 dev eth0  proto kernel  scope link  src 217.8.xxx.xxx
217.8.xxx.xxx dev eth0  scope link  src 217.8.xxx.xxx


Regards,
Thomas

Am 19.03.2016 um 19:23 schrieb Tom Eastep:
> On 03/19/2016 01:12 AM, Thomas Schneider wrote:
>> Sorry... should have read the guideline more closely.
>>
>> Attached the output of "shorewall dump".
>
> You are routing traffic from 10.0.0.0/24 out of eth0 with no SNAT.
>
> -Tom

