On 07/27/2017 09:13 AM, Tom Eastep wrote:
> On 07/27/2017 08:51 AM, Adam Cécile wrote:
>> Hi,
>>
>> Here we go:
>>
>> 0: from all lookup local
>> 999: from all lookup main
>> 10000: from all fwmark 0x1/0xff lookup 1
>> 10001: from all fwmark 0x2/0xff lookup 2
>> 20000: from 10.13.70.138 lookup 1
>> 20000: from 192.168.195.227 lookup 2
>> 32765: from all lookup 250
>> 32767: from all lookup default
>
> Thanks
>
>>
>> On 07/27/2017 05:10 PM, Tom Eastep wrote:
>>> On 07/26/2017 11:34 PM, Adam Cécile wrote:
>>>> Hello,
>>>>
>>>> I made a quick setup using PBR to migrate a server from an old network
>>>> to a new one.
>>>>
>>>> Here is the provider file:
>>>>
>>>> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
>>>> NEW 1 1 - eth0 10.13.70.190 track
>>>> OLD 2 2 - eth1 192.168.195.254 track
>>>>
>>>> And the interfaces:
>>>>
>>>> eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>> inet 10.13.70.138 netmask 255.255.255.192 broadcast 10.13.70.191
>>>>
>>>> eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>>> inet 192.168.195.227 netmask 255.255.255.0 broadcast 192.168.195.255
>>>>
>>>> Everything is working correctly except PBR seems to be overridden if the
>>>> client is directly connected on one of the local networks.
>>>>
>>>> For instance, if I ssh to this server from another machine in
>>>> 192.168.195.0/24 on its 10.13.70.138 address, I see packets coming in on
>>>> eth0 but the response sent through eth1.
>
> I suspect that it's the other way around (requests arrive on eth1 but
> responses sent through eth0)?
>
>>> What is the output of 'ip rule ls'?
>
> I guess that I need to see the output of 'shorewall dump' (as an
> attachment) then. You can send it to me privately, if you like.
Maybe not. I take it that the machines in 192.168.195.0/24 don't know to route packets to 110.13.70.138 via 192.168.195.227? If so, then I would expect the requests to arrive on eth0 and the responses to be sent out of eth1.

While the routing in this case is asymmetric, it should work correctly and I wouldn't try to "fix" it. From the routing rules you posted above, the 'main' table is traversed before PBR is used, and the 'main' table will route packets to 192.168.195.0 out of eth1.

-Tom
--
Tom Eastep            \ Q: What do you get when you cross a mobster with
Shoreline,             \    an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
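To make the rule-order point above concrete, here is an added example (not from the thread or from Shorewall) that simulates the kernel's policy-routing walk over the 'ip rule ls' output Adam posted. The route tables are constructed assumptions built from the providers file and the interface addresses, since the thread does not include 'ip route ls'.

```python
import ipaddress

# 'ip rule ls' as posted in the thread: (priority, match, table).
RULES = [
    (0, {}, "local"),
    (999, {}, "main"),
    (10000, {"fwmark": (0x1, 0xff)}, "1"),
    (10001, {"fwmark": (0x2, 0xff)}, "2"),
    (20000, {"from": "10.13.70.138"}, "1"),
    (20000, {"from": "192.168.195.227"}, "2"),
    (32765, {}, "250"),
    (32767, {}, "default"),
]

# Constructed route tables (the thread shows no 'ip route ls'): the
# connected routes of eth0/eth1 live in 'main', each provider table
# holds only its default route from the providers file.
TABLES = {
    "main": [("10.13.70.128/26", "eth0"), ("192.168.195.0/24", "eth1")],
    "1": [("0.0.0.0/0", "eth0")],  # via 10.13.70.190
    "2": [("0.0.0.0/0", "eth1")],  # via 192.168.195.254
}

def rule_matches(match, src, fwmark):
    """Selector check: 'from' is an exact host, fwmark is (value, mask)."""
    if "from" in match and src != match["from"]:
        return False
    if "fwmark" in match:
        value, mask = match["fwmark"]
        return fwmark & mask == value
    return True

def lookup_table(table, dst):
    """Longest-prefix match in one table; None when it has no route."""
    d, best = ipaddress.ip_address(dst), None
    for prefix, dev in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def egress(src, dst, fwmark=0):
    """Walk rules by priority; a table with no route falls through to the
    next rule, as the kernel does. Returns (priority, table, device)."""
    for prio, match, table in sorted(RULES, key=lambda r: r[0]):
        if rule_matches(match, src, fwmark):
            dev = lookup_table(table, dst)
            if dev is not None:
                return prio, table, dev
    return None
```

A reply from 10.13.70.138 to a host in 192.168.195.0/24 is decided by 'main' at priority 999 and leaves via eth1 whatever its fwmark, while traffic to a non-local destination falls through to the provider rules.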
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users