On 07/27/2017 06:39 PM, Tom Eastep wrote:
On 07/27/2017 09:13 AM, Tom Eastep wrote:
On 07/27/2017 08:51 AM, Adam Cécile wrote:
Hi,
Here we go:
0: from all lookup local
999: from all lookup main
10000: from all fwmark 0x1/0xff lookup 1
10001: from all fwmark 0x2/0xff lookup 2
20000: from 10.13.70.138 lookup 1
20000: from 192.168.195.227 lookup 2
32765: from all lookup 250
32767: from all lookup default
Thanks
On 07/27/2017 05:10 PM, Tom Eastep wrote:
On 07/26/2017 11:34 PM, Adam Cécile wrote:
Hello,
I made a quick setup using PBR to migrate a server from an old network
to a new one.
Here is the provider file:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
NEW 1 1 - eth0 10.13.70.190 track
OLD 2 2 - eth1 192.168.195.254 track
And the interfaces:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.13.70.138 netmask 255.255.255.192 broadcast 10.13.70.191
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.195.227 netmask 255.255.255.0 broadcast 192.168.195.255
Everything is working correctly except that PBR seems to be overridden if the
client is directly connected to one of the local networks.
For instance, if I ssh to this server from another machine in
192.168.195.0/24 on its 10.13.70.138 address, I see packets coming in on
eth0 but the response sent through eth1.
I suspect that it's the other way around (requests arrive on eth1 but
responses sent through eth0)?
Nope, the way I told you: 192.168.195.1 sends a packet to this machine
using its 10.13.70.190 address. Its default gateway knows about all
networks and routes it to 10.13.70.190 on eth0. The response is sent using
eth1. I expect it to be sent back through eth0.
What is the output of 'ip rule ls'?
I guess that I need to see the output of 'shorewall dump' (as an
attachment) then. You can send it to me privately, if you like.
Will do, in private, in a few minutes; it's not a home setup so I have to
connect a few things before!
Maybe not. I take it that the machines in 192.168.195.0/24 don't know to
route packets to 110.13.70.138 via 192.168.195.227?
Sorry, I don't get it. It's the same default gateway for everyone. No
matter whether we're talking about the client or the PBR-configured machine,
both 10.13 and 192.168 are using the same firewall as default gateway.
If so, then I would
expect the requests to arrive on eth0 and the responses to be sent out
of eth1. While the routing in this case is asymmetric, it should work
correctly and I wouldn't try to "fix" it.
From the routing rules you posted above, the 'main' table is traversed
before PBR is used, and the 'main' table will route packets to
192.168.195.0 out of eth1.
Sounds like the root of the issue to me!
-Tom
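The point Tom makes about rule ordering can be checked without touching a live box. The following is an added illustration, not code from the thread or from Shorewall: a small simulation of the kernel's routing policy database (RPDB) that walks the `ip rule ls` output posted above in priority order and does a longest-prefix match in the selected table. The routing tables are reconstructed from the interface and provider output in the thread (connected routes in `main`, one default route each in tables 1 and 2); the contents of tables 250 and `default` were not posted, so they are modelled as empty, and the `main_moved_after_pbr` ordering is a hypothetical used only to show the effect of priority, not a recommended Shorewall configuration.

```python
"""Simulate Linux policy routing lookups (constructed example, not Shorewall code).

Rules and routes below are transcribed from the mailing-list thread; tables
250 and 'default' were not shown there and are modelled as empty.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str            # destination prefix, or "default"
    dev: str               # egress interface
    via: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    priority: int
    table: str
    src: Optional[str] = None     # "from X" selector; None means "from all"
    fwmark: Optional[int] = None  # "fwmark V/M" selector
    mask: int = 0xFF


# Routing tables as implied by the thread (assumption: main has only the two
# connected routes; the default route is assumed to live in the 'default' table,
# whose contents were not posted, so it is left empty here).
TABLES = {
    "local": [Route("10.13.70.138/32", "lo"), Route("192.168.195.227/32", "lo")],
    "main": [Route("10.13.70.128/26", "eth0"), Route("192.168.195.0/24", "eth1")],
    "1": [Route("default", "eth0", via="10.13.70.190")],
    "2": [Route("default", "eth1", via="192.168.195.254")],
    "250": [],
    "default": [],
}

# Exactly the 'ip rule ls' output posted in the thread.
RULES_AS_POSTED = [
    Rule(0, "local"),
    Rule(999, "main"),
    Rule(10000, "1", fwmark=0x1),
    Rule(10001, "2", fwmark=0x2),
    Rule(20000, "1", src="10.13.70.138"),
    Rule(20000, "2", src="192.168.195.227"),
    Rule(32765, "250"),
    Rule(32767, "default"),
]


def lookup_table(table, dst):
    """Longest-prefix match of dst in one routing table; None if no route."""
    best, best_len = None, -1
    for route in table:
        net = ip_network("0.0.0.0/0" if route.prefix == "default" else route.prefix)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def route_packet(rules, tables, src, dst, fwmark=0):
    """Walk rules by ascending priority; the first rule whose selectors match
    AND whose table holds a route for dst decides. Returns
    (rule priority, table, egress device) or None."""
    for rule in sorted(rules, key=lambda r: r.priority):   # stable sort keeps posted order
        if rule.src is not None and ip_address(src) != ip_address(rule.src):
            continue
        if rule.fwmark is not None and (fwmark & rule.mask) != rule.fwmark:
            continue
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.priority, rule.table, hit.dev
    return None


def reply_egress_as_posted():
    """Reply from the host's eth0 address to a client on 192.168.195.0/24.
    The unmarked reply reaches 'main' at priority 999 first, which has a
    connected route for the destination, so eth1 wins before any PBR rule."""
    return route_packet(RULES_AS_POSTED, TABLES, src="10.13.70.138", dst="192.168.195.1")


def main_moved_after_pbr():
    """Hypothetical ordering (assumption, for illustration only): main at a
    priority above the source-address rules, so 'from 10.13.70.138' is consulted first."""
    return [Rule(30000, "main") if r.priority == 999 else r for r in RULES_AS_POSTED]


def reply_egress_with_main_after_pbr():
    return route_packet(main_moved_after_pbr(), TABLES, src="10.13.70.138", dst="192.168.195.1")


if __name__ == "__main__":
    print("as posted:          ", reply_egress_as_posted())
    print("main after PBR:     ", reply_egress_with_main_after_pbr())
    print("marked 0x1 to 8.8.8.8:", route_packet(RULES_AS_POSTED, TABLES, "192.168.195.227", "8.8.8.8", fwmark=0x1))
```

Running it shows the reply being decided by the `main` table at priority 999 (egress eth1), while under the hypothetical ordering the `from 10.13.70.138` rule at 20000 selects table 1 and eth0. Packets to a non-local destination never match `main` in this model, so the mark and source rules behave as intended; the asymmetry only appears for directly connected subnets, which is the case reported above. As Tom notes, that asymmetric path is legitimate and will work; the simulation just makes visible which rule is choosing the interface.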
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users