From: Vieri Di Paola via Shorewall-users <shorewall-users@lists.sourceforge.net>
> So if I wanted to avoid using proxy arp on the WAN interface, and since the
> bulk 10.215.0.0/16 is really on the LAN interface then I could change gw1's
> enp11s0 IP settings to 10.215.144.92/32 with a route for 10.215.0.0/16 via
> 172.16.0.1.

Hi,

I changed the network configuration in my gw1 shorewall gateway, and removed 
proxyarp=1 in fw2 as in the setup described earlier:

Internet providers --- gw1 (10.215.144.92/32 172.16.0.2/28) --- fw2 --- lan

Traffic from lan to wan is OK now, so the issue is solved.

However, there's still just one last thing that I'd like to deal with.

I tried to ping from gw1 to fw2 but failed. A tcpdump on fw2 shows that the 
ping request source IP address is 172.16.0.2. It's being blocked by fw2's 
shorewall rules. I could allow this traffic, but I'd rather keep the ACCEPT 
rule from wan:10.215.14.92 to $FW alone.
I thought I only needed to masquerade on gw1's lan interface.

Here's what I did in gw1's snat file:

SNAT($IF_LAN_MASQ_ADDRESS)      $IF_LAN_MASQ_SOURCE     $IF_LAN

The params file contains:

IF_LAN=enp11s0
IF_LAN_MASQ_ADDRESS=10.215.144.92
IF_LAN_MASQ_SOURCE=172.16.0.2

However, pings still fail for the same reason.

A tcpdump on fw2 shows requests such as:

10:50:08.948027 IP 172.16.0.2 > 10.215.144.91: ICMP echo request, id 26579, seq 8, length 64

I'm trying to masq them as "10.215.144.92 > 10.215.144.91".
I'm sending a link to gw1's dump while trying to ping 10.215.144.91 (fw2) from 
gw1 (it actually succeeds because I added the allow rule for 172.16.0.2 to fw2):

https://drive.google.com/file/d/0B-tpkY1LkI67YTVQQ2hjQi03T0U/view?usp=sharing

In short, I'd like any application running on gw1 (ping, curl, ssh, links, 
wget, etc.) to access fw2 with source address 10.215.144.92 by default instead 
of 172.16.0.2.

Any idea where my mistake is?

Thanks,

Vieri
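As an added illustration (not part of this thread, and only a simplified model of the kernel's behaviour), the following Python sketches how Linux picks the source address of a locally generated packet: an explicit `src` on the matching route wins; otherwise the first address on the outgoing interface whose subnet contains the next hop; otherwise the first address on that device. The names `gw1_routes`, `GW1_IFACES`, `select_source` and `lookup` are assumptions made for this example; on a real host, `ip route get 10.215.144.91` shows the kernel's actual choice.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None   # gateway; None = directly connected
    src: Optional[ipaddress.IPv4Address] = None   # explicit "src" hint on the route

@dataclass
class Iface:
    name: str
    addrs: List[ipaddress.IPv4Interface] = field(default_factory=list)

def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match, as the kernel's FIB lookup does."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

def select_source(routes: List[Route], ifaces: List[Iface], dst: str) -> str:
    """Return the source address the kernel would stamp on a packet to dst."""
    target = ipaddress.IPv4Address(dst)
    route = lookup(routes, target)
    if route is None:
        raise ValueError(f"no route to {dst}")
    if route.src is not None:            # 1. an explicit src hint always wins
        return str(route.src)
    iface = next(i for i in ifaces if i.name == route.dev)
    nexthop = route.via if route.via is not None else target
    for addr in iface.addrs:             # 2. first address sharing the next hop's subnet
        if nexthop in addr.network:
            return str(addr.ip)
    return str(iface.addrs[0].ip)        # 3. otherwise the first address on the device

def gw1_routes(src_hint: bool) -> List[Route]:
    """gw1's enp11s0 routing as described above (constructed); src_hint adds 'src 10.215.144.92'."""
    n, a = ipaddress.IPv4Network, ipaddress.IPv4Address
    return [
        Route(n("172.16.0.0/28"), "enp11s0"),
        Route(n("10.215.0.0/16"), "enp11s0", via=a("172.16.0.1"),
              src=a("10.215.144.92") if src_hint else None),
    ]

# gw1's LAN-side addresses from the thread (constructed sample data)
GW1_IFACES = [Iface("enp11s0", [ipaddress.IPv4Interface("10.215.144.92/32"),
                                ipaddress.IPv4Interface("172.16.0.2/28")])]
```

With the route as posted, `select_source(gw1_routes(False), GW1_IFACES, "10.215.144.91")` returns `'172.16.0.2'`, matching the tcpdump on fw2; with the `src` hint it returns `'10.215.144.92'`.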
