Hi! I have a 2-ISP setup, and after one of the upgrade cycles (probably to Shorewall 5.1.8 on OpenSuSE Leap) my 2-ISP setup no longer works as expected. Unfortunately, I can't say for sure when this broke.
After running shorewall disable LTC1 (cutting off provider #1), it's only possible to ping the 2nd gateway (of ISP #2, BTC2); no traffic passes through. Additionally, I had to completely turn off provider #2 BTC2.

****************************************************************************
/etc/shorewall/zones
fw    firewall
net   ipv4
loc   ipv4      # 192.168.0.x
dmz   ipv4      # DNS / E-Mail / WEB server runs at DMZ 192.168.1.2
                # Squid transparent proxy runs on same shorewall PC
****************************************************************************
# LTC1 - main provider
# BTC2 - backup provider
/etc/shorewall/providers
LTC1   1   0x1   -   eth0   xx.xx.xx.xx   track,persistent,balance=1   -
BTC2   2   0x2   -   eth1   yy.yy.yy.yy   track,persistent,fallback    -
****************************************************************************
/etc/shorewall/interfaces
net   eth0   tcpflags,nosmurfs,rpfilter,sourceroute=0,optional
net   eth1   tcpflags,nosmurfs,rpfilter,sourceroute=0,optional
loc   eth2   tcpflags,nosmurfs,rpfilter
dmz   eth3   routeback
****************************************************************************
/etc/shorewall/snat
MASQUERADE   192.168.0.0/24   eth0
MASQUERADE   192.168.0.0/24   eth1
MASQUERADE   192.168.1.0/24   eth0
MASQUERADE   192.168.1.0/24   eth1
MASQUERADE   192.168.0.0/24   eth3:192.168.1.2   tcp   53
MASQUERADE   192.168.0.0/24   eth3:192.168.1.2   udp   53
****************************************************************************
/etc/shorewall/rules
DNS(ACCEPT)   all       all
ACCEPT        all       all               tcp   www,ftp,pop3,imap,smtp
DNAT          net       dmz:192.168.1.2   tcp   www,pop3,smtp,imap,ftp
DNAT          all!$FW   dmz:192.168.1.2   tcp   53
DNAT          all!$FW   dmz:192.168.1.2   udp   53
# xx.xx.xx.xx,yy.yy.yy.yy - External IPs from ISPs (LTC1 / BTC2).
DNAT          loc       dmz:192.168.1.2   tcp   www    -   xx.xx.xx.xx,yy.yy.yy.yy   # External IPs offered by ISPs.
DNAT          loc       dmz:192.168.1.2   tcp   ftp    -   xx.xx.xx.xx,yy.yy.yy.yy
DNAT          loc       dmz:192.168.1.2   tcp   smtp   -   xx.xx.xx.xx,yy.yy.yy.yy
DNAT          loc       dmz:192.168.1.2   tcp   pop3   -   xx.xx.xx.xx,yy.yy.yy.yy
DNAT          loc       dmz:192.168.1.2   tcp   imap   -   xx.xx.xx.xx,yy.yy.yy.yy
# Squid transparent proxy
REDIRECT      loc       3128              tcp   www    -   !xx.xx.xx.xx,yy.yy.yy.yy
# and many more.
****************************************************************************
/etc/shorewall/routes
EMPTY
# Can't say for sure if this config existed in previous versions of shorewall, but the system was working for sure for a long time.
****************************************************************************

Questions:

1) What needs to be changed in order to make it work again as before the upgrade?

2) If the shorewall PC needs to use the DNS server at the DMZ, not the DNS servers from the ISPs, will this work?

DNAT   all   dmz:192.168.1.2   tcp   53
DNAT   all   dmz:192.168.1.2   udp   53

Unfortunately, it's a running machine in a working environment; I can only switch it off for a few minutes.

Thanks in advance for any help.

Andrei

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
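A small diagnostic for this kind of two-provider setup, added here and not part of Andrei's post or of Shorewall itself: it classifies each provider from the output of "ip rule show" and "ip route show table <provider>" as up, disabled or broken. It assumes Shorewall's usual layout (one "lookup <provider>" policy rule per active provider, a default route via the ISP interface in that provider's table, and no rule left after "shorewall disable"); the sample output below is constructed for the eth0/LTC1 and eth1/BTC2 setup above.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Classifies a provider from
# `ip rule show` and `ip route show table <provider>` text. Assumption: an
# active provider has a "lookup <name>" rule and a default route on its
# interface; `shorewall disable <name>` removes that rule.

# Is there still a policy rule sending traffic to the provider's table?
provider_rule_present() {          # $1 = `ip rule show` text, $2 = provider
    printf '%s\n' "$1" | grep -Eq "lookup $2( |\$)"
}

# Device of the default route in a provider table (empty if there is none).
table_default_dev() {              # $1 = `ip route show table X` text
    printf '%s\n' "$1" | awk '$1=="default" { for (i=1;i<=NF;i++) if ($i=="dev") print $(i+1) }'
}

# up:       rule present and default route on the expected interface
# disabled: no rule at all (what `shorewall disable` should leave behind)
# broken:   rule present but the table has no default route on that interface
provider_state() {                 # $1 rules, $2 provider, $3 table text, $4 iface
    if ! provider_rule_present "$1" "$2"; then echo disabled; return; fi
    [ "$(table_default_dev "$3")" = "$4" ] && echo up || echo broken
}

# Constructed sample: expected state right after `shorewall disable LTC1`.
RULES='0:      from all lookup local
999:    from all lookup main
10001:  from all fwmark 0x2/0xff lookup BTC2
32766:  from all lookup main
32767:  from all lookup default'
LTC1_TABLE=''
BTC2_TABLE='default via yy.yy.yy.yy dev eth1
192.168.0.0/24 dev eth2 scope link'

echo "LTC1: $(provider_state "$RULES" LTC1 "$LTC1_TABLE" eth0)"   # disabled
echo "BTC2: $(provider_state "$RULES" BTC2 "$BTC2_TABLE" eth1)"   # up
```

On the live box, replace the sample strings with "$(ip rule show)" and "$(ip route show table LTC1)" / "$(ip route show table BTC2)"; a provider reported as "broken" while the other is "disabled" is the state in which only the gateway answers and no traffic is forwarded.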