Hello Andrew, you wrote.
I have not done much with the Dachstein-CD version, but I possibly found a cause.
I don't have a Dachstein running (using Bering :) ).
The main difference between your Eigerstein and your Dachstein setup seems to be the route.
Eigerstein:
> 139.130.0.0/16 dev ippp0 proto kernel scope link src 139.130.195.30
Dachstein:
> 139.130.195.1 dev ippp0 proto kernel scope link src 139.130.195.30
The interface ippp0 in Eigerstein is probably declared as 139.130.0.0/16, and so will be the firewall rules connected to this interface.
In the Dachstein version your firewall rules might be set so that ippp0 is only 139.130.195.1. Check that.
From the route itself you should be able to route through ippp0, as the default route is directed in this direction.
The ippp0_MASKLEN is not set:
> eval local MASKLEN=\${"$1"_MASKLEN:-""}
IMHO if you set ippp0_MASKLEN=16 then you should get the same setup as before.
Eric Wolzak
member of the Bering crew
---------------------------original message -------------
> I have configured a Dachstein CD firewall which I am using at home with a dialup system, and it works very well, and I now have several deployed around Australia on remote sites for the company I work for. The latter of these units are connected by modem to Bigpond Direct and have proven themselves to be very reliable. My problem occurs when I updated the main office firewall to Dachstein CD. This firewall currently is running Eigerstein with 2 ISDN channels and working very reliably, but I wanted to upgrade to take advantage of the latest security features and additions.
>
> On the Eigerstein version, the routes are:
>
> # ip route
> 203.47.153.64/26 dev eth1 proto kernel scope link src 203.47.153.65
> 192.168.45.0/24 dev eth0 proto kernel scope link src 192.168.45.1
> 139.130.0.0/16 dev ippp0 proto kernel scope link src 139.130.195.30
> default dev ippp0 scope link
>
> This has been working well. To get ISDN support for the Dachstein CD version, I found the files where the devices are created and added the appropriate text to the files /var/lib/lrpkg/root.dev.mk, /var/lib/lrpkg/root.dev.mod and /var/lib/lrpkg/root.dev.own, copying the exact text to each file that had been used in the Eigerstein version I am currently running. The interface devices were created in /dev and all appear to run correctly except for the routing when the firewall starts. The routes on this machine are:
>
> # ip route
> 139.130.195.1 dev ippp0 proto kernel scope link src 139.130.195.30
> 203.47.153.64/26 dev eth1 proto kernel scope link src 203.47.153.65
> 192.168.45.0/24 dev eth0 proto kernel scope link src 192.168.45.1
> default dev ippp0 scope link
>
> The address 139.130.195.1 is the peer address of the box when connected to the Bigpond Direct point of presence. The additions to the network.conf shown below were typed in exactly as they were in the previous version, so this may be part of the problem if some of the functions act differently in the Dachstein CD version. The firewall, when tested, dialled and connected both channels in multilink configuration to the ISP but is only able to access IP addresses in the 139.130.0.0/16 address range. These are only within our ISP's internal network and therefore do not allow access to the internet at large.
>
> Any assistance would be greatly appreciated, as I have been tearing my hair out for the last three weeks in my attempt to find the problem myself.
>
> Interfaces:
> # Interfaces to start on boot go here - ie "ppp0 eth0"
> # Do NOT include interfaces configured by dhcp!
> IF_AUTO="ippp0 eth0 eth1"
>
> # List of all configured interfaces, manual start and boot start
> IF_LIST="$IF_AUTO"
>
> Device settings:
> ###############################################################################
> # ISDN Link - the isdn.lrp is required for this to work. (External Interface)
> ###############################################################################
> ippp0_IPADDR=139.130.195.30 # My IP Address, only set if not dynamic.
> ippp0_PTPADDR=139.130.195.1 # Their IP Address, again only if not dynamic.
> ippp0_MYMSN=38049800 # My telephone Number
> ippp0_REMMSN=30073300 # Their telephone number (The ISP)
> ippp0_IP_SPOOF=YES
> ippp0_IP_KRNL_LOGMARTIANS=NO
> # Simple QOS support, Options are same as ethernet above.
> ippp0_FAIRQ=YES
> ippp0_TXQLEN=64
> ippp0_BNDWIDTH=64kbit # Device Bandwidth
> ippp0_HNHL=3 # Queue Handle - must be unique
> ippp0_IABURST=25 # Interactive Burst
> ippp0_IARATE=30Kbit # Interactive Rate
> ippp0_PXMTU=1500 # Physical MTU - includes Link Layer Header
>
> ippp1_IPADDR=139.130.195.30 # My IP Address, only set if not dynamic.
> ippp1_PTPADDR=139.130.195.1 # Their IP Address, again only if not dynamic.
> ippp1_MYMSN=38049800 # My telephone Number
> ippp1_REMMSN=30073300 # Their telephone number (The ISP)
> ippp1_IP_SPOOF=YES
> ippp1_IP_KRNL_LOGMARTIANS=NO
> # Simple QOS support, Options are same as ethernet above.
> ippp1_FAIRQ=YES
> ippp1_TXQLEN=64
> ippp1_BNDWIDTH=64kbit # Device Bandwidth
> ippp1_HNHL=4 # Queue Handle - must be unique
> ippp1_IABURST=25 # Interactive Burst
> ippp1_IARATE=30Kbit # Interactive Rate
> ippp1_PXMTU=1500 # Physical MTU - includes Link Layer Header
>
> Interface Activation Section:
> if_up () {
> local ADDR
>
> # sort out a few things to make life easier - here so that you
> # can see what is done and so that you can add anything if needed
> eval local IPADDR=\${"$1"_IPADDR:-""} # I am also a good genius
> eval local MASKLEN=\${"$1"_MASKLEN:-""}
> eval local BROADCAST=\${"$1"_BROADCAST:-""}
> eval local MYMSN=\${"$1"_MYMSN:-""}
> eval local REMMSN=\${"$1"_REMMSN:-""}
> eval local PTPADDR=\${"$1"_PTPADDR:-""}
> eval local PXMTU=\${"$1"_PXMTU:-""}
> eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
> eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
> eval local ROUTES=\${"$1"_ROUTES:-""}
> eval local FAIRQ=\${"$1"_FAIRQ:-""}
> eval local TXQLEN=\${"$1"_TXQLEN:-""}
> eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
> eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
> eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
> eval local BRIDGE=\${"$1"_BRIDGE:-""}
> eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
> if [ -n "$BROADCAST" ] ; then
> IFCFG_BROADCAST="broadcast $BROADCAST"
> fi
>
> # Do dee global bridge stuff
> brg_global
>
> # Set default interface flags here - used for PPP and WAN interfaces
> if_setproc default rp_filter $DEF_IP_SPOOF
> if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
> if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS
>
> # Set up each interface
> case $1 in
> ppp0)
> pppd call provider
> ;;
> ippp*)
> # Get ppp user
> USER=`cat /etc/ppp/pap-secrets | grep ^[a-zA-Z0-9] | sed 's/\*.*//'`
>
> # Set up the ISDN interface
> isdnctrl verbose 3 #>/dev/null
> isdnctrl system on #>/dev/null
> isdnctrl addif $1 #>/dev/null
> isdnctrl pppbind $1 0 #>/dev/null
> isdnctrl addphone $1 out $REMMSN #>/dev/null
> isdnctrl eaz $1 $MYMSN #>/dev/null
> isdnctrl l2_prot $1 hdlc #>/dev/null
> isdnctrl l3_prot $1 trans #>/dev/null
> isdnctrl encap $1 syncppp #>/dev/null
> isdnctrl huptimeout $1 43200 #>/dev/null
> isdnctrl dialmode $1 auto #>/dev/null
>
> # Set up second channel on ISDN card as a slave to the first.
> isdnctrl addslave $1 ippp1
> isdnctrl addphone ippp1 out $REMMSN #>/dev/null
> isdnctrl eaz ippp1 $MYMSN #>/dev/null
> isdnctrl l2_prot ippp1 hdlc #>/dev/null
> isdnctrl l3_prot ippp1 trans #>/dev/null
> isdnctrl encap ippp1 syncppp #>/dev/null
> isdnctrl huptimeout ippp1 43200 #>/dev/null
> isdnctrl dialmode ippp1 auto #>/dev/null
>
> if [ -z "$IPADDR" ] ; then
> echo 1 >/proc/sys/net/ipv4/ip_dynaddr
> ip link set $1 dynamic on
> else
> ip addr add $IPADDR peer $PTPADDR dev $1
> fi
> ip link set $1 arp off multicast off
> ip link set $1 up
>
> # Debugging - Remove if you like
> echo Local Address $IPADDR
> echo Peer Address $PTPADDR
>
> if [ -z "$IPADDR" ] ; then
> /usr/sbin/ipppd mru 1500 mtu $PXMTU ipcp-accept-local ipcp-accept-remote lcp-restart 1 name $USER noipdefault +mp /dev/$1 /dev/ippp1 &
> else
> /usr/sbin/ipppd mru 1500 mtu $PXMTU lcp-restart 1 name $USER $IPADDR:$PTPADDR +mp /dev/$1 /dev/ippp1 &
> fi
> ip route add default dev $1
> # Fair queuing - this can be selected for any interface
> ip_frQoS $1
> ;;
> fr*)
> wanconfig card wanpipe1 dev $1 start
> ip addr add $IPADDR peer $PTPADDR dev $1
> ip link set $1 up
> # Fair queuing - this can be selected for any interface
> ip_frQoS $1
> ;;
> nat*)
> eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
> walk_list $1_PAIR $INIT_INDEX do_nat add $BASE_PRI
> ;;
> *) # default interface startup
> brg_iface $1 up $BRIDGE
> [ -n "$IPADDR" ] \
> && ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
> for ADDR in $IP_EXTRA_ADDRS; do
> ip addr add $ADDR dev $1
> done
>
> ip link set $1 up
>
> case "$PROXY_ARP" in
> YES|Yes|yes)
> ip route flush dev $1
> ;;
> *)
> ;;
> esac
>
> # Fair queuing - this can be selected for any interface
> ip_QoS $1
> ;;
> esac
>
> for route in $ROUTES; do
> echo Route: $route
> ip route add `echo_rtepfx $route` dev $1 `echo_rteargs $route`
> done
>
> # Do universal interface config items here
> # Default route support
> [ -n "$DEFAULT_GW" ] \
> && ip route replace default nexthop via $DEFAULT_GW dev $1
> # Set the TX Queue Length
> [ -n "$TXQLEN" ] \
> && ip link set $1 txqlen $TXQLEN
> # Spoof protection
> if_setproc $1 rp_filter $IP_SPOOF
> # Kernel logging of martians on this interface
> if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
> # Shared Media stuff
> if_setproc $1 shared_media $IP_SHARED_MEDIA
> # Proxy ARP support
> if_setproc $1 proxy_arp $PROXY_ARP
>
> return 0
> }
>
> if_down () {
>
> # Do Dee global bridge stuff
> brg_global
>
> case $1 in
> ppp*)
> [ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
> sleep 5 # Wait for pppd to die
> ;;
> ippp*)
> isdnctrl hangup $1
> sleep 1
> kill `cat /var/run/ipppd.pid`
> ip route del dev $1
> ip link set $1 down
> isdnctrl delif $1
> ;;
> fr*)
> qt ip link set $1 down
> qt ip addr flush dev $1
> qt wanconfig card wanpipe1 dev $1 stop
> ;;
> nat*)
> eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
> walk_list $1_PAIR $INIT_INDEX do_nat del $BASE_PRI
> ;;
> *) # default action
> brg_iface $1 down
> ip link set $1 down # This also kills any routes
> qt ip addr flush dev $1
> ;;
> esac
>
> # Clean up any QoS/fair queuing stuff
> ip_QoSclear $1
>
> true
>
> } #END if_down
>
> Andrew GRAY
_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
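An added example, not part of either mail or of the LEAF scripts: a longest-prefix route lookup in POSIX sh over the two "ip route" tables quoted in the thread (copied into the block as constructed strings; the destinations used in the calls and checks are made up). It shows what the reply above argues from the routes: with either table, anything outside the two LANs already leaves by ippp0, the Dachstein table differing only in the peer host route that replaces the /16, so the routes alone do not explain the symptom.

```shell
# Added example (not from the LEAF network.conf or either mail): look up
# which device a destination would leave by, using the two route tables
# quoted in the thread. Tables below are constructed from the post.

EIGER_ROUTES='203.47.153.64/26 dev eth1 proto kernel scope link src 203.47.153.65
192.168.45.0/24 dev eth0 proto kernel scope link src 192.168.45.1
139.130.0.0/16 dev ippp0 proto kernel scope link src 139.130.195.30
default dev ippp0 scope link'

DACH_ROUTES='139.130.195.1 dev ippp0 proto kernel scope link src 139.130.195.30
203.47.153.64/26 dev eth1 proto kernel scope link src 203.47.153.65
192.168.45.0/24 dev eth0 proto kernel scope link src 192.168.45.1
default dev ippp0 scope link'

# Dotted quad to integer with shell arithmetic only (no external tools).
ip2int () {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# lookup DEST TABLE: print the device of the most specific matching route,
# or "none". A bare host (no /len) is a /32; "default" is 0.0.0.0/0.
lookup () {
    local dst; dst=$(ip2int "$1")
    printf '%s\n' "$2" | {
        best_len=-1; best_dev=none
        while read -r pfx kw dev rest; do
            case $pfx in
                default) n=0.0.0.0; m=0 ;;
                */*)     n=${pfx%/*}; m=${pfx#*/} ;;
                *)       n=$pfx; m=32 ;;
            esac
            # Mask for /m; for m=0 the shift past 32 bits leaves 0.
            mask=$(( (4294967295 << (32 - m)) & 4294967295 ))
            if [ $(( dst & mask )) -eq $(( $(ip2int "$n") & mask )) ] \
               && [ "$m" -gt "$best_len" ]; then
                best_len=$m; best_dev=$dev
            fi
        done
        echo "$best_dev"
    }
}

# An ISP-internal address (made up) leaves by ippp0 under both tables.
lookup 139.130.1.1 "$DACH_ROUTES"
lookup 139.130.1.1 "$EIGER_ROUTES"
```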