Hello Andrew, you wrote (quoted below).

I have not done much with the Dachstein CD version, but I have possibly found a cause. I don't have a Dachstein running (using Bering :) ). The main difference between your Eigerstein and your Dachstein setup seems to be the route:

eigerstein > 139.130.0.0/16 dev ippp0 proto kernel scope link src 139.130.195.30
dachstein  > 139.130.195.1 dev ippp0 proto kernel scope link src 139.130.195.30

In Eigerstein the interface ippp0 is probably declared as 139.130.0.0/16, and so will be the firewall rules connected to this interface. In the Dachstein version your firewall rules might be such that ippp0 is only 139.130.195.1; check that.

From the route itself you should be able to route through ippp0, as the default route is directed in this direction.

The ippp0_MASKLEN is not set:

> eval local MASKLEN=\${"$1"_MASKLEN:-""}

IMHO if you set ippp0_MASKLEN=16 then you should get the same setup as before.

Eric Wolzak
member of the Bering crew

---------------------------original message -------------

> I have configured a Dachstein CD firewall which I am using at home with a dialup system, and it works very well, and I now have several deployed around Australia on remote sites for the company I work for. The latter of these units are connected by modem to Bigpond Direct and have proven themselves to be very reliable. My problem occurs when I updated the main office firewall to Dachstein CD. This firewall currently is running Eigerstein with 2 ISDN channels and working very reliably, but I wanted to upgrade to take advantage of the latest security features and additions.
>
> On the Eigerstein version, the routes are:
>
> # ip route
> 203.47.153.64/26 dev eth1 proto kernel scope link src 203.47.153.65
> 192.168.45.0/24 dev eth0 proto kernel scope link src 192.168.45.1
> 139.130.0.0/16 dev ippp0 proto kernel scope link src 139.130.195.30
> default dev ippp0 scope link
>
> This has been working well. To get ISDN support for the Dachstein CD version, I found the files where the devices are created and added the appropriate text to the files /var/lib/lrpkg/root.dev.mk, /var/lib/lrpkg/root.dev.mod and /var/lib/lrpkg/root.dev.own, copying the exact text to each file that had been used in the Eigerstein version I am currently running. The interface devices were created in /dev and all appear to run correctly except for the routing when the firewall starts. The routes on this machine are:
>
> # ip route
> 139.130.195.1 dev ippp0 proto kernel scope link src 139.130.195.30
> 203.47.153.64/26 dev eth1 proto kernel scope link src 203.47.153.65
> 192.168.45.0/24 dev eth0 proto kernel scope link src 192.168.45.1
> default dev ippp0 scope link
>
> The address 139.130.195.1 is the peer address of the box when connected to the Bigpond Direct point of presence. The additions to the network.conf shown below were typed in exactly as they were in the previous version, so this may be part of the problem if some of the functions act differently in the Dachstein CD version. The firewall, when tested, dialled and connected both channels in multilink configuration to the ISP, but is only able to access IP addresses in the 139.130.0.0/16 address range. These are only within our ISP's internal network and therefore do not allow access to the internet at large.
>
> Any assistance would be greatly appreciated, as I have been tearing my hair out for the last three weeks in my attempt to find the problem myself.
>
> Interfaces:
>
> # Interfaces to start on boot go here - ie "ppp0 eth0"
> # Do NOT include interfaces configured by dhcp!
> IF_AUTO="ippp0 eth0 eth1"
>
> # List of all configured interfaces, manual start and boot start
> IF_LIST="$IF_AUTO"
>
> Device settings:
>
> ###############################################################################
> # ISDN Link - the isdn.lrp is required for this to work. (External Interface)
> ###############################################################################
> ippp0_IPADDR=139.130.195.30        # My IP Address, only set if not dynamic.
> ippp0_PTPADDR=139.130.195.1        # Their IP Address, again only if not dynamic.
> ippp0_MYMSN=38049800               # My telephone Number
> ippp0_REMMSN=30073300              # Their telephone number (The ISP)
> ippp0_IP_SPOOF=YES
> ippp0_IP_KRNL_LOGMARTIANS=NO
> # Simple QOS support, Options are same as ethernet above.
> ippp0_FAIRQ=YES
> ippp0_TXQLEN=64
> ippp0_BNDWIDTH=64kbit              # Device Bandwidth
> ippp0_HNHL=3                       # Queue Handle - must be unique
> ippp0_IABURST=25                   # Interactive Burst
> ippp0_IARATE=30Kbit                # Interactive Rate
> ippp0_PXMTU=1500                   # Physical MTU - includes Link Layer Header
>
> ippp1_IPADDR=139.130.195.30        # My IP Address, only set if not dynamic.
> ippp1_PTPADDR=139.130.195.1        # Their IP Address, again only if not dynamic.
> ippp1_MYMSN=38049800               # My telephone Number
> ippp1_REMMSN=30073300              # Their telephone number (The ISP)
> ippp1_IP_SPOOF=YES
> ippp1_IP_KRNL_LOGMARTIANS=NO
> # Simple QOS support, Options are same as ethernet above.
> ippp1_FAIRQ=YES
> ippp1_TXQLEN=64
> ippp1_BNDWIDTH=64kbit              # Device Bandwidth
> ippp1_HNHL=4                       # Queue Handle - must be unique
> ippp1_IABURST=25                   # Interactive Burst
> ippp1_IARATE=30Kbit                # Interactive Rate
> ippp1_PXMTU=1500                   # Physical MTU - includes Link Layer Header
>
> Interface Activation Section:
>
> if_up () {
>     local ADDR
>
>     # sort out a few things to make life easier - here so that you
>     # can see what is done and so that you can add anything if needed
>     eval local IPADDR=\${"$1"_IPADDR:-""}    # I am also a good genius
>     eval local MASKLEN=\${"$1"_MASKLEN:-""}
>     eval local BROADCAST=\${"$1"_BROADCAST:-""}
>     eval local MYMSN=\${"$1"_MYMSN:-""}
>     eval local REMMSN=\${"$1"_REMMSN:-""}
>     eval local PTPADDR=\${"$1"_PTPADDR:-""}
>     eval local PXMTU=\${"$1"_PXMTU:-""}
>     eval local DEFAULT_GW=\${"$1"_DEFAULT_GW:-""}
>     eval local IP_EXTRA_ADDRS=\${"$1"_IP_EXTRA_ADDRS:-""}
>     eval local ROUTES=\${"$1"_ROUTES:-""}
>     eval local FAIRQ=\${"$1"_FAIRQ:-""}
>     eval local TXQLEN=\${"$1"_TXQLEN:-""}
>     eval local IP_SPOOF=\${"$1"_IP_SPOOF:-""}
>     eval local IP_KRNL_LOGMARTIANS=\${"$1"_IP_KRNL_LOGMARTIANS:-""}
>     eval local IP_SHARED_MEDIA=\${"$1"_IP_SHARED_MEDIA:-""}
>     eval local BRIDGE=\${"$1"_BRIDGE:-""}
>     eval local PROXY_ARP=\${"$1"_PROXY_ARP:-""}
>     if [ -n "$BROADCAST" ] ; then
>         IFCFG_BROADCAST="broadcast $BROADCAST"
>     fi
>
>     # Do dee global bridge stuff
>     brg_global
>
>     # Set default interface flags here - used for PPP and WAN interfaces
>     if_setproc default rp_filter $DEF_IP_SPOOF
>     if_setproc default log_martians $DEF_IP_KRNL_LOGMARTIANS
>     if_setproc all accept_redirects $ALLIF_ACCEPT_REDIRECTS
>
>     # Set up each interface
>     case $1 in
>     ppp0)
>         pppd call provider
>         ;;
>     ippp*)
>         # Get ppp user
>         USER=`cat /etc/ppp/pap-secrets | grep ^[a-zA-Z0-9] | sed 's/\*.*//'`
>
>         # Set up the ISDN interface
>         isdnctrl verbose 3              #>/dev/null
>         isdnctrl system on              #>/dev/null
>         isdnctrl addif $1               #>/dev/null
>         isdnctrl pppbind $1 0           #>/dev/null
>         isdnctrl addphone $1 out $REMMSN #>/dev/null
>         isdnctrl eaz $1 $MYMSN          #>/dev/null
>         isdnctrl l2_prot $1 hdlc        #>/dev/null
>         isdnctrl l3_prot $1 trans       #>/dev/null
>         isdnctrl encap $1 syncppp       #>/dev/null
>         isdnctrl huptimeout $1 43200    #>/dev/null
>         isdnctrl dialmode $1 auto       #>/dev/null
>
>         # Set up second channel on ISDN card as a slave to the first.
>         isdnctrl addslave $1 ippp1
>         isdnctrl addphone ippp1 out $REMMSN #>/dev/null
>         isdnctrl eaz ippp1 $MYMSN       #>/dev/null
>         isdnctrl l2_prot ippp1 hdlc     #>/dev/null
>         isdnctrl l3_prot ippp1 trans    #>/dev/null
>         isdnctrl encap ippp1 syncppp    #>/dev/null
>         isdnctrl huptimeout ippp1 43200 #>/dev/null
>         isdnctrl dialmode ippp1 auto    #>/dev/null
>
>         if [ -z "$IPADDR" ] ; then
>             echo 1 >/proc/sys/net/ipv4/ip_dynaddr
>             ip link set $1 dynamic on
>         else
>             ip addr add $IPADDR peer $PTPADDR dev $1
>         fi
>         ip link set $1 arp off multicast off
>         ip link set $1 up
>
>         # Debugging - Remove if you like
>         echo Local Address $IPADDR
>         echo Peer Address $PTPADDR
>
>         if [ -z "$IPADDR" ] ; then
>             /usr/sbin/ipppd mru 1500 mtu $PXMTU ipcp-accept-local ipcp-accept-remote lcp-restart 1 name $USER noipdefault +mp /dev/$1 /dev/ippp1 &
>         else
>             /usr/sbin/ipppd mru 1500 mtu $PXMTU lcp-restart 1 name $USER $IPADDR:$PTPADDR +mp /dev/$1 /dev/ippp1 &
>         fi
>         ip route add default dev $1
>         # Fair queuing - this can be selected for any interface
>         ip_frQoS $1
>         ;;
>     fr*)
>         wanconfig card wanpipe1 dev $1 start
>         ip addr add $IPADDR peer $PTPADDR dev $1
>         ip link set $1 up
>         # Fair queuing - this can be selected for any interface
>         ip_frQoS $1
>         ;;
>     nat*)
>         eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
>         walk_list $1_PAIR $INIT_INDEX do_nat add $BASE_PRI
>         ;;
>     *)  # default interface startup
>         brg_iface $1 up $BRIDGE
>         [ -n "$IPADDR" ] \
>             && ip addr add $IPADDR/$MASKLEN $IFCFG_BROADCAST dev $1
>         for ADDR in $IP_EXTRA_ADDRS; do
>             ip addr add $ADDR dev $1
>         done
>
>         ip link set $1 up
>
>         case "$PROXY_ARP" in
>         YES|Yes|yes)
>             ip route flush dev $1
>             ;;
>         *)
>             ;;
>         esac
>
>         # Fair queuing - this can be selected for any interface
>         ip_QoS $1
>         ;;
>     esac
>
>     for route in $ROUTES; do
>         echo Route: $route
>         ip route add `echo_rtepfx $route` dev $1 `echo_rteargs $route`
>     done
>
>     # Do universal interface config items here
>     # Default route support
>     [ -n "$DEFAULT_GW" ] \
>         && ip route replace default nexthop via $DEFAULT_GW dev $1
>     # Set the TX Queue Length
>     [ -n "$TXQLEN" ] \
>         && ip link set $1 txqlen $TXQLEN
>     # Spoof protection
>     if_setproc $1 rp_filter $IP_SPOOF
>     # Kernel logging of martians on this interface
>     if_setproc $1 log_martians $IP_KRNL_LOGMARTIANS
>     # Shared Media stuff
>     if_setproc $1 shared_media $IP_SHARED_MEDIA
>     # Proxy ARP support
>     if_setproc $1 proxy_arp $PROXY_ARP
>
>     return 0
> }
>
> if_down () {
>
>     # Do Dee global bridge stuff
>     brg_global
>
>     case $1 in
>     ppp*)
>         [ -f /var/run/$1.pid ] && qt kill `cat /var/run/$1.pid`
>         sleep 5                 # Wait for pppd to die
>         ;;
>     ippp*)
>         isdnctrl hangup $1
>         sleep 1
>         kill `cat /var/run/ipppd.pid`
>         ip route del dev $1
>         ip link set $1 down
>         isdnctrl delif $1
>         ;;
>     fr*)
>         qt ip link set $1 down
>         qt ip addr flush dev $1
>         qt wanconfig card wanpipe1 dev $1 stop
>         ;;
>     nat*)
>         eval local BASE_PRI=\${"$1"_BASE_PRI:-""}
>         walk_list $1_PAIR $INIT_INDEX do_nat del $BASE_PRI
>         ;;
>     *)  # default action
>         brg_iface $1 down
>         ip link set $1 down     # This also kills any routes
>         qt ip addr flush dev $1
>         ;;
>     esac
>
>     # Clean up any QoS/fair queuing stuff
>     ip_QoSclear $1
>
>     true
>
> } #END if_down
>
> Andrew GRAY

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
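Added example, not from the thread or from the LEAF project: a small POSIX sh script that predicts the connected route the kernel installs for the `ip addr add LOCAL peer PEER[/N] dev IF` form used in the quoted ippp* branch, following the ip(8) rule that a prefix length given with `peer` belongs to the peer address, so `peer 139.130.195.1` alone produces the single-host route seen on the Dachstein box while `peer 139.130.195.1/16` produces the /16 seen on Eigerstein. It generalises to any prefix length and any point-to-point interface name, and never calls ip(8), so it runs unprivileged.

```shell
#!/bin/sh
# Constructed example: model the route "ip addr add LOCAL peer PEER[/N]"
# creates, without touching the live system.

# Dotted quad -> 32-bit integer.
ip2int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# predict_route IFACE LOCAL PEER[/N]
# Prints the "ip route" line the kernel would show for the connected route.
predict_route() {
    iface=$1 local_ip=$2 peer_spec=$3
    peer=${peer_spec%%/*}
    case $peer_spec in
        */*) plen=${peer_spec##*/} ;;
        *)   plen=32 ;;   # no prefix on the peer: ip(8) assumes /32
    esac
    if [ "$plen" -ge 32 ]; then
        # Host route to the peer only: the Dachstein symptom in the post.
        echo "$peer dev $iface proto kernel scope link src $local_ip"
    else
        # Prefix is applied to the peer address, giving a network route.
        mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
        net=$(int2ip $(( $(ip2int "$peer") & mask )))
        echo "$net/$plen dev $iface proto kernel scope link src $local_ip"
    fi
}

# Same IPADDR/PTPADDR values as the post; only the peer prefix differs.
predict_route ippp0 139.130.195.30 139.130.195.1      # Dachstein-style route
predict_route ippp0 139.130.195.30 139.130.195.1/16   # Eigerstein-style route
```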