At 02:36 PM 12/8/2003 -0600, Troy Aden wrote:
I made these changes to shorewall and rebooted. The result was all hosts lost Internet access.
What exactly does this mean?
1. Did "all hosts" have Internet access under some prior configuration? If so, what was it?
2. How many hosts did you actually test, and what subnets were they on? In particular, did you do tests from a host on the 192.168.147.0/24 network (the one that is DIRECTLY connected to the LEAF router, if I read your routing table right)? Might there be problems with the internal routers (the various 192.168.147.d routers, that is)?
3. When you say "lost Internet access", what actual services and destinations did you use in your tests?
4. For the moment, I'm going to leave the ipsec stuff to the side, under the assumption that the undescribed problems you are seeing involve ordinary (not VPN) service connections from the various 192.168.c.0 networks to public addresses on the Internet.
5. Can the router itself access the Internet? For example, can it ping 142.165.207.254, its default gateway? If not, how does the attempt fail?
6. If you run a traceroute from an internal host to 142.165.207.254, where does the traceroute stop?
/etc/shorewall/hosts
#ZONE HOST(S) OPTIONS
loc eth1:192.168.1.0/24
loc eth1:192.168.2.0/24
loc eth1:192.168.140.0/24
loc eth1:192.168.142.0/24
loc eth1:192.168.143.0/24
loc eth1:192.168.145.0/24
loc eth1:192.168.146.0/24
loc eth1:192.168.147.0/24
loc eth1:192.168.148.0/24
If you "cheat" and specify loc as 192.168.0.0/16, does that fix any of the problems you see?
[...]
I think I may not have given all the information in my previous post. Here are the relevant configs. (Some IPs have been altered to protect the innocent)
IP ROUTE:
192.168.147.0/24 dev eth1 proto kernel scope link src 192.168.147.4
192.168.146.0/24 via 192.168.147.2 dev eth1
192.168.145.0/24 via 192.168.147.2 dev eth1
192.168.2.0/24 via 192.168.147.5 dev eth1
192.168.1.0/24 via 192.168.147.5 dev eth1
192.168.148.0/24 via 192.168.147.2 dev eth1
10.10.26.0/24 via 142.165.207.254 dev ipsec0
192.168.143.0/24 via 192.168.147.1 dev eth1
192.168.142.0/24 via 192.168.147.1 dev eth1
142.165.207.0/24 dev eth0 proto kernel scope link src 142.165.207.*
142.165.207.0/24 dev ipsec0 proto kernel scope link src 142.165.207.*
192.168.140.0/24 via 192.168.147.3 dev eth1
default via 142.165.207.254 dev eth0
You have here two routes to 142.165.207.0/24 ... one on eth0, the other on ipsec0. Since this network contains your default gateway, any problem here will interfere with Internet access. Of course, in "protecting the innocent" you may have obscured or distorted something here that matters.
[rest deleted]
leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html