[leaf-user] Switched from ES to Bering. NAT not working right
I hope you can help me. I've been using ESb4 and its predecessors for about two years and decided it's time to upgrade to a more modern LEAF. I downloaded Bering V1.0-rc3 and documentation and made the suggested changes for my particular situation: several workstations behind LEAF, which is handling the pppoe connection to the ISP through the ADSL modem. No port forwarding going on. The pppoe link came up without a hitch but packet forwarding is not working.

Symptoms:

1. I can ping the firewall from a workstation and can browse the weblet (nice improvements there, BTW).
2. I can ping the workstations and external sites from the firewall.
3. I *can't* ping (unreachable destination) external sites by IP from the workstations through the firewall. It also causes a reject in the logs. See excerpt from logs below.
4. I *can't* ping (long delay and eventual unknown host xxx) an external site by name. It also causes a flurry of rejects in the logs as dnscache tries to hit the root nameservers (which seems at odds with #2, above). See excerpt from logs below.

Examples from logs.

In response to ping from workstation, through firewall, to internet by IP:

Aug 4 15:15:48 firewall kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=64.58.76.223 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=11272 SEQ=0

In response to ping from workstation, through firewall, to internet by name:

Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.36.148.17 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=60946 DF PROTO=UDP SPT=33411 DPT=53 LEN=39
Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.5.5.241 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=53616 DF PROTO=UDP SPT=2809 DPT=53 LEN=39
... etc. ((many, many of these))

The only suspicious thing during bootup is a Shorewall warning:

Setting up Kernel Route Filtering...
Warning: Cannot set route filtering on eth0

I went into /etc/shorewall/shorewall.conf and set route filtering to Yes and that caused the warning to go away. I also set clamp MSS to Yes since the documentation mentioned similar symptoms and that it might be needed by a braindead ISP using pppoe, which is definitely my situation. Neither change helped the main problem, though.

Following are some diagnostics that I hope will help. Please let me know if there's something else I should be looking for. Hope it doesn't wrap too badly; I'm using Yahoo mail.

-John

===== Shorewall configuration data =====

/etc/shorewall/shorewall.conf: (most comments deleted)

##
# /etc/shorewall/shorewall.conf V1.3 - Change the following variables to
##
FW=fw
SUBSYSLOCK=/var/run/shorwall
STATEDIR=/var/lib/shorewall
ALLOWRELATED=yes
MODULESDIR=
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
LOGFILE=/var/log/messages
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS=No
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes

/etc/shorewall/zones
#ZONE   DISPLAY COMMENTS
net     Net     Internet
loc     Local   Local networks

/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
#net    eth0        detect      dhcp,routefilter,norfc1918
net     eth0        detect      routefilter,norfc1918
loc     eth1        detect      routestopped

/etc/shorewall/rules
#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
#                               PORT    PORT(S) DEST
#
# Accept DNS connections from the firewall to the network
#
ACCEPT  fw      net     tcp     53
ACCEPT  fw      net     udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT  loc     fw      tcp     22
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT  loc     fw      udp     53
ACCEPT  loc     fw      tcp     80

/etc/shorewall/masq
#INTERFACE      SUBNET          ADDRESS
eth0            eth1

===== ESbeta4 versus Bering setup =====

OLD = ESbeta4 output
NEW = Bering v1.0-rc3 output

OLD ip route show
10.1.61.1 dev ppp0 proto kernel scope link src 138.88.7.20
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
default via 10.1.61.1 dev ppp0

NEW ip route show
10.1.61.1 dev ppp0 proto kernel
Re: [leaf-user] Switched from ES to Bering. NAT not working right
On Sunday 4 August 2002 18:43, John Desmond wrote:

> I hope you can help me. I've been using ESb4 and its predecessors for about two years and decided it's time to upgrade to a more modern LEAF. I downloaded Bering V1.0-rc3 and documentation and made the suggested changes for my particular situation: several workstations behind LEAF, which is handling the pppoe connection to the ISP through the ADSL modem. No port forwarding going on. The pppoe link came up without a hitch but packet forwarding is not working.
>
> Symptoms:
>
> 1. I can ping the firewall from a workstation and can browse the weblet (nice improvements there, BTW).
> 2. I can ping the workstations and external sites from the firewall.
> 3. I *can't* ping (unreachable destination) external sites by IP from the workstations through the firewall. It also causes a reject in the logs. See excerpt from logs below.
> 4. I *can't* ping (long delay and eventual unknown host xxx) an external site by name. It also causes a flurry of rejects in the logs as dnscache tries to hit the root nameservers (which seems at odds with #2, above). See excerpt from logs below.

Your ppp interface does not seem to be declared in your shorewall interfaces file.

> ===== Shorewall configuration data =====
>
> /etc/shorewall/shorewall.conf: (most comments deleted)
>
> CLAMPMSS=No

should probably be set to Yes

> /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> #net    eth0        detect      dhcp,routefilter,norfc1918
> net     eth0        detect      routefilter,norfc1918
> loc     eth1        detect      routestopped

From the doc: http://leaf.sourceforge.net/devel/jnilo/bupppoe.html#AEN361
it should probably look like:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        -           routefilter
loc     eth1        detect      routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

What does your /etc/network/interfaces look like?
http://leaf.sourceforge.net/devel/jnilo/bupppoe.html#AEN341

Jacques

---
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Switched from ES to Bering. NAT not working right
On Sun, 04 Aug 2002 09:43:22 PDT John Desmond wrote:

Thank you for all the details, John. They really help in the troubleshooting process. I have snipped most of them below to save bandwidth.

> I hope you can help me. I've been using ESb4 and its predecessors for about two years and decided it's time to upgrade to a more modern LEAF. I downloaded Bering V1.0-rc3 and documentation and made the suggested changes for my particular situation: several workstations behind LEAF, which is handling the pppoe connection to the ISP through the ADSL modem. No port forwarding going on. The pppoe link came up without a hitch but packet forwarding is not working.
>
> Symptoms:
>
> 1. I can ping the firewall from a workstation and can browse the weblet (nice improvements there, BTW).
> 2. I can ping the workstations and external sites from the firewall.
> 3. I *can't* ping (unreachable destination) external sites by IP from the workstations through the firewall. It also causes a reject in the logs. See excerpt from logs below.
> 4. I *can't* ping (long delay and eventual unknown host xxx) an external site by name. It also causes a flurry of rejects in the logs as dnscache tries to hit the root nameservers (which seems at odds with #2, above). See excerpt from logs below.
>
> Examples from logs.
>
> In response to ping from workstation, through firewall, to internet by IP:
>
> Aug 4 15:15:48 firewall kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=64.58.76.223 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=11272 SEQ=0
>
> In response to ping from workstation, through firewall, to internet by name:
>
> Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.36.148.17 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=60946 DF PROTO=UDP SPT=33411 DPT=53 LEN=39
> Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.5.5.241 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=53616 DF PROTO=UDP SPT=2809 DPT=53 LEN=39
> ... etc. ((many, many of these))

Hmm. These seem contrary to your shorewall rules file. Looks like they're hitting the default output policy of REJECT.

[ big snip ]

> /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> #net    eth0        detect      dhcp,routefilter,norfc1918
> net     eth0        detect      routefilter,norfc1918
> loc     eth1        detect      routestopped

Ahh! Notice the OUT=ppp0 in the log entries. Yet there's no ppp0 in shorewall/interfaces. Change eth0 to ppp0 and I bet your problems will go away.

--Brad
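A small check for the mismatch Jacques and Brad both point at, added here as an example and not part of the thread: it parses Shorewall's kernel log lines in the format John posted and flags any IN=/OUT= interface that no zone in /etc/shorewall/interfaces declares, since traffic on such an interface falls through to the chain's default policy instead of the zone rules. The interfaces files are constructed copies of John's file before and after the suggested eth0-to-ppp0 change.

```python
import re
# Constructed copy of John's /etc/shorewall/interfaces as posted: eth0 is in the
# net zone, but the PPPoE session actually runs on ppp0.
INTERFACES_BEFORE = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918
loc     eth1        detect      routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
# The same file with the change Brad and Jacques suggest: ppp0 instead of eth0.
INTERFACES_AFTER = re.sub(r"^net\s+eth0\s+detect", "net     ppp0        -     ",
                          INTERFACES_BEFORE, flags=re.M)
# Two of the rejected packets from John's log excerpt (Shorewall kernel log format).
LOG_LINES = [
    "Aug 4 15:15:48 firewall kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=ppp0 SRC=192.168.1.10 DST=64.58.76.223 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=11272 SEQ=0",
    "Aug 4 15:17:31 firewall kernel: Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=138.88.131.90 DST=192.36.148.17 LEN=59 TOS=0x00 PREC=0x00 TTL=64 ID=60946 DF PROTO=UDP SPT=33411 DPT=53 LEN=39",
]
LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):IN=(?P<in>\S*) OUT=(?P<out>\S*)")

def declared_interfaces(text):
    """Map interface -> zone from a Shorewall 1.3 style interfaces file."""
    zones = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, incl. the LAST LINE marker
        if len(fields) >= 2:
            zones[fields[1]] = fields[0]
    return zones

def parse_log(line):
    """Chain, disposition and IN/OUT interfaces of one Shorewall log line, or None."""
    m = LOG_RE.search(line)
    return m and {"chain": m["chain"], "disp": m["disp"], "in": m["in"], "out": m["out"]}

def undeclared_hits(log_lines, interfaces_text):
    """Logged packets whose IN or OUT interface belongs to no zone. Traffic on such
    an interface never matches the zone rules and falls through to the chain's
    default policy, which is exactly the REJECT John saw."""
    zones = declared_interfaces(interfaces_text)
    findings = set()
    for rec in filter(None, map(parse_log, log_lines)):
        for direction in ("in", "out"):
            iface = rec[direction]
            # IN= is empty for packets the firewall itself generates (OUTPUT chain).
            if iface and iface not in zones:
                findings.add((rec["chain"], direction.upper(), iface))
    return sorted(findings)

if __name__ == "__main__":
    print("before fix:", undeclared_hits(LOG_LINES, INTERFACES_BEFORE))
    print("after fix: ", undeclared_hits(LOG_LINES, INTERFACES_AFTER))
```

Run against the posted file it reports ppp0 on the OUT side of both the FORWARD and OUTPUT rejects; with ppp0 declared in the net zone the list is empty.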