[Shorewall-users] Routing through a firewall/router

2017-01-06 Thread Johannes Graumann
Hello,

I'm running a 4 NIC firewall to route/organize my home network using shorewall/
dnsmasq and am at a loss why I can't connect (or ping) between subnets that 
hang on different nets. Access to the net (eth0) is working beautifully and 
the subnets are able to ping the IP associated with the NICs on the FW, but 
not into the subnets beyond. I'm running in circles and am unclear where the 
problem is. Any advice is highly appreciated.

/sbin/shorewall version
4.6.4.3

ip addr show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group 
default
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
  valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host
  valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
   link/ether 00:00:24:d0:62:dc brd ff:ff:ff:ff:ff:ff
   inet 192.168.2.100/24 brd 192.168.2.255 scope global eth0
  valid_lft forever preferred_lft forever
   inet6 fe80::200:24ff:fed0:62dc/64 scope link
  valid_lft forever preferred_lft forever
3: can0:  mtu 16 qdisc noop state DOWN group default qlen 10
   link/can
4: eth1:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
   link/ether 00:00:24:d0:62:dd brd ff:ff:ff:ff:ff:ff
   inet 10.10.1.1/24 brd 10.10.1.255 scope global eth1
  valid_lft forever preferred_lft forever
   inet6 fe80::200:24ff:fed0:62dd/64 scope link
  valid_lft forever preferred_lft forever
5: eth2:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
   link/ether 00:00:24:d0:62:de brd ff:ff:ff:ff:ff:ff
   inet 10.10.4.1/24 brd 10.10.4.255 scope global eth2
  valid_lft forever preferred_lft forever
   inet6 fe80::200:24ff:fed0:62de/64 scope link
  valid_lft forever preferred_lft forever
6: eth3:  mtu 1500 qdisc pfifo_fast state UP 
group default qlen 1000
   link/ether 00:00:24:d0:62:df brd ff:ff:ff:ff:ff:ff
   inet 10.10.5.1/24 brd 10.10.5.255 scope global eth3
  valid_lft forever preferred_lft forever
   inet6 fe80::200:24ff:fed0:62df/64 scope link
  valid_lft forever preferred_lft forever

ip route show
default via 192.168.2.1 dev eth0
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.1
10.10.4.0/24 dev eth2  proto kernel  scope link  src 10.10.4.1
10.10.5.0/24 dev eth3  proto kernel  scope link  src 10.10.5.1
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.100

Result of shorewall dump is attached.

shorewall_dump.txt.bz2
Description: application/bzip
--
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Routing through a firewall/router

2017-01-06 Thread Philip Le Riche
Try the command shorewall clear at a root shell to set the firewall temporarily 
open, and see if you can then route as you expect. If you still can't it would 
seem to be a routing problem rather than a shorewall problem.

Regards - Philip

Sent from my iPhone

> On 6 Jan 2017, at 21:37, Johannes Graumann wrote:
> 
> Hello,
> 
> I'm running a 4 NIC firewall to route/organize my home network using 
> shorewall/dnsmasq and am at a loss why I can't connect (or ping) between 
> subnets that hang on different nets. Access to the net (eth0) is working 
> beautifully and the subnets are able to ping the IP associated with the NICs 
> on the FW, but not into the subnets beyond. I'm running in circles and am 
> unclear where the problem is. Any advice is highly appreciated.




Re: [Shorewall-users] Routing through a firewall/router

2017-01-07 Thread Matt Darfeuille
On 1/6/2017 10:37 PM, Johannes Graumann wrote:
> Hello,
> 
> I'm running a 4 NIC firewall to route/organize my home network using 
> shorewall/dnsmasq and am at a loss why I can't connect (or ping) between 
> subnets that hang on different nets. Access to the net (eth0) is working 
> beautifully and the subnets are able to ping the IP associated with the NICs 
> on the FW, but not into the subnets beyond. I'm running in circles and am 
> unclear where the problem is. Any advice is highly appreciated.

Try setting 'IP_FORWARDING=on' in shorewall.conf.

-Matt
-- 
Matt Darfeuille



Re: [Shorewall-users] Routing through a firewall/router

2017-01-07 Thread Robert K Coffman Jr. -Info From Data Corp.

> Try setting 'IP_FORWARDING=on' in shorewall.conf.

I'm not any good at reading the dump, but if Matt's advice doesn't fix 
it, make sure you allow traffic between the zones that your local 
subnets are in.  Make sure the subnet mask of your devices on those 
subnets matches what the firewall thinks the subnet is, and of course 
that they are using the correct default gateway.

I can't think of anything else that might be the issue.

- Bob
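As an added example (not code from this thread, from Shorewall, or from any of the posters), the script below applies the checks discussed above to the firewall's own route table: it works out which interfaces and which zone pair a packet from 10.10.1.5 to 10.10.4.3 would cross (both IP_FORWARDING=on and an accepting zone policy or rule are then required), and it tests Bob's point that a host's subnet mask and default gateway must agree with the firewall. The zone-to-interface mapping is an assumption; only the 'usr' and 'strg' zone names appear in the thread.

```python
import ipaddress

# Route table as posted in the thread (output of `ip route show` on the firewall).
ROUTE_TABLE = """\
default via 192.168.2.1 dev eth0
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.1
10.10.4.0/24 dev eth2  proto kernel  scope link  src 10.10.4.1
10.10.5.0/24 dev eth3  proto kernel  scope link  src 10.10.5.1
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.100
"""

# Assumed zone per interface: 'usr' and 'strg' are named in the thread, the
# others are hypothetical placeholders (the shorewall dump is not on the page).
ZONES = {"eth0": "net", "eth1": "usr", "eth2": "strg", "eth3": "zone_eth3"}


def parse_routes(text):
    """Return (network, dev, src) tuples; src is None for 'via' routes."""
    routes = []
    for f in (line.split() for line in text.splitlines() if line.strip()):
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        src = ipaddress.ip_address(f[f.index("src") + 1]) if "src" in f else None
        routes.append((net, f[f.index("dev") + 1], src))
    return routes


def egress_dev(routes, ip):
    """Longest-prefix match, as the kernel does when forwarding a packet."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


def forwarding_path(routes, src, dst):
    """Interfaces and zone pair a src->dst packet crosses on the firewall.
    net.ipv4.ip_forward (IP_FORWARDING=on) and a zone policy or rule that
    accepts this pair are both required before the kernel forwards it."""
    in_dev, out_dev = egress_dev(routes, src), egress_dev(routes, dst)
    if in_dev is None or out_dev is None:
        return None
    return {"in": in_dev, "out": out_dev,
            "policy": f"{ZONES[in_dev]} -> {ZONES[out_dev]}"}


def host_config_ok(routes, host_cidr, gateway):
    """Bob's checks: the host's subnet must equal the firewall's connected
    subnet and its gateway must be the firewall's address on that subnet.
    A host at 10.10.1.5/16 would treat 10.10.4.3 as on-link and ARP for it
    instead of sending to the gateway, which matches the reported symptom."""
    host = ipaddress.ip_interface(host_cidr)
    for net, _dev, src in routes:
        if net == host.network:
            return src is not None and ipaddress.ip_address(gateway) == src
    return False
```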




Re: [Shorewall-users] Routing through a firewall/router

2017-01-07 Thread Tom Eastep

On 01/06/2017 01:37 PM, Johannes Graumann wrote:
> Hello,
> 
> I'm running a 4 NIC firewall to route/organize my home network
> using shorewall/dnsmasq and am at a loss why I can't connect (or
> ping) between subnets that hang on different nets. Access to the
> net (eth0) is working beautifully and the subnets are able to ping
> the IP associated with the NICs on the FW, but not into the subnets
> beyond. I'm running in circles and am unclear where the problem
> is. Any advice is highly appreciated.
> 

You have enabled ping to/from the 'fw' zone and from the 'usr' zone to
the other zones only. If ping is failing from the 'usr' zone to one of
the other local zones, then please submit another dump collected as
described in the support guidelines. Namely:

- 'shorewall clear'
- perform the failing ping
- take the dump
- when you submit the dump, tell us the source IP and destination IP of
  the failing test.

Thanks,
-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \



Re: [Shorewall-users] Routing through a firewall/router

2017-01-15 Thread Graumann, Johannes
... 

> You have enabled ping to/from the 'fw' zone and from the 'usr' zone to
> the other zones only. If ping is failing from the 'usr' zone to one of
> the other local zones, then please submit another dump collected as
> described in the support guidelines. Namely:
> 
> - 'shorewall clear'
> - perform the failing ping
> - take the dump
> - when you submit the dump, tell us the source IP and destination IP of
>   the failing test.

As I indeed am trying to ping from a usr IP (10.10.1.5) to an IP in strg
(10.10.4.3) and it fails, I did as Tom proposed and attach the dump. 

Any help is highly appreciated. 

Note that the dump operation threw an error:

shorewall dump > ping_dump.txt
/sbin/shorewall: 859: [: ping_dump.txt: unexpected operator 

Joh

  

ping_dump.txt.gz
Description: GNU Zip compressed data


Re: [Shorewall-users] Routing through a firewall/router

2017-01-15 Thread Tom Eastep

On 01/15/2017 06:43 AM, Graumann, Johannes wrote:
> ...
> 
>> You have enabled ping to/from the 'fw' zone and from the 'usr'
>> zone to the other zones only. If ping is failing from the 'usr'
>> zone to one of the other local zones, then please submit another
>> dump collected as described in the support guidelines. Namely:
>> 
>> - 'shorewall clear'
>> - perform the failing ping
>> - take the dump
>> - when you submit the dump, tell us the source IP and destination IP of
>>   the failing test.
> 
> As I indeed am trying to ping from a usr IP (10.10.1.5) to an IP in
> strg (10.10.4.3) and it fails, I did as Tom proposed and attach the
> dump.
> 
> Any help is highly appreciated.
> 
> Note that the dump operation threw an error:
> 
> shorewall dump > ping_dump.txt
> /sbin/shorewall: 859: [: ping_dump.txt: unexpected operator
> 

Yes -- that is an old bug that is now fixed.

Unfortunately, I gave you incorrect instructions; I meant to have you
'shorewall reset' rather than 'shorewall clear'.

That having been said, if it didn't work with 'shorewall clear' then
there is something wrong with your routing. Can all of the subnets
access the internet with shorewall started?

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \
