Hello List!

Sorry, I sent the email prematurely.  This email outlines the problem I was
having.

This may be one of those, you're doing it wrong, and there is a far easier
way to do it than the way you are doing it.  Please let me know.

Problem
- Seems like rules to the firewall work fine.  However, the DNAT rule will
not work over its dead body.  When I had the 3 NIC setup, that DNAT rule
worked fine.
- Also, I can't use the shorewall show status commands because
/var/log/shorewall.log is empty.

Overview
- Cable Provider provides 2x IPs
- IPs are given out via DHCP.  Static costs $$ (double/triple the monthly
cost).
- Bandwidth is 7Mb down/2Mb up, but shared between two IPs.

Goal
- Use both IPs and do traffic shaping on both of them.  IP1 gives access to
router.  IP2 gives access to other machines on LAN using DNAT.
- My goal is that I could have usenet or bt going full throttle, but
immediately slows down once someone makes a voip phone call or starts
browsing the internet.
- If I didn't need to do the traffic shaping, using 3 NICs with the
multi-isp shorewall setup would work fine.

Rationale and other strategies
- Tried using 3 NICs, 2 on the internet getting IPs via DHCP, and 1 for the
LAN.  Couldn't do traffic shaping well, since the bandwidth is shared
between the two IPs.  If each IP got dedicated bandwidth it'd be fantastic,
but I couldn't figure out what to do to keep latency down; I tried halving the
bandwidth on each interface, but to no avail.  Perhaps go back to this
setup, but use IFBs to shape the download bandwidth?  Ultimately, the only
reason this seems to be a difficult problem is because I need to try to get
traffic shaping shared between two IPs.

Current Physical Setup
==========================
- Two NICs: eth0-LAN, eth1-INTERNET
- Using bridge br0 interface to bridge eth1 & tap0
- Using a program called Multimac to create tap1 & tap2 interfaces with unique
MAC addresses that request IPs via DHCP.  Multimac works by copying all
traffic on tap0 to tap1 & tap2.  Call it another bridge.  I tried to not use
Multimac and create tap interfaces, add them to the bridge and assign unique
MACs and IPs, but couldn't get it to work, so I just ended up using the
Multimac application.

Current Setup
==========================
- Version: Shorewall-perl 4.0.15 on Debian lenny

zones
==========================
fw    firewall
loc    ipv4
ptd1    ipv4
ptd2    ipv4

world    ipv4
wan:world    bport4
dmz:world    bport4

Interfaces
==========================
world    br0        -        bridge,dhcp
wan    br0:eth1    -
dmz    br0:tap0    -

ptd1    tap1        detect        dhcp,routeback,upnp
ptd2    tap2        detect        dhcp,routeback,upnp
loc    eth0        detect        dhcp,routeback

Policy
==========================
wan        dmz        ACCEPT
dmz        wan        ACCEPT

# Firewall Policy
loc        ptd1        ACCEPT
loc        ptd2        ACCEPT
loc        $FW        ACCEPT
loc        all        REJECT        info

$FW        ptd1        ACCEPT
$FW        ptd2        ACCEPT
$FW        loc        ACCEPT
$FW        all        REJECT        info

ptd1        $FW        DROP        info
ptd1        loc        DROP        info
ptd1        all        DROP        info

ptd2        $FW        DROP        info
ptd2        loc        DROP        info
ptd2        all        DROP        info

# THE FOLLOWING POLICY MUST BE LAST
all        all        REJECT        info

Masq
==========================
tap1    192.168.1.0/24        24.102.132.193
tap1    24.102.139.228        24.102.132.193
tap2    192.168.1.0/24        24.102.139.228
tap2    24.102.132.193        24.102.139.228

providers
==========================
ptd1 1 1 main tap1 detect track,balance,optional eth0
ptd2 2 2 main tap2 detect track,balance,optional eth0

route_rules
==========================
192.168.1.2    -        ptd2        1000
192.168.1.0/24    -        ptd1        1000

tcclasses
==========================
tap0    1    25*full/100    full    1    tos=0x68/0xfc,tos=0xb8/0xfc
tap0    2    15*full/100    full    2
tap0    3    20*full/100    full    3    tos-minimize-delay
tap0    4    30*full/100    full    4
tap0    5    10*full/100    75*full/10    5    default

tcdevices
==========================
tap0    1550kbit    5600kbit

tcrules
==========================
1:T    0.0.0.0/0    0.0.0.0/0    icmp    echo-request
1:T    0.0.0.0/0    0.0.0.0/0    icmp    echo-reply
1:T    192.168.1.5    0.0.0.0/0
1:T    0.0.0.0/0    192.168.1.5
2:T    0.0.0.0/0    0.0.0.0/0    udp    53
2:T    0.0.0.0/0    0.0.0.0/0    tcp    53
3:T    0.0.0.0/0    0.0.0.0/0    tcp    22
3:T    0.0.0.0/0    0.0.0.0/0    tcp    5900
4:T    0.0.0.0/0    0.0.0.0/0    tcp    80,443,8080,8088
# Bittorrent/Usenet
5:T    0.0.0.0/0    0.0.0.0/0    tcp    6974
5:T    0.0.0.0/0    0.0.0.0/0    udp    6974
5:T    0.0.0.0/0    192.168.1.2
5:T    192.168.1.2    0.0.0.0/0

ip addr show
==========================
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:30:65:7b:b2:c4 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:01:02:a6:54:0b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::201:2ff:fea6:540b/64 scope link
       valid_lft forever preferred_lft forever
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:10:4b:c5:99:de brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::210:4bff:fec5:99de/64 scope link
       valid_lft forever preferred_lft forever
5: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb state UNKNOWN qlen 500
    link/ether 00:ff:6f:ae:70:0f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::2ff:6fff:feae:700f/64 scope link
       valid_lft forever preferred_lft forever
6: tap1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 00:1e:2a:47:bf:0d brd ff:ff:ff:ff:ff:ff
    inet 24.102.132.193/24 brd 255.255.255.255 scope global tap1
7: tap2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 576 qdisc pfifo_fast state UNKNOWN qlen 500
    link/ether 00:10:4b:c5:99:dd brd ff:ff:ff:ff:ff:ff
    inet 24.102.139.228/24 brd 255.255.255.255 scope global tap2
8: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:01:02:a6:54:0b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::201:2ff:fea6:540b/64 scope link
       valid_lft forever preferred_lft forever

ip route show
==========================
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
24.102.139.0/24 dev tap2  proto kernel  scope link  src 24.102.139.228
24.102.132.0/24 dev tap1  proto kernel  scope link  src 24.102.132.193
default
    nexthop via 24.102.132.1  dev tap1 weight 1
    nexthop via 24.102.139.1  dev tap2 weight 1
default via 24.102.132.1 dev tap1

rules
==========================
Ping/ACCEPT    ptd1        $FW
SSH/ACCEPT    ptd1:$NRDC,$NCXOFFICE,$ALAN    $FW
HTTP/ACCEPT    ptd1:$NRDC,$NCXOFFICE,$ALAN    $FW
DNAT        ptd2            loc:192.168.1.2:80    tcp    80     -     $PTD2
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

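Added example, not from the original post or from Shorewall itself: a small Python checker that expands the tcclasses RATE/CEIL expressions (full, full/N, N*full/M, or an explicit kbit/mbit value, as the shorewall-tcclasses documentation defines them) against the OUT-BANDWIDTH given in tcdevices, as a quick sanity pass on a shaping setup like the one above. The embedded sample input is the post's own tcdevices and tcclasses lines; run over them it flags the class 5 ceil of 75*full/10, which expands to 42000kbit on a 5600kbit device.

```python
import re

# Constructed sample input: the tcdevices and tcclasses lines from the post.
TCDEVICES = "tap0    1550kbit    5600kbit"
TCCLASSES = """\
tap0    1    25*full/100    full    1    tos=0x68/0xfc,tos=0xb8/0xfc
tap0    2    15*full/100    full    2
tap0    3    20*full/100    full    3    tos-minimize-delay
tap0    4    30*full/100    full    4
tap0    5    10*full/100    75*full/10    5    default
"""


def to_kbit(value):
    """Parse an explicit bandwidth such as '5600kbit' or '2mbit' into kbit."""
    m = re.fullmatch(r"(\d+)(kbit|mbit)", value.strip())
    if not m:
        raise ValueError("unsupported bandwidth: %r" % value)
    return int(m.group(1)) * (1000 if m.group(2) == "mbit" else 1)


def rate_kbit(expr, full):
    """Expand a RATE/CEIL expression ('full', 'full/N', 'N*full/M' or an
    explicit kbit/mbit value) relative to the device's OUT-BANDWIDTH."""
    m = re.fullmatch(r"(?:(\d+)\*)?full(?:/(\d+))?", expr)
    if m:
        return full * int(m.group(1) or 1) // int(m.group(2) or 1)
    return to_kbit(expr)


def check_classes(tcdevices, tcclasses):
    """Return ([(mark, rate_kbit, ceil_kbit), ...], [warning, ...]) for the
    classes belonging to the device named in the tcdevices line."""
    dev, _in_bw, out_bw = tcdevices.split()[:3]
    full = to_kbit(out_bw)  # 'full' in tcclasses means the OUT-BANDWIDTH
    classes, warnings = [], []
    for line in tcclasses.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != dev:
            continue  # comment, blank line or another device
        mark, rate, ceil = f[1], rate_kbit(f[2], full), rate_kbit(f[3], full)
        classes.append((mark, rate, ceil))
        if ceil > full:  # HTB caps it at the parent anyway; almost always a typo
            warnings.append("class %s: ceil %dkbit exceeds %s OUT-BANDWIDTH %dkbit"
                            % (mark, ceil, dev, full))
    if sum(c[1] for c in classes) > full:
        warnings.append("guaranteed rates sum past %dkbit on %s" % (full, dev))
    return classes, warnings
```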