Hi Tom,
Thank you for your reply. Sorry for the text wrapping, as I'm using web mail.

I have attached the gz format of shorewall dump.

To clarify the objective:
I want to redirect traffic from dmz (eth2) to use the AC3 (eth1) link and redirect traffic from loc (eth3) to use the I2N (eth0) link.

I've changed the provider file as follows (tried with "track" only and with "track,balance"):

I2N 1 1  main  eth0  203.18.30.3    track,balance   eth3
AC3 2 2  main  eth1  203.202.13.1   track,balance   eth2

Now the interesting problem:
a. From a host in the loc zone, I can ping dmz and the net (with limitations).
According to the provider file, all eth3 traffic must use eth0; but this is not the case when I am trying to ping 203.18.34.2 (R2). But if I ping the other side of R2 (203.202.140.2), it is working!
Using tcpdump, I can see why 203.18.34.2 doesn't work:
  - because the source address isn't NATed when leaving the WAN interface
  - because it is using eth1 (which is against what the provider file states: the traffic must go through eth0)

b. From a host in the dmz zone, I can't ping anything. Again, tcpdump shows the traffic is using the incorrect WAN link (different from the provider file) and isn't NATed when leaving the WAN interface.
You mentioned the entry I put in tcrules isn't relevant. My understanding is that tcrules marks the packets, and using the marking, I should be able to tell shorewall to route the packets to the right WAN link using the mark number. If this is gone, how can I control such an event? The tcrules I attached is to test ping.
Also, for masquerading in a dual-link scenario, it is all controlled by the masq file, correct? So it is similar to a simple 2- or 3-interface setup of shorewall.

Many thanks.

--- On Thu, 16/9/10, Tom Eastep <teas...@shorewall.net> wrote:

> From: Tom Eastep <teas...@shorewall.net>
> Subject: Re: [Shorewall-users] help for newbie on shorewall multiple isp
> To: shorewall-users@lists.sourceforge.net
> Received: Thursday, 16 September, 2010, 2:26 AM
> On 9/15/10 5:47 PM, Lito Kusnadi wrote:
> 
> > I have been using shorewall for a number of years, but I haven't
> > really tried to use packet marking or multiple isp before.
> > 
> > I have a project to build a firewall system with 2 isp links. The
> > target is to set shorewall with 2 isp links, with vrrp for failover
> > to another shorewall box. However, I want to get the basics working
> > (i.e. with 1 shorewall firewall).
> > 
> > Having followed the multiple isp doc, I believe there's something
> > missing when putting the pieces together. Here's my network lab
> > using vmware:
> > 
> > I got 3 vyatta routers to simulate the internet:
> >
> > R1 --- R2 --- R3
> >
> > R1 pretends to be the isp1 router, R3 pretends to be the isp2
> > router, R2 is a router for testing the traffic (i.e. ping, etc.). All
> > vyatta routers can see each other and no firewall is enabled.
> > 
> > R1: 203.202.13.1/24 (link to shore eth1), 203.202.140.1/24 (link to R2)
> >
> > R2: 203.202.140.2/24 (link to R1), 203.18.34.2/24 (link to R3)
> >
> > R3: 203.18.34.3/24 (link to R2), 203.18.30.3/24 (link to shore eth0)
> > 
> > I built a shorewall system with eth0 linked to R3 and eth1 linked to R1
> > for WAN. I have dmz (eth2) and loc (eth3). So far I can make only
> > loc traffic work.
> 
> One thing that jumps out immediately is that you have not included eth2
> in the COPY column in /etc/shorewall/providers. So it is not surprising
> that you can't get the DMZ to work.
> 
> > 
> > The default gateway of shorewall points to R3 (via eth0); this is in
> > /etc/sysconfig/network.
> 
> Totally immaterial.
> 
> > 
> > My shorewall settings: 
> 
> It is difficult to impossible to understand what is going on from the
> config files; see http://www.shorewall.net/support.htm#Guidelines.
> 
> To make things worse, your mailer doesn't break long lines so each
> paragraph is a single line. Trying to reply and keep the quoting correct
> is a tedious task.
> 
> > 
> > :tcrules:
> > 1:P     192.168.77.224/27   0.0.0.0/0   icmp   echo-reply
> > 1       $FW                 0.0.0.0/0   icmp   echo-reply
> 
> Both of those are meaningless. You don't want to route the replies
> through a provider other than the one that the echo-request came in on.
> 
> > 
> > With the above setting, I can ping R2 from a loc host and have no problem
> > redirecting the traffic with marking 1 or 2 to control the ping
> > traffic using I2N or AC3 (verified with tcpdump)
> > 
> 
> See above.
> 
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 
> 
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment
> and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Attachment: dump1.txt.gz
Description: GNU Zip compressed data
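An added example, written by the editor and not taken from this thread or from the Shorewall project's own files: one consistent set of providers, tcrules and masq entries for the lab described above, applying Tom's point about the COPY column and replacing the echo-reply marking with marks keyed on the inbound internal interface. The provider names, numbers, marks, WAN interfaces and gateway addresses are the ones in the thread; the assumptions are that the loc and dmz networks are exactly what sits behind eth3 and eth2, that the Shorewall version in use accepts interface names in the SOURCE column of tcrules and masq (as the 4.4-era documentation describes), and that no other tcrules entries exist.

```text
# /etc/shorewall/providers   (columns: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY)
# Each provider's routing table is duplicated from 'main'.  The COPY column must list
# BOTH internal interfaces so that each table carries routes back to loc and dmz;
# the posted file had only eth3 on I2N and only eth2 on AC3.
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
I2N    1       1     main       eth0       203.18.30.3    track,balance  eth2,eth3
AC3    2       2     main       eth1       203.202.13.1   track,balance  eth2,eth3

# /etc/shorewall/tcrules   (columns: MARK SOURCE DEST ...)
# Mark new connections in PREROUTING (':P') by the interface they arrive on.
# The mark value selects the provider with the same MARK above.  With 'track'
# the reply direction follows the connection mark, so no echo-reply rules are needed
# (that is why the two echo-reply entries quoted above do nothing useful).
#MARK  SOURCE  DEST
1:P    eth3    0.0.0.0/0     # loc (assumed to be everything behind eth3) -> I2N
2:P    eth2    0.0.0.0/0     # dmz (assumed to be everything behind eth2) -> AC3

# /etc/shorewall/masq   (columns: INTERFACE SOURCE ADDRESS)
# Source NAT is still controlled here, one entry per WAN interface.  Without the
# eth1 line, anything that leaves via eth1 keeps its private source address,
# which matches the "not natted" symptom seen in tcpdump.
#INTERFACE  SOURCE
eth0        eth2,eth3
eth1        eth2,eth3
```

After `shorewall restart`, the routing policy can be checked on the box with `ip rule show` (one fwmark rule per provider) and `ip route show table I2N` / `ip route show table AC3` (each must contain routes for both internal networks); a provider table missing an internal route is the COPY-column problem Tom pointed at.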
