[Shorewall-users] Problem with multiple ISP's

Stephen Carville stephen at totalflood.com
Tue Mar 1 19:56:00 PST 2005


On Tue March 1 2005 4:40 pm, Jerry Vonau wrote:
> This is off topic, but....

So Tom has reminded me :-)

> > I have a setup with two Internet providers.  One circuit (net0 == eth1)
> > is used primarily for employees and tunnels to other sites.   The other
> > (net1 == eth2) is for the production machines that customers access. 
> > Everything works in the sense that packets get to where they are sent
> > (mostly), but I recently had a sniffer on the system and noticed a
> > problem I cannot solve: traffic coming in on eth2 goes back out on eth1.
> >
> > For example, in rules I have the line:
> >
> > DNAT    net1    loc:192.168.124.18     tcp     smtp      -    65.223.121.227
> >
> > If I connect to 65.223.121.227 on port 25 from a remote site I see
> > inbound packets arriving on eth2 (net1) as they should but outbound
> > packets in the same conversation go out on eth1 (net0).
> >
> > I've tried adding to masq: (tho I don't think it should matter in this
> > case)
> >
> > eth2        192.168.124.18       65.223.121.227  tcp     25
> >
> > with the same results.
> >
> > I read the FAQ on setting up for two ISP's and as far as I can tell I've
> > done everything right.  Obviously I haven't, but I cannot see where the
> > error is. Can anyone here see my mistake(s)?
> >
> > $ Shorewall version:
> > 2.0.12
> >
> > $ ip addr show
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
> >     link/ether 00:0f:1f:64:44:4e brd ff:ff:ff:ff:ff:ff
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:0f:1f:64:44:4f brd ff:ff:ff:ff:ff:ff
> >     inet 209.189.103.196/27 brd 209.189.103.223 scope global eth1
> >     inet 209.189.103.202/27 brd 209.189.102.223 scope global secondary eth1:1
> >     inet 209.189.103.208/27 brd 209.189.103.223 scope global secondary eth1:2
> >     inet 209.189.103.207/27 brd 209.189.103.223 scope global secondary eth1:3
> >     inet 209.189.103.203/27 brd 209.189.103.223 scope global secondary eth1:4
> >     inet 209.189.103.198/27 brd 209.189.103.223 scope global secondary eth1:5
> >     inet 209.189.103.200/27 brd 209.189.103.223 scope global secondary eth1:6
> >     inet 209.189.103.197/27 brd 209.189.103.223 scope global secondary eth1:7
> > 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:04:23:ab:46:4c brd ff:ff:ff:ff:ff:ff
> >     inet 65.223.121.237/28 brd 65.223.121.239 scope global eth2
> >     inet 65.223.121.227/28 brd 65.223.121.239 scope global secondary eth2:1
> >     inet 65.223.121.230/28 brd 65.223.121.239 scope global secondary eth2:2
> >     inet 65.223.121.228/28 brd 65.223.121.239 scope global secondary eth2:3
> > 5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:04:23:ab:46:4d brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.150.11/24 brd 192.168.150.255 scope global eth3
> > 6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:04:23:ab:44:ca brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.170.1/24 brd 192.168.170.255 scope global eth4
> > 7: eth5: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:04:23:ab:44:cb brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.124.249/24 brd 192.168.124.255 scope global eth5
> > 8: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ppp
> >     inet 192.168.254.5 peer 192.168.254.6/32 scope global tun1
> > 9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ppp
> >     inet 192.168.254.1 peer 192.168.254.2/32 scope global tun0
> >
> > $ ip route show
> > 192.168.254.6 dev tun1  proto kernel  scope link  src 192.168.254.5
> > 192.168.254.2 dev tun0  proto kernel  scope link  src 192.168.254.1
> > 65.223.121.224/28 dev eth2  scope link
> > 209.189.103.192/27 dev eth1  scope link
> > 192.168.160.0/24 via 192.168.124.28 dev eth5
> > 192.168.150.0/24 dev eth3  scope link
> > 192.168.1.0/24 via 192.168.254.2 dev tun0
> > 192.168.124.0/24 dev eth5  scope link
> > 192.168.170.0/24 dev eth4  scope link
> > 192.168.111.0/24 via 192.168.124.28 dev eth5
> > 172.16.10.0/24 via 192.168.254.6 dev tun1
> > 192.168.120.0/24 via 192.168.124.28 dev eth5
> > 172.16.11.0/24 via 192.168.254.6 dev tun1
> > 192.168.26.0/24 via 192.168.124.28 dev eth5
> > 169.254.0.0/16 dev eth5  scope link
> > 127.0.0.0/8 dev lo  scope link
> > default via 209.189.103.222 dev eth1
> > default via 209.189.103.222 dev eth1  src 209.189.103.197  metric 1
> > default via 209.189.103.222 dev eth1  src 209.189.103.200  metric 1
> > default via 209.189.103.222 dev eth1  src 209.189.103.198  metric 1
> > default via 209.189.103.222 dev eth1  src 209.189.103.203  metric 1
> > default via 209.189.103.222 dev eth1  src 209.189.103.207  metric 1
> > default via 209.189.103.222 dev eth1  src 209.189.103.208  metric 1
> > default via 209.189.103.222 dev eth1  src 209.189.103.202  metric 1
>
> Well, 65.223.121.224/28 dev eth2  scope link
> I don't see how this network could use any other gateway but
> 209.189.103.222. I have this:
> /sbin/ip route ls
> ~~snip~~
> default
>         nexthop via zzz.zzz.0.1 dev eth0 weight 1
>         nexthop via yyy.yyy.28.28  dev ppp0 weight 1
>
> Have you setup "routing rules" for use with "routing tables"?
> What does "/sbin/ip rule ls" show?

$ ip rule ls
0:      from all lookup local
32764:  from 65.223.121.237 lookup T2
32765:  from 209.189.103.196 lookup T1
32766:  from all lookup main
32767:  from all lookup 253

$ ip route list table T1
209.189.103.192/27 dev eth1  scope link  src 209.189.103.196
192.168.124.0/24 dev eth5  scope link
127.0.0.0/8 dev lo  scope link
default via 209.189.103.222 dev eth1

$ ip route list table T2
65.223.121.224/28 dev eth2  scope link  src 65.223.121.237
192.168.124.0/24 dev eth5  scope link
127.0.0.0/8 dev lo  scope link
default via 65.223.121.225 dev eth2

> Jerry Vonau

-- 
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W.Century Blvd.
Los Angeles, CA 90045
310-342-3602
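An added illustration, not from the thread or from Shorewall: a small model of the Linux policy-routing lookup, loaded with the rules and tables quoted above, to replay what happens to the SMTP reply. The reply leaves 192.168.124.18 and is routed before conntrack restores the public source 65.223.121.227 (and even that address is not 65.223.121.237, the only one the T2 rule selects), so the main table's default via eth1 wins; the fwmark rule added at the end is an assumed fix in the style later Shorewall versions use (marking connections by ingress interface and restoring the mark on replies), not something this thread configures.

```python
import ipaddress

# Routing tables transcribed from the post, reduced to the fields a lookup needs.
TABLES = {
    "main": [("209.189.103.192/27", "eth1"), ("65.223.121.224/28", "eth2"),
             ("192.168.124.0/24", "eth5"), ("0.0.0.0/0", "eth1")],
    "T1": [("209.189.103.192/27", "eth1"), ("192.168.124.0/24", "eth5"),
           ("0.0.0.0/0", "eth1")],
    "T2": [("65.223.121.224/28", "eth2"), ("192.168.124.0/24", "eth5"),
           ("0.0.0.0/0", "eth2")],
}

# (priority, selector, table) as shown by `ip rule ls` in the post.
# A selector is {"from": prefix} or {"fwmark": int}; None matches everything.
RULES_AS_POSTED = [
    (32764, {"from": "65.223.121.237/32"}, "T2"),
    (32765, {"from": "209.189.103.196/32"}, "T1"),
    (32766, None, "main"),
]

# Assumed fix: a higher-priority rule keyed on a connection mark (value 2 is a
# constructed choice) that is set for traffic arriving on eth2 and restored on
# its replies, so the reply is steered to T2 regardless of its source address.
RULES_WITH_MARK = [(32763, {"fwmark": 2}, "T2")] + RULES_AS_POSTED


def lookup_table(table, dst):
    """Longest-prefix match inside one table; returns the egress interface."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(rules, src, dst, fwmark=0):
    """Walk rules in priority order; the first table holding a matching route wins."""
    for _, sel, table in sorted(rules, key=lambda r: r[0]):
        if sel and "from" in sel and ipaddress.ip_address(src) not in ipaddress.ip_network(sel["from"]):
            continue
        if sel and "fwmark" in sel and sel["fwmark"] != fwmark:
            continue
        dev = lookup_table(table, dst)
        if dev:
            return dev
    return None


if __name__ == "__main__":
    # 198.51.100.10 is a constructed remote client address (TEST-NET-2).
    print(route(RULES_AS_POSTED, "192.168.124.18", "198.51.100.10"))     # eth1: the symptom
    print(route(RULES_WITH_MARK, "192.168.124.18", "198.51.100.10", 2))  # eth2: with the mark
```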
