Hello all,

I'm using shorewall on a linux machine that has two interfaces, eth0 being connected to the internal network (10.10.10.0/24) and eth1 being connected to the external network. On eth0 the IP is statically configured to 10.10.10.254 and there is a dhcp server running for the machines in the private network. On eth1, the IP is dynamically assigned by my ISP modem, which acts as a bridge.

I have thus followed the "two interfaces" example, which works just fine, and I have this in the /etc/shorewall/interfaces file:

    net    eth1    detect    dhcp
    loc    eth0    detect    dhcp

and the following in the /etc/shorewall/masq file:

    eth1    10.10.10.0/24

and obviously a few rules in the /etc/shorewall/rules file (port forwarding).

Everything is running ok and when eth1 gets plugged in, the kernel detects it and tells the dhcp client to get an ip address, as can be seen here:

    Oct 24 22:34:15 server kernel: e100: eth1 NIC Link is Up 100 Mbps Full Duplex
    Oct 24 22:34:16 server dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 12
    Oct 24 22:34:16 server dhclient: DHCPOFFER from 192.0.2.254
    Oct 24 22:34:16 server dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
    Oct 24 22:34:16 server dhclient: DHCPACK from 192.0.2.254
    Oct 24 22:34:16 server dhclient: bound to 192.0.2.189 -- renewal in 236700 seconds.
    Oct 24 22:34:16 server ifplugd(eth1)[2223]: client: Determining IP information for eth1... done.
    Oct 24 22:34:16 server ifplugd(eth1)[2223]: client: 192.0.2.189
    Oct 24 22:34:16 server ifplugd(eth1)[2223]: Program executed successfully.

The problem that I'm having is that the ISP is gradually changing from the "bridge" mode to a "routed" mode, which means that instead of getting a public IP address from the modem, I now get a private IP in 192.168.1.0/24. And in this new "routed" mode, the eth1 interface does not get an IP address: the dhcp response is filtered out.

I have had a look in the log and what I get is this:

    Oct 24 22:33:27 server kernel: e100: eth1 NIC Link is Up 100 Mbps Full Duplex
    Oct 24 22:33:29 server dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
    Oct 24 22:33:29 server dhclient: DHCPNAK from 192.168.1.254
    Oct 24 22:33:30 server dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 5
    Oct 24 22:33:30 server dhclient: DHCPOFFER from 192.168.1.254
    Oct 24 22:33:30 server kernel: Shorewall:net2loc:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.254 DST=192.168.1.17 LEN=576 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=556
    Oct 24 22:33:30 server dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67

Apparently the response appears to Shorewall as if it is directed to the "loc" zone, despite this zone not being on the 192.168.1.0/24 subnet.

I tried adding the following rules to /etc/shorewall/rules, but to no avail:

    accept    net    $FW    udp    67
    accept    net    $FW    udp    68
    accept    net    loc    udp    67
    accept    net    loc    udp    68

The ISP's modem configuration also allows forcing all DHCP responses to have the broadcast address as their destination, but this does not help; it looks as if it's even worse:

    Oct 24 22:29:43 server kernel: e100: eth1 NIC Link is Up 100 Mbps Full Duplex
    Oct 24 22:29:47 server dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
    Oct 24 22:29:47 server kernel: martian source 255.255.255.255 from 192.168.1.254, on dev eth1
    Oct 24 22:29:47 server kernel: ll header: ff:ff:ff:ff:ff:ff:f4:ca:e5:46:db:64:08:00
    Oct 24 22:29:47 server dhclient: DHCPNAK from 192.168.1.254
    Oct 24 22:29:48 server dhclient: DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 6
    Oct 24 22:29:48 server dhclient: DHCPOFFER from 192.168.1.254
    Oct 24 22:29:48 server dhclient: DHCPREQUEST on eth1 to 255.255.255.255 port 67
    Oct 24 22:29:48 server kernel: martian source 255.255.255.255 from 192.168.1.254, on dev eth1
    Oct 24 22:29:48 server kernel: ll header: ff:ff:ff:ff:ff:ff:f4:ca:e5:46:db:64:08:00

I must be missing
something obvious in my configuration, but when I first activated the "routed" mode on the modem, I naively thought that it would work "out of the box" for the outgoing connections because of the DHCP configuration for eth1. I knew I would have to add some port forwarding rules in the ISP modem, but that could be done later on, provided the "outgoing" connections were working.

Do you have any idea what I have missed? Anything I should try? Do you need more information?

Thanks in advance for your help,
Olivier

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
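Editor's note: the following is an added triage script, not part of the original post and not Shorewall's own tooling. It parses the two kinds of kernel lines quoted above (Shorewall's netfilter log prefix and the kernel's "martian source" message) and reports, for each one that involves the external interface, which netfilter path the packet took. The interpretation it applies is generic netfilter behaviour rather than a diagnosis of the poster's setup: a Shorewall log line carrying both IN= and OUT= was emitted from the FORWARD path, which the kernel only uses when the destination address is not one of its own, whereas a line with IN= and an empty OUT= comes from INPUT; a "martian source" line is logged at route lookup, before the INPUT/FORWARD chains and therefore before any zone rule runs. The sample log is copied from the message above (not constructed); the interface name is a parameter the caller supplies.

```python
import re
from typing import Optional

# Sample input: kernel and dhclient lines copied from the post above (not
# constructed). The dhclient lines are there to show they are skipped.
SAMPLE_LOG = """\
Oct 24 22:33:29 server dhclient: DHCPNAK from 192.168.1.254
Oct 24 22:33:30 server dhclient: DHCPOFFER from 192.168.1.254
Oct 24 22:33:30 server kernel: Shorewall:net2loc:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.254 DST=192.168.1.17 LEN=576 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=556
Oct 24 22:29:47 server kernel: martian source 255.255.255.255 from 192.168.1.254, on dev eth1
Oct 24 22:29:47 server kernel: ll header: ff:ff:ff:ff:ff:ff:f4:ca:e5:46:db:64:08:00
"""

# Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed by the
# kernel's KEY=VALUE fields (bare flags such as DF carry no value).
SHOREWALL_RE = re.compile(r"kernel: Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<fields>.*)$")
# Kernel format is "martian source <daddr> from <saddr>, on dev <if>".
MARTIAN_RE = re.compile(r"kernel: martian source (?P<dst>\S+) from (?P<src>\S+), on dev (?P<dev>\S+)")
DHCP_PORTS = {"67", "68"}


def parse_fields(blob: str) -> dict:
    """Turn 'IN=eth1 OUT= ... DF PROTO=UDP' into a dict; bare flags map to True."""
    fields = {}
    for token in blob.split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields


def classify(line: str, net_iface: str) -> Optional[dict]:
    """Structured verdict for one log line, or None for lines we do not handle."""
    m = SHOREWALL_RE.search(line)
    if m:
        f = parse_fields(m.group("fields"))
        in_if, out_if = f.get("IN"), f.get("OUT")
        # IN and OUT both set: FORWARD (DST is not local). IN only: INPUT.
        # OUT only: OUTPUT (locally generated).
        path = "FORWARD" if in_if and out_if else "INPUT" if in_if else "OUTPUT"
        is_dhcp = (f.get("PROTO") == "UDP"
                   and f.get("SPT") in DHCP_PORTS and f.get("DPT") in DHCP_PORTS)
        return {"kind": "shorewall", "chain": m.group("chain"),
                "disposition": m.group("disp"), "path": path, "dhcp": is_dhcp,
                "from_net": in_if == net_iface, "src": f.get("SRC"), "dst": f.get("DST")}
    m = MARTIAN_RE.search(line)
    if m:
        return {"kind": "martian", "dev": m.group("dev"), "src": m.group("src"),
                "dst": m.group("dst"), "from_net": m.group("dev") == net_iface}
    return None


def explain(v: dict) -> str:
    """One-line human reading of a verdict from classify()."""
    if v["kind"] == "shorewall":
        what = "DHCP server->client packet" if v["dhcp"] else "packet"
        where = {"FORWARD": "was being forwarded, i.e. DST is not a local address",
                 "INPUT": "was addressed to this host",
                 "OUTPUT": "was generated by this host"}[v["path"]]
        return (f"{v['chain']} {v['disposition']}: {what} {v['src']}->{v['dst']} {where}, "
                f"so it went through the {v['path']} path into chain {v['chain']}")
    return (f"martian: kernel refused {v['src']}->{v['dst']} on {v['dev']} at route lookup "
            f"(source validation failed on that interface), before INPUT/FORWARD ran")


def report(text: str, net_iface: str) -> list:
    """(line number, verdict, explanation) for every DHCP or martian event
    that entered via net_iface; everything else is ignored."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        v = classify(line, net_iface)
        if v and v["from_net"] and (v["kind"] == "martian" or v["dhcp"]):
            found.append((n, v, explain(v)))
    return found


if __name__ == "__main__":
    for n, _, text in report(SAMPLE_LOG, "eth1"):
        print(f"line {n}: {text}")
```

Run against the quoted log it prints one FORWARD-path drop for the 192.168.1.254 -> 192.168.1.17 reply and one martian rejection on eth1; feeding it /var/log/messages with the real external interface name gives the same two facts for every DHCP attempt, which is the first thing to establish before adding rules, since a rule in a zone-pair chain cannot affect a packet the kernel discarded at route lookup.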