On 01/11/2017 03:21 AM, Philip Le Riche wrote:
> Hi Tom -
>
> Here are a couple of pcaps on ppp0 from wireshark, one with ppp0
> as fallback (traceroute from the Pi doesn't work but web does) and
> with ppp0 with no options (traceroute works but web doesn't).
>
> In both cases you can see the udp packets going out and icmp
> timeouts coming back but with fallback they don't seem to make it
> back to the Pi. It looks like shorewall isn't opening the reverse
> path. Hopefully the inconsistent web behaviour is another
> consequence of the same problem.
>
> Several other problems which may or may not be related:
> 1. traceroute getting send: operation not permitted when run from
>    the firewall itself.
> 2. Mobile data dongle not starting with shorewall running -
>    possibly the same problem as 1.
> 3. dhcpd not starting reliably - possibly a startup sequence
>    problem - it's worked the last twice and I didn't record the
>    message but was something about no available NICs to serve on.
>

Turn off route filtering. From the dump:

/proc
...
/proc/sys/net/ipv4/conf/eno1/rp_filter = 1
/proc/sys/net/ipv4/conf/ppp0/rp_filter = 1

You have 'routefilter' specified on both provider interfaces. From
shorewall-interfaces(5):

    Note

    There are certain cases where routefilter cannot be used on an
    interface:

    If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is
    listed in shorewall-providers(5).

    If there is an entry for the interface in shorewall-providers(5)
    that doesn't specify the balance option.
    ...

Set 'routefilter=0' for both interfaces.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
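
Added example (not part of the original message and not Shorewall code): the check made by eye on the dump above, as a shell function that reads `/proc/sys/net/ipv4/conf/<iface>/rp_filter = <n>` lines on stdin and reports the named provider interfaces on which reverse-path filtering is in effect. The function names and the eth1 sample line are constructed for illustration; folding in conf/all assumes the kernel's documented behaviour of using the larger of the "all" and per-interface values.

```shell
#!/bin/sh
# Added example: flag provider interfaces with reverse-path filtering enabled.
# Input (stdin): dump lines such as
#   /proc/sys/net/ipv4/conf/eno1/rp_filter = 1
# Arguments: the interfaces listed in the providers file.
# Output: "<iface> <effective value>" for each interface whose effective
# rp_filter is non-zero. Exit status is 1 if any were reported, else 0.
rp_filter_on_providers() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        # Keep only rp_filter lines; remember the value per interface.
        $1 ~ "^/proc/sys/net/ipv4/conf/[^/]+/rp_filter$" && $2 == "=" {
            split($1, p, "/")          # p[7] is the interface component
            val[p[7]] = $3 + 0
        }
        END {
            # The kernel validates with max(conf/all, conf/<iface>).
            all = ("all" in val) ? val["all"] : 0
            for (i = 1; i <= n; i++) {
                if (!(w[i] in val)) continue   # interface not in the dump
                eff = (val[w[i]] > all) ? val[w[i]] : all
                if (eff != 0) { print w[i], eff; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed sample input. The eno1 and ppp0 values are the ones quoted in
# the reply above; the all, default and eth1 lines are made up.
sample_dump() {
    cat <<'EOF'
/proc/sys/net/ipv4/conf/all/rp_filter = 0
/proc/sys/net/ipv4/conf/default/rp_filter = 0
/proc/sys/net/ipv4/conf/eno1/rp_filter = 1
/proc/sys/net/ipv4/conf/eth1/rp_filter = 0
/proc/sys/net/ipv4/conf/ppp0/rp_filter = 1
EOF
}
```

Run as `sample_dump | rp_filter_on_providers eno1 ppp0`, or pipe a saved dump in place of `sample_dump`; any interface it prints still has route filtering on.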