Debian/Shorewall routing issues

| No Comments

I've recently deployed a new router running Debian Squeeze and Shorewall. The problem started like this:

I have my network configured with five vlans for different areas (servers, workstations, sandboxing, guests, and DMZ) and a /28 subnet assigned for each zone all the fancy network math done.

Everything worked fine until I had to get machines to talk to the outside world.

Shorewall has configurations for 5 zones (corresponding neatly to the vlans) and a few filtering rules for each one. One is behind NAT and the others all have public addresses for which shorewall handles proxyarp.

With and without shorewall running, the router could ping machines both inside and outside the perimeter. In both cases, machines on the inside of the perimeter couldn't ping machines on the outside, but could ping each other.

Something, clearly, was wrong.

I'm pretty sure I spent at least 6 hours trying everything from verifying the upstream switch configuration to checking sysctl variables (mental note: make sure to enable the .forwarding keys!) to checking arp caches everywhere to even swapping out cables and hardware.

As it turns out, the problem was with shorewall. Since shorewall ultimately ends up making a lot of the routing decisions, a badly configured value will ultimately foobar everything else you work so hard to configure. Just remember that even though every other almost value in shorewall.conf is {Yes|No}, IP_FORWARDING takes {On|Off|Keep}.

This was a most extreme case of not RTFMing closely enough.

Leave a comment

About this Entry

This page contains a single entry by Jeff Kerzner published on December 4, 2010 2:05 AM.

Passenger on Solaris was the previous entry in this blog.

Uploading Files with Drupal 6 is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.