Hi,
I have a Proxmox server with Shorewall installed directly on the Proxmox host. It was working when I used just one public IP and DNAT. But now that I have 7 public IPs, I want to use Proxy ARP and configure the public IPs directly on the VPSs. For some reason I can't get it to work!
If I ping the public IP of a VPS, I get "Destination Host Unreachable" as the answer from Proxmox/Shorewall, so it seems that some routing inside Shorewall is not doing its job.
Does anyone have any ideas?
Thanks!
/Måns
Here are my config files:
/etc/vz/conf/111.conf
IP_ADDRESS="167.99.29.152"
HOSTNAME="web6.domain.com"
NAMESERVER="208.67.220.220 208.67.222.222"
SEARCHDOMAIN="domain.com"
/etc/vz/conf/105.conf
IP_ADDRESS="167.99.29.153"
HOSTNAME="sip8.domain.com"
NAMESERVER="213.133.98.98 213.133.99.99"
SEARCHDOMAIN="domain.com"
/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 176.89.15.203
netmask 255.255.255.224
broadcast 176.89.15.223
gateway 176.89.15.193
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
dmz ipv4
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect proxyarp,blacklist,nosmurfs
dmz venet0 detect routeback
dmz vmbr0 detect routeback,bridge
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
# From Firewall Policy
fw fw ACCEPT
fw net ACCEPT
fw dmz ACCEPT
# From DMZ Policy
dmz dmz ACCEPT
dmz net ACCEPT
dmz fw DROP info
# From Net Policy
net fw DROP info
net dmz DROP info
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# Permit access to SSH
SSH/ACCEPT net fw:176.89.15.203 - - - - 6/min:5
# Permit access to Proxmox Manager and Console
ACCEPT net fw:176.89.15.203 tcp 443,5900:5999
# PING Rules
Ping/ACCEPT all all
ACCEPT net dmz:167.99.29.152 tcp 22,25,80,81,110,143,443,993,995
ACCEPT net dmz:167.99.29.153 tcp 443,3830,5060
ACCEPT net dmz:167.99.29.153 udp 3830,5004:5079,10000:20000
# LAST LINE -- DO NOT REMOVE
/etc/shorewall/proxyarp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
167.99.29.152 vmbr0 eth0 no yes
167.99.29.153 vmbr0 eth0 no yes
/proc/sys/net/ipv4/conf/all/proxy_arp
1
Ping test
vm1:~# ping 167.99.29.152
PING 167.99.29.152 (167.99.29.152) 56(84) bytes of data.
From 176.89.15.203 icmp_seq=1 Destination Host Unreachable
From 176.89.15.203 icmp_seq=2 Destination Host Unreachable
(…)
I have a Proxmox server with Shorewall installed directly on the Proxmox host. It was working when I used just one public IP and DNAT. But now that I have 7 public IPs, I want to use Proxy ARP and configure the public IPs directly on the VPSs. For some reason I can't get it to work!
If I ping the public IP of a VPS, I get "Destination Host Unreachable" as the answer from Proxmox/Shorewall, so it seems that some routing inside Shorewall is not doing its job.
Does anyone have any ideas?
Thanks!
/Måns
Here are my config files:
/etc/vz/conf/111.conf
IP_ADDRESS="167.99.29.152"
HOSTNAME="web6.domain.com"
NAMESERVER="208.67.220.220 208.67.222.222"
SEARCHDOMAIN="domain.com"
/etc/vz/conf/105.conf
IP_ADDRESS="167.99.29.153"
HOSTNAME="sip8.domain.com"
NAMESERVER="213.133.98.98 213.133.99.99"
SEARCHDOMAIN="domain.com"
/etc/network/interfaces
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 176.89.15.203
netmask 255.255.255.224
broadcast 176.89.15.223
gateway 176.89.15.193
auto vmbr0
iface vmbr0 inet static
address 10.254.254.254
netmask 255.0.0.0
broadcast 10.255.255.255
bridge_ports none
bridge_stp off
bridge_fd 0
/etc/shorewall/zones
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
dmz ipv4
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect proxyarp,blacklist,nosmurfs
dmz venet0 detect routeback
dmz vmbr0 detect routeback,bridge
/etc/shorewall/policy
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
# From Firewall Policy
fw fw ACCEPT
fw net ACCEPT
fw dmz ACCEPT
# From DMZ Policy
dmz dmz ACCEPT
dmz net ACCEPT
dmz fw DROP info
# From Net Policy
net fw DROP info
net dmz DROP info
# THE FOLLOWING POLICY MUST BE LAST
#
all all REJECT info
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# Permit access to SSH
SSH/ACCEPT net fw:176.89.15.203 - - - - 6/min:5
# Permit access to Proxmox Manager and Console
ACCEPT net fw:176.89.15.203 tcp 443,5900:5999
# PING Rules
Ping/ACCEPT all all
ACCEPT net dmz:167.99.29.152 tcp 22,25,80,81,110,143,443,993,995
ACCEPT net dmz:167.99.29.153 tcp 443,3830,5060
ACCEPT net dmz:167.99.29.153 udp 3830,5004:5079,10000:20000
# LAST LINE -- DO NOT REMOVE
/etc/shorewall/proxyarp
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
167.99.29.152 vmbr0 eth0 no yes
167.99.29.153 vmbr0 eth0 no yes
/proc/sys/net/ipv4/conf/all/proxy_arp
1
Ping test
vm1:~# ping 167.99.29.152
PING 167.99.29.152 (167.99.29.152) 56(84) bytes of data.
From 176.89.15.203 icmp_seq=1 Destination Host Unreachable
From 176.89.15.203 icmp_seq=2 Destination Host Unreachable
(…)