[Firehol-support] Secondary internet link fails

Daniel L. Miller dmiller at amfes.com
Fri Oct 28 01:38:01 BST 2005

Hi again.

We just contracted with a new ISP, and I wanted to test out the 
connection before canceling our original one (and, just for fun, maybe 
experiment with multiple Internet links).

Unfortunately, my beloved firehol configuration is preventing me from 
using the secondary link.  During a "firehol try", I was able to ping my 
secondary gateway - right up until the final stage of firehol 
execution.  Watching a ping session while constantly re-executing "ps", 
I saw the various iptables commands being executed.  Somewhere around 
the "forward - drop" chain being created, I was then blocked out.

I added a new block of variables for the new interface, then copied some 
existing interface/router stanzas.  I'm not seeing what magic lines 
might be misconfigured:
interface "${EXT_X_IF}" amfes-newisp src not "${UNROUTABLE_IPS} ${LAN_LAN}" dst "${EXT_X_IP}"
        protection strong 100/sec 50
        server ident reject with tcp-reset
        server ping accept log "allow ping"
        client all accept log "client out"

router lan2newisp inface "${LAN_IF}" outface "${EXT_X_IF}" src "${LAN_LAN}" dst not "${UNROUTABLE_IPS}"
        route all accept log "route lan2newisp"

Unless "UNROUTABLE_IPS" is somehow including my new interface?
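One way to answer that question before reloading the firewall, as an added example that is not part of the original post and not firehol's own code: a small POSIX sh script that tests whether an address (the new ISP's gateway, or the address assigned to the new interface) falls inside any CIDR of a list. The list used here is a constructed, shortened stand-in for firehol's UNROUTABLE_IPS (the real list is defined by firehol and is longer), and the gateway address is a constructed sample; on a real host the values to test come from `ip route` and `ip addr`. If the gateway or interface address matches, the `src not "${UNROUTABLE_IPS} ..."` clause in the interface stanza will drop replies from it, which is the symptom described above.

```shell
#!/bin/sh
# Added example (not from the original post or from firehol): check whether an
# IPv4 address lies inside any CIDR of a space-separated list such as the one
# firehol expands UNROUTABLE_IPS into.

# ip4_to_int A.B.C.D -> 32-bit integer (dotted-quad to number)
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP -> exit 0 if IP is inside CIDR (a bare address is /32)
cidr_contains() {
    net=${1%/*}
    bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    ip_int=$(ip4_to_int "$2")
    net_int=$(ip4_to_int "$net")
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# matching_cidr LIST IP -> prints the first CIDR in LIST that contains IP and
# exits 0; prints nothing and exits 1 when no entry matches
matching_cidr() {
    for c in $1; do
        if cidr_contains "$c" "$2"; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# Constructed stand-in for firehol's UNROUTABLE_IPS (the real list is longer).
SAMPLE_UNROUTABLE="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4"

# Constructed sample gateway address; replace with the new link's real gateway
# (from `ip route`) or the address on the new interface (from `ip addr`).
GW_EXAMPLE=192.168.5.20
if m=$(matching_cidr "$SAMPLE_UNROUTABLE" "$GW_EXAMPLE"); then
    echo "$GW_EXAMPLE is inside $m: a 'src not UNROUTABLE_IPS' rule drops traffic from it"
else
    echo "$GW_EXAMPLE is not in the list"
fi
```

If the new link's gateway or assigned address does match (an ISP modem that hands out a private address, for instance), the usual fix is to exclude that specific address or range from the `src not` list for that interface rather than dropping the UNROUTABLE_IPS protection altogether.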