[Firehol-support] Secondary internet link fails

Costa Tsaousis costa at tsaousis.gr
Fri Oct 28 10:14:07 BST 2005

Hi Daniel,

Why don't you just give us a few log lines of packets being dropped?
This will make everything clear...


Daniel L. Miller wrote:

> Hi again.
> We just contracted with a new ISP, and I wanted to test out the 
> connection before canceling our original one (and, just for fun, maybe 
> experiment with multiple Internet links).
> Unfortunately, my beloved firehol configuration is preventing me from 
> using the secondary link.  During a "firehol try", I was able to ping 
> my secondary gateway - right up until the final stage of firehol 
> execution.  Watching a ping session while constantly re-executing 
> "ps", I saw the various iptables commands being executed.  Somewhere 
> around the "forward - drop" chain being created, I was then blocked out.
> I added a new block of variables for the new interface, then copied 
> some existing interface/router stanzas.  I'm not seeing what magic 
> lines might be misconfigured:
> LAN_IF="eth0"
> LAN_LAN=""
> LAN_IP=""
> EXT_X_IF="eth2"
> EXT_X_LAN=""
> EXT_X_IP=""
> interface "${EXT_X_IF}" amfes-newisp src not "${UNROUTABLE_IPS} ${LAN_LAN}" dst "${EXT_X_IP}"
>        protection strong 100/sec 50
>        server ident reject with tcp-reset
>        server ping accept log "allow ping"
>        client all accept log "client out"
> router lan2newisp inface "${LAN_IF}" outface "${EXT_X_IF}" src "${LAN_LAN}" dst not "${UNROUTABLE_IPS}"
>        route all accept log "route lan2newisp"
> Unless "UNROUTABLE_IPS" is somehow including my new interface?
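
The closing question in the quoted message, whether UNROUTABLE_IPS covers the new link, can be tested directly: any address that falls inside the list is excluded by the `src not` / `dst not` conditions in the quoted stanzas. The script below is an added example, not part of either message or of FireHOL; the list and the two addresses are constructed placeholders, so substitute the value your FireHOL version actually defines and the real interface and gateway addresses.

```sh
#!/bin/sh
# Added example: is an IPv4 address covered by a space-separated CIDR list?

# Print the address $1 as a 32-bit integer; fail on anything malformed.
ip_to_int() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -f; set -- $1   # split on dots (subshell body keeps this local)
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in ????*|0?*) exit 1 ;; esac   # too long, or leading zero
        [ "$o" -le 255 ] || exit 1
    done
    echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# Succeed when address $1 lies inside CIDR $2 (a bare address means /32).
# Exit status 2 marks malformed input.
cidr_contains() (
    addr=$(ip_to_int "$1") || exit 2
    case "$2" in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2; len=32 ;;
    esac
    case "$len" in ''|*[!0-9]*|???*|0?*) exit 2 ;; esac
    [ "$len" -le 32 ] || exit 2
    base=$(ip_to_int "$net") || exit 2
    # Arithmetic is 64-bit in bash and dash, so trim the mask after shifting.
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
)

# Print the ranges in list $2 that cover address $1; status 1 if none do.
matching_ranges() {
    hits=""
    for range in $2; do
        if cidr_contains "$1" "$range"; then hits="${hits:+$hits }$range"; fi
    done
    [ -n "$hits" ] && echo "$hits"
}

# Constructed stand-in for the list and for the addresses to test.
SAMPLE_UNROUTABLE="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"
for ip in 192.168.1.1 203.0.113.1; do
    if m=$(matching_ranges "$ip" "$SAMPLE_UNROUTABLE"); then
        echo "$ip is inside: $m"
    else
        echo "$ip is not covered by the list"
    fi
done
```

Run it against both the address assigned to the new interface and the address of the secondary gateway, since either one can be the side that the list excludes.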
