Firewall cannot connect beyond ISP gateway.

javacougar · 05-17-2009, 02:58 PM

Our firewall (debian) currently has 4 public ip addresses (eth0 1.2.3.4, eth0:0 1.2.3.5, eth0:1 1.2.3.8, eth0:2 1.2.3.9) and 3 internal subnets (eth1 10.1.x.x, eth1:0 10.2.x.x, eth2 10.7.x.x). We are experiencing the following two problems which I believe have the same root cause. 1) The firewall cannot access beyond the isp gateway (1.2.3.1). 2) From externally, we can ping eth0 with no trouble, however, pinging the eth0:0, eth0:1 and eth0:2 interfaces have results similar to the following:

Code:

PING 1.2.3.8 (1.2.3.8) 56(84) bytes of data.
64 bytes from 1.2.3.8: icmp_seq=2 ttl=57 time=59.0 ms
64 bytes from 1.2.3.8: icmp_seq=2 ttl=57 time=63.0 ms (DUP!)
64 bytes from 1.2.3.8: icmp_seq=13 ttl=57 time=59.3 ms
64 bytes from 1.2.3.8: icmp_seq=13 ttl=57 time=63.0 ms (DUP!)
64 bytes from 1.2.3.8: icmp_seq=24 ttl=57 time=62.0 ms
64 bytes from 1.2.3.8: icmp_seq=24 ttl=57 time=65.6 ms (DUP!)

I get the feeling that I'm missing something obvious, especially since all traffic on the internal subnets can access externally as normal. Any thoughts or ideas of things to check would be most appreciated. Thanks in advance.

/etc/network/interfaces

Code:

# The loopback network interface
auto lo
iface lo inet loopback

# EXTERNAL INTERFACE

auto eth0
iface eth0 inet static
  address 1.2.3.4
  broadcast 1.2.3.255
  netmask 255.255.252.0
  gateway 1.2.3.1

auto eth0:0
iface eth0:0 inet static
  address 1.2.3.5
  broadcast 1.2.3.255
  netmask 255.255.252.0
  gateway 1.2.3.1

auto eth0:1
iface eth0:1 inet static
  address 1.2.3.8
  broadcast 1.2.3.255
  netmask 255.255.252.0
  gateway 1.2.3.1

auto eth0:2
iface eth0:2 inet static
  address 1.2.3.9
  broadcast 1.2.3.255
  netmask 255.255.252.0
  gateway 1.2.3.1

# INTERNAL INTERFACE

auto eth1
iface eth1 inet static
  address 10.1.1.1
  netmask 255.255.0.0

auto eth1:0
iface eth1:0 inet static
  address 10.2.1.1
  netmask 255.255.0.0

auto eth2
iface eth2 inet static
  address 10.7.1.1
  netmask 255.255.0.0

route -n

Code:

1.2.3.0      0.0.0.0         255.255.252.0   U     0      0        0 eth0
10.2.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.1.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth1
10.7.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         1.2.3.1      0.0.0.0         UG    0      0        0 eth0
0.0.0.0         1.2.3.1      0.0.0.0         UG    0      0        0 eth0
0.0.0.0         1.2.3.1      0.0.0.0         UG    0      0        0 eth0
0.0.0.0         1.2.3.1      0.0.0.0         UG    0      0        0 eth0

Matir · 05-17-2009, 05:33 PM

You have 4 default routes, but at least they all go to the same router. I'd try deleting the 3 extra routes (and 3 extra 'gateway' lines in your interfaces file).

javacougar · 05-17-2009, 11:04 PM

Thanks...making the adjustments to the /etc/network/interfaces has cleared up problem 1. Now the firewall can access the internet just fine, however #2 is still a problem and I cannot ping eth0:1, eth0:2, and eth0:3 without a lot of dropped packets and Dup! packets.

javacougar · 05-18-2009, 05:39 PM

Based on how the symptoms of both problems were the same (dropped and duplicate pings) I suspect that the remaining problem (not being able to access eth0:0 et al) has something to do with routing as that is what was able to fix the first problem. I checked with our ISP and the connection up to the modem is fine, which confirms that it is indeed an issue on the firewall box. Any suggestions?

javacougar · 05-20-2009, 11:42 AM

I rebuilt our firewall on different hardware and now it works fine. Still bugs me that I couldn't figure out where the problem was...oh well.