Hi,

I have set up a box with shorewall and squid working as a transparent proxy. The setup is:

eth0 : local network
eth1 : ISP 1
eth2 : ISP 2

I am currently using eth0 and eth1 and it is working fine. Now I want to use the second ISP configured on eth2 and load balance the bandwidth. I had tried to configure multiple ISPs using entries in the providers file but at that time it did not work. Please guide me to configure multiple ISPs in a step by step method.

Thanks in advance..

Vikas
Can you post the config files that you tried, and where does the squid box live, on the firewall?

Jerry

-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download it for free - -and be entered to win a 42" plasma tv or your very own Sony(tm)PSP.
Click here to play: http://sourceforge.net/geronimo.php
yes, squid is on the firewall itself,
I had put two lines in the provider file:

ISP1 1 1 main eth1 gateway address track,balance
ISP2 2 2 main eth2 gateway address track,balance

do I need to modify some other files.

--Vikas

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, September 27, 2005 6:40 PM
Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Vikas wrote on 27/09/2005 10:13:28:

> yes, squid is on the firewall itself,
> I had put two lines in provider file
> ISP1 1 1 main eth1 gateway address track,balance
> ISP2 2 2 main eth2 gateway address track,balance
>
> do I need to modify some other files.

How is squid configured? Is there a tcp_outgoing_address directive?
I need to configure multiple ISPs first. squid is stopped.
What files do I need to modify??

Regards,
Vikas

----- Original Message -----
From: Eduardo Ferreira
To: shorewall-users@lists.sourceforge.net
Sent: Tuesday, September 27, 2005 6:54 PM
Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup
> yes, squid is on the firewall itself,
> I had put two lines in provider file
> ISP1 1 1 main eth1 gateway address track,balance
> ISP2 2 2 main eth2 gateway address track,balance
>
> do I need to modify some other files.

Maybe, let's start here, with this:

ISP1 1 1 main eth1 <gateway address> track,balance eth0
ISP2 2 2 main eth2 <gateway address> track,balance eth0

Jerry
It seems I was missing the eth0 option in the copy section. Now at least this machine is routing packets. How can I check if it is actually load balancing the links?

Also, one of the links is an E1 and the second is 512 kbps. I want to set priority for the links. Can I set balance=4 for eth1 and balance=1 for eth2?

I really appreciate your help

Vikas

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, September 27, 2005 7:05 PM
Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup
Vikas Khandelwal wrote:
> It seems I was missing eth0 option in the copy section.

I've updated the example in the providers file to include an interface in the COPY column. The documentation and example at http://www.shorewall.net/Shorewall_and_Routing.html had already been updated in that way.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I am not able to run a transparent proxy (squid) in a two ISP setup using shorewall.
Please inform what configuration is required for this setup.

Thanks,
Vikas

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, September 27, 2005 9:08 PM
Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup

-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions, and more.
http://solutions.newsforge.com/ibmarch.tmpl
> I am not able to run transparent proxy (squid) in a two ISP setup using
> shorewall.
> Please inform what configuration is required for this setup.
>
> Thanks,
> Vikas

http://www.shorewall.net/Shorewall_Squid_Usage.html

If you continue to have issues, can you post what you tried, where the proxy is and a "shorewall status" as described at: http://www.shorewall.net/support.htm. I'll have a better idea of what your network layout is like.

Jerry
Hi Jerry,
I have attached the output of shorewall status.
Is there any way I can configure these links as failover links so that the other ISP is used if one of the ISPs is not available?

Thanks for your help.
Vikas

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.sourceforge.net>
Sent: Thursday, September 29, 2005 7:03 PM
Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup
Vikas Khandelwal wrote:
> Hi Jerry,
> I have attached the output of shorewall status.
> Is there any way I can configure these links as failover link so that
> the other ISP is used if one of the ISP is not available?

From http://www.shorewall.net/Shorewall_and_Routing.html ...

------------------------------------------------------------------------
What an Entry in the Providers File Does NOT Do

Given that Shorewall is simply a tool to configure Netfilter and does not run continuously in your system, entries in the providers file do not provide any automatic failover in the event of failure of one of your Internet connections.
------------------------------------------------------------------------

-Tom
I have tested and found that on a ping fail to an ISP gateway I can make a change in the tcrules file to mark all packets to the working ISP. Then restart Shorewall. Then test later and change it back to both. This keeps the outbound working.
I question if this is a good idea. I have yet to put it in production.
Any suggestions.

--john

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Friday, September 30, 2005 9:04 AM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup

--
This mail was scanned by AntiVir Milter.
This product is licensed for non-commercial use.
See www.antivir.de for details.
John Hill wrote:
> I have tested and found that on a ping fail to an isp gateway I can make a
> change in the tcrules file to mark all packets to the working ISP. Then
> restart Shorewall. Then test later and change it back to both. This keeps
> the outbound working.
> I question if this is a good idea. I have yet to put it in production.
> Any suggestions.

To just reload the tcrules file, all that is needed is "shorewall refresh" -- you probably also want to "ip route flush cache" to purge all of the cached routes through the down interface.

The best solution of course is to run a routing daemon but that requires the cooperation of the ISPs involved which generally increases your cost. What you propose is the "poor man's substitute" for the best solution.

-Tom
It's funny telcos seem to offer the least options. BVP4 is out of the question.
Alas, 'I am a poor man!' :-)

--john

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Friday, September 30, 2005 9:24 AM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup
John Hill wrote:
> It's funny telcos seem to offer the least options. BVP4 is out of the
> question.

I suspect you meant *BGP4* -- BVP4 appears to be a "Broadcast Video Processor" which is undoubtedly difficult to get from your Telco :-)

-Tom
Right again! BVP is the vertical ERP provider at work. Sorry! I've been working on BVP problems all morning.
I can't use video anyway, the hand gestures I would be sending them would be less than professional! :-)

--john

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Friday, September 30, 2005 11:29 AM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup
> Hi Jerry,
> I have attached the output of shorewall status.
> Is there any way I can configure these links as failover link so that the
> other ISP is used if one of the ISP is not available?
>
> Thanks for your help.
> Vikas

Is it just me or is this status corrupt? It appears that some of the info is missing.

Jerry
> I have tested and found that on a ping fail to an isp gateway I can make a
> change in the tcrules file to mark all packets to the working ISP. Then
> restart Shorewall. Then test later and change it back to both. This keeps
> the outbound working.
> I question if this is a good idea. I have yet to put it in production.
> Any suggestions.
>
> --john

John:

I *think* all you would need to do is delete, then re-add the fwmark to the working provider's lookup table, then flush the cache. I'd be interested in working with you off list to see what we could come up with. Email me off list if you're interested.

For the failover issue, there are some proc settings that you can play with. http://mailman.ds9a.nl/pipermail/lartc/2002q4/005274.html and the reply is about the best info I could find regarding these settings. If anybody knows of some better documentation of these settings, I'd love to hear from you.

FWIW, I tried changing some of the settings in /proc/sys/net/ipv4/route:

echo 1 > gc_interval
echo 1 > gc_timeout
echo 1 > gc_elasticity
echo 2 > max_delay
echo 1 > min_delay

Just before the test below, I unplugged the nic that had the higher weighted value for the gateway. This appears to speed up the trying of the alternate gateway.

PING mail.gt.ca (216.18.99.22) 56(84) bytes of data.
From 10.50.0.1 icmp_seq=1 Destination Host Unreachable
From 10.50.0.1 icmp_seq=2 Destination Host Unreachable
From 10.50.0.1 icmp_seq=3 Destination Host Unreachable
From 10.50.0.1 icmp_seq=5 Destination Host Unreachable
From 10.50.0.1 icmp_seq=6 Destination Host Unreachable
From 10.50.0.1 icmp_seq=7 Destination Host Unreachable
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=8 ttl=56 time=57.7 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=9 ttl=56 time=58.4 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=10 ttl=56 time=59.3 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=11 ttl=56 time=59.6 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=12 ttl=56 time=54.9 ms
64 bytes from mail.gt.ca (216.18.99.22): icmp_seq=13 ttl=56 time=56.0 ms

Before this, it seemed to take 'forever' to try the alternate gateway. This is not by any means conclusive, just me playing around and my observations. If you find that changing these settings works for you, I'd like to hear, off list, about what you tried. Use at your own risk, you've been warned.

Jerry
John,

Would u mind sharing your script(s) that implement what u've mentioned for fail-over?

-- Aaron

On Fri, 2005-30-09 at 09:14 -0500, John Hill wrote:
> I have tested and found that on a ping fail to an isp gateway I can make a
> change in the tcrules file to mark all packets to the working ISP. Then
> restart Shorewall. Then test later and change it back to both. This keeps
> the outbound working.
> I question if this is a good idea. I have yet to put it in production.
> Any suggestions.
>
> --john
Sure,
Let me clean them up and I'll post them. I need to add a few things and explain what I'm doing.

--john

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Aaron O'Hara
> Sent: Friday, September 30, 2005 1:23 PM
> To: shorewall-users@lists.sourceforge.net
> Subject: RE: [Shorewall-users] shorewall + Squid + Two ISP setup
Here is the script.
It is not pretty. I am open to any suggestions.
A line to send an email could be added.

You need to create a tcrules file that has the proper packet markings per the 2 ISP shorewall instructions.

Copy it to tcrules.both. Then edit out isp2 and save as tcrules.isp1, and another edit out isp1 and save as tcrules.isp2.

This works here. We have not had many real world problems to test it on.

PLEASE TEST THIS BEFORE USING!!!!!

--John

#!/bin/sh

SWDIR=/etc/shorewall            # shorewall directory
WKDIR=/root/cronscripts         # working directory for semaphores
G_ISP1=xxx.xxx.xxx.xxx          # what to ping for isp1
G_ISP2=xxx.xxx.xxx.xxx          # what to ping for isp2
PINGCT=2                        # ping count

# PingGateway <address to ping> <name of this isp> <name of the other isp>
PingGateway() {
    ping -c "$PINGCT" "$1"
    if [ $? != 0 ] ; then                               # Failed
        cp "$SWDIR/tcrules.$3" "$SWDIR/tcrules"         # swap gateway
        touch "$WKDIR/failed.$2"                        # semaphore for down gateway
        shorewall refresh                               # read configs
        ip route flush cache                            # flush routes
    else                                                # Passed
        if [ -f "$WKDIR/failed.$2" ]; then              # check for previous failure
            rm "$WKDIR/failed.$2"                       # delete semaphore
            cp "$SWDIR/tcrules.both" "$SWDIR/tcrules"   # return to both
            shorewall refresh
            ip route flush cache
        fi
    fi
}

# script starts here
PingGateway "$G_ISP1" isp1 isp2
PingGateway "$G_ISP2" isp2 isp1
exit
Vikas Khandelwal wrote:
> I have attached the output of shorewall status.

Vikas:

From your "shorewall status":

Sep 30 10:31:01 rfc1918:DROP:IN=eth2 OUT= SRC=192.168.100.192 DST=255.255.255.255 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=31892 PROTO=UDP SPT=1807 DPT=14010 LEN=84
Sep 30 10:31:01 rfc1918:DROP:IN=eth1 OUT= SRC=192.168.100.192 DST=255.255.255.255 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=31892 PROTO=UDP SPT=1807 DPT=14010 LEN=84

This indicates that traffic from 192.168.100.192 is appearing on both eth1 and eth2. Yet:

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:13:20:49:42:62 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.17/21 brd 192.168.103.255 scope global eth0
    inet6 fe80::213:20ff:fe49:4262/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:95:f2:cc:e5 brd ff:ff:ff:ff:ff:ff
    inet 202.56.224.94/29 brd 202.56.224.95 scope global eth1
    inet6 fe80::211:95ff:fef2:cce5/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:95:f2:cc:e2 brd ff:ff:ff:ff:ff:ff
    inet 203.129.192.78/28 brd 203.129.192.79 scope global eth2
    inet6 fe80::211:95ff:fef2:cce2/64 scope link
       valid_lft forever preferred_lft forever

This indicates that 192.168.96.0/21 is attached to eth0!!!!

Do you have eth0, eth1 and eth2 all connected to the same switch? If not, what is the explanation for the traffic being logged?

-Tom
Hi Tom,
Yes, all NICs are connected on the same switch. Currently using this box in a testing environment only.

--Vikas

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@lists.sourceforge.net>
Sent: Saturday, October 01, 2005 3:34 AM
Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup
Vikas Khandelwal wrote:
> Hi Tom,
> Yes, all NIC are connected on the same switch. currently using this box
> in testing environment only.

The following is included in MANY articles within the Shorewall documentation (this one is from the Troubleshooting Guide which you should have read carefully before posting a problem report):

---------------------------------------------------------------------------
Many times when people have problems with Shorewall, the problem is actually an ill-conceived network setup. Here are several popular snafus:

...

- Multiple interfaces connected to the same HUB or Switch. Given the way that the Linux kernel responds to ARP "who-has" requests, this type of setup does NOT work the way that you expect it to. If you are running Shorewall version 1.4.7 or later, you can test using this kind of configuration if you specify the arp_filter option in /etc/shorewall/interfaces for all interfaces connected to the common hub/switch. Using such a setup with a production firewall is strongly recommended against.
----------------------------------------------------------------------------

That won't stop the broadcast packets from being logged due to 'norfc1918' (you might want to remove those options temporarily) but it will stop many other confusing problems.

-Tom
John Hill wrote:
> Here is the script.
>
> PingGateway() {
> ping -c $PINGCT $1
> if [ $? != 0 ] ; then # Failed
> cp $SWDIR/tcrules.$3 $SWDIR/tcrules # swap gateway
> touch $WKDIR/failed.$2 # semafore for down gateway
> shorewall refresh # read configs

Beware that I discovered yesterday that 'shorewall refresh' is currently broken with respect to multiple providers and the 'track' option. Best use 'restart' for the time being.

-Tom
Tom Eastep wrote:
> Beware that I discovered yesterday that 'shorewall refresh' is currently
> broken with respect to multiple providers and the 'track' option. Best
> use 'restart' for the time being.

I'll have a fix out later today -- need to test it first. The 'fix' in 2.5.7 and in the SHOREWALL_2_4 CVS branch is wrong.

-Tom
Restart is what I was doing.
This seems to work, do you see any other gotchas?

--john

> -----Original Message-----
> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Wednesday, October 05, 2005 10:04 AM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup
John Hill wrote:
> Restart is what I was doing.
> This seems to work, do you see any other gotchas?

No.

-Tom
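Pulling the thread together (Tom's "shorewall refresh" plus "ip route flush cache" recipe, John's probe-and-swap script, and Tom's later caveat that refresh is broken with 'track' so restart must be used), here is an added example of the same poor man's failover written the way a cron job should be: the decision about which tcrules variant to use is a pure function, the firewall is only restarted when that decision changes, and a lock stops two runs from restarting Shorewall at once. This is our code, not John's script and not anything shipped by Shorewall; it assumes, like the thread, that tcrules.both, tcrules.isp1 and tcrules.isp2 exist under /etc/shorewall, and the gateway addresses are placeholders from the TEST-NET ranges.

```shell
#!/bin/sh
# Added example, not John's script or Shorewall's: the "poor man's failover"
# from this thread (probe each ISP gateway, swap in the tcrules variant that
# marks all traffic for the surviving link, restart Shorewall, flush the route
# cache), restructured so the decision is a pure function and Shorewall is
# only restarted when the state actually changes.
# Assumptions (hypothetical, mirroring the thread): $SWDIR holds
# tcrules.both, tcrules.isp1 and tcrules.isp2; gateway addresses are
# placeholders (TEST-NET), not real ISPs.

SWDIR=${SWDIR:-/etc/shorewall}
STATEDIR=${STATEDIR:-/var/run/isp-failover}   # remembers the variant in force
G_ISP1=${G_ISP1:-192.0.2.1}                    # placeholder: ISP1 gateway
G_ISP2=${G_ISP2:-198.51.100.1}                 # placeholder: ISP2 gateway
PINGCT=${PINGCT:-2}
DRY_RUN=${DRY_RUN:-0}                          # 1 = report only, do not touch the firewall

# probe GATEWAY -> 0 if it answers, 1 if not (ping output is noise in cron mail)
probe() {
    ping -c "$PINGCT" -W 2 "$1" >/dev/null 2>&1
}

# choose_rules UP1 UP2 -> name of the tcrules variant for this state.
# With both links down there is nothing to fail over to, so the balanced
# rules stay in place rather than pinning all traffic to one dead link.
choose_rules() {
    case "$1$2" in
        10) echo isp1 ;;
        01) echo isp2 ;;
        *)  echo both ;;
    esac
}

# current_variant -> variant recorded by the last run ("both" if none yet)
current_variant() {
    cat "$STATEDIR/current" 2>/dev/null || echo both
}

# apply VARIANT: swap the rules file and restart only when the state changed.
# 'shorewall restart' rather than 'refresh', per Tom's note about 'track'.
apply() {
    variant=$1
    current=$(current_variant)
    if [ "$variant" = "$current" ]; then
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "would switch $current -> $variant"
    else
        [ -f "$SWDIR/tcrules.$variant" ] || return 1
        cp "$SWDIR/tcrules.$variant" "$SWDIR/tcrules" || return 1
        shorewall restart || return 1
        ip route flush cache
    fi
    printf '%s\n' "$variant" > "$STATEDIR/current"
}

main() {
    mkdir -p "$STATEDIR"
    # mkdir as a lock: two overlapping cron runs must not restart Shorewall at once
    if ! mkdir "$STATEDIR/lock" 2>/dev/null; then
        echo "another run is in progress" >&2
        return 1
    fi
    trap 'rmdir "$STATEDIR/lock"' EXIT
    up1=0; up2=0
    probe "$G_ISP1" && up1=1
    probe "$G_ISP2" && up2=1
    apply "$(choose_rules "$up1" "$up2")"
}

# Run the check only when invoked as "isp-failover.sh check" (e.g. from cron),
# so sourcing the file for its functions has no side effects.
if [ "${1:-}" = check ]; then
    main
fi
```

Run it from cron every minute or two as `isp-failover.sh check`; set `DRY_RUN=1` first to watch what it would do. Because the state file is consulted before anything is touched, a link that stays down produces one restart, not one per cron tick, and the return to balanced rules is likewise a single restart once the gateway answers again.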