KP Kirchdoerfer
2009-Dec-12 17:41 UTC
shorewall 4.0 multi-isp unreliable InternetConnection
Hi;

I've tried to set up multi-isp with two ppp connections and have been
successful - somehow.

Accessing the Server behind the fw works and the connection speed is
sufficient.
Accessing the net from inside is slow and unreliable - just as if clampmss
had been set to "no", which is not the case.

I've attached the dump, hopefully I missed just a small step while working
through the guides.

TIA
kp

------------------------------------------------------------------------------
Return on Information: Google Enterprise Search pays you back
Get the facts.
http://p.sf.net/sfu/google-dev2dev
Tom Eastep
2009-Dec-12 18:55 UTC
Re: shorewall 4.0 multi-isp unreliable InternetConnection
KP Kirchdoerfer wrote:
> Hi;
>
> I've tried to set up multi-isp with two ppp connections and have been
> successful - somehow.
>
> Accessing the Server behind the fw works and the connection speed is
> sufficient.
> Accessing the net from inside is slow and unreliable - just as if clampmss
> had been set to "no", which is not the case.

What does 'from inside' mean? From the 'loc' zone?

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
KP Kirchdoerfer
2009-Dec-12 19:19 UTC
Re: shorewall 4.0 multi-isp unreliable InternetConnection
On Saturday, 12 December 2009 19:55:35, Tom Eastep wrote:
> KP Kirchdoerfer wrote:
> > Hi;
> >
> > I've tried to set up multi-isp with two ppp connections and have been
> > successful - somehow.
> >
> > Accessing the Server behind the fw works and the connection speed is
> > sufficient.
> > Accessing the net from inside is slow and unreliable - just as if clampmss
> > had been set to "no", which is not the case.
>
> What does 'from inside' mean? From the 'loc' zone?

Sorry;

yes, the 'loc' zone is meant; for legacy reasons it's called 'dmz' in my setup
files.

kp
Tom Eastep
2009-Dec-12 19:30 UTC
Re: shorewall 4.0 multi-isp unreliable InternetConnection
Tom Eastep wrote:
> KP Kirchdoerfer wrote:
>> Hi;
>>
>> I've tried to set up multi-isp with two ppp connections and have been
>> successful - somehow.
>>
>> Accessing the Server behind the fw works and the connection speed is
>> sufficient.
>> Accessing the net from inside is slow and unreliable - just as if clampmss
>> had been set to "no", which is not the case.
>
> What does 'from inside' mean? From the 'loc' zone?

Hmmm -- it appears that 'loc' is empty. So that can't be what you mean...

-Tom
Tom Eastep
2009-Dec-13 17:00 UTC
Re: shorewall 4.0 multi-isp unreliable InternetConnection
KP Kirchdoerfer wrote:
> On Saturday, 12 December 2009 19:55:35, Tom Eastep wrote:
>> KP Kirchdoerfer wrote:
>>> Hi;
>>>
>>> I've tried to set up multi-isp with two ppp connections and have been
>>> successful - somehow.
>>>
>>> Accessing the Server behind the fw works and the connection speed is
>>> sufficient.
>>> Accessing the net from inside is slow and unreliable - just as if clampmss
>>> had been set to "no", which is not the case.
>> What does 'from inside' mean? From the 'loc' zone?
>
> Sorry;
>
> yes, the 'loc' zone is meant; for legacy reasons it's called 'dmz' in my setup
> files.

Does 'ip route ls cache' show the correct MTU on routes out of ppp0 and ppp1?
(note that the two links have *different MTUs*)

-Tom
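The MTU check Tom asks for, as an added example that is not part of the thread: a POSIX shell function that parses old-style `ip route ls cache` output and flags every cached route whose per-route `mtu` differs from the MTU of the ppp link it leaves on. Only the interface names ppp0/ppp1 come from the thread; the MTU values, addresses and the route-cache text are constructed, and `check_route_mtu`/`count_mtu_mismatches` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of old-style 'ip route ls cache' output (2.6-era kernel):
# each cached route spans two lines, the indented one carrying the route's mtu.
SAMPLE_CACHE='192.0.2.10 from 10.0.0.5 via 203.0.113.1 dev ppp0  src 203.0.113.2
    cache  mtu 1492 advmss 1452 hoplimit 64
198.51.100.7 from 10.0.0.5 via 198.18.0.1 dev ppp1  src 198.18.0.2
    cache  mtu 1492 advmss 1452 hoplimit 64
192.0.2.20 from 10.0.0.9 via 198.18.0.1 dev ppp1  src 198.18.0.2
    cache  mtu 1500 advmss 1460 hoplimit 64'

# check_route_mtu "dev:mtu dev:mtu ..." < route-cache-text
# Prints "dst dev have want" for each cached route whose mtu disagrees with the
# expected MTU of its outgoing link; prints nothing when all routes agree.
# Routes on links not listed in the expected table are ignored.
check_route_mtu() {
    awk -v expected="$1" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, ":")
                want[kv[1]] = kv[2]
            }
        }
        # First line of an entry: remember destination and outgoing device.
        /^[^ ]/ {
            dst = $1; dev = ""; have = ""
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            next
        }
        # Indented "cache" line: compare its mtu with the link MTU we expect.
        /^ +cache/ {
            for (i = 1; i <= NF; i++) if ($i == "mtu") have = $(i + 1)
            if ((dev in want) && have != want[dev])
                printf "%s %s %s %s\n", dst, dev, have, want[dev]
        }
    '
}

# count_mtu_mismatches "dev:mtu ..." < route-cache-text: number of bad routes.
count_mtu_mismatches() {
    check_route_mtu "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample; on a live 2.6-era box pipe the real
# 'ip route ls cache' output instead (the route cache was removed in Linux 3.6).
printf '%s\n' "$SAMPLE_CACHE" | check_route_mtu "ppp0:1492 ppp1:1500"
```

With the sample above the only line printed is the second route, which leaves via ppp1 with a cached mtu of 1492 although that link is expected to carry 1500.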
KP Kirchdoerfer
2009-Dec-13 18:29 UTC
Re: shorewall 4.0 multi-isp unreliable InternetConnection
On Sunday, 13 December 2009 18:00:38, Tom Eastep wrote:
> KP Kirchdoerfer wrote:
> > On Saturday, 12 December 2009 19:55:35, Tom Eastep wrote:
> >> KP Kirchdoerfer wrote:
> >>> Hi;
> >>>
> >>> I've tried to set up multi-isp with two ppp connections and have been
> >>> successful - somehow.
> >>>
> >>> Accessing the Server behind the fw works and the connection speed is
> >>> sufficient.
> >>> Accessing the net from inside is slow and unreliable - just as if clampmss
> >>> had been set to "no", which is not the case.
> >>
> >> What does 'from inside' mean? From the 'loc' zone?
> >
> > Sorry;
> >
> > yes, the 'loc' zone is meant; for legacy reasons it's called 'dmz' in my setup
> > files.
>
> Does 'ip route ls cache' show the correct MTU on routes out of ppp0 and
> ppp1? (note that the two links have *different MTUs*)
>

Tom;

yes, the MTUs are correct. And the pb seems to have been solved a few hrs ago.

First I made sure I have the masq file exactly as in the multi-ISP docs,
which is somewhat different from my previous setup with only one line.
And I followed a short note in a previous mail you wrote - the 'empty loc
zone'. I removed the empty zone and all rules to/from that zone, and after
restarting all connections, including those from dmz, run as fast as
expected.

I wasn't aware that an empty zone can cause that much harm.

Thanks for your help.

kp
Tom Eastep
2009-Dec-13 18:50 UTC
Re: shorewall 4.0 multi-isp unreliable InternetConnection
KP Kirchdoerfer wrote:
> On Sunday, 13 December 2009 18:00:38, Tom Eastep wrote:
>> KP Kirchdoerfer wrote:
>>> On Saturday, 12 December 2009 19:55:35, Tom Eastep wrote:
>>>> KP Kirchdoerfer wrote:
>>>>> Hi;
>>>>>
>>>>> I've tried to set up multi-isp with two ppp connections and have been
>>>>> successful - somehow.
>>>>>
>>>>> Accessing the Server behind the fw works and the connection speed is
>>>>> sufficient.
>>>>> Accessing the net from inside is slow and unreliable - just as if clampmss
>>>>> had been set to "no", which is not the case.
>>>> What does 'from inside' mean? From the 'loc' zone?
>>> Sorry;
>>>
>>> yes, the 'loc' zone is meant; for legacy reasons it's called 'dmz' in my setup
>>> files.
>> Does 'ip route ls cache' show the correct MTU on routes out of ppp0 and
>> ppp1? (note that the two links have *different MTUs*)
>>
>
> Tom;
>
> yes, the MTUs are correct. And the pb seems to have been solved a few hrs ago.
>
> First I made sure I have the masq file exactly as in the multi-ISP docs,
> which is somewhat different from my previous setup with only one line.
> And I followed a short note in a previous mail you wrote - the 'empty loc
> zone'. I removed the empty zone and all rules to/from that zone, and after
> restarting all connections, including those from dmz, run as fast as
> expected.
>
> I wasn't aware that an empty zone can cause that much harm.

Other than slowing down 'start' and 'restart', it should have had no effect.
Similarly, the changes you made to the masq file should only affect
connections originating on the firewall itself.

At any rate, I'm glad to hear that the problem appears solved.

-Tom