4 days without a post -- I'm suffering Shorewall Support Withdrawal :-)

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
------------------------------------------------------------------------------
Great work, Tom,

While things are quiet... I went live with no Shorewall experience as our systems admin had built the initial Shorewall setup. Then when we upgraded our internet to dual providers I made a minimum change in that I added the second provider as a sub interface of the interface with the primary provider and this has been working for over six months.

Our Environment:
We utilise DNAT and conntrack.
Internet traffic could be in via provider A or B and out via provider A or B. (Asymmetric routing)
Provider B is a layer two peering point so the Quagga routing table contains ~50 different next hops.

Should I stay with this setup or do you recommend following http://www.shorewall.net/MultiISP.html ?

After reading "Shorewall includes limited support for multiple Internet connections. Limitations of this support are as follows:
* It utilizes static routing configuration. If there is a change in the routing topology, Shorewall must be restarted."
I prefer staying with my current setup.

Kind regards,
Trent O'Callaghan
Here, I'll help. My tc is behaving weirdly.

My router had to get updated early (debian 5) and now everything is more or less working (a hard drive died), so I updated to the latest shorewall 4.4.9 and my kernel is now 2.6.32-bpo.4-amd64. I haven't built ipp2p yet nor ipset matching, but I have plans to. The TC works almost flawlessly now! Every day when comcast changes my upstream bandwidth, I have to re-calculate my speed and restart shorewall, but once it's properly calibrated for the hour, it works perfectly.

Right now I have transmission running full speed with downloads and uploads, and I still get ~70msec pings and 800-1200kbit upload speeds to my test server of choice. (4k up is broken into 2k for transmission, and 2k to split between the other services.)

It looks like all my traffic is getting sent to the wrong class (or is it mark? I'm still not sure), yet somehow I'm getting satisfactory performance anyway..
http://pastebin.com/vuevjvmc

Tom Eastep wrote:
> 4 days without a post -- I'm suffering Shorewall Support Withdrawal :-)
>
> -Tom
On Tuesday 18 May 2010 at 22:38 -0700, Christ Schlacta wrote:
> Here, I'll help. My tc is behaving weirdly.
>
> My router had to get updated early (debian 5) and now everything is more
> or less working (a hard drive died), so I updated to the latest shorewall
> 4.4.9 and my kernel is now 2.6.32-bpo.4-amd64. I haven't built ipp2p
> yet nor ipset matching, but I have plans to. The TC works almost
> flawlessly now! Every day when comcast changes my upstream bandwidth, I
> have to re-calculate my speed and restart shorewall, but once it's
> properly calibrated for the hour, it works perfectly.
>
> Right now I have transmission running full speed with downloads and
> uploads, and I still get ~70msec pings and 800-1200kbit upload speeds to
> my test server of choice. (4k up is broken into 2k for transmission,
> and 2k to split between the other services.)
>
> It looks like all my traffic is getting sent to the wrong class (or is
> it mark? I'm still not sure), yet somehow I'm getting satisfactory
> performance anyway..
> http://pastebin.com/vuevjvmc
>

As I understand, 10.0.0.161 is your Transmission host. You may move the marking rule into tcfor, or it will reset to 0 (*) entering FORWARD:

    3:F    10.0.0.161    0.0.0.0/0    all

Unless the CABAL server (?) is your router, I would do the same:

    4:F    10.0.0.0/24    0.0.0.0/0    tcp    38113

You can monitor current classes utilization with

    watch tc -s class show dev <yournetdev>

It will quickly show you any problem with classifying by looking at rate values.

* I hardly understand this rule, is it related with routing tables handling?

Christophe

> Tom Eastep wrote:
> > 4 days without a post -- I'm suffering Shorewall Support Withdrawal :-)
> >
> > -Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
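One way to read the `tc -s class show` counters Christophe points at, as an added example that is not from the thread or from Shorewall: parse each class block into its configured rate/ceil and live counters, then report which leaf class is actually carrying the traffic and which leaf never saw a packet (the sign that a mark or classify rule never fires). The sample output, class ids and rates below are constructed.

```python
import re

# Constructed sample of `tc -s class show dev eth0` output (not from the thread).
# 1:11 is meant for BitTorrent, 1:13 is the default class; nearly all traffic lands in 1:13.
SAMPLE_TC_OUTPUT = """\
class htb 1:1 root rate 4000Kbit ceil 4000Kbit burst 1600b cburst 1600b
 Sent 9840112 bytes 9120 pkt (dropped 37, overlimits 1200 requeues 0)
 rate 1980Kbit 210pps backlog 0b 0p requeues 0
class htb 1:11 parent 1:1 leaf 11: prio 2 rate 2000Kbit ceil 4000Kbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
class htb 1:12 parent 1:1 leaf 12: prio 1 rate 1000Kbit ceil 4000Kbit burst 1600b cburst 1600b
 Sent 61440 bytes 512 pkt (dropped 0, overlimits 0 requeues 0)
 rate 24Kbit 12pps backlog 0b 0p requeues 0
class htb 1:13 parent 1:1 leaf 13: prio 3 rate 1000Kbit ceil 4000Kbit burst 1600b cburst 1600b
 Sent 9778672 bytes 8608 pkt (dropped 37, overlimits 1200 requeues 0)
 rate 1956Kbit 198pps backlog 0b 0p requeues 0
"""
_UNITS = {"bit": 1, "Kbit": 10**3, "Mbit": 10**6, "Gbit": 10**9}

def to_bps(value):
    """Convert a tc rate token such as '1956Kbit' to bits per second."""
    num, unit = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?bit)", value).groups()
    return int(float(num) * _UNITS[unit])

def parse_tc_classes(text):
    """Map each class id to its configured rate/ceil and its live counters."""
    classes, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"class \w+ (\S+) .*?\brate (\S+) ceil (\S+)", line)
        if head:  # first line of a class block: configured parameters
            cur = {"leaf": " leaf " in line, "rate": to_bps(head.group(2)),
                   "ceil": to_bps(head.group(3)), "sent_bytes": 0, "dropped": 0, "cur_rate": 0}
            classes[head.group(1)] = cur
        elif cur is None:
            continue
        elif (m := re.match(r"\s*Sent (\d+) bytes \d+ pkt \(dropped (\d+)", line)):
            cur["sent_bytes"], cur["dropped"] = int(m.group(1)), int(m.group(2))
        elif (m := re.match(r"\s*rate (\S+) \d+pps", line)):
            cur["cur_rate"] = to_bps(m.group(1))  # the live rate value to watch
    return classes

def busiest_leaf(classes):
    """Leaf class currently carrying the most traffic."""
    leaves = [c for c in classes if classes[c]["leaf"]]
    return max(leaves, key=lambda c: classes[c]["cur_rate"])

def idle_leaves(classes):
    """Leaf classes that never saw a packet: their mark/classify rule never fires."""
    return sorted(c for c in classes if classes[c]["leaf"] and not classes[c]["sent_bytes"])
```

Run it against the live output (`tc -s class show dev eth0 | python3 -c ...`) and a busy default class next to an idle dedicated class points straight at the rule that is not matching.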
On 5/18/10 9:09 PM, Trent O'Callaghan wrote:
>
> Should I stay with this setup or do you recommend following
> http://www.shorewall.net/MultiISP.html ?

So long as it is working to your satisfaction, I see no reason to change.

Regards,
-Tom
On Wed 19 May 2010 04:51:42 CEST, Tom Eastep wrote:
> 4 days without a post -- I'm suffering Shorewall Support Withdrawal :-)

Not, I need more help. When shorewall is in multiisp setup can it then add default route for the specific isp?

example:

    whois 80.166.0.0
    % Information related to '80.160.0.0/13AS3292'
    route: 80.160.0.0/13

I like to add this route to my kernel based route, so routes goes more direct if destination ip is on one of my isps route, all else just balance, or use available.

What do I need to do in shorewall for this?

--
xpoint
On 05/18/2010 11:51 PM, Tom Eastep wrote:
> 4 days without a post -- I'm suffering Shorewall Support Withdrawal :-)
>
> -Tom

Hi Tom, now that you mentioned it :)...

Since shorewall-4.4.5, MODULE_SUFFIX is taken into consideration for module loading. In default shorewall.conf file, it is defined as MODULE_SUFFIX=ko, so by default it will only attempt to load .ko modules.

Is it still necessary to define it as 'ko' only by default? From what I understood, if this setting is left blank, the suffixes 'o gz ko o.gz ko.gz' will be probed automatically.

--
Eugeni Dodonov
On 5/19/10 8:04 AM, Eugeni Dodonov wrote:
> Is it still necessary to define it as 'ko' only by default? From what I
> understood, if this setting is left blank, the suffixes 'o gz ko o.gz
> ko.gz' will be probed automatically.
>

The run-time cost of each additional suffix is very high, especially if LOAD_HELPERS_ONLY=No. Setting the default to 'ko' dramatically speeds up start/restart on slow hardware.

-Tom
On 5/19/10 6:29 AM, Benny Pedersen wrote:
> On Wed 19 May 2010 04:51:42 CEST, Tom Eastep wrote:
>
>> 4 days without a post -- I'm suffering Shorewall Support Withdrawal :-)
>
> Not, I need more help. When shorewall is in multiisp setup can it then
> add default route for the specific isp?
>
> example:
>
> whois 80.166.0.0
> % Information related to '80.160.0.0/13AS3292'
> route: 80.160.0.0/13
>
> I like to add this route to my kernel based route, so routes goes more
> direct if destination ip is on one of my isps route, all else just
> balance, or use available.
>
> What do I need to do in shorewall for this?
>

Add an entry for the network in /etc/shorewall/route_rules.

-Tom
On Wed 19 May 2010 17:09:25 CEST, Tom Eastep wrote:
> Add an entry for the network in /etc/shorewall/route_rules.

Solved with a mod of example 2:

    #eth1          -                Comcast    1000
    -              80.160.0.0/13    myisp1     1000
    -              xx.xxx.0.0/15    myisp2     1000

tcptraceroute shows it works for me, and route from outside is still working.

Super, thanks. Got 2.6.34 kernel now as well, time for a beer :)

--
xpoint
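To make the behaviour of those route_rules entries concrete, here is an added model of how the kernel's policy routing database evaluates them (example code, not Shorewall's own implementation): entries are tried in ascending PRIORITY order, the first one whose SOURCE and DEST both match wins, and a destination no entry covers falls back to the balanced default route. The file below is constructed; the provider names, the second prefix and the host-specific entry are assumptions, and only `-` and addresses/networks are handled in the SOURCE column (Shorewall also accepts interface names there).

```python
import ipaddress

# Constructed /etc/shorewall/route_rules content in Shorewall's column order.
# Provider names, 10.20.0.0/15 and the 10.0.0.7 entry are assumptions.
ROUTE_RULES = """\
#SOURCE     DEST             PROVIDER    PRIORITY
-           80.160.0.0/13    myisp1      1000
-           10.20.0.0/15     myisp2      1000
10.0.0.7    -                myisp2      900
"""

def parse_route_rules(text):
    """Turn route_rules lines into (priority, source_net, dest_net, provider) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        source, dest, provider, priority = line.split()
        rules.append((int(priority),
                      None if source == "-" else ipaddress.ip_network(source, strict=False),
                      None if dest == "-" else ipaddress.ip_network(dest, strict=False),
                      provider))
    # ip rule evaluates the lowest priority first; sorted() is stable, so entries
    # sharing a priority keep file order (an assumption of this model).
    return sorted(rules, key=lambda r: r[0])

def select_provider(rules, src, dst, default="balanced"):
    """First matching rule wins; otherwise the balanced default route is used."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, s_net, d_net, provider in rules:
        if (s_net is None or src in s_net) and (d_net is None or dst in d_net):
            return provider
    return default
```

The whois answer in the thread (80.160.0.0/13) covers 80.166.0.0, so traffic to it leaves via myisp1, while a host with its own lower-priority entry is pinned to its provider before the destination rules are consulted.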
Thanks Christophe, I tried adding the :F to the rules for mark 3 and mark 4. The CABAL isn't a server, it's a client, but we had some issues with browsing (mark 2) clobbering gaming (mark 2 as well at the time, now mark 4), so we added a mark 4 entry for cabal, now cabal runs fine.

I added :F as you suggested to the two rules, but now it still doesn't work, and all my bt traffic is still getting dumped into 10:11

The configs are still the same as my previous paste with the addition of :F
http://pastebin.com/vuevjvmc

Christophe wrote:
> On Tuesday 18 May 2010 at 22:38 -0700, Christ Schlacta wrote:
>> Here, I'll help. My tc is behaving weirdly.
>>
>> My router had to get updated early (debian 5) and now everything is more
>> or less working (a hard drive died), so I updated to the latest shorewall
>> 4.4.9 and my kernel is now 2.6.32-bpo.4-amd64. I haven't built ipp2p
>> yet nor ipset matching, but I have plans to. The TC works almost
>> flawlessly now! Every day when comcast changes my upstream bandwidth, I
>> have to re-calculate my speed and restart shorewall, but once it's
>> properly calibrated for the hour, it works perfectly.
>>
>> Right now I have transmission running full speed with downloads and
>> uploads, and I still get ~70msec pings and 800-1200kbit upload speeds to
>> my test server of choice. (4k up is broken into 2k for transmission,
>> and 2k to split between the other services.)
>>
>> It looks like all my traffic is getting sent to the wrong class (or is
>> it mark? I'm still not sure), yet somehow I'm getting satisfactory
>> performance anyway..
>> http://pastebin.com/vuevjvmc
>>
> As I understand, 10.0.0.161 is your Transmission host. You may move the
> marking rule into tcfor, or it will reset to 0 (*) entering FORWARD:
> 3:F 10.0.0.161 0.0.0.0/0 all
> Unless the CABAL server (?) is your router, I would do the same:
> 4:F 10.0.0.0/24 0.0.0.0/0 tcp 38113
>
> You can monitor current classes utilization with
> watch tc -s class show dev <yournetdev>
> It will quickly show you any problem with classifying by looking at rate
> values.
>
> * I hardly understand this rule, is it related with routing tables
> handling?
>
> Christophe
>
>> Tom Eastep wrote:
>>> 4 days without a post -- I'm suffering Shorewall Support Withdrawal :-)
>>>
>>> -Tom
On 5/19/10 2:33 PM, Christ Schlacta wrote:
> Thanks Christophe, I tried adding the :F to the rules for mark 3 and
> mark 4. The CABAL isn't a server, it's a client, but we had some issues
> with browsing (mark 2) clobbering gaming (mark 2 as well at the time,
> now mark 4), so we added a mark 4 entry for cabal, now cabal runs fine.
>
> I added :F as you suggested to the two rules, but now it still doesn't
> work, and all my bt traffic is still getting dumped into 10:11
>
> The configs are still the same as my previous paste with the addition of
> :F http://pastebin.com/vuevjvmc
>

Without seeing the current output of 'shorewall show mangle' and 'shorewall show tc', we can't be of much help.

-Tom
Aah, I made a few changes, now it's using classify, and everything seems to be working almost perfectly. I decided to try it, and it seems to have fixed it.

On 5/19/2010 15:38, Tom Eastep wrote:
> 'shorewall show tc', we can't be of much help.