Hi,
I have 8 ethernet cards installed. Is it possible to use eth0-eth6 as the net interface for shorewall and eth1 as the lan network? Thanks.

sangprabv
sangprabv@gmail.com
------------------------------------------------------------------------------
Michael Weickel - iQom Business Services GmbH
2010-May-22 13:16 UTC
Re: [ASK]How Many Interfaces Supported?
If you mean one out of eth0-eth6 but not eth1 as WAN, it's not a problem; otherwise use bonding.
------------------------------------------------------------------------------
Hi Michael,
I'm sorry I don't understand with your explanation. So is it applicable to set up Shorewall to work with 8 ethernet cards in a box. With this allocation:
eth0-eth6 will be connected to WAN (internet)
eth7 will be connected to LAN
And Shorewall can manage all of those ethernet cards traffics. Many thanks.

sangprabv
sangprabv@gmail.com
------------------------------------------------------------------------------
Michael Weickel - iQom Business Services GmbH
2010-May-22 16:26 UTC
Re: [ASK]How Many Interfaces Supported?
If your kernel supports up to 8 ethernet cards, shorewall will do as well.

Normally the internet is provided by one port to you by your internet service provider. Planning to use 7 NICs to be connected to the internet either means you have 7 internet connections or you plan something that is usually not planned and out of my scope of knowledge.

Of course it would be possible to bond those 7 interfaces together but the sense would be not clear to me. But in that case you need 7 interfaces provided by your ISP anyway.

So I suggest you explain your environment a bit more in detail so that guys from list can help you out with your questions.

Cheers
Michael
------------------------------------------------------------------------------
On 5/22/10 9:19 AM, sangprabv wrote:

> Hi Michael,
> I'm sorry I don't understand with your explanation. So is it applicable to set up Shorewall to work with 8 ethernet cards in a box. With this allocation:
> eth0-eth6 will be connected to WAN (internet)
> eth7 will be connected to LAN
> And Shorewall can manage all of those ethernet cards traffics.

Yes.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------
Hi,
Thanks again for the response. So the plan is my firewall will be connected to 3 different WANs.

eth0-eth4 will be connected to my ISP
eth5 will be connected to Partner A
eth6 will be connected to Partner B
eth7 will be connected to LAN

The reason I split into 5 ethernet cards for ISP A is because they give us 5 static IPs and the traffic will be very high on each IP. Partner A will be a host to host connection, and also Partner B. And there will be many IP and portforward to servers behind the firewall via my ISP. I hope my explanation is OK. Thanks.

sangprabv
sangprabv@gmail.com
------------------------------------------------------------------------------
Michael Weickel - iQom Business Services GmbH
2010-May-22 16:59 UTC
Re: [ASK]How Many Interfaces Supported?
I see many problems in such a setup.

1.) You will need policy routing for sure
2.) Normally providers assign one IP space to their customers, e.g. 1.1.1.0/29. If this is valid for your environment too, you can not assign each single IP to a different layer-3 interface since one subnet can not be configured on different network interfaces, which means you have to apply /32 masks, and this does not sound like this is what you want

What does a lot of traffic mean? For years NICs are able to handle up to 1 Gbit/s of traffic. It would be hard to believe that you receive more than 200 Mbit/s per each NIC, otherwise I have to suppose that the whole environment would look completely different.

I recommend trying to reduce to one NIC per each partner but 1.) has to be applied anyway otherwise locally generated traffic does not know which provider should be used, right!

Shorewall and kernel is for sure more powerful than the amount of traffic you will expect. So keeping things small and easy should be your goal instead of using an environment which you will not like any more once the first configuration mistake occurs and has to be found.

I suggest you sit down for a few minutes and think about my words. Maybe there will be a day where you are glad that you've got them :-)

One last comment. You said your provider provides you with 5 static IPs. That's the regular usable range out of a /29 network (8 minus broadcast, minus ID, minus ISP's CPE) but I really do not believe that your ISP will provide 5 ports beside the 5 IPs. Even if it would be true I strongly recommend to convince your provider to change their mind. Such an environment will bring no luck to no one. If I am wrong I really misunderstood what you plan to do.

Cheers
Michael
------------------------------------------------------------------------------
Hi Michael,
Thanks a lot for the suggestions. Another issue that makes me want to assign each IP on to one dedicated ethernet card is because when partner did stress test by sending around 100.000 requests via ISP A. Shorewall failed to process all, there are some traffics lost here. Do you have any setup suggestion to avoid this?

sangprabv
sangprabv@gmail.com
------------------------------------------------------------------------------
On 5/22/10 5:03 PM, sangprabv wrote:

> Thanks a lot for the suggestions. Another issue that makes me want to
> assign each IP on to one dedicated ethernet card is because when
> partner did stress test by sending around 100.000 requests via ISP A.
> Shorewall failed to process all, there are some traffics lost here.

That's pretty hard to explain, given that once 'shorewall start' completes, there is absolutely no Shorewall code running in your system at all.

-Tom
------------------------------------------------------------------------------
Yes I agree with you it's all about IPTables, but what made me wonder is what things that cause the traffics lost here? Is it about conntrack? Or anything else? Do you have any conntrack or anything else setup tips?

sangprabv
sangprabv@gmail.com
------------------------------------------------------------------------------
sangprabv wrote:

> Thanks a lot for the suggestions. Another issue that makes me want
> to assign each IP on to one dedicated ethernet card is because when
> partner did stress test by sending around 100.000 requests via ISP
> A. Shorewall failed to process all, there are some traffics lost
> here. Do you have any setup suggestion to avoid this?

<8k of excess quoting trimmed>

You still haven't given any idea whatsoever of the scale - for starters, what speed and type of connection are you running?

At work I have a Debian box as our boundary router. 6mbps symmetric uncontended line with an entire class C (/24) subnet behind it. Watching the stats, it runs mostly at 99% idle. It's not doing much by way of filtering, and there's no NAT, but it is doing accounting for every one of those IPs and storing the data in RRD databases. It's also doing traffic shaping with around 25 tc classes and the tc rules to filter traffic accordingly. We're almost certainly turning up the speed shortly to 20 or even 25 Mbps - I'm not anticipating any performance issues. It only runs on an old PIII we had lying around.

I've also built boxes with 32 VLAN based internal interfaces - for a business centre sharing an 8M ADSL line between different tenants. That does do NAT, plus a lot of rules to keep all the different users apart from each other.

At home, I run a 2 port router as a Xen guest - about 6.5Mbps ADSL. Again, no performance issues at all, and that's as just a VM on an AMD64-2000 that's also running several other VMs (one runs MythTV).

Unless you have a connection that's reaching 100Mbps, then you do not need more than one interface for your WAN - and in fact, using multiple interfaces is more likely to cause performance issues due to the extra rules/processing to make it all work.

And don't forget, people run routers in small appliances with low powered ARM processors and limited RAM. You really don't need a lot of horsepower for most normal setups.

--
Simon Hobson
------------------------------------------------------------------------------
On 5/22/10 5:58 PM, sangprabv wrote:

> Yes I agree with you it's all about IPTables , but what made me
> wonder is what things that cause the traffics lost here? Is it about
> conntrack? Or anything else? Do you have any conntrack or anything
> else setup tips?

>> On 5/22/10 5:03 PM, sangprabv wrote:
>>
>>> Another issue that makes me
>>> want to assign each IP on to one dedicated ethernet card is
>>> because when partner did stress test by sending around 100.000
>>> requests via ISP A. Shorewall failed to process all, there are
>>> some traffics lost here.

If the client tried to establish 100,000 simultaneous connections, then the issue is likely conntrack table overflow. Did you look at all at your logs after this test? If you find kernel messages indicating that the table was full, you will need to increase its size. Be sure to also increase the size of the hash table accordingly.

Much information is available on this topic -- do a Google search for 'conntrack table full'.

-Tom
------------------------------------------------------------------------------
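The check described in the reply above (look for kernel "table full" messages, then size the table and its hash together), as an added example that is not part of the original thread. The sample log lines are constructed, the script name in the comment is hypothetical, and the 80% warning level and 8-entries-per-bucket limit are assumed thresholds, not kernel or Shorewall defaults.

```shell
#!/bin/sh
# Added example (not from the thread): triage for conntrack table overflow.
# Thresholds below are assumptions for illustration only.
WARN_PCT=80    # assumed: warn when the table is at least this full
MAX_CHAIN=8    # assumed: max acceptable entries per hash bucket at a full table

# Constructed sample kernel log lines.
SAMPLE_LOG='May 22 23:41:07 fw kernel: nf_conntrack: table full, dropping packet.
May 22 23:41:07 fw kernel: nf_conntrack: table full, dropping packet.
May 22 23:41:09 fw kernel: ip_conntrack: table full, dropping packet.
May 22 23:41:12 fw kernel: eth0: link up, 1000Mbps, full-duplex
May 22 23:42:30 fw sshd[2211]: Accepted publickey for admin from 192.0.2.10'

# Read log text on stdin, print how many conntrack-overflow drop messages it
# holds (current nf_conntrack and legacy ip_conntrack wording).
count_table_full() {
    grep -E -c '(nf|ip)_conntrack: table full, dropping packet' || true
}

# usage_percent COUNT MAX: integer percentage of the table in use.
usage_percent() {
    [ "$2" -gt 0 ] || { echo "max must be > 0" >&2; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# entries_per_bucket MAX BUCKETS: average chain length at a full table, rounded up.
entries_per_bucket() {
    [ "$2" -gt 0 ] || { echo "buckets must be > 0" >&2; return 1; }
    echo $(( ($1 + $2 - 1) / $2 ))
}

# assess COUNT MAX BUCKETS DROPS: print the findings, or OK.
#   OVERFLOW        kernel logged table-full drops
#   NEAR_FULL       no drops logged, but usage is at or above WARN_PCT
#   HASH_TOO_SMALL  max was raised without growing the hash table with it
assess() (
    pct=$(usage_percent "$1" "$2") || exit 1
    chain=$(entries_per_bucket "$2" "$3") || exit 1
    out=""
    if [ "$4" -gt 0 ]; then
        out="OVERFLOW"
    elif [ "$pct" -ge "$WARN_PCT" ]; then
        out="NEAR_FULL"
    fi
    if [ "$chain" -gt "$MAX_CHAIN" ]; then
        out="${out:+$out }HASH_TOO_SMALL"
    fi
    echo "${out:-OK}"
)

# read_live [DIR]: print "COUNT MAX BUCKETS" from the conntrack sysctl
# directory; fails when the conntrack module is not loaded.
read_live() (
    d=${1:-/proc/sys/net/netfilter}
    [ -r "$d/nf_conntrack_count" ] || exit 1
    echo "$(cat "$d/nf_conntrack_count") $(cat "$d/nf_conntrack_max") $(cat "$d/nf_conntrack_buckets")"
)

# Demo on the constructed sample, with constructed table numbers.
drops=$(printf '%s\n' "$SAMPLE_LOG" | count_table_full)
echo "constructed sample: $drops table-full messages -> $(assess 65000 65536 16384 "$drops")"

# On a real firewall: sh conntrack_check.sh --live   (hypothetical file name)
if [ "${1:-}" = "--live" ] && live=$(read_live); then
    set -- $live
    echo "live: count=$1 max=$2 buckets=$3 -> $(assess "$1" "$2" "$3" "$(dmesg 2>/dev/null | count_table_full)")"
fi
```

When the verdict includes OVERFLOW, raise `net.netfilter.nf_conntrack_max` and the hash size (`/sys/module/nf_conntrack/parameters/hashsize`) together, which is what HASH_TOO_SMALL guards against.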
On Sat 22 May 2010 06:19:43 PM CEST, sangprabv wrote

> And Shorewall can manage all of those ethernet cards traffics.
> Many thanks.

provide more info then shorewall will do more for you

eg: ifconfig, or even ip addr show, ip route show

if you have 8 nics already setup, then you find more help here getting it done with shorewall

i have one soekris 1641 working very well with shorewall for me

--
xpoint
------------------------------------------------------------------------------