I recently ordered a residential class cable connection from Comcast to
complement my static DSL connection for redundancy.

My eventual goal is to run all of my VoIP traffic (SIP and IAX) over the
cable connection and to also use it as a backup to my other services
(mail, web, openvpn, etc) if the DSL fails for any reason, but I've got
to get the cable connection working with linux first then I can deal
with the shorewall config.

I've read the Shorewall documentation on Multi ISP's but I am having one
hurdle that I can't seem to get past, and I'm hopeful someone has the
answer as I'm sure it's simple.

Everything works as expected until I plug the cable modem into eth2. It
creates another default route and kills everything, and I'm not sure how
to deal with that or prevent it from happening?

My network consists of this:

eth0 DSL with static IP
eth1 Comcast Cable connection with dynamic IP
eth2 192.168.1.0/24 pointing towards local LAN

Here is my /etc/network/interfaces:

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # eth0 interface facing internet
    auto eth0
    iface eth0 inet static
        address 76.x.x.x
        netmask 255.255.255.224
        gateway 76.5.159.161

    # virtual interface to DSL modem
    auto eth0:0
    iface eth0:0 inet static
        address 192.168.2.2
        netmask 255.255.255.0

    # eth1 cable modem
    auto eth1
    iface eth1 inet dhcp

    # eth2 interface facing local LAN
    auto eth2
    iface eth2 inet static
        address 192.168.1.1
        netmask 255.255.255.0

Thanks,
Stephen

On 7/19/10 8:25 AM, Stephen Brown wrote:
> I recently ordered a residential class cable connection from Comcast to
> complement my static DSL connection for redundancy.
>
> My eventual goal is to run all of my VoIP traffic (SIP and IAX) over the
> cable connection and to also use it as a backup to my other services
> (mail, web, openvpn, etc) if the DSL fails for any reason, but I've got
> to get the cable connection working with linux first then I can deal
> with the shorewall config.
>
> I've read the Shorewall documentation on Multi ISP's but I am having one
> hurdle that I can't seem to get past, and I'm hopeful someone has the
> answer as I'm sure it's simple.
>
> Everything works as expected until I plug the cable modem into eth2. It
> creates another default route and kills everything, and I'm not sure how
> to deal with that or prevent it from happening?
>

Please look at the 'Complete Example' at the bottom of the Multi ISP
article at shorewall.net. It has almost exactly the configuration you
are trying to set up.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 7/19/10 8:36 AM, Tom Eastep wrote:
> On 7/19/10 8:25 AM, Stephen Brown wrote:
>> I recently ordered a residential class cable connection from Comcast to
>> complement my static DSL connection for redundancy.
>>
>> My eventual goal is to run all of my VoIP traffic (SIP and IAX) over the
>> cable connection and to also use it as a backup to my other services
>> (mail, web, openvpn, etc) if the DSL fails for any reason, but I've got
>> to get the cable connection working with linux first then I can deal
>> with the shorewall config.
>>
>> I've read the Shorewall documentation on Multi ISP's but I am having one
>> hurdle that I can't seem to get past, and I'm hopeful someone has the
>> answer as I'm sure it's simple.
>>
>> Everything works as expected until I plug the cable modem into eth2. It
>> creates another default route and kills everything, and I'm not sure how
>> to deal with that or prevent it from happening?
>>
>
> Please look at the 'Complete Example' at the bottom of the Multi ISP
> article at shorewall.net. It has almost exactly the configuration you
> are trying to set up.

Also, you must get the Shorewall configuration created and installed
*first*; once the configuration is working with the cable interface
disconnected, then, you can plug in the cable modem and it will work.
You can't do it the other way around.

-Tom

Thanks Tom.... I'll give this a whirl tonight when I get home and see how
it goes, I'll undoubtedly have more questions :)

On 7/19/10 9:25 AM, Tom Eastep wrote:
>
> Also, you must get the Shorewall configuration created and installed
> *first*; once the configuration is working with the cable interface
> disconnected, then, you can plug in the cable modem and it will work.
> You can't do it the other way around.

Well, actually you can do it the other way around; you will have little
or no internet access until you get Shorewall configured (as you have
already discovered).

-Tom

Ok so far so good... but I do need some clarification on a few things.

First, to summate, here are my goals:

- send and receive all traffic with the exception of SIP and IAX based
  traffic for VoIP over the cable link.

- have the cable modem act as a backup in the event the DSL link fails,
  this will include my normal web and mail server traffic.

I understand the tcrules setup (I think) in regards to what I am trying
to accomplish for outbound VoIP traffic. Inbound traffic will be
directed to the cable link as well, I'm going to create SRV records to
provide redundancy, will shorewall still process my DNAT rules
regardless of which ISP they arrive from? For example, let's say my
cable modem goes down, and I have an SRV record of a higher weight to
point to my DSL connection, I should expect to still be able to receive
inbound calls without hassle? What about outbound calls in this
scenario? What would be the best way to deal with that?

Here are my config files thus far, I don't know that many of the options
are sane however (pastebin'ed because they kept wrapping in my email
client):

http://www.pastie.org/1050858

Some of my configs may undoubtedly be wrong or not optimized, so any
help appreciated :)

Thanks,
Stephen

On 7/19/10 12:18 PM, Stephen Brown wrote:
>
> I understand the tcrules setup (I think) in regards to what I am trying
> to accomplish for outbound VoIP traffic. Inbound traffic will be
> directed to the cable link as well, I'm going to create SRV records to
> provide redundancy, will shorewall still process my DNAT rules
> regardless of which ISP they arrive from?

If you set them up correctly.

> For example, let's say my
> cable modem goes down, and I have an SRV record of a higher weight to
> point to my DSL connection, I should expect to still be able to receive
> inbound calls without hassle? What about outbound calls in this
> scenario? What would be the best way to deal with that?

Sorry -- you are going to have to talk to someone who speaks VOIP and
SRV records. But, from a Shorewall perspective:

a) The firewall must be configured so it will ignore interfaces that are
   not available.
b) When an interface becomes unavailable, Shorewall must be restarted.

So when an interface is down, it is effectively not part of the
configuration except that you can still use LSM to monitor the link and
restart Shorewall when the link comes back up.

>
> Here are my config files thus far, I don't know that many of the options
> are sane however (pastebin'ed because they kept wrapping in my email
> client):
>
> http://www.pastie.org/1050858

This isn't any better. I can't quote from a web page; and if I copy/paste,
then *my* mailer will fold what I'm quoting. But I suggest that you read
the text about that example (which, until recently, was my own network).
In particular, you need to understand why I specified 'loose' on my
backup provider and why you should not.

-Tom

Well I'm not really getting anywhere. I've read through the multi-isp
documentation at least 5 or 6 times now and I can't seem to get things
to work no matter what.

In a desperate attempt I downloaded a (newer) fresh tarball and blew all
of my config files away to start from scratch so I had a clean slate to
work with. My /etc/shorewall only contains the following files now:

    bubastis:/home# tree /etc/shorewall/
    /etc/shorewall/
    |-- interfaces
    |-- masq
    |-- params
    |-- policy
    |-- providers
    |-- route_rules
    |-- routestopped
    |-- rules
    |-- rules.orig
    |-- shorewall.conf
    |-- shorewall.conf.orig
    |-- tcrules
    `-- zones

I've tried multiple changes... none of which seem to work, even closely
matching the working example at the bottom of the page in the multi-isp
documentation.

Trace attached, I get errors upon startup with this configuration....

Thanks,
Stephen

Thanks Tom.... ignore my last message which is in moderation, I may have
just got it working!

I set balance=1 and balance=2 and it appears to be functioning as
intended :)

I can tweak now that the core is up.....

Thanks!
Stephen

On 7/19/10 5:45 PM, Stephen Brown wrote:
> Thanks Tom.... ignore my last message which is in moderation, I may have
> just got it working!
>
> I set balance=1 and balance=2 and it appears to be functioning as
> intended :)
>
> I can tweak now that the core is up.....
>

Right -- I should have mentioned that having a dynamic IP provider as a
'fallback' won't work because DHCP will automatically add the cable
default route in the main routing table. Using weights as you are doing
simply makes the balancing choose the balance=2 route twice as often as
it chooses the balance=1 route.

Along that line, however, I question why you want to make the DSL your
primary provider, given that the cable link is likely to be an order of
magnitude faster. My own strategy was to use the DSL line for those
things that I *had* to (basically, running my servers) and to use the
cable link for everything else.

But even if you do it your way, you can still define the DSL provider as
'fallback' and use marking and/or routing rules to direct the bulk of
your traffic there. The real benefit that it provides is to put the
static default route and the dynamic one in different routing tables.

-Tom

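Added example (not part of the original thread and not Shorewall's own code): a shell check for the two routing states described in the message above, more than one default route in a table after DHCP adds the cable route, and a single multipath default whose nexthop weights come from balance=N. The routing tables are constructed samples; the 10.0.0.1 cable gateway and the choice of eth0 for weight 2 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Each function reads `ip route show`
# text on stdin. Live use (assumed invocation):
#   ip route show table main | check_main_table

# Constructed sample: main table after the DHCP client on eth1 has added its
# own default route beside the static one on eth0. 76.5.159.161 is the DSL
# gateway from the thread; 10.0.0.1 is a placeholder cable gateway.
SAMPLE_CONFLICT=$(printf '%s\n' \
    'default via 76.5.159.161 dev eth0' \
    'default via 10.0.0.1 dev eth1' \
    '192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1')

# Constructed sample: one multipath default, the shape that balance=1 and
# balance=2 produce. Which link gets weight 2 is an assumption.
SAMPLE_BALANCED=$(printf 'default\n\t%s\n\t%s\n%s\n' \
    'nexthop via 76.5.159.161 dev eth0 weight 2' \
    'nexthop via 10.0.0.1 dev eth1 weight 1' \
    '192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1')

# Count route entries whose destination is "default". The nexthop lines of a
# multipath route start with "nexthop", so a balanced default counts once.
default_route_count() {
    awk '$1 == "default" { n++ } END { print n + 0 }'
}

# Exit 0 when the table holds at most one default route, 1 otherwise.
check_main_table() {
    count=$(default_route_count)
    if [ "$count" -gt 1 ]; then
        echo "CONFLICT: $count default routes in this table"
        return 1
    fi
    echo "OK: $count default route(s)"
}

# For a multipath default, print "<dev> weight=<w> share=<w>/<total>" per
# nexthop: the proportion in which each link is chosen.
nexthop_shares() {
    awk '
        { first = substr($0, 1, 1) }
        # An unindented line starts a new route entry.
        first != " " && first != "\t" { in_default = ($1 == "default") }
        in_default && $1 == "nexthop" {
            dev = ""; w = 1
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "weight") w = $(i + 1)
            }
            n++; devs[n] = dev; weights[n] = w; total += w
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s weight=%d share=%d/%d\n", devs[i], weights[i], weights[i], total
        }
    '
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_CONFLICT" | check_main_table || true
printf '%s\n' "$SAMPLE_BALANCED" | check_main_table
printf '%s\n' "$SAMPLE_BALANCED" | nexthop_shares
```
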
> Right -- I should have mentioned that having a dynamic IP provider as
> a 'fallback' won't work because DHCP will automatically add the
> cable default route in the main routing table. Using weights as you
> are doing simply makes the balancing choose the balance=2 route twice
> as often as it chooses the balance=1 route.

That makes sense, now I understand why when I disconnected the DSL modem
and restarted shorewall the cable connection didn't come up.

> Along that line, however, I question why you want to make the DSL
> your primary provider, given that the cable link is likely to be an
> order of magnitude faster. My own strategy was to use the DSL line
> for those things that I *had* to (basically, running my servers) and
> to use the cable link for everything else.

Great question :) I have just the opposite scenario... my DSL is
10mb/896k and the cable link is 1mb/384k.

I can get a faster cable connection, but long story short Comcast gave
me "the call" last year and they made me mad so I switched to DSL. I
consumed a massive amount of bandwidth and I still don't understand what
I did to cause that. I don't do any torrent downloading etc, but do a
lot of VoIP and LEGAL streaming, music downloads, etc. Based on my usage
habits, I am gunshy to use them as my primary provider.

I originally evaluated getting a Comcast business class connection (and
I still may) depending on how well this connection works for what I need
it for, mainly VoIP. It was on a promo price so I couldn't resist ;)

Who knows.... I may change my mind yet again and just downgrade the DSL
to a slower connection!

On 7/19/10 5:35 PM, Stephen Brown wrote:
> Well I'm not really getting anywhere. I've read through the multi-isp
> documentation at least 5 or 6 times now and I can't seem to get things
> to work no matter what.
>
> In a desperate attempt I downloaded a (newer) fresh tarball and blew all
> of my config files away to start from scratch so I had a clean slate to
> work with. My /etc/shorewall only contains the following files now:
> bubastis:/home# tree /etc/shorewall/
> /etc/shorewall/
> |-- interfaces
> |-- masq
> |-- params
> |-- policy
> |-- providers
> |-- route_rules
> |-- routestopped
> |-- rules
> |-- rules.orig
> |-- shorewall.conf
> |-- shorewall.conf.orig
> |-- tcrules
> `-- zones
>
> I've tried multiple changes... none of which seem to work, even closely
> matching the working example at the bottom of the page in the multi-isp
> documentation.
>
> Trace attached, I get errors upon startup with this configuration....

Broken kit -- 'route replace' should not fail with 'RTNETLINK answers:
File exists'. That is the whole point of using 'replace'; so that it
will replace the existing route.

-Tom

Hi Stephen,

Back on May 19 2010, I sent to the Shorewall-users group:

...when we upgraded our internet to dual providers I made a minimum
change in that I added the second provider as a sub interface of the
interface with the primary provider and this has been working for over
six months.

Our Environment:
We utilise DNAT and conntrack
Internet traffic could be in via provider A or B and out via provider A
or B. (Asymmetric routing)
Provider B is a layer two peering point so the Quagga routing table
contains ~50 different next hops.

Should I stay with this setup or do you recommend following
http://www.shorewall.net/MultiISP.html ?

After reading
"Shorewall includes limited support for multiple Internet connections.
Limitations of this support are as follows:
* It utilizes static routing configuration. If there is a change in the
  routing topology, Shorewall must be restarted."
I prefer staying with my current setup.

To which Tom Eastep replied "So long as it is working to your
satisfaction, I see no reason to change."

Maybe the way I have gone about solving this may assist your situation.

More Detail: all providers via the one router/firewall interface as
sub-interfaces and each ISP connection cabled to a switch port in the
same VLAN as the external interface. (a little messy but has been doing
the job for 6 months without issues)

Regards,
Trent O'Callaghan

On 7/20/10 8:05 PM, Tom Eastep wrote:
>>
>> I've tried multiple changes... none of which seem to work, even closely
>> matching the working example at the bottom of the page in the multi-isp
>> documentation.
>>
>> Trace attached, I get errors upon startup with this configuration....
>
> Broken kit -- 'route replace' should not fail with 'RTNETLINK answers:
> File exists'. That is the whole point of using 'replace'; so that it
> will replace the existing route.

We've seen issues similar to this before; last time was 9 months or so
ago where the user was running Quagga.

Here is a little experiment to try.

    ip route flush table 253
    ip route add default scope global table 253 nexthop via 76.5.159.161 \
        dev eth0 weight 1
    ip route replace default scope global table 253 nexthop via \
        76.5.159.161 dev eth0 weight 1

Does that work?

What are your kernel and iproute versions?

    uname -a
    ip -V

Thanks,
-Tom

Well my requirements have changed. Due to multiple attempts to get
things working and the limitation of not being able to use a dhcp
assigned address as a fallback provider, and not to mention an angry
wife for the internet being up and down (I've GOT to keep her happy at
all costs.... lol), I've come up with the following scenario instead:

- keep the DSL on eth0 as it is now
- assign eth2 to the NAT'ed side of a wireless router so that way there
  when I'm playing my wife will still have access to the internet without
  remorse (via wireless)
- my theory is that I will be able to then use eth2 as a fallback in the
  event the DSL fails for any reason, as well as assign particular traffic
  to route over this link

So with that being said, does Shorewall care if the fallback interface
is a non-routable address (such as 192.x.x.x, 172.x.x.x, 10.x.x.x)? My
first guess would be no, because it's simply just going to route it to
the gateway you provide (which will be that of the wireless router in
this scenario)

I'm still poking and my limited knowledge of ip routing in this type of
scenario makes things a lot more challenging, but I don't give up
easily :)

> What are your kernel and iproute versions?

kernel: Linux bubastis 2.6.26-2-686 #1 SMP Mon Jun 21 05:58:44 UTC 2010
i686 GNU/Linux
iproute: ip utility, iproute2-ss080725

This is running on an updated stock Debian Lenny box.

Thanks,
Stephen

On 7/21/10 4:11 PM, Stephen Brown wrote:
> Well my requirements have changed. Due to multiple attempts to get
> things working and the limitation of not being able to use a dhcp
> assigned address as a fallback provider, and not to mention an angry
> wife for the internet being up and down (I've GOT to keep her happy at
> all costs.... lol), I've come up with the following scenario instead:
>
> - keep the DSL on eth0 as it is now
> - assign eth2 to the NAT'ed side of a wireless router so that way there
> when I'm playing my wife will still have access to the internet without
> remorse (via wireless)
> - my theory is that I will be able to then use eth2 as a fallback in the
> event the DSL fails for any reason, as well as assign particular traffic
> to route over this link

Yep.

>
> So with that being said, does Shorewall care if the fallback interface
> is a non-routable address (such as 192.x.x.x, 172.x.x.x, 10.x.x.x)? My
> first guess would be no, because it's simply just going to route it to
> the gateway you provide (which will be that of the wireless router in
> this scenario)

Not in the least. In fact, I did something similar while I was getting
Comcast Business Class set up. Wife was only moderately happy, however,
since we run our own mail server which was behind the Shorewall box :-)

-Tom