Hi all,

I have two ISPs, and I set the configuration as in the following example: http://www.shorewall.net/MultiISP.html#Example1

Interfaces are:

    loc  eth0  detect  dhcp,tcpflags,detectnets,nosmurfs,routeback
    net  eth2  detect  tcpflags,routefilter,nosmurfs,logmartians
    net  eth1  detect  tcpflags,routefilter,nosmurfs,logmartians

My "providers" are:

    TELE  2  2  main  eth2  192.168.2.1  track,balance  eth0
    ALBA  9  9  main  eth1  192.168.9.1  track,balance  eth0

When tcrules is:

    9  eth0  0.0.0.0/0  tcp  80

all is OK: I'm able to route the HTTP requests through the ALBA provider (eth0 is the local LAN). As eth2 is the default gateway, the firewall itself goes out to the Internet through the TELE ISP.

First problem: if I remove the "balance" flag, the local LAN goes back to the TELE ISP. Is it normal? I don't want to balance the traffic among the ISPs, but I can't get it to work without this flag.

Second problem: suppose I set the "balance" flag again (but, in the end, I'd like to remove it). If I want the firewall to use the same ALBA ISP, I write (in tcrules):

    9  $FW  0.0.0.0/0  tcp  80

but it doesn't work: the browser waits for the answer until a timeout error, while the local LAN goes through the ALBA ISP. At the same time I see the following rows in the logs:

    ... martian source 192.168.2.3 from [the IP I try to connect to], on dev eth1

Is it a "masquerading" problem? I set "masq" as:

    eth2  !192.168.2.3/29  192.168.2.3
    eth1  !192.168.9.3/29  192.168.9.3

Thanks for any help. Obviously I can give any configuration file you need.

Alessandro

------------------------------------------------------------------------------
Gaining the trust of online customers is vital for the success of any company that requires sensitive data to be transmitted over the Web. Learn how to best implement a security strategy that keeps consumers' information secure and instills the confidence they need to proceed with transactions. http://p.sf.net/sfu/oracle-sfdevnl
> First problem: if I remove the "balance" flag the local lan come back
> to the TELE isp. Is it normal? I don't want balance the traffic among
> the isp, but I can't get it work without this flag.
>
> Second problem: suppose to set the "balance" flag again (but, at the
> end, I'd like to remove it). If I want the firewall use the same ALBA
> isp I write (in tcrules):

I think there are some problems: I'm trying without "balance", and it sometimes works... and sometimes not :-(

tcrules:

    9  eth0  0.0.0.0/0  tcp  80
    9  $FW   0.0.0.0/0  tcp  80
=> eth0 through TELE (why?), $FW through ALBA (OK)

    9  $FW   0.0.0.0/0  tcp  80
    9  eth0  0.0.0.0/0  tcp  80
=> eth0 through ALBA (OK), $FW has timeout connections

    9  eth0  0.0.0.0/0  tcp  80
=> eth0 through ALBA (OK), $FW through ALBA (why?)

    9  $FW   0.0.0.0/0  tcp  80
=> eth0 through TELE (OK), $FW through ALBA (OK)

    [empty]
=> eth0 through ALBA (???? ahah..), $FW through TELE (OK)

This last configuration makes me smile... Can an open connection disturb the ISP routing? An open chat, a YouTube video... while I'm restarting Shorewall; with "tcrules" empty, eth0 must go through TELE!

In order to get back to the original routing I had to remove the "providers" file. I will try again in a few days, after some nights of sleep :-)

Alessandro
On 1/7/11 11:44 AM, Alessandro wrote:
>
> In order to come back to the original routing I had to remove the
> "providers" file. I will try again in few days, after some night of
> sleep :-)
>

If you need help when you try again, please report one problem per post and include the output of 'shorewall dump'.

Thanks!
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
From: Tom Eastep <teastep@shorewall.net>
Date: Fri Jan 07 2011 21:28:58 GMT+0100 (CET)
> If you need help when you try again, please report one problem per post
> and include the output of 'shorewall dump'.
>
> Thanks!
> -Tom
>

After many days I tried again. I started again to read the documentation, and in "http://www.shorewall.net/MultiISP.html" I have read: "If you are using.. providers...we recommend that you specify balance..read and follow the advice in FAQ 57 and FAQ 58." I didn't see these simple explanations before, sorry. And then: "Note that traffic from the firewall itself must be handled in a different rule".

Thanks, now it works :-)

Alessandro

Note that I learned to restart the network before every Shorewall restart: old Shorewall modifications can influence the current settings (e.g. the default gateway may not be reinitialized).

------------------------------------------------------------------------------
The modern datacenter depends on network connectivity to access resources and provide services. The best practices for maximizing a physical server's connectivity to a physical network are well understood - see how these rules translate into the virtual world? http://p.sf.net/sfu/oracle-sfdevnlfb
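For readers hitting the same wall, here is an added example of the three fragments the thread converges on, written for this page; it is not Alessandro's configuration and not copied from the Shorewall documentation. The interface names, provider names, marks and gateway/public addresses are taken from the first post; the use of eth0 as the masq SOURCE column (rather than the "!192.168.x.3/29" form in the post) is an assumption made to keep the example self-contained. The point the documentation makes, and that the two-line tcrules file below encodes, is that a mark rule whose SOURCE is an interface lands in the mangle PREROUTING chain, which locally generated traffic never traverses, so traffic from the firewall itself needs its own rule with SOURCE $FW (Shorewall places that one in mangle OUTPUT).

```text
# /etc/shorewall/providers  (added example, assumptions noted above)
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS        COPY
TELE   2       2     main       eth2       192.168.2.1  track,balance  eth0
ALBA   9       9     main       eth1       192.168.9.1  track,balance  eth0

# /etc/shorewall/tcrules
# Both lines are needed: the eth0 rule marks forwarded LAN traffic
# (PREROUTING); the $FW rule marks the firewall's own traffic (OUTPUT).
#MARK  SOURCE  DEST       PROTO  DEST PORT(S)
9      eth0    0.0.0.0/0  tcp    80
9      $FW     0.0.0.0/0  tcp    80

# /etc/shorewall/masq
# Assumed: the LAN (eth0) is NATted to each provider's address on its own
# interface, so replies return on the interface the request left from.
#INTERFACE  SOURCE  ADDRESS
eth2        eth0    192.168.2.3
eth1        eth0    192.168.9.3
```

Two checks worth doing after "shorewall restart": "ip rule show" should list the "fwmark 0x9 lookup ALBA"-style rule (the exact rendering varies by Shorewall and iproute2 version) and "ip route show table ALBA" should use 192.168.9.1 via eth1. The "routefilter" option on eth1/eth2 enables the kernel's strict reverse-path filter, and "logmartians" makes it log, so a "martian source" line naming a provider interface means a packet arrived on an interface the kernel would not have routed it out of; that is the symptom to expect whenever the mark is missing on one direction of a flow.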
On 2/3/11 2:45 PM, Alessandro wrote:
>
> Note that I learned to restart the network before every shorewall
> restarting: old shorewall modifications can influence the current
> settings (ex: the dafault gateway may not be reinitialize)
>

Then you are doing something wrong.

-Tom