Shorewall users - Jan 2011 - MultiISP and forcing traffic to a specific ISP

I have a rather complex configuration (thanks Tom for the great flexibility of 
Shorewall!) with three ISP connections, two separate LAN zones, a DMZ and a 
vpn zone (OpenVPN server for road warriors running on the firewall).

Initially I tried to force the use of one of the ISPs for specific protocols 
and / or source addresses in the loc zone, with limited success (maybe 
something wrong in my configuration files).

Today I revised the configuration, following the "Complete Working
Example" of
Tom''s network in early 2009
http://www.shorewall.net/MultiISP.html#Complete
but I can''t find the tcrules file in the example and I''m not
sure that mine is
correct.

Specifically, I need a confirmation about the MARK field in providers: in the 
example it''s above 0xFF (so I assume HIGH_ROUTE_MARKS=Yes in
shorewall.conf)
and I can''t understand from the documentation if I need to use 0x100,
0x200
and so on MARKs also in tcrules or not (in all the examples I found I always 
see 1, 2 and similar low values).

Anyway, I decided not to use HIGH_ROUTE_MARKS (like in the "fall 2008"
example) so that the MARKs are always 1, 2 and 3, and I am using route_rules 
to force certain loc IP ranges to use provider 1, and tcrules (with MARK 1 
without :P or other chain specifiers) to force specific protocols on provider 
1. I have no specific need for shaping, so tcclasses is empty and tcdevices 
only specifies the out-banwidth.

Before going into more details (contents of the configuration files and dumps) 
I would like to understand if what I did is reasonable.

Thanks for any help
Elio

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl

On 1/12/11 4:10 PM, Elio Tondo wrote:
> I have a rather complex configuration (thanks Tom for the great flexibility
of
> Shorewall!) with three ISP connections, two separate LAN zones, a DMZ and a
> vpn zone (OpenVPN server for road warriors running on the firewall).
> 
> Initially I tried to force the use of one of the ISPs for specific
protocols
> and / or source addresses in the loc zone, with limited success (maybe 
> something wrong in my configuration files).
> 
> Today I revised the configuration, following the "Complete Working
Example" of
> Tom''s network in early 2009
http://www.shorewall.net/MultiISP.html#Complete
> but I can''t find the tcrules file in the example and I''m
not sure that mine is
> correct.
That example only uses route_rules -- there were no entries in the
tcrules file.
> 
> Specifically, I need a confirmation about the MARK field in providers: in
the
> example it''s above 0xFF (so I assume HIGH_ROUTE_MARKS=Yes in
shorewall.conf)
> and I can''t understand from the documentation if I need to use
0x100, 0x200
> and so on MARKs also in tcrules or not (in all the examples I found I
always
> see 1, 2 and similar low values).
Yes -- you need to use the same value in tcrules that is specified in
the providers file.
> 
> Anyway, I decided not to use HIGH_ROUTE_MARKS (like in the "fall
2008"
> example) so that the MARKs are always 1, 2 and 3, and I am using
route_rules
> to force certain loc IP ranges to use provider 1, and tcrules (with MARK 1 
> without :P or other chain specifiers) to force specific protocols on
provider
> 1. I have no specific need for shaping, so tcclasses is empty and tcdevices
> only specifies the out-banwidth.
If tcclasses is empty, then tcdevices should also be empty.
> 
> Before going into more details (contents of the configuration files and
dumps)
> I would like to understand if what I did is reasonable.
> 
Sounds like it.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl