Good day dear list!

My shorewall box is connected to two internet providers (isp0, isp1)
and local lan (br0).
I have two kinds of machines on br0 - server machines (with several
known IP addresses, say ip1, ip2, ip3) and many dhcp workstations.

I want to set up these policies:
1). workstations should use isp0 ONLY (if it's online, and use isp1 otherwise).
2). servers should prefer isp1, but can use isp0 IF it has free
bandwidth not occupied by workstations.

So far I have this configuration:

$ cat /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians,optional
net     ppp1        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians,optional
loc     br0         detect      tcpflags,nosmurfs,routefilter,logmartians,bridge

$ cat /etc/shorewall/providers
#NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY   OPTIONS         COPY
isp0    1        1      main        ppp0        -         track,balance   br0
isp1    2        2      main        ppp1        -         track,balance   br0

With this configuration all traffic from br0 is load-balanced between
two providers.
Now I want to make certain hosts prefer a certain provider as I've
described above.

Setting something like (br0!ip1!ip2!ip3) - i.e. "all that comes from
br0 except the servers' IPs" as SOURCE fields in route_rules would help
me with 1), but it seems that such complicated source address
specifications are not supported.

And I do not have any insight about how to achieve 2).

I'll appreciate any advice.
Thanks!
-- 
Zaar

On 2/15/11 9:31 AM, Zaar Hai wrote:

> My shorewall box is connected to two internet providers (isp0, isp1)
> and local lan (br0).
>

It is always helpful to know which *version* of Shorewall is being used.

> I have two kinds of machines on br0 - server machines (with several
> known IP addresses, say ip1, ip2, ip3) and many dhcp workstations.
>
> I want to set up these policies:
> 1). workstations should use isp0 ONLY (if it's online, and use isp1 otherwise).
> 2). servers should prefer isp1, but can use isp0 IF it has free
> bandwidth not occupied by workstations.

A Shorewall-generated configuration has no capability to make routing
decisions based on bandwidth availability.

>
> So far I have this configuration:
>
> $ cat /etc/shorewall/interfaces
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians,optional
> net     ppp1        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians,optional
> loc     br0         detect      tcpflags,nosmurfs,routefilter,logmartians,bridge
>
> $ cat /etc/shorewall/providers
> #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY   OPTIONS         COPY
> isp0    1        1      main        ppp0        -         track,balance   br0
> isp1    2        2      main        ppp1        -         track,balance   br0
>
> With this configuration all traffic from br0 is load-balanced between
> two providers.
> Now I want to make certain hosts prefer a certain provider as I've
> described above.
>
> Setting something like (br0!ip1!ip2!ip3) - i.e. "all that comes from
> br0 except the servers' IPs" as SOURCE fields in route_rules would help
> me with 1), but it seems that such complicated source address
> specifications are not supported.

ip1 - isp1
ip2 - isp1
ip3 - isp1
br0 - isp0

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Tue, Feb 15, 2011 at 9:48 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 2/15/11 9:31 AM, Zaar Hai wrote:
>
>> My shorewall box is connected to two internet providers (isp0, isp1)
>> and local lan (br0).
>>
>
> It is always helpful to know which *version* of Shorewall is being used.

Oops, sorry about that. The version is 4.4.11.6-3 (debian lenny amd64).

>> I have two kinds of machines on br0 - server machines (with several
>> known IP addresses, say ip1, ip2, ip3) and many dhcp workstations.
>>
>> I want to set up these policies:
>> 1). workstations should use isp0 ONLY (if it's online, and use isp1 otherwise).
>> 2). servers should prefer isp1, but can use isp0 IF it has free
>> bandwidth not occupied by workstations.
>
> A Shorewall-generated configuration has no capability to make routing
> decisions based on bandwidth availability.

I see. From your experience, if I enable servers to use both providers
but set their band to 3 via tcpri file - will it considerably improve
Internet experience of workstation users?

>>
>> So far I have this configuration:
>>
>> $ cat /etc/shorewall/interfaces
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> net     ppp0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians,optional
>> net     ppp1        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians,optional
>> loc     br0         detect      tcpflags,nosmurfs,routefilter,logmartians,bridge
>>
>> $ cat /etc/shorewall/providers
>> #NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY   OPTIONS         COPY
>> isp0    1        1      main        ppp0        -         track,balance   br0
>> isp1    2        2      main        ppp1        -         track,balance   br0
>>
>> With this configuration all traffic from br0 is load-balanced between
>> two providers.
>> Now I want to make certain hosts prefer a certain provider as I've
>> described above.
>>
>> Setting something like (br0!ip1!ip2!ip3) - i.e. "all that comes from
>> br0 except the servers' IPs" as SOURCE fields in route_rules would help
>> me with 1), but it seems that such complicated source address
>> specifications are not supported.
>
> ip1 - isp1
> ip2 - isp1
> ip3 - isp1
> br0 - isp0

I've thought about this, but it gives me a split-even configuration -
servers use isp1 _only_, and workstations use isp0 _only_.
What I need is that:
* servers can use both isp0 and isp1
* the rest - isp0 only.

My workstations occupy known subnet space, so I've tried the following
(one and only) line in route_rules:

192.168.20.0/24 - isp0

And that seems to be working! - i.e. servers get balanced between isp0
and isp1, while workstations use isp0 solely.

Thank you, Tom!
-- 
Zaar

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
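
Added example (not part of the thread and not Shorewall's own code): a simplified Python model of how the two route_rules variants discussed above pick a provider for a server and for a workstation. The server addresses are constructed (the thread only calls them ip1, ip2, ip3), and the fall-through to the balanced default route when a rule's provider is down is an assumption of the model.

```python
import ipaddress

# Constructed addresses: the thread only names the servers ip1, ip2, ip3.
SERVERS = ["192.168.10.11", "192.168.10.12", "192.168.10.13"]
WORKSTATION = "192.168.20.57"        # inside the workstation subnet from the thread
BALANCED = ("isp0", "isp1")          # both providers have the 'balance' option

# route_rules modelled as (SOURCE, PROVIDER), evaluated top to bottom.
# "br0" as SOURCE is modelled as "any address arriving from the LAN".
TOM_RULES = [(ip + "/32", "isp1") for ip in SERVERS] + [("0.0.0.0/0", "isp0")]
ZAAR_RULES = [("192.168.20.0/24", "isp0")]


def egress(src, rules, up=BALANCED):
    """Return the set of providers a new connection from src may leave through."""
    addr = ipaddress.ip_address(src)
    for source, provider in rules:
        if addr in ipaddress.ip_network(source) and provider in up:
            return {provider}        # pinned to this provider's routing table
        # No match, or the provider is down (model assumption: its table then
        # has no default route), so evaluation continues with the next rule.
    # No rule applied: the balanced default route spreads over live providers.
    return {p for p in BALANCED if p in up}


def summary(rules, up=BALANCED):
    """Egress sets for one server and one workstation under a rule set."""
    return {"server": egress(SERVERS[0], rules, up),
            "workstation": egress(WORKSTATION, rules, up)}


if __name__ == "__main__":
    for name, rules in (("Tom's four rules", TOM_RULES),
                        ("Zaar's one rule", ZAAR_RULES)):
        print(name, summary(rules))
    print("Zaar's one rule, isp0 down", summary(ZAAR_RULES, up=("isp1",)))
```

On a live firewall the same question is answered by `ip rule show` together with `ip route get <destination> from <source> iif br0`.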