Hi all,

I'm hoping to build a gateway with multiple ISPs (in my case I have 4 ISPs) with failover capability.

Here's what I hope to accomplish with Shorewall, if it's possible:

1. Switch traffic to other interfaces if an ISP fails, not only when the box hangs but also if the Internet connection doesn't respond.

2. More complicated for me. The ADSL boxes are never synchronised with the same capacity after a reboot. Do you know a good system for traffic repartition which takes care of box response times, maybe a script, but how?

I have read the Shorewall multi-ISP documentation, but I didn't find an explanation for my problem, or maybe I don't understand it.

Thanks,
Fred

On 3/25/11 4:49 AM, Stealth wrote:
> Hi all,
>
> I'm hoping to build a gateway with multiple ISPs
> (in my case I have 4 ISPs) with failover capability.
>
> Here's what I hope to accomplish with Shorewall,
> if it's possible:
>
> 1. Switch traffic to other interfaces if an ISP
> fails, not only when the box hangs but also if
> the Internet connection doesn't respond

Using static routing, you can't switch existing traffic from one ISP to another. Think about it; how is return traffic going to get back to your network if the route to your system isn't available? That only has a chance of working if output traffic is broken but return traffic continues to flow.

> 2. More complicated for me. The ADSL boxes are never
> synchronised with the same capacity after a reboot. Do
> you know a good system for traffic repartition
> which takes care of box response times, maybe a
> script, but how?

Again -- you can't switch live connections from one ISP to another. You might get away with switching output traffic if the ISP being switched to does not do ingress filtering but the return traffic is still going to go through the ISP over which the connection was initiated.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net  \________________________________________________

Thank you so much for your quick reply. Maybe I could do that with a script that reconfigures and restarts Shorewall?

For example, something like this:

Script in cron at 00 *

1) Detect that ISP1 response time is worse than ISP2 -> The problem is how to detect response time
2) Change a parameter in the Shorewall conf, maybe balance=X ?
3) And finally restart Shorewall

I think I'm not alone with an unstable ISP, just wondering how others get around this problem.

Fred

On 25/03/2011 17:10, Tom Eastep wrote:
> On 3/25/11 4:49 AM, Stealth wrote:
>> Hi all,
>>
>> I'm hoping to build a gateway with multiple ISPs
>> (in my case I have 4 ISPs) with failover capability.
>>
>> Here's what I hope to accomplish with Shorewall,
>> if it's possible:
>>
>> 1. Switch traffic to other interfaces if an ISP
>> fails, not only when the box hangs but also if
>> the Internet connection doesn't respond
> Using static routing, you can't switch existing traffic from one ISP to
> another. Think about it; how is return traffic going to get back to your
> network if the route to your system isn't available? That only has a
> chance of working if output traffic is broken but return traffic
> continues to flow.
>
>> 2. More complicated for me. The ADSL boxes are never
>> synchronised with the same capacity after a reboot. Do
>> you know a good system for traffic repartition
>> which takes care of box response times, maybe a
>> script, but how?
> Again -- you can't switch live connections from one ISP to another. You
> might get away with switching output traffic if the ISP being switched
> to does not do ingress filtering but the return traffic is still going
> to go through the ISP over which the connection was initiated.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

On 3/25/11 10:19 AM, Stealth wrote:
> Thank you so much for your quick reply. Maybe I could do that with
> a script that reconfigures and restarts Shorewall?
>
> For example, something like this:
>
> Script in cron at 00 *
>
> 1) Detect that ISP1 response time is worse than ISP2 -> The problem is how
> to detect response time
> 2) Change a parameter in the Shorewall conf, maybe balance=X ?
> 3) And finally restart Shorewall
>
> I think I'm not alone with an unstable ISP, just wondering how others get
> around this problem.

If you configure Shorewall as described in the MultiISP doc and run LSM, you will get failover from unstable ISPs. That's what the users that I know of are doing.

There is a rate estimation capability in Netfilter that could be used to re-balance more quickly, but Shorewall currently has no support for that feature. That would be the best approach and I have it on my long-term goals to implement such support, but I don't have the time to do it in the near future.

-Tom

On 25/03/2011 18:57, Tom Eastep wrote:
> If you configure Shorewall as described in the MultiISP doc and run LSM,
> you will get failover from unstable ISPs. That's what the users that I
> know of are doing.

Will I get failover from an unstable router or an unstable Internet connection? I understand that when the router LAN address doesn't respond to Shorewall it can get a failover, but in most cases it is the Internet connection of the router that is broken.

> There is a rate estimation capability in Netfilter that could be used to
> re-balance more quickly, but Shorewall currently has no support for that
> feature. That would be the best approach and I have it on my long-term
> goals to implement such support, but I don't have the time to do it in
> the near future.

Thanks again, I will see about a script or a little program that rewrites Shorewall rules.

Fred

> -Tom

On 3/26/11 10:25 AM, Stealth wrote:
> On 25/03/2011 18:57, Tom Eastep wrote:
>> If you configure Shorewall as described in the MultiISP doc and run LSM,
>> you will get failover from unstable ISPs. That's what the users that I
>> know of are doing.
>
> Will I get failover from an unstable router or an unstable Internet connection?
> I understand that when the router LAN address doesn't respond to
> Shorewall it can get a failover, but in most cases it is the Internet
> connection of the router that is broken.

Well, you get to decide what internet host address to use for determining the performance of an uplink. It doesn't have to be the next hop router.

The bottom line is that if you want robust failover/balancing over multiple uplinks, you have to pay for it in the form of BGP peering. If you don't want to pay for that, then you get what you pay for.

-Tom
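
The measurement step discussed in this thread (probe an internet host of your choosing through each uplink, then compare packet loss and response time), as an added example that is not part of the original messages and is not Shorewall or LSM code. The 50% loss threshold, the 1 to 10 weight scale, the uplink names isp1 to isp3 and the sample ping summaries are constructed assumptions.

```shell
#!/bin/sh
# Added example, not Shorewall or LSM code. Thresholds and samples are assumptions.
MAX_LOSS=50   # percent loss at which an uplink is treated as down (assumed)

# Constructed `ping -q` summaries for three hypothetical uplinks.
SAMPLE_ISP1='5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 18.204/20.000/23.950/2.101 ms'
SAMPLE_ISP2='5 packets transmitted, 4 received, 20% packet loss, time 4010ms
rtt min/avg/max/mdev = 70.100/80.000/95.200/9.400 ms'
SAMPLE_ISP3='5 packets transmitted, 0 received, 100% packet loss, time 4100ms'

# probe IFACE HOST: live measurement through one uplink (not called below).
probe() { ping -n -q -c 5 -W 2 -I "$1" "$2" 2>/dev/null; }

# loss_pct: ping summary on stdin -> integer percent loss (100 if no summary).
loss_pct() {
    l=$(sed -n 's/.*[ ,]\([0-9][0-9]*\)[0-9.]*% packet loss.*/\1/p')
    echo "${l:-100}"
}

# avg_rtt: ping summary on stdin -> average RTT in ms, empty if no replies.
avg_rtt() { sed -n 's|.*min/avg/max[^=]*= [0-9.]*/\([0-9.]*\)/.*|\1|p'; }

# assess NAME PING_OUTPUT: prints "NAME up AVG_MS" or "NAME down -".
assess() {
    loss=$(printf '%s\n' "$2" | loss_pct)
    rtt=$(printf '%s\n' "$2" | avg_rtt)
    if [ "$loss" -ge "$MAX_LOSS" ] || [ -z "$rtt" ]; then
        echo "$1 down -"
    else
        echo "$1 up $rtt"
    fi
}

# plan: "NAME STATE RTT" lines on stdin -> "NAME WEIGHT"; the fastest live
# uplink gets 10, slower ones proportionally less (minimum 1), down ones 0.
plan() {
    awk '{ order[++c] = $1 }
         $2 == "up" { r[$1] = ($3 > 0 ? $3 + 0 : 0.001)
                      if (!n++ || r[$1] < best) best = r[$1] }
         END { for (i = 1; i <= c; i++) { x = order[i]; w = 0
                 if (x in r) { w = int(best / r[x] * 10 + 0.5); if (w < 1) w = 1 }
                 print x, w } }'
}

demo() {
    { assess isp1 "$SAMPLE_ISP1"; assess isp2 "$SAMPLE_ISP2"
      assess isp3 "$SAMPLE_ISP3"; } | plan
}
demo
```

On a live gateway, pass the output of `probe IFACE HOST` to `assess` in place of the samples; as noted in the replies above, changing weights only affects new connections, not ones already established.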