Hi there, I need some hint about multi-ISP configuration of Shorewall. I have installed shorewall 4.4.11.6 on Debian squeeze.

I have two providers connected on eth1 (ISP1) and eth2 (ISP2) by two routers (not modems); both connections have static public IP addresses. eth0 is the local LAN interface.

eth1 has IP address 192.168.10.9 with gateway (ISP1 router) 192.168.10.1.
eth2 has IP address 192.168.1.9 with gateway (ISP2 router) 192.168.1.1.

In the default configuration some applications (VPN, ssh and video conference) must be routed on ISP2 and all the others on ISP1. I used the tcrules file to route the applications. When one of the ISPs is down I need to switch all applications to the ISP that is up.

I use a swping-like script to test the connections and eventually switch from one ISP to the other.

If I use the eth1 and eth2 status files to set the interfaces UP or DOWN, when an interface goes down, after the shorewall restart I'm no longer able to test the interface that is down: the ping to an external IP fails even when the interface is up again. I'm only able to ping the gateway address that corresponds to the ISP router, but this is always up!

How can I modify the interface configuration to be able to ping an external IP address?
When an interface is down, how are the related routings in the tcrules file processed?
When Shorewall is restarted (/sbin/shorewall restart -f) are the configuration files reread?

In the present configuration I don't use the eth status files, and when an interface is down (ping is not responding) the script modifies the tcrules file to redirect all applications to the interface that is up and restarts Shorewall (/etc/init.d/shorewall restart).

I hope I was able to explain the situation and the problem. Thanks in advance for your answer... and sorry for my limited English.
On Wed, 2011-07-13 at 18:29 +0200, A.Santoro wrote:

> Hi there,
> I need some hint about multi-ISP configuration of Shorewall.
>
> I have installed shorewall 4.4.11.6 on Debian squeeze.
>
> I have two providers connected on eth1 (ISP1) and eth2 (ISP2) by two
> routers (not modems); both connections have static public IP
> addresses. eth0 is the local LAN interface.
>
> eth1 has IP address 192.168.10.9 with gateway (ISP1 router) 192.168.10.1
>
> eth2 has IP address 192.168.1.9 with gateway (ISP2 router) 192.168.1.1
>
> In the default configuration some applications (VPN, ssh and video
> conference) must be routed on ISP2 and all the others on ISP1.
> I used the tcrules file to route the applications.
> When one of the ISPs is down I need to switch all applications to the
> ISP that is up.
>
> I use a swping-like script to test the connections and eventually
> switch from one ISP to the other.
>
> If I use the eth1 and eth2 status files to set the interfaces UP or DOWN,
> when an interface goes down, after the shorewall restart I'm no longer
> able to test the interface that is down: the ping to an external IP
> fails even when the interface is up again.
> I'm only able to ping the gateway address that corresponds to the ISP
> router, but this is always up!
>
> How can I modify the interface configuration to be able to ping an
> external IP address?

You must configure a route to the pinged address via the interface's gateway (in /etc/network/interfaces). That, of course, means that you can't communicate with the host at that address through the other interface.

When I had a multi-ISP configuration that had a local router, I used traceroute to determine the IP address of the upstream router and pinged that address.

You must, of course, configure such a route on both interfaces.

To answer your other question, when Shorewall considers an interface to be down, the interface's entries in tcrules are basically ignored since the route rule that routes the interface's mark out of the interface is not present.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
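The host routes Tom describes, written out as an /etc/network/interfaces fragment for the setup in this thread. This is an added example, not configuration from the thread or from the Shorewall project: the probe addresses 203.0.113.1 and 198.51.100.1 are placeholders standing in for the upstream router of each ISP (found with traceroute), and the /24 netmasks are assumed.

```conf
# /etc/network/interfaces (Debian) -- added example, not from the thread.
# Each probe host gets a /32 route through its own ISP's router, so the
# swping-like script can ping it through that interface even while
# Shorewall treats the interface as down. The probe host for ISP1 is
# therefore unreachable through ISP2 and vice versa (as Tom notes).

# ISP1 on eth1
auto eth1
iface eth1 inet static
    address 192.168.10.9
    netmask 255.255.255.0           # assumed; not stated in the thread
    # 203.0.113.1 = placeholder for ISP1's upstream router (find with traceroute)
    post-up   ip route add 203.0.113.1/32 via 192.168.10.1 dev eth1
    pre-down  ip route del 203.0.113.1/32 via 192.168.10.1 dev eth1

# ISP2 on eth2
auto eth2
iface eth2 inet static
    address 192.168.1.9
    netmask 255.255.255.0           # assumed; not stated in the thread
    # 198.51.100.1 = placeholder for ISP2's upstream router (find with traceroute)
    post-up   ip route add 198.51.100.1/32 via 192.168.1.1 dev eth2
    pre-down  ip route del 198.51.100.1/32 via 192.168.1.1 dev eth2
```

After `ifup eth1 eth2`, `ip route show` should list both /32 routes; a ping to 203.0.113.1 then exercises only ISP1's path and a ping to 198.51.100.1 only ISP2's, independent of which provider Shorewall currently marks as up.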
On Thu, 14 Jul 2011 06:03:55 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> You must configure a route to the pinged address via the interface's
> gateway (in /etc/network/interfaces). That, of course, means that you
> can't communicate with the host at that address through the other
> interface.
>
> When I had a multi-ISP configuration that had a local router, I used
> traceroute to determine the IP address of the upstream router and pinged
> that address.
>
> You must, of course, configure such a route on both interfaces.
>
> To answer your other question, when Shorewall considers an interface to
> be down, the interface's entries in tcrules are basically ignored since
> the route rule that routes the interface's mark out of the interface is
> not present.
>
> -Tom

Thanks Tom, for your quick answer. I have created the two static routes and now all seems to work perfectly.

A.Santoro