Shorewall version: 4.4.19

I need a little advice before flailing around some more :)

I have a multi-ISP setup using 5 providers which works very nicely. I'm trying to introduce OSPF routing updates into the picture but the software only updates the main routing table, which poses a problem for me with my current configuration, namely:

USE_DEFAULT_RT is currently set to Yes
All providers have "main" as their duplicate.

As the routing suite I am using will only update the main routing table, those copies made for each provider become invalid.

I tried setting USE_DEFAULT_RT to No and using "-" for the duplicate in the providers file. This reduced all the provider routing tables down to the default routes as it should and placed main (with no default route) before everything else. I used to have a default route for everybody who did *not* have a provider which was in the main table; that is no longer present in the main table, of course.

The problem I believe I am experiencing is from the default table:

    default
        nexthop via 10.1.5.3 dev eth1.5 weight 1
        nexthop via 24.52.191.241 realm 3 dev eth1.9 weight 1
        nexthop via 10.3.11.1 realm 4 dev eth1.9 weight 1
        nexthop via 10.3.11.1 realm 5 dev eth1.9 weight 1

which is "load-balancing" new connections and causing all kinds of issues (traffic goes out the wrong interface, doesn't get NAT'd, etc.)

I want only the first line (my "default" ISP, if there is such a thing).

I am thinking that maybe I should be explicitly marking packets so they do not hit the default table (from MultiISP <http://www.shorewall.net/MultiISP.html>):

    The bottom line is that if you want traffic to go out through a particular provider then you must mark that traffic with the provider's MARK value in /etc/shorewall/tcrules and you must do that marking in the PREROUTING chain; or, you must provide the appropriate rules in /etc/shorewall/route_rules

Or is there a way to force that default table NOT to have nexthops from particular providers? I considered the fallback option in the Providers file, but that didn't seem right.

I have a shorewall dump before/after these changes if somebody is interested in looking over it all. It's about 100K compressed.

Thanks
--
Lee

------------------------------------------------------------------------------
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
Register now!
http://p.sf.net/sfu/rsa-sfdev2dev2
On Jan 15, 2012, at 11:50 AM, Lee Brown wrote:

> Shorewall version: 4.4.19
>
> I need a little advice before flailing around some more :)
>
> I have a multi-ISP setup using 5 providers which works very nicely. I'm trying to introduce OSPF routing updates into the picture but the software only updates the main routing table, which poses a problem for me with my current configuration, namely:
>
> USE_DEFAULT_RT is currently set to Yes
> All providers have "main" as their duplicate.

Those two statements are inconsistent. If USE_DEFAULT_RT=Yes, the DUPLICATE column must be empty.

> I have a shorewall dump before/after these changes if somebody is interested in looking over it all. It's about 100K compressed.

It's the only way that we will make progress.

-Tom

Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
> I have a shorewall dump before/after these changes if somebody is interested in looking over it all. It's about 100K compressed.

Please tar up the dump along with /etc/shorewall.

Thanks,
-Tom
On Jan 15, 2012, at 11:50 AM, Lee Brown wrote:

> Or is there a way to force that default table NOT to have nexthops from particular providers? I considered the fallback option in the Providers file, but that didn't seem right.

Just don't specify 'balance' for those that you don't want to balance.

-Tom
On Jan 15, 2012, at 1:56 PM, Tom Eastep wrote:

> On Jan 15, 2012, at 11:50 AM, Lee Brown wrote:
>
>> Or is there a way to force that default table NOT to have nexthops from particular providers? I considered the fallback option in the Providers file, but that didn't seem right.
>
> Just don't specify 'balance' for those that you don't want to balance.

But if you really do have USE_DEFAULT_RT=Yes, then you must either specify 'loose' or 'fallback' to eliminate them from balancing.

-Tom
On Sun, Jan 15, 2012 at 1:28 PM, Tom Eastep <teastep@shorewall.net> wrote:

>> I have a shorewall dump before/after these changes if somebody is interested in looking over it all. It's about 100K compressed.
>
> Please tar up the dump along with /etc/shorewall.

That was over 128k and got rejected. Is it OK to split it into 3 posts?

> Thanks,
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
On Jan 16, 2012, at 7:35 PM, Lee Brown wrote:

> That was over 128k and got rejected. Is it OK to split it into 3 posts?

Just send it to me personally. But please try the tips that I sent you first.

-Tom
On Jan 17, 2012, at 11:22 AM, Lee Brown wrote:

> On Tue, Jan 17, 2012 at 10:29 AM, Tom Eastep <teastep@shorewall.net> wrote:
>
>> On 01/17/2012 08:25 AM, Lee Brown wrote:
>>> Hi Tom,
>>>
>>> With USE_DEFAULT_RT=Yes, I tried explicitly putting loose into the providers file (and removing duplicate field) which did remove the list of default routes in the default table. However it still doesn't work as anticipated. It appears table 999 doesn't get installed in the rules.
>>
>> Valid table numbers are 0-255. 999???
>
> Sorry, I meant the rule number 999. According to the MultiISP docs "Packets are sent through the main routing table by a routing rule with priority 999. The priority range 1-998 may be used for inserting rules that bypass the main table."

Turns out that the code doesn't generate that rule when there are no balance providers. I've attached a patch for 4.4.19.

-Tom
On Tue, Jan 17, 2012 at 12:59 PM, Tom Eastep <teastep@shorewall.net> wrote:

> On Jan 17, 2012, at 11:22 AM, Lee Brown wrote:
>
>> On Tue, Jan 17, 2012 at 10:29 AM, Tom Eastep <teastep@shorewall.net> wrote:
>>
>>> On 01/17/2012 08:25 AM, Lee Brown wrote:
>>>> Hi Tom,
>>>>
>>>> With USE_DEFAULT_RT=Yes, I tried explicitly putting loose into the providers file (and removing duplicate field) which did remove the list of default routes in the default table. However it still doesn't work as anticipated. It appears table 999 doesn't get installed in the rules.
>>>
>>> Valid table numbers are 0-255. 999???
>>
>> Sorry, I meant the rule number 999. According to the MultiISP docs "Packets are sent through the main routing table by a routing rule with priority 999. The priority range 1-998 may be used for inserting rules that bypass the main table."
>
> Turns out that the code doesn't generate that rule when there are no balance providers. I've attached a patch for 4.4.19.

Thanks Tom, this is Awesome. I now have this implemented on my system. Turned out I had to leave one provider "balanced" (or not loose) in order to get that route into the default route table, but the patch was required either way as I couldn't ssh out of the box due to incorrect routing.

> -Tom
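As an added example (not code from the thread or from Shorewall itself), a small Python checker for the two conditions the thread turns on: whether the default table still multipath-balances over more providers than intended, and whether the priority-999 rule that sends packets through the main table is present. The route and rule text below is constructed from the dump quoted in the first message; on a live host you would feed it the output of 'ip route show table default' and 'ip rule show' instead.

```python
import re
# Constructed sample, modelled on the 'ip route show table default' dump quoted
# in the thread: four next hops where the poster wanted only the first.
SAMPLE_DEFAULT_TABLE = """\
default
    nexthop via 10.1.5.3  dev eth1.5 weight 1
    nexthop via 24.52.191.241 realm 3 dev eth1.9 weight 1
    nexthop via 10.3.11.1 realm 4 dev eth1.9 weight 1
    nexthop via 10.3.11.1 realm 5 dev eth1.9 weight 1
"""
# Constructed 'ip rule show' output with, and without, the priority-999 rule
# that sends packets through the main table (the rule the patch restores).
SAMPLE_RULES_OK = ("0:\tfrom all lookup local\n999:\tfrom all lookup main\n"
                   "10000:\tfrom all fwmark 0x1/0xff lookup 1\n32767:\tfrom all lookup default\n")
SAMPLE_RULES_MISSING = SAMPLE_RULES_OK.replace("999:\tfrom all lookup main\n", "")

# Matches 'default via ...' and multipath 'nexthop via ...' lines; realm and weight are optional.
NEXTHOP_RE = re.compile(
    r"(?:default|nexthop) via (\S+)(?: realm (\d+))?\s+dev (\S+)(?: weight (\d+))?")

def parse_default_table(text):
    """Return one dict per next hop found in a default-table dump."""
    hops = []
    for line in text.splitlines():
        m = NEXTHOP_RE.search(line)
        if m:
            via, realm, dev, weight = m.groups()
            hops.append({"via": via, "realm": int(realm) if realm else None,
                         "dev": dev, "weight": int(weight) if weight else 1})
    return hops

def has_main_rule(rule_text, priority=999):
    """True if a rule at exactly this priority looks up the main table."""
    for line in rule_text.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*)", line)
        if m and int(m.group(1)) == priority and "lookup main" in m.group(2):
            return True
    return False

def audit(route_text, rule_text, expected_hops=1):
    """Return human-readable findings; an empty list means no surprises."""
    findings = []
    hops = parse_default_table(route_text)
    if len(hops) != expected_hops:
        detail = ", ".join(f"{h['via']} dev {h['dev']}" for h in hops)
        findings.append(f"default table balances over {len(hops)} next hop(s), "
                        f"expected {expected_hops}: {detail}")
    if not has_main_rule(rule_text):
        findings.append("no priority-999 rule sends traffic through the main table")
    return findings
```

Run audit() against the sample text and it reports both problems the thread hit; against a setup with a single default next hop and the 999 rule present it returns an empty list.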