Benjamin Reed
2002-Feb-16 23:06 UTC
[Shorewall-users] load-balancing multiple DSL connections
I've been setting up a brand-spanking-new shorewall firewall to replace our pmfirewall (ipchains) based firewall in place right now. I've got it up and running and doing everything I need it to do for basic usage (it works, so I have some room to tinker).

Essentially, I've got 2 DSL connections (one DSL.net and one BellSouth). Up until now, the BellSouth one has been a secondary that just gets turned on if something goes wrong on the primary. Now I would like to do some kind of load balancing.

As I understand it, I would need to do a number of things.

1. Enable mangling and fwmark outgoing packets to keep track of sessions already created from the internal network.
2. Enable shaping and make a virtual interface that picks an interface to go out of.
3. Make the default route go out this virtual interface so that newly-created sessions from the inside will semi-randomly choose an outgoing interface.

I've started out trying TEQL for the shaping since it's the most straightforward. After going through the shorewall config and the advanced routing howto 14 times, I still can't quite seem to get it to actually work. =)

In my /etc/shorewall/tcrules, I've got:

    201    eth0    0.0.0.0/0    all
    202    ppp0    0.0.0.0/0    all

Then I added the routes for mark'd packets:

    ip rule add fwmark 201 table 201
    ip rule add fwmark 202 table 202
    ip route add default via <eth0-ip> dev eth0 table 201
    ip route add default via <ppp0-ip> dev ppp0 table 202

Then I added the routes for new connections:

    tc qdisc add dev eth0 root teql0
    tc qdisc add dev ppp0 root teql0
    ip addr add dev teql0 192.168.1.1/31
    ip route add default via 192.168.1.1 dev teql0

From what I'm seeing in the routing howto and such, it seems like this should work, but packets just get dropped on the floor, and I don't get any log messages. I tried adding teql0 to my external-network zone ("net") but it doesn't seem to make a difference.

Are there any glaring errors any of you can pick out as to what could be going wrong?
TIA,

-- 
Ben Reed (ben@opennms.org)
http://www.opennms.org/
"Is it considered bad form to quote yourself in your sig?" -- Me
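The per-provider routing that the three steps above are reaching for, as an added example that is not part of this thread and not Shorewall's own code: one routing table per uplink, selected either by the packet's source address or by an fwmark equal to the table number, plus a multipath default route so that new outbound sessions are spread across both gateways. This follows the "multiple uplinks" recipe of the Advanced Routing HOWTO rather than TEQL, which is a link-sharing qdisc that expects the peer at the far end of both links to run the same qdisc and so does not fit two independent ISPs. The interface names, addresses, gateways and table numbers (eth0, ppp0, 203.0.113.x, 198.51.100.x, 201, 202) are constructed placeholders; by default the script only prints the commands and runs them only when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread: two-provider policy routing in the
# style of the LARTC "multiple uplinks" recipe. Every interface name,
# address, gateway and table number below is a constructed placeholder.
# Commands are printed; they are executed only when APPLY=1 (as root).

# Provider 1 (assumed: Ethernet-attached DSL router on a /24)
P1_IF=eth0;  P1_IP=203.0.113.10;  P1_GW=203.0.113.1;  P1_NET=203.0.113.0/24; P1_TABLE=201
# Provider 2 (assumed: PPPoE link; point-to-point, so no local network route)
P2_IF=ppp0;  P2_IP=198.51.100.10; P2_GW=198.51.100.1; P2_NET="";            P2_TABLE=202

# run CMD...: print the command, and execute it only when APPLY=1
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# provider_table IF IP GW NET TABLE: one routing table per uplink.
# Replies and locally sourced packets that carry a provider's address are
# forced back out through that provider, so each ISP only ever sees its own
# addresses as source (the other ISP would discard them as spoofed).
provider_table() {
    _if=$1; _ip=$2; _gw=$3; _net=$4; _table=$5
    [ -n "$_net" ] && run ip route add "$_net" dev "$_if" src "$_ip" table "$_table"
    run ip route add default via "$_gw" dev "$_if" table "$_table"
    run ip rule add from "$_ip" table "$_table"
    # Packets the firewall has marked (for example a tcrules MARK equal to the
    # table number) are pinned to this provider regardless of source address.
    run ip rule add fwmark "$_table" table "$_table"
}

# multipath_default GW1 IF1 GW2 IF2: new outbound sessions pick a next hop.
# The kernel chooses per route-cache entry (per destination), not per packet.
multipath_default() {
    run ip route replace default scope global \
        nexthop via "$1" dev "$2" weight 1 \
        nexthop via "$3" dev "$4" weight 1
}

# plan: the whole command sequence, in order
plan() {
    provider_table "$P1_IF" "$P1_IP" "$P1_GW" "$P1_NET" "$P1_TABLE"
    provider_table "$P2_IF" "$P2_IP" "$P2_GW" "$P2_NET" "$P2_TABLE"
    multipath_default "$P1_GW" "$P1_IF" "$P2_GW" "$P2_IF"
    run ip route flush cache
}

plan
```

Two things worth knowing when checking the result: `ip route get <address>` shows which table and gateway a given destination resolves to, and a packet that vanishes without any firewall log entry is consistent with reverse-path filtering (rp_filter), which silently discards packets whose source address is not routed via the interface they arrived on; with two uplinks, each provider's return traffic must be routed back through that provider's interface for the check to pass.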
dgilleece@optimumnetworks.com
2002-Feb-17 01:46 UTC
[Shorewall-users] IPSec Client-to-Gateway Connections Behind Shorewall "Dying"
Hi all,

I have my non-masq, non-RFC1918 packet filtering Shorewall config up and running. I am running PPTP client sessions outbound, no problem. One of the users here is reporting his IPSec sessions to a Nortel VPN gateway establish fine, but seem to be timing out, in what seems like 10-30 minutes of inactivity. He is using Crystal reports, accessing the database via VPN -- so I'm not sure how active it keeps the pipe while he is doing local operations. Prior to the installation of Shorewall (he claims), VPN connections could stay up "literally for days." Other than an occasional INVALID-MAJOR-VERSION message in tcpdump, nothing unusual is observed.

Are there any configurable values in Shorewall that might fix this? Any other ideas on where to poke around?

Thanks, as always...

Dan
Tom Eastep
2002-Feb-18 22:56 UTC
[Shorewall-users] IPSec Client-to-Gateway Connections Behind Shorewall "Dying"
Dan,

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of
> dgilleece@optimumnetworks.com
> Sent: Saturday, February 16, 2002 5:46 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] IPSec Client-to-Gateway Connections Behind Shorewall "Dying"
>
> Hi all,
>
> I have my non-masq, non-RFC1918 packet filtering Shorewall config up and
> running. I am running PPTP client sessions outbound, no problem. One of the
> users here is reporting his IPSec sessions to a Nortel VPN gateway establish
> fine, but seem to be timing out, in what seems like 10-30 minutes of
> inactivity. He is using Crystal reports, accessing the database via VPN -- so
> I'm not sure how active it keeps the pipe while he is doing local operations.
> Prior to the installation of Shorewall (he claims), VPN connections could stay
> up "literally for days." Other than an occasional INVALID-MAJOR-VERSION
> message in tcpdump, nothing unusual is observed.
>
> Are there any configurable values in Shorewall that might fix this? Any other
> ideas on where to poke around?

You need UDP port 500 and protocols 51 and 51 open to this user's system. After a period of inactivity, either end of a VPN tunnel can suddenly become active; if iptables connection tracking has timed out the connection and the remote end is the first to speak, you will see problems like you describe.

-Tom
-- 
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
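What opening those ports and protocols looks like in the Shorewall rules file, as an added example that is not from the thread or from the Shorewall documentation: IKE is UDP port 500, ESP is IP protocol 50 and AH is IP protocol 51, and the entries are written so that only the VPN gateway's address, not the whole net zone, may initiate towards the user's host once connection tracking has forgotten the session. The zone name loc, the addresses 192.0.2.25 and 198.51.100.7, and the Shorewall 1.x column layout (ACTION, SOURCE, DEST, PROTO, DEST PORT) are assumptions to check against the installed version's rules file.

```shell
#!/bin/sh
# Added example, not from the thread: Shorewall 'rules' entries that let the
# VPN gateway speak first to the client's host after conntrack has timed out.
# IKE is UDP 500, ESP is IP protocol 50, AH is IP protocol 51.
# Zone name and both addresses are constructed placeholders.

CLIENT_ZONE=loc            # assumed: zone holding the user's workstation
CLIENT_HOST=192.0.2.25     # placeholder: the user's public (non-masq) address
VPN_GATEWAY=198.51.100.7   # placeholder: the Nortel gateway's address

# ipsec_rules ZONE HOST GATEWAY: print the three rules-file lines.
# SOURCE is pinned to the gateway's address (net:ADDRESS), so the hole in the
# firewall is limited to that one peer rather than the whole net zone.
ipsec_rules() {
    _zone=$1; _host=$2; _gw=$3
    #       ACTION  SOURCE      DEST            PROTO  DEST PORT
    printf 'ACCEPT\tnet:%s\t%s:%s\tudp\t500\n' "$_gw" "$_zone" "$_host"
    printf 'ACCEPT\tnet:%s\t%s:%s\t50\n'       "$_gw" "$_zone" "$_host"
    printf 'ACCEPT\tnet:%s\t%s:%s\t51\n'       "$_gw" "$_zone" "$_host"
}

# Append to the live rules file only when RULES_FILE names it (then
# 'shorewall restart' picks the change up); otherwise just print the lines.
if [ -n "${RULES_FILE:-}" ]; then
    ipsec_rules "$CLIENT_ZONE" "$CLIENT_HOST" "$VPN_GATEWAY" >> "$RULES_FILE"
else
    ipsec_rules "$CLIENT_ZONE" "$CLIENT_HOST" "$VPN_GATEWAY"
fi
```

After restarting, `shorewall show net2loc` (or whichever chain the zone pair maps to) should list the three ACCEPT entries ahead of the policy, and a tcpdump on the external interface for `udp port 500 or proto 50 or proto 51` from the gateway's address shows whether the gateway's first packet after an idle period is now forwarded instead of dropped.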
Tom Eastep
2002-Feb-18 23:46 UTC
[Shorewall-users] load-balancing multiple DSL connections
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of
> Benjamin Reed
> Sent: Saturday, February 16, 2002 3:06 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] load-balancing multiple DSL connections
>
> I've been setting up a brand-spanking-new shorewall firewall to
> replace our pmfirewall (ipchains) based firewall in place right
> now.
>
> I've got it up and running and doing everything I need it to do
> for basic usage (it works, so I have some room to tinker).
>
> Essentially, I've got 2 DSL connections (one DSL.net and one
> BellSouth). Up until now, the BellSouth one has been a secondary
> that just gets turned on if something goes wrong on the primary.
> Now I would like to do some kind of load balancing.
>

I haven't done this so I can't be of any help. Sorry

-Tom
-- 
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
dgilleece@optimumnetworks.com
2002-Feb-19 01:36 UTC
[Shorewall-users] IPSec Client-to-Gateway Connections Behind Shorewall "Dying"
Well, that just makes perfect sense, when you put it that way :)

Thanks again,

Dan

Quoting Tom Eastep <teastep@shorewall.net>:

> You need UDP port 500 and protocols 51 and 51 open to this user's
> system. After a period of inactivity, either end of a VPN tunnel can
> suddenly become active; if iptables connection tracking has timed out
> the connection and the remote end is the first to speak, you will see
> problems like you describe.
>
> -Tom
> -- 
> Tom Eastep      \ Shorewall -- iptables made easy
> AIM: tmeastep   \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users