Shorewall devel - May 2005 - Multiple Internet connections with Dynamic IP addresses

Cristian and Alex,

Both of you have asked about this. A routing table can only have one default
route so when the second link comes up, adding the second default route will
fail. So in general, Shorewall can only reliably detect the gateway for
P-T-P connections which is what the CVS current code does.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

"Tom Eastep" <teastep@shorewall.net> writes:
> A routing table can only have one default route so when the second link
> comes up, adding the second default route will fail.
Hmm, maybe I''ve misunderstood you, but here is my main routing table:

gw2:/# ip route
212.xxx.xxx.255 dev ppp0  proto kernel  scope link  src 212.xxx.xxx.138
213.xxx.xxx.xxx/29 dev eth1  proto kernel  scope link  src 213.xxx.xxx.xxx
81.xxx.xxx.xxx/26 dev eth2  proto kernel  scope link  src 81.xxx.xxx.xxx
172.16.0.0/16 dev eth0  proto kernel  scope link  src 172.16.0.3
default via 213.xxx.xxx.xxx dev eth1  metric 10
default via 81.xxx.xxx.xxx dev eth2  metric 20
default dev ppp0  scope link  metric 50

I cannot say that this already achieves my main goal (build a failover
connection that automatically passes all outbound traffic to eth2 and then
ppp0 when eth1 link fails), but multiple default routes are there...

- Dmitry Bely

Dmitry Bely wrote:
>>A routing table can only have one default route so when the second link
>>comes up, adding the second default route will fail.
> 
> Hmm, maybe I''ve misunderstood you, but here is my main routing
table:
> 
> gw2:/# ip route
> 212.xxx.xxx.255 dev ppp0  proto kernel  scope link  src 212.xxx.xxx.138
> 213.xxx.xxx.xxx/29 dev eth1  proto kernel  scope link  src 213.xxx.xxx.xxx
> 81.xxx.xxx.xxx/26 dev eth2  proto kernel  scope link  src 81.xxx.xxx.xxx
> 172.16.0.0/16 dev eth0  proto kernel  scope link  src 172.16.0.3
> default via 213.xxx.xxx.xxx dev eth1  metric 10
> default via 81.xxx.xxx.xxx dev eth2  metric 20
> default dev ppp0  scope link  metric 50
> 
> I cannot say that this already achieves my main goal (build a failover
> connection that automatically passes all outbound traffic to eth2 and then
> ppp0 when eth1 link fails),
You haven''t.
> but multiple default routes are there...
Yes -- you can set up multiple default routes with different
scope/metric values.

I''m guessing though that in your case, the routes through eth1 and eth2
were not generated by some sort of dynamic IP clients, right? And that
is what this discussion is about.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> 
> Yes -- you can set up multiple default routes with different
> scope/metric values.
> 
> I''m guessing though that in your case, the routes through eth1 and
eth2
> were not generated by some sort of dynamic IP clients, right? And that
> is what this discussion is about.
> 
Nevertheless, I''ve relaxed the restriction and Shorewall will now *try*
to use the routing table to determine the gateway IP address if the
interface is not P-T-P. That code is in CVS and will be in -RC2.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Dmitry Bely wrote:
> 
>>And that is what this discussion is about.
> 
> Sorry I did not realized why "dynamic" is critical here. If I had
2 ppp
> interfaces, I could reproduce the same.
> 
The question was not what YOU COULD DO but what dhclient, dhcpcd and
other dynamic IP tools WILL DO.

As I said in my last post though, I''ve added code that will try very
hard to determine what the gateway IP address is using a variety of
techniques. So whatever YOU DO, Shorewall should be able to determine
the gateway IP address given the interface name.

I consider this issue closed,

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep <teastep@shorewall.net> writes:
>>>A routing table can only have one default route so when the second
link
>>>comes up, adding the second default route will fail.
>> 
>> Hmm, maybe I''ve misunderstood you, but here is my main routing
table:
>> 
>> gw2:/# ip route
>> 212.xxx.xxx.255 dev ppp0  proto kernel  scope link  src 212.xxx.xxx.138
>> 213.xxx.xxx.xxx/29 dev eth1  proto kernel  scope link  src
213.xxx.xxx.xxx
>> 81.xxx.xxx.xxx/26 dev eth2  proto kernel  scope link  src
81.xxx.xxx.xxx
>> 172.16.0.0/16 dev eth0  proto kernel  scope link  src 172.16.0.3
>> default via 213.xxx.xxx.xxx dev eth1  metric 10
>> default via 81.xxx.xxx.xxx dev eth2  metric 20
>> default dev ppp0  scope link  metric 50
>> 
>> I cannot say that this already achieves my main goal (build a failover
>> connection that automatically passes all outbound traffic to eth2 and
then
>> ppp0 when eth1 link fails),
>
> You haven''t.
Sure. Currently I have to manually change metrics. I will wrote a simple
script that continously pings some predefined hosts and change metrics
accordingly if I don''t find a more "correct" way.
>> but multiple default routes are there...
>
> Yes -- you can set up multiple default routes with different
> scope/metric values.
It does not matter. Just use "route" instead of "ip route":

gw2:/# route del default dev eth1
gw2:/# route del default dev eth2
gw2:/# route del default dev ppp0
gw2:/# route add default dev ppp0
gw2:/# route add default dev eth2 gw 81.xxx.xxx.xxx
gw2:/# route add default dev eth1 gw 213.xxx.xxx.xxx
gw2:/# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.xxx.xxx.xxx 0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
213.xxx.xxx.xxx 0.0.0.0         255.255.255.248 U     0      0        0 eth1
81.xxx.xxx.xxx  0.0.0.0         255.255.255.192 U     0      0        0 eth2
172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         213.xxx.xxx.xxx 0.0.0.0         UG    0      0        0 eth1
0.0.0.0         81.xxx.xxx.xxx  0.0.0.0         UG    0      0        0 eth2
0.0.0.0         212.xxx.xxx.xxx 0.0.0.0         UG    0      0        0 ppp0
gw2:/# ip route
212.xxx.xxx.xxx dev ppp0  proto kernel  scope link  src 212.xxx.xxx.xxx
213.xxx.xxx.xxx/29 dev eth1  proto kernel  scope link  src 213.xxx.xxx.xxx
81.xxx.xxx.xxx/26 dev eth2  proto kernel  scope link  src 81.xxx.xxx.xxx
172.16.0.0/16 dev eth0  proto kernel  scope link  src 172.16.0.3
default via 213.xxx.xxx.xxx dev eth1
default via 81.xxx.xxx.xxx dev eth2
default dev ppp0  scope link

2(3) interfaces with the same scope/metric are there.
> I''m guessing though that in your case, the routes through eth1 and
eth2
> were not generated by some sort of dynamic IP clients, right?
Yes.
> And that is what this discussion is about.
Sorry I did not realized why "dynamic" is critical here. If I had 2
ppp
interfaces, I could reproduce the same.

- Dmitry Bely