Shorewall users - May 2003 - dual routing to the internet

Tom

I have a fairly standard 3 interface router (ippp0/net, eth0/loc,
eth1/dmz). I have now acquired a nice new (faster) ADSL interface
ppp0/newnet which will replace ippp0 in due course. In the mean time I
would like to swop over gracefully. I am proxyarping all the extra IPs
of ippp0''s subnet across to dmz (and also ppp0''s spares as
well).

This seems to me to require (amongst other things) policy routing. 

At the moment I would be happy just policy based routing and making sure
that masq''d traffic from loc goes out on ppp0/newnet.

I have read the advancing routing howto and come up with this script:-

F1=ppp0                   # Zen ADSL
IF2=ippp0                 # Existing nailed up ISDN link
IP1=217.155.251.110
IP2=212.240.163.97
IP1_NET=217.155.251.104/29
IP2_NET=212.240.163.96/28
P1=62.3.83.2
P2=158.152.1.222
P1_NET=62.3.83.2/32
P2_NET=158.152.1.222/32

# remove ''redhat'' routing
ip route del $P1_NET
ip route del $P2_NET
ip route del default

# remove any pre-existing routing
ip route flush table T1
ip route flush table T2
ip rule del from $IP1_NET
ip rule del from $IP2_NET

# set up basic routing both ''normal'' and into specific
# per interface tables
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2

ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

ip route add default via $P1 src $IP1 table T1
ip route add default via $P2 src $IP2 table T2

# make stuff go out on the interface it came in on
ip rule add from $IP2_NET table T2
ip rule add from $IP1_NET table T1

# ''Normal'' default route via Zen
ip route add default via $P1
ip route flush cache

-------------------------- cut here --------------------------

The problem is that this doesn''t seem to work reliably. It
''mostly''
routes thru ppp0/newnet but all access from loc to dmz disappears. Also
(I think) dmz->net traffic stops

Can you shed any light, how much more info do you need?

Dirk
-- 
Please Note: Some Quantum Physics Theories Suggest That When the
Consumer Is Not Directly Observing This Product, It May Cease to
Exist or Will Exist Only in a Vague and Undetermined State.

----- Original Message ----- 
From: "Dirk Koopman" <djk@tobit.co.uk>
To: <shorewall-users@lists.shorewall.net>
Sent: Thursday, May 08, 2003 2:11 PM
Subject: [Shorewall-users] dual routing to the internet

>
> The problem is that this doesn''t seem to work reliably. It
''mostly''
> routes thru ppp0/newnet but all access from loc to dmz disappears. Also
> (I think) dmz->net traffic stops
>
> Can you shed any light, how much more info do you need?
>
Any traffic flowing through your firewall has to be to the routing table
that contains the proper entries to route that traffic. Sounds like you
haven''t considered DMZ traffic when designing your routing tables.

-Tom