Hi All,

I have sent posts in other newsgroups with very little feedback on routing for multiple inbound links. I appreciate this is not a standard request.

I have two connections to the Internet and I need to be able to ensure that a packet arriving on one Internet link is equally returned on the same interface, thus ignoring the default route of the firewall. The reason I need to do this is that one link runs IPSEC and provides a secure link into a web server in a DMZ zone from another network. But a user on the same network would equally need to connect to a web server in the DMZ using the second link. Once I introduce a default route, all outgoing packets go via the stated route. So I end up with the situation where it works for one or the other, dictated by the default route.

The information on the Advanced Linux Routing site seems to address outbound connections but not inbound.

I am now wondering whether it is possible to use traffic shaping to mark packets which come in on one interface to be able to have their replies sent out of the link where the marked packet came from.

I am clutching at straws now, so any guidance would be much appreciated.

Regards,
Simon.
On Tue, 2003-10-07 at 03:25, Simon Chalk wrote:

> I am now wondering whether it is possible to use traffic shaping to mark
> packets which come in on one interface to be able to have their replies sent
> out of the link where the marked packet came from.

No -- not using standard Kernel facilities.

> I am clutching at straws now, so any guidance would be much appreciated.

According to what I have read, the setup described in the LARTC HOWTO section 4.2.1 should do what you want.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Check out the LARTC at http://lartc.org/ from section 4.2:

"A common configuration is the following, in which there are two providers that connect a local network (or even a single machine) to the big Internet. There are usually two questions given this setup. The first is how to route answers to packets coming in over a particular provider, say Provider 1, back out again over that same provider."

http://lartc.org/howto/lartc.rpdb.multiple-links.html

In my case, I had one link that was fast but unreliable, and another link that was slow but very reliable. I therefore did NOT use a load balancing multipath route. Instead, I set the default route to the fast link, but bound certain services (like my VPN, email, dns) to the slow/reliable link's IP.
Hi David,

I have been through this document and found that it works in an outbound direction from local network to internet, but not internet to local.

Regards,
Simon.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of David Tilley
Sent: 07 October 2003 18:13
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] Traffic Shaping and Inbound Links

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Hi Tom,

Thanks for the reply. I have been through the LARTC HOWTO, and found that it worked only in an outbound direction, but not inbound. When I first read the doc, I thought it was exactly what I needed, since it mentioned this statement:

'This set of commands makes sure all answers to traffic coming in on a particular interface get answered from that interface.'

But what is not clear is which commands this statement refers to; it is mentioned between two sets of commands. I have read a few posts where people have questioned the document. If I knew which commands the statement is referring to, I could possibly look closer.

Regards,
Simon.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 07 October 2003 14:58
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] Traffic Shaping and Inbound Links
On Wed, 2003-10-08 at 12:35, Simon Chalk wrote:

> Hi Tom,
>
> Thanks for the reply. I have been through the LARTC HOWTO, and found that it
> worked only in an outbound direction, but not inbound. When I first read the
> doc, I thought it was exactly what I needed, since it mentioned this
> statement:
>
> 'This set of commands makes sure all answers to traffic coming in on a
> particular interface get answered from that interface.'
>
> But what is not clear is which commands this statement refers to; it is
> mentioned between two sets of commands. I have read a few posts where
> people have questioned the document. If I knew which commands the statement
> is referring to, I could possibly look closer.

Simon -- Please either try it or quit asking about it. I personally can't afford two high-speed Internet connections (at least not to one location) so I can't speak from experience. Others I've corresponded with however report success using the LARTC instructions.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Hi Tom,

I will stop sending posts now; I will try to figure this out myself if at all possible.

That howto did not work for me, and I have seen posts that have also questioned this document. It does work for outbound but not inbound routing.

Regards,
Simon.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 08 October 2003 21:10
To: Shorewall Users Mailing List
Subject: RE: [Shorewall-users] Traffic Shaping and Inbound Links
On Wed, 2003-10-08 at 13:27, Simon Chalk wrote:

> Hi Tom,
>
> I will stop sending posts now; I will try to figure this out myself if at
> all possible.
>
> That howto did not work for me, and I have seen posts that have also
> questioned this document. It does work for outbound but not inbound routing.

Ok -- from your posts, I couldn't tell if you had tried it or were just "theorizing" :-)

For my future reference, how do you manage your DMZ? As mentioned in the LARTC HOWTO, the technique described there only works for masqueraded local networks.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Hi Tom,

I have a web server in the DMZ that has a public address using Shorewall NAT, but this same web server is being accessed by a user from a remote ipsec network using the web server's internal address. So the DMZ is not really using masquerading, although I did have it set in this mode during testing. I presume the web server's source address will still be its internal one in both cases, when accessed via my ipsec tunnel or the external public address.

Regards,
Simon.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 08 October 2003 21:32
To: Shorewall Users Mailing List
Subject: RE: [Shorewall-users] Traffic Shaping and Inbound Links
On Wed, 2003-10-08 at 13:59, Simon Chalk wrote:

> Hi Tom,
>
> I have a web server in the DMZ that has a public address using Shorewall
> NAT, but this same web server is being accessed by a user from a remote ipsec
> network using the web server's internal address. So the DMZ is not really
> using masquerading, although I did have it set in this mode during testing.
> I presume the web server's source address will still be its internal one in both
> cases, when accessed via my ipsec tunnel or the external public address.

Yes. Were you using the ipsec tunnel as one of your "Internet" links in your test?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
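Two points in the thread benefit from seeing the actual commands: Simon's question about which "set of commands" the LARTC sentence refers to, and Tom's remark that the technique only works for masqueraded local networks. The script below is an added example written for this page; it is not from the thread, from LARTC or from Shorewall. It reproduces the LARTC 4.2.1 "split access" setup with a dry-run switch so it can be read and checked without root or real interfaces. The interface names, addresses, gateways and table numbers are made up for illustration; LARTC uses table names from /etc/iproute2/rt_tables, while plain numbers are used here to avoid editing that file. The `reply_table` function mirrors the policy-routing lookup and shows the limit Tom describes: a reply whose source address is one of the firewall's own provider addresses is routed out of that provider, but a DMZ host answering from its own internal address matches neither rule and takes the main-table default route whichever link the request arrived on.

```shell
#!/bin/sh
# Added example, not from the thread, LARTC or Shorewall: the LARTC 4.2.1
# "split access" commands with a dry-run mode. Every name and address below
# is hypothetical.

IF1=eth1; IP1=203.0.113.10;  P1=203.0.113.1;  P1_NET=203.0.113.0/24   # provider 1
IF2=eth2; IP2=198.51.100.10; P2=198.51.100.1; P2_NET=198.51.100.0/24  # provider 2
T1=101; T2=102                  # numeric table ids instead of rt_tables names
DRY_RUN=${DRY_RUN:-1}           # 1 = print the commands, 0 = execute them (needs root)

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The LARTC 4.2.1 setup: one routing table per provider, then the two
# source-address rules, then a single default route in the main table.
split_access() {
    # Per-provider tables, each with its own default gateway.
    run ip route add "$P1_NET" dev "$IF1" src "$IP1" table "$T1"
    run ip route add default via "$P1" table "$T1"
    run ip route add "$P2_NET" dev "$IF2" src "$IP2" table "$T2"
    run ip route add default via "$P2" table "$T2"
    # Main table needs both provider subnets so the box can reach both gateways.
    # "replace" rather than "add" because assigning the addresses usually
    # creates these connected routes already.
    run ip route replace "$P1_NET" dev "$IF1" src "$IP1"
    run ip route replace "$P2_NET" dev "$IF2" src "$IP2"
    # These two rules are the "set of commands" the LARTC sentence refers to:
    # a reply sent from IP1 is looked up in table T1 and leaves via provider 1,
    # one sent from IP2 via provider 2, regardless of the main default route.
    run ip rule add from "$IP1" table "$T1"
    run ip rule add from "$IP2" table "$T2"
    # Everything with any other source address falls through to the main table.
    run ip route add default via "$P1"
    run ip route flush cache
}

# Which table the two "from" rules above would select for a packet with the
# given source address. A DMZ server replying from its internal address
# (or from a NATed address that is not IP1/IP2) gets "main", i.e. the one
# default route, no matter which link the request came in on.
reply_table() {
    case "$1" in
        "$IP1") echo "$T1" ;;
        "$IP2") echo "$T2" ;;
        *)      echo main ;;
    esac
}

case "${1:-}" in
    show) split_access ;;    # sh split-access.sh show   -> print the commands
esac
```

Run it with `show` to print the command list; set `DRY_RUN=0` (as root) to apply it. Checking `reply_table` with the DMZ server's internal address is the quickest way to see why, in the setup Simon describes, these rules alone cannot steer the web server's replies by ingress link: the rule keys only on the reply's source address, and that address is neither provider address.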