Bit of a shorewall newbie so if the answer is obvious please be gentle.

We have been using version 1.4.2 for a while now and are very happy with how it performs, however we are looking to increase the resilience of our internet connection by providing a second internet feed. The idea being that should the primary connection fail shorewall will transparently (as far as users are concerned) switch to the second connection.

Sounds lovely in theory, just not sure how to set it up. So if anyone is running this sort of configuration or has any thoughts on the best way of doing this then any suggestions gratefully received.

Matthew Hale
Technical Support Manager
www.omniis.com

On Thu, 2004-11-18 at 22:51 +0000, Matthew Hale wrote:
> Bit of a shorewall newbie so if the answer is obvious please be gentle.
>
> We have been using version 1.4.2 for a while now and are very happy with
> how it performs, however we are looking to increase the resilience of
> our internet connection by providing a second internet feed. The idea
> being that should the primary connection fail shorewall will
> transparently (as far as users are concerned) switch to the second
> connection.
>
> Sounds lovely in theory, just not sure how to set it up. So if anyone
> is running this sort of configuration or has any thoughts on the best
> way of doing this then any suggestions gratefully received.

Most of what you need is in Shorewall FAQ #32.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Hello Matthew,

Matthew Hale said the following on 18-Nov-04 23:51:
> Bit of a shorewall newbie so if the answer is obvious please be gentle.
>
> We have been using version 1.4.2 for a while now and are very happy with
> how it performs, however we are looking to increase the resilience of
> our internet connection by providing a second internet feed. The idea
> being that should the primary connection fail shorewall will
> transparently (as far as users are concerned) switch to the second
> connection.

If you only want failover and not loadbalancing, this is something that needs to be solved outside of shorewall imho.

In theory the only thing you would need to do when ISP #1 fails is to change the default route to ISP #2.

I would assume your FW would have at least 3 interfaces:
1) Internal network
2) ISP #1
3) ISP #2

By default you set the default route to the def GW of ISP #1.

Now you can do a fancy thing, or the poor man's solution.

Fancy: run some sort of link state routing between you and ISP #1 and ISP #2 which will detect the link failure and set the def GW to ISP #2.

The poor man's solution would be to ping the def GW of ISP #1 every minute; if no answer, then switch the def GW to ISP #2. Then have a script ping the ISP #1 gw every minute till it's back and switch back the routes.

If you want loadbalancing indeed, then see Tom's answer.

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>

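
The "poor man's" failover described in the message above, as an added example that is not part of the thread and is not Shorewall code: it probes ISP #1's gateway once a minute and moves the default route to ISP #2 and back. The interface names, the gateway addresses (documentation ranges) and the three-misses-in-a-row threshold are assumptions; it only changes routing and makes no firewall configuration changes.

```shell
#!/bin/sh
# Constructed placeholders: interface names and gateways are not from the thread.
PRIMARY_GW="${PRIMARY_GW:-192.0.2.1}";  PRIMARY_IF="${PRIMARY_IF:-eth1}"
BACKUP_GW="${BACKUP_GW:-198.51.100.1}"; BACKUP_IF="${BACKUP_IF:-eth2}"
INTERVAL="${INTERVAL:-60}"      # probe once a minute, as in the post
FAIL_LIMIT="${FAIL_LIMIT:-3}"   # assumption: misses in a row before failover
ACTIVE=primary; FAILS=0; ACTION=none

# One ICMP echo to ISP #1's gateway, forced out of ISP #1's interface so the
# probe still tests that link while the default route points at ISP #2.
probe_primary() {
    ping -c 1 -W 2 -I "$PRIMARY_IF" "$PRIMARY_GW" >/dev/null 2>&1
}

# set_default GATEWAY INTERFACE: repoint the default route (needs root).
set_default() {
    ip route replace default via "$1" dev "$2"
}

# step PROBE_RC: pure decision logic, no side effects on the system.
# Updates ACTIVE and FAILS; sets ACTION=switch when the route must change.
step() {
    ACTION=none
    if [ "$1" -eq 0 ]; then
        FAILS=0
        if [ "$ACTIVE" = backup ]; then ACTIVE=primary; ACTION=switch; fi
    else
        FAILS=$((FAILS + 1))
        if [ "$ACTIVE" = primary ] && [ "$FAILS" -ge "$FAIL_LIMIT" ]; then
            ACTIVE=backup; ACTION=switch
        fi
    fi
}

main() {
    set_default "$PRIMARY_GW" "$PRIMARY_IF"
    while true; do
        if probe_primary; then step 0; else step 1; fi
        if [ "$ACTION" = switch ]; then
            if [ "$ACTIVE" = primary ]; then set_default "$PRIMARY_GW" "$PRIMARY_IF"
            else set_default "$BACKUP_GW" "$BACKUP_IF"; fi
            logger -t wan-failover "default route now via $ACTIVE link"
        fi
        sleep "$INTERVAL"
    done
}

if [ "${1:-}" = run ]; then main; fi   # loop starts only with the "run" argument
```

A reply from the gateway only shows that the local link to ISP #1 is up, which is the failure this approach detects.
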
On Fri, 2004-11-19 at 00:22 +0100, Stijn Jonker wrote:
>
> If you only want failover and not loadbalancing, this is something that
> needs to be solved outside of shorewall imho.
>

But the Shorewall configuration changes described in FAQ 32 are still required.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key