Hello Shorewall list,

I'm a happy Shorewall user since a few years now and everything works fine for me except one thing that I try to implement since a week, the multi-isp.

I've downloaded the 2.4.0 Stable release yesterday and tried the RC2 since a week.

My config is a Debian running a kernel 2.4.27 home made with the CONNMARK.diff patch applied

I'm using 2 ISP, one is Nerim with a fixed IP and the other is neuf telecom with a dynamic IP.
I use NAT on both lines. The interfaces are:
ETH0=PPP0 ISP nerim
ETH1=PPP1 ISP neuf telecom
ETH2=LAN
ETH3=DMZ
ETH4=Wifi.

The features available in the kernel are:

NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Not available
IP range Match: Not available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
ROUTE Target: Not available
Extended MARK Target: Not available
CONNMARK Target: Available
Connmark Match: Available

My providers file is:

nerim 200 200 main ppp0 detect track,balance=2
n9uf 201 201 main ppp1 detect track,balance=1

My masq file is:

ppp0 eth2 -
ppp1 eth2 -
ppp0 eth3 -
ppp1 eth3 -
ppp0 eth4 -
ppp1 eth4 -

Here a copy of the route and ip route:

emeraude:/etc/shorewall# route
Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
lo1-lns101-tip- *               255.255.255.255 UH    0      0        0 ppp0
1.240.101-84.re *               255.255.255.255 UH    0      0        0 ppp1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.18.0    *               255.255.255.0   U     0      0        0 eth4
localnet        *               255.255.255.0   U     0      0        0 eth0
192.168.17.0    *               255.255.255.0   U     0      0        0 eth3
192.168.16.0    *               255.255.255.0   U     0      0        0 eth2
default         lo1-lns101-tip- 0.0.0.0         UG    0      0        0 ppp0

emeraude:/etc/shorewall# ip route
62.4.16.246 dev ppp0 proto kernel scope link src 80.65.224.153
84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.204
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
192.168.18.0/24 dev eth4 proto kernel scope link src 192.168.18.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.17.0/24 dev eth3 proto kernel scope link src 192.168.17.1
192.168.16.0/24 dev eth2 proto kernel scope link src 192.168.16.1
default
        nexthop via 62.4.16.246 dev ppp0 weight 2
        nexthop via 84.101.240.1 dev ppp1 weight 1

I try to achieve the following:

Incoming connections based on the port used should be forwarded to the correct machine in the DMZ.
For example a connection to port 25 should go to the mail server like this in my rule file:
DNAT net dmz:192.168.17.4 tcp 25 -

This should work for both ISP.

If I have the following default route:
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
lo1-lns101-tip- *               255.255.255.255 UH    0      0        0 ppp0
1.240.101-84.re *               255.255.255.255 UH    0      0        0 ppp1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.18.0    *               255.255.255.0   U     0      0        0 eth4
localnet        *               255.255.255.0   U     0      0        0 eth0
192.168.17.0    *               255.255.255.0   U     0      0        0 eth3
192.168.16.0    *               255.255.255.0   U     0      0        0 eth2
default         lo1-lns101-tip- 0.0.0.0         UG    0      0        0 ppp0

emeraude:/etc/shorewall# ip route
62.4.16.246 dev ppp0 proto kernel scope link src 80.65.224.153
84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.204
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
192.168.18.0/24 dev eth4 proto kernel scope link src 192.168.18.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
192.168.17.0/24 dev eth3 proto kernel scope link src 192.168.17.1
192.168.16.0/24 dev eth2 proto kernel scope link src 192.168.16.1
default
        nexthop via 62.4.16.246 dev ppp0 weight 2
        nexthop via 84.101.240.1 dev ppp1 weight 1

The 2 incoming connections are working fine allowing the smtp connections, but I'm not able to surf the web from the LAN interface nor the DMZ or Wifi.

I get also a message on the console "MASQUERADE: Route sent us somewhere else."

A copy of the shorewall status is available here:
http://goodies.escapade.ch/shore-stat.txt

And a copy of the shorewall.conf is available here:
http://goodies.escapade.ch/shorewall.com

Thanks for reading so far. If I didn't provide enough information I would be more than happy to share more, just let me know what is needed.

Best regards.

Manuel.
----- Original Message -----
From: "Manuel Goepfert" <manuel@escapade.ch>
To: <shorewall-users@lists.shorewall.net>
Sent: Monday, June 06, 2005 01:53
Subject: [Shorewall-users] Multi-ISP in 2.4.0

> Hello Shorewall list,
>
> I'm a happy Shorewall user since a few years now and everything works fine
> for me except one thing that I try to implement since a week, the multi-isp.
>
> I've downloaded the 2.4.0 Stable release yesterday and tried the RC2 since a
> week.
>
> My config is a Debian running a kernel 2.4.27 home made with the
> CONNMARK.diff patch applied
>
> I'm using 2 ISP, one is Nerim with a fixed IP and the other is neuf telecom
> with a dynamic IP.
> I use NAT on both lines. The interfaces are:
> ETH0=PPP0 ISP nerim
> ETH1=PPP1 ISP neuf telecom
> ETH2=LAN
> ETH3=DMZ
> ETH4=Wifi.
>
> The features available in the kernel are:
>
> NAT: Available
> Packet Mangling: Available
> Multi-port Match: Available
> Extended Multi-port Match: Not available
> Connection Tracking Match: Available
> Packet Type Match: Available
> Policy Match: Not available
> Physdev Match: Not available
> IP range Match: Not available
> Recent Match: Available
> Owner Match: Available
> Ipset Match: Not available
> ROUTE Target: Not available
> Extended MARK Target: Not available
> CONNMARK Target: Available
> Connmark Match: Available
>
> My providers file is:
>
> nerim 200 200 main ppp0 detect track,balance=2
> n9uf 201 201 main ppp1 detect track,balance=1
>
> My masq file is:
>
> ppp0 eth2 -
> ppp1 eth2 -
> ppp0 eth3 -
> ppp1 eth3 -
> ppp0 eth4 -
> ppp1 eth4 -
>
> Here a copy of the route and ip route:
>
> emeraude:/etc/shorewall# route
> Table de routage IP du noyau
> Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
> lo1-lns101-tip- *               255.255.255.255 UH    0      0        0 ppp0
> 1.240.101-84.re *               255.255.255.255 UH    0      0        0 ppp1
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.18.0    *               255.255.255.0   U     0      0        0 eth4
> localnet        *               255.255.255.0   U     0      0        0 eth0
> 192.168.17.0    *               255.255.255.0   U     0      0        0 eth3
> 192.168.16.0    *               255.255.255.0   U     0      0        0 eth2
> default         lo1-lns101-tip- 0.0.0.0         UG    0      0        0 ppp0
>
> emeraude:/etc/shorewall# ip route
> 62.4.16.246 dev ppp0 proto kernel scope link src 80.65.224.153
> 84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.204
> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
> 192.168.18.0/24 dev eth4 proto kernel scope link src 192.168.18.1
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
> 192.168.17.0/24 dev eth3 proto kernel scope link src 192.168.17.1
> 192.168.16.0/24 dev eth2 proto kernel scope link src 192.168.16.1
> default
>         nexthop via 62.4.16.246 dev ppp0 weight 2
>         nexthop via 84.101.240.1 dev ppp1 weight 1
>
> I try to achieve the following:
>
> Incoming connections based on the port used should be forwarded to the
> correct machine in the DMZ.
> For example a connection to port 25 should go to the mail server like this
> in my rule file:
> DNAT net dmz:192.168.17.4 tcp 25 -
>
> This should work for both ISP.
>
> If I have the following default route:
> Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
> lo1-lns101-tip- *               255.255.255.255 UH    0      0        0 ppp0
> 1.240.101-84.re *               255.255.255.255 UH    0      0        0 ppp1
> 192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
> 192.168.18.0    *               255.255.255.0   U     0      0        0 eth4
> localnet        *               255.255.255.0   U     0      0        0 eth0
> 192.168.17.0    *               255.255.255.0   U     0      0        0 eth3
> 192.168.16.0    *               255.255.255.0   U     0      0        0 eth2
> default         lo1-lns101-tip- 0.0.0.0         UG    0      0        0 ppp0
>
> emeraude:/etc/shorewall# ip route
> 62.4.16.246 dev ppp0 proto kernel scope link src 80.65.224.153
> 84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.204
> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
> 192.168.18.0/24 dev eth4 proto kernel scope link src 192.168.18.1
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
> 192.168.17.0/24 dev eth3 proto kernel scope link src 192.168.17.1
> 192.168.16.0/24 dev eth2 proto kernel scope link src 192.168.16.1
> default
>         nexthop via 62.4.16.246 dev ppp0 weight 2
>         nexthop via 84.101.240.1 dev ppp1 weight 1
>
> The 2 incoming connections are working fine allowing the smtp connections,
> but I'm not able to surf the web from the LAN interface nor the DMZ or Wifi.
>
> I get also a message on the console "MASQUERADE: Route sent us somewhere
> else."
>

I think that has something to do with using masq instead of snat,
having said that,
I'd try to use the snat switch in the masq file:
ppp0 eth2 $ipisp1
ppp1 eth2 $ipisp2
repeat as required

You say you have one fixed and one dynamic ip address, this is a problem, you'll need to use the params file to define the above variables. Sorry I have cable, anybody have a script that can grab the external ip of a ppp interface, I'm drawing a blank here. (must go for coffee)

Just wondering, what does 'ip rule show' give you? There may be something we can do there.

> A copy of the shorewall status is available here:
> http://goodies.escapade.ch/shore-stat.txt
>
> And a copy of the shorewall.conf is available here:
> http://goodies.escapade.ch/shorewall.com
>
> Thanks for reading so far. If I didn't provide enough information I would be
> more than happy to share more, just let me know what is needed.
>
> Best regards.
>
> Manuel.

Jerry Vonau
> Just wondering, what does 'ip rule show' give you?

Never mind, it's in the status, see I need coffee before posting....

Jerry
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Monday, June 6, 2005 13:27
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

>I think that has something to do with using masq instead of snat,
>having said that,
>I'd try to use the snat switch in the masq file:
>ppp0 eth2 $ipisp1
>ppp1 eth2 $ipisp2
>repeat as required

Ok so the best for now I found out is to do this:

ifconfig ppp1 | grep adr: | awk '{print $2}'
adr:84.101.240.204

But as you can see I get also the adr: in my way.
For the ppp0 I have specified the IP address in the masq file and I entered also the dynamic ip for ppp1

What do you mean by "using the snat switch in the masq file" ?

Manuel
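Added example (not part of any message in this thread): a shell helper that returns only the address, without the `adr:` label that the `grep adr: | awk` pipeline above leaves in front of it, so the value can be assigned to a params variable. The function names and the sample command output are constructed for illustration; each function reads the command output on stdin.

```shell
#!/bin/sh
# Added example: get the bare IPv4 address of a PPP interface.
# Function names are hypothetical; the sample outputs below are constructed.

# Parse `ip -4 -o addr show dev IFACE` output read from stdin.
addr_from_ip() {
    # With -o each address is one line: "7: ppp1 inet ADDR peer PEER/32 ...".
    awk '$3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Parse net-tools ifconfig output read from stdin. The label before the
# colon depends on the locale ("inet addr:" in English, "inet adr:" in
# French), so match any lowercase label instead of grepping for one.
addr_from_ifconfig() {
    sed -n 's/^[[:space:]]*inet [a-z]*:\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed only for a dotted-quad value. An empty variable would leave the
# third masq column blank, which per the thread means masquerade, not SNAT.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Constructed samples modelled on the addresses quoted in the thread.
SAMPLE_IP='7: ppp1    inet 84.101.240.204 peer 84.101.240.1/32 scope global ppp1'
SAMPLE_IFCONFIG='ppp1      Link encap:Protocole Point-a-Point
          inet adr:84.101.240.204  P-t-P:84.101.240.1  Masque:255.255.255.255'

# On the firewall itself the input would come from the live command, e.g.
#   IPISP2=$(ip -4 -o addr show dev ppp1 | addr_from_ip)
IPISP2=$(printf '%s\n' "$SAMPLE_IFCONFIG" | addr_from_ifconfig)
if is_ipv4 "$IPISP2"; then
    echo "IPISP2=$IPISP2"
else
    echo "ppp1 has no IPv4 address yet; not setting IPISP2" >&2
fi
```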
>I think that has something to do with using masq instead of snat,
>having said that,
>I'd try to use the snat switch in the masq file:
>ppp0 eth2 $ipisp1
>ppp1 eth2 $ipisp2
>repeat as required

Ok so the best for now I found out is to do this:

ifconfig ppp1 | grep adr: | awk '{print $2}'
adr:84.101.240.204

But as you can see I get also the adr: in my way.
For the ppp0 I have specified the IP address in the masq file and I entered also the dynamic ip for ppp1

What do you mean by "using the snat switch in the masq file" ?

Manuel

Did you restart shorewall?
Does it work right?

The third column of the masq file,
if blank=masq
if populated=snat
masq= use any ipaddress
snat= use only this ipaddress

you had masq, so this would be snat:
$IFISP1 eth2 $IPISP1
$IFISP2 eth2 $IPISP2

The params file can look like this
IFISP1=ppp0
IFISP2=ppp1
IPISP1=`find_interface_addresses ppp0 `
IPISP2=`find_interface_addresses ppp1 `

The params file sets global variables that you could use anywhere in shorewall. I used a variable for the net interface above, just to ensure that the isp/ip relationship remains constant. You can (should) now use $IFISP1 wherever you used ppp0 previously, ditto for $IPISP2, just so you don't run into any surprises down the road, cause the interfaces got reversed

Jerry
> >I think that has something to do with using masq instead of snat,
> >having said that,
> >I'd try to use the snat switch in the masq file:
> >ppp0 eth2 $ipisp1
> >ppp1 eth2 $ipisp2
> >repeat as required
>
> Ok so the best for now I found out is to do this:
>
> ifconfig ppp1 | grep adr: | awk '{print $2}'
> adr:84.101.240.204
>
> But as you can see I get also the adr: in my way.
> For the ppp0 I have specified the IP address in the masq file and I entered
> also the dynamic ip for ppp1
>
> What do you mean by "using the snat switch in the masq file" ?
>
> Manuel
>
> Did you restart shorewall?
> Does it work right?
>
> The third column of the masq file,
> if blank=masq
> if populated=snat
> masq= use any ipaddress
> snat= use only this ipaddress
>
> you had masq, so this would be snat:
> $IFISP1 eth2 $IPISP1
> $IFISP2 eth2 $IPISP2
>
> The params file can look like this
> IFISP1=ppp0
> IFISP2=ppp1
> IPISP1=`find_interface_addresses ppp0 `
> IPISP2=`find_interface_addresses ppp1 `
>
> The params file sets global variables that you could use anywhere in
> shorewall. I used a variable for the net interface above, just to ensure
> that the isp/ip relationship remains constant. You can (should) now use
> $IFISP1 wherever you used ppp0 previously, ditto for $IPISP2, just so
> you don't run into any surprises down the road, cause the interfaces got
> reversed
>
> Jerry
>

Table n9uf:
62.4.16.246 dev ppp0 proto kernel scope link src 80.65.224.153
84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.204

Table nerim:
62.4.16.246 dev ppp0 proto kernel scope link src 80.65.224.153
84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.204

These can't be right, you should have only one of the ppp interfaces, for that provider. Can you post your config files please.

Jerry
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Monday, June 6, 2005 14:30
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

>you had masq, so this would be snat:
>$IFISP1 eth2 $IPISP1
>$IFISP2 eth2 $IPISP2

>The params file can look like this
>IFISP1=ppp0
>IFISP2=ppp1
>IPISP1=`find_interface_addresses ppp0 `
>IPISP2=`find_interface_addresses ppp1 `

Ok so this is set and works fine. No error message.

Now for the config files in my original post you have the link to shorewall.conf if you're talking about that one. If not what file do you want to see ? :)

I have also updated the shorewall status to the last state.

So:
Shorewall.conf here: http://goodies.escapade.ch/shorewall.conf
Shorewall status here: http://goodies.escapade.ch/shore-stat.txt

With the last update, no more masquerade error, but I still go out from the ppp0 link instead of the ppp1 even if weight is set:

default
        nexthop via 62.4.16.247 dev ppp0 weight 2
        nexthop via 84.101.240.1 dev ppp1 weight 1

Strange thing is that doing a route show ppp0 as default route

Table de routage IP du noyau
Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
lo1-lns103-tip- *               255.255.255.255 UH    0      0        0 ppp0
1.240.101-84.re *               255.255.255.255 UH    0      0        0 ppp1
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.18.0    *               255.255.255.0   U     0      0        0 eth4
localnet        *               255.255.255.0   U     0      0        0 eth0
192.168.17.0    *               255.255.255.0   U     0      0        0 eth3
192.168.16.0    *               255.255.255.0   U     0      0        0 eth2
default         lo1-lns103-tip- 0.0.0.0         UG    0      0        0 ppp0

Thanks for your help

Manuel
Ok the modifications you asked me to do in the params and the masq file did the trick actually.

I check a website where I can get my IP and indeed I go out with the correct interface meaning ppp1

Thanks Jerry. I see the coffee was the right thing to do before :))))

Manuel
I discovered something else.

If for any reason my ppp1 is dead there is no fallback to my ppp0. Is there something that I have to add ??

Manuel
> I discovered something else.
>
> If for any reason my ppp1 is dead there is no fallback to my ppp0. Is there
> something that I have to add ??
>
> Manuel
>

Think that goes with my prior post about the routing tables, can you post the tcrules file please.

Jerry
> > I discovered something else.
> >
> > If for any reason my ppp1 is dead there is no fallback to my ppp0. Is there
> > something that I have to add ??
> >
> > Manuel
> >
> Think that goes with my prior post about the routing tables, can you post the
> tcrules file please.
>
> Jerry

Please try a network restart first, the "ip rule" might be an old entry. Those "iprules" don't get cleared when an interface goes down. Just need to have a clean base starting point.

Jerry.
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Monday, June 6, 2005 15:36
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

>Think that goes with my prior post about the routing tables, can you post
>the tcrules file please.

Tcrules file is empty.

Manuel
>Think that goes with my prior post about the routing tables, can you post
>the tcrules file please.

Tcrules file is empty.

Just because it works doesn't mean it is correct, you might want to re-read:
http://www.shorewall.net/Shorewall_and_Routing.html
noting:

"The bottom line is that if you want traffic to go out through a particular provider then you must mark that traffic with the provider's MARK value in /etc/shorewall/tcrules and you must do that marking in the PREROUTING chain."

Jerry
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Monday, June 6, 2005 15:42
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

>Please try a network restart first, the "ip rule" might be an old entry.
>Those "iprules" don't get cleared when an interface goes down. Just need to
>have a clean base starting point.

HA this in the ip rule show

ip rule show
0: from all lookup local
32750: from 84.101.240.42 lookup n9uf
32751: from all fwmark 0xc9 lookup n9uf
32752: from 80.65.224.153 lookup nerim
32753: from all fwmark 0xc8 lookup nerim
32766: from all lookup main
32767: from all lookup default

Manuel
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Monday, June 6, 2005 16:08
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

>Just because it works doesn't mean it is correct, you might want to
>re-read: http://www.shorewall.net/Shorewall_and_Routing.html

Sure, this time I added some rules in the tcrules like this:

##############################################################################
#MARK   SOURCE  DEST    PROTO   PORT(S) CLIENT  USER    TEST
#                                       PORT(S)
201:P   eth2    ppp1    -
200:P   eth3    ppp0    -
201:P   eth4    ppp1    -

It is correctly routed

Manuel
>It is correctly routed

I was too fast on that one :( Doesn't seem to work like I want to.

Manuel
>Just because it works doesn't mean it is correct, you might want to
>re-read: http://www.shorewall.net/Shorewall_and_Routing.html

Sure, this time I added some rules in the tcrules like this:

##############################################################################
#MARK   SOURCE  DEST    PROTO   PORT(S) CLIENT  USER    TEST
#                                       PORT(S)
201:P   eth2    ppp1    -
200:P   eth3    ppp0    -
201:P   eth4    ppp1    -

It is correctly routed

Manuel

Those won't work, DEST needs to be ip/netmask combo, that is a bug, shouldn't let you try that.
try:
201:P eth2 0.0.0.0/0 all
repeat

Jerry
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Monday, June 6, 2005 18:46
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

Those won't work, DEST needs to be ip/netmask combo, that is a bug, shouldn't let you try that.
try:
201:P eth2 0.0.0.0/0 all
repeat

Jerry

This is now the tcrules file:

201:P eth2 0.0.0.0/0 all
200:P eth3 0.0.0.0/0 all
201:P eth4 0.0.0.0/0 all

It seems to work fine.

The only problem is when one connection drops.
After recovering the LAN zone on eth2 doesn't seem to recover

Manuel
Those won't work, DEST needs to be ip/netmask combo, that is a bug, shouldn't let you try that.
try:
201:P eth2 0.0.0.0/0 all
repeat

Jerry

This is now the tcrules file:

201:P eth2 0.0.0.0/0 all
200:P eth3 0.0.0.0/0 all
201:P eth4 0.0.0.0/0 all

It seems to work fine.

The only problem is when one connection drops.
After recovering the LAN zone on eth2 doesn't seem to recover

Manuel

shorewall status please

Jerry
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Monday, June 6, 2005 21:17
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

>shorewall status please

Here it is: http://goodies.escapade.ch/shore-stat.txt

Manuel
> Those won't work, DEST needs to be ip/netmask combo, that is a bug,
> shouldn't let you try that.
> try:
> 201:P eth2 0.0.0.0/0 all
> repeat
>
> Jerry
>
> This is now the tcrules file:
>
> 201:P eth2 0.0.0.0/0 all
> 200:P eth3 0.0.0.0/0 all
> 201:P eth4 0.0.0.0/0 all
>
> It seems to work fine.
>
> The only problem is when one connection drops.
> After recovering the LAN zone on eth2 doesn't seem to recover
>
> Manuel
>
> shorewall status please
>
> Jerry
>

Thanks. Now that you are using "find interface" in the params file, did you restart shorewall after the dropped connection was brought back up?
Shorewall will need to be restarted after a connection loss, you can do that from /etc/ppp/ip-up, just call a shorewall restart from there.
What doesn't seem to be working? I just may need coffee, ;-) but can you point it out please.

Jerry
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Tuesday, June 7, 2005 15:45
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

>Thanks. Now that you are using "find interface" in the params file, did
>you restart shorewall after the dropped connection was brought back
>up?

No I didn't

>Shorewall will need to be restarted after a connection loss, you can
>do that from /etc/ppp/ip-up, just call a shorewall restart from there.
>What doesn't seem to be working? I just may need coffee, ;-) but can you
>point it out please.

Ok will restart shorewall after the connection recovers.

By the way, with the current setup shouldn't I go through the ppp0 connection if ppp1 fails ? That was my understanding with this route weight.

Thanks.

Manuel
>Thanks. Now that you are using "find interface" in the params file, did
>you restart shorewall after the dropped connection was brought back
>up?

No I didn't

>Shorewall will need to be restarted after a connection loss, you can
>do that from /etc/ppp/ip-up, just call a shorewall restart from there.
>What doesn't seem to be working? I just may need coffee, ;-) but can you
>point it out please.

Ok will restart shorewall after the connection recovers.

By the way, with the current setup shouldn't I go through the ppp0 connection if ppp1 fails ? That was my understanding with this route weight.

Thanks.

Manuel

Think that would depend on what the ppp/ip-down does to the routing on disconnect. If you disconnect one of the providers, is there a default gateway?

Don't think that kind of logic is there by default, you'll need to create the logic to replace the default gateway to point to the other provider.

I'm still concerned about these:

Table n9uf:
62.4.16.242 dev ppp0 proto kernel scope link src 80.65.224.153
84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.180

Table nerim:
62.4.16.242 dev ppp0 proto kernel scope link src 80.65.224.153
84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.180

Can you post the providers file?

Jerry
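Added example (not part of any message in this thread, and not Shorewall's own code): one way to write the fallback logic described above, by rebuilding the default route from whichever providers are still up. Interface names and weights are copied from the providers file quoted in the thread; the function names and the hook wiring are assumptions.

```shell
#!/bin/sh
# Added example: choose the default route from the providers still up.
# Interface names and weights follow the providers file in the thread;
# function names are hypothetical.

# Constructed provider table: interface and balance weight.
PROVIDERS='ppp0 2
ppp1 1'

# default_route_cmd LIVE_IFACE...
# Print the ip(8) command that installs a default route over the listed
# live providers. PPP links are point-to-point, so "dev" alone is enough
# and the dynamic peer address does not have to be tracked.
default_route_cmd() {
    live=" $* "
    hops=""
    last=""
    count=0
    while read -r ifc weight; do
        case "$live" in
            *" $ifc "*)
                hops="$hops nexthop dev $ifc weight $weight"
                last=$ifc
                count=$((count + 1))
                ;;
        esac
    done <<EOF
$PROVIDERS
EOF
    case "$count" in
        0) return 1 ;;   # nothing left: leave the routing table alone
        1) printf 'ip route replace default dev %s\n' "$last" ;;
        *) printf 'ip route replace default%s\n' "$hops" ;;
    esac
}

# live_providers DOWN_IFACE
# List provider interfaces that exist, skipping the one pppd reports as
# going down (pppd passes the interface name to ip-up/ip-down as $1).
live_providers() {
    while read -r ifc _weight; do
        if [ "$ifc" != "$1" ] && [ -e "/sys/class/net/$ifc" ]; then
            printf '%s ' "$ifc"
        fi
    done <<EOF
$PROVIDERS
EOF
}

# Dry run over the three link states; a real /etc/ppp/ip-down hook would
# run: cmd=$(default_route_cmd $(live_providers "$1")) && $cmd
for state in "ppp0 ppp1" "ppp0" "ppp1"; do
    # Word splitting of $state is intended here.
    printf '%-9s -> %s\n' "$state" "$(default_route_cmd $state)"
done
```

When the link comes back, the `shorewall restart` from /etc/ppp/ip-up suggested earlier in the thread regenerates the balanced route and the SNAT addresses.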
-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Jerry Vonau
Sent: Tuesday, June 7, 2005 19:23
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Multi-ISP in 2.4.0

>Think that would depend on what the ppp/ip-down does to the routing on
>disconnect. If you disconnect one of the providers, is there a default
>gateway?

Yes there is. The ppp0 is the default gateway but I will try to make some tests with the ip-down.

Don't think that kind of logic is there by default, you'll need to create the logic to replace the default gateway to point to the other provider.

I'm still concerned about these:

Table n9uf:
62.4.16.242 dev ppp0 proto kernel scope link src 80.65.224.153
84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.180

Table nerim:
62.4.16.242 dev ppp0 proto kernel scope link src 80.65.224.153
84.101.240.1 dev ppp1 proto kernel scope link src 84.101.240.180

Can you post the providers file?

Here we go:

nerim 200 200 main ppp0 detect track,balance=2
n9uf 201 201 main ppp1 detect track,balance=1

Thanks

Manuel