Hi,

I have 2 ISP routers on the same interface via a mini switch (I can't add a new network interface without changing the motherboard).

Is it possible to configure shorewall 2.4.x to use the 2 routers with the new feature allowed by /etc/shorewall/providers?

The examples that I have taken from the web refer to two interfaces ...

Please suggest something.

Many thanks

--
Dario Lesca <d.lesca@solinos.it>
> Hi, I have 2 ISP routers on the same interface via a mini switch (I can't
> add a new network interface without changing the motherboard).
>
> Is it possible to configure shorewall 2.4.x to use the 2 routers with
> the new feature allowed by /etc/shorewall/providers?
>
> The examples that I have taken from the web refer to two
> interfaces ...
>
> Please suggest something.
>
> Many thanks
>

Should work fine, I'd suggest that you not use 'detect' for the gateway in the providers file.

Jerry
Jerry Vonau wrote:
>
>> Hi, I have 2 ISP routers on the same interface via a mini switch (I can't
>> add a new network interface without changing the motherboard).
>>
>> Is it possible to configure shorewall 2.4.x to use the 2 routers with
>> the new feature allowed by /etc/shorewall/providers?
>>
>> The examples that I have taken from the web refer to two
>> interfaces ...
>>
>> Please suggest something.
>>
>> Many thanks
>>
> Should work fine, I'd suggest that you not use 'detect' for the gateway in
> the providers file.

And the 'track' option won't work at all.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> > Hi, I have 2 ISP routers on the same interface via a mini switch (I can't
> > add a new network interface without changing the motherboard).
> >
> > Is it possible to configure shorewall 2.4.x to use the 2 routers with
> > the new feature allowed by /etc/shorewall/providers?
> >
> > The examples that I have taken from the web refer to two
> > interfaces ...
> >
> > Please suggest something.
> >
> > Many thanks
> >
> Should work fine, I'd suggest that you not use 'detect' for the gateway in
> the providers file.
>
> Jerry

Well, I take that back: balancing outbound should be fine; running services available to the internet through both providers may cause problems.

Jerry
Jerry Vonau wrote:
> ...
>
> Well, I take that back: balancing outbound should be fine; running
> services available to the internet through both providers may cause
> problems.

Due to asymmetric routing?

--
Paul
<http://paulgear.webhop.net>
Paul Gear wrote:
> Jerry Vonau wrote:
>> ...
>>
>> Well, I take that back: balancing outbound should be fine; running
>> services available to the internet through both providers may cause
>> problems.
>
> Due to asymmetric routing?
>

Due to the way that Shorewall marks connections. It marks them based on the interface they arrive on -- with the setup that the OP has, they will all be marked the same and only one gateway will be used for replies.

I submitted a patch into HEAD the other day to catch this configuration blunder and generate an error.

-Tom

PS. I very much disapprove of the configuration described by the OP because it bridges the private networks of two ISPs, probably without their knowledge or consent.
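Added example, not part of the original thread and not Shorewall's own code: a small lint that flags the two problems raised above ('detect' and 'track' when two providers share one interface) and models why every inbound connection ends up with the same mark. It assumes the providers column order NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS; the sample rows, addresses, function names and problem labels are made up for illustration.

```python
from collections import defaultdict

# Constructed sample, assuming the providers column order
# NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS; all values are made up.
SAMPLE_PROVIDERS = """\
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY    OPTIONS
ISP1   1       1     main       eth0       192.0.2.1  track,balance
ISP2   2       2     main       eth0       detect     track,balance
"""

def parse_providers(text):
    """Parse providers-style rows into dicts, skipping comments and blanks."""
    providers = []
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue
        if len(cols) < 6:
            raise ValueError(f"too few columns: {raw!r}")
        opts = set(cols[6].split(",")) if len(cols) > 6 and cols[6] != "-" else set()
        providers.append({"name": cols[0], "mark": int(cols[2], 0),
                          "iface": cols[4], "gateway": cols[5], "options": opts})
    return providers

def lint_shared_interface(providers):
    """Return (provider, problem) pairs for providers that share an interface."""
    by_iface = defaultdict(list)
    for p in providers:
        by_iface[p["iface"]].append(p)
    problems = []
    for group in (g for g in by_iface.values() if len(g) > 1):
        for p in group:
            if "track" in p["options"]:
                problems.append((p["name"], "track-on-shared-interface"))
            if p["gateway"] == "detect":
                problems.append((p["name"], "detect-on-shared-interface"))
    return problems

def inbound_marks(providers):
    """Simplified model of marking by arrival interface: a connection gets the
    mark of the first provider configured on the interface it arrived on."""
    first_mark = {}
    for p in providers:
        first_mark.setdefault(p["iface"], p["mark"])
    return {p["name"]: first_mark[p["iface"]] for p in providers}

if __name__ == "__main__":
    rows = parse_providers(SAMPLE_PROVIDERS)
    print(lint_shared_interface(rows), inbound_marks(rows))
```

With the sample rows, connections arriving through either ISP receive mark 1, so replies to ISP2's inbound traffic would leave through ISP1's gateway.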
Tom Eastep wrote:
> ...
> PS. I very much disapprove of the configuration described by the OP
> because it bridges the private networks of two ISPs, probably without
> their knowledge or consent.

How would it bridge them without giving them specific knowledge of each other? If they're (for example) separate /29 subnets what difference does it make? Unless the routers are given addresses on the same subnet, how would they even know about each other?

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
Paul Gear wrote:
> Tom Eastep wrote:
>> ...
>> PS. I very much disapprove of the configuration described by the OP
>> because it bridges the private networks of two ISPs, probably without
>> their knowledge or consent.
>
> How would it bridge them without giving them specific knowledge of
> each other? If they're (for example) separate /29 subnets what
> difference does it make? Unless the routers are given addresses on
> the same subnet, how would they even know about each other?

Broadcast packets will make the presence of the other network immediately obvious to anyone running a packet sniffer. From there, it's child's play to configure your system to communicate directly with the hosts in the other network (assuming that you can find a free IP address in that network).

-Tom