Preston Kutzner
2005-Aug-18 19:49 UTC
Running Shorewall with WonderShaper on a dual-ISP setup.
I'm currently building a firewall for a network with 2 ISP links. Unfortunately, one of the ISP's doesn't support BGP yet, otherwise I would be doing load balancing at the router, instead of the firewall. I've been trying to find information on how to get WonderShaper working, but everything I've found talks about setting it up for a firewall with one internet connection. I was wondering if it's even possible to set up WonderShaper to work with 2 ISP's or is that a lost cause?

I've already got the load-balancing working in Shorewall (1.5.0) and it's working well, although initial connections seem to lag a little bit, so I was hoping that something like WonderShaper in conjunction with Shorewall would help improve surfing a little bit.

If this is possible, could someone point me in the right direction as far as documentation / how-to's are concerned? Thanks.
Tom Eastep
2005-Aug-18 19:56 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
Preston Kutzner wrote:
>
> If this is possible, could someone point me in the right direction as
> far as documentation / how-to's are concerned? Thanks.

I just cloned my tcstart file into wonder_eth2 and wonder_eth4 for my two
internet interfaces then have /etc/shorewall/tcstart as follows:

#!/bin/bash

. /etc/shorewall/wonder_eth2
. /etc/shorewall/wonder_eth4

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Preston Kutzner
2005-Aug-18 22:01 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
Tom Eastep wrote:
--snip--
> I just cloned my tcstart file into wonder_eth2 and wonder_eth4 for my two
> internet interfaces then have /etc/shorewall/tcstart as follows:
>
> #!/bin/bash
>
> . /etc/shorewall/wonder_eth2
> . /etc/shorewall/wonder_eth4
--snip--

After starting with this configuration, all subsequent attempts to run shorewall <command> where <command> = start or stop results in shorewall hanging after displaying the "Loading modules..." line. 'shorewall check' and 'shorewall status' work just fine, however. I've removed the tcstart and wonder_X files, restarted the firewall and attempted to start shorewall again, only to have the same problem. Just curious as to what might be the problem... is there a lock file or something that I need to remove? Or is there another place I can clear out some residual files to cause it to work again?

Also, I'm getting nothing in /var/log/messages, so I don't quite know where to look.
Alexander Wilms
2005-Aug-18 22:17 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
Preston Kutzner wrote:
> Tom Eastep wrote: --snip--
>
>> I just cloned my tcstart file into wonder_eth2 and wonder_eth4
>> for my two internet interfaces then have /etc/shorewall/tcstart
>> as follows:
>>
>> #!/bin/bash
>>
>> . /etc/shorewall/wonder_eth2
>> . /etc/shorewall/wonder_eth4
>
> --snip--
>
> After starting with this configuration, all subsequent attempts to
> run shorewall <command> where <command> = start or stop results in
> shorewall hanging after displaying the "Loading modules..." line.
> 'shorewall check' and 'shorewall status' work just fine, however.
> I've removed the tcstart and wonder_X files, restarted the firewall
> and attempted to start shorewall again, only to have the same
> problem. Just curious as to what might be the problem... is there
> a lock file or something that I need to remove? Or is there
> another place I can clear out some residual files to cause it to
> work again?
>
> Also, I'm getting nothing in /var/log/messages, so I don't quite
> know where to look.
>

Hi Preston,

do you use hostnames instead of IP's somewhere in your config? I knew this behaviour if DNS resolving doesn't work during (re)start.

Alex
Tom Eastep
2005-Aug-18 22:23 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
Preston Kutzner wrote:
> is there a lock file or
> something that I need to remove? Or is there another place I can clear
> out some residual files to cause it to work again?

/var/lib/shorewall/lock

-Tom
Tom Eastep
2005-Aug-18 22:27 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
Preston Kutzner wrote:
> Tom Eastep wrote:
>
> After starting with this configuration, all subsequent attempts to run
> shorewall <command> where <command> = start or stop results in
> shorewall hanging after displaying the "Loading modules..." line.
> 'shorewall check' and 'shorewall status' work just fine, however.

You really want to get "/etc/shorewall/tcstart" working first before trying to start Shorewall with it! If it stops, the entire shell process in which "shorewall start" is running is stopped (and you get the stale lock file).

-Tom
Preston Kutzner
2005-Aug-18 23:05 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
Tom Eastep wrote:
--snip--
> You really want to get "/etc/shorewall/tcstart" working first before trying
> to start Shorewall with it! If it stops, the entire shell process in which
> "shorewall start" is running is stopped (and you get the stale lock file).
--snip--

Thanks for this and the above response. That's probably what happened, as I realized after I put in the tcstart scripts that I had neglected to remove the 2 lines that tell you to read the README, then exit the script. My guess is it probably killed the shorewall init and left the stale lock file.
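The failure Tom describes and Preston confirms above, as an added example that is not part of the original thread: a file sourced from tcstart runs inside the shell performing "shorewall start", so a leftover `exit` ends that shell. The function names and sample files are hypothetical, and the test for an unindented `exit` is a heuristic.

```sh
#!/bin/sh
# Added example; function names and sample files are hypothetical.

# Static check: 0 if the file parses and has no unindented (unconditional) exit.
# A sourced file is interpreted by the calling shell; its #! line is ignored.
check_tc_script() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    sh -n "$1" 2>/dev/null || { echo "syntax error: $1" >&2; return 3; }
    if grep -qE '^exit([[:space:];]|$)' "$1"; then
        echo "top-level exit in $1 would end the shell that sources it" >&2
        return 4
    fi
    return 0
}

# Dynamic check: source the file in a subshell, which absorbs any exit,
# and report whether control came back. This executes the script, so for a
# real shaper script it applies the tc settings, as a manual test run would.
returns_control() {
    out=$( ( . "$1" >/dev/null 2>&1; echo RETURNED ) )
    [ "$out" = "RETURNED" ]
}

# Constructed samples: a stub that only sets a variable, and one that still
# carries a "read the README, then exit" guard like the one described above.
make_samples() {
    printf '%s\n' '# constructed stub, no tc calls' 'DOWNLINK=800' > "$1/wonder_ok"
    printf '%s\n' 'echo "Please read the README first"' 'exit' 'DOWNLINK=800' \
        > "$1/wonder_guarded"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    for f in "$dir/wonder_ok" "$dir/wonder_guarded"; do
        if check_tc_script "$f" 2>/dev/null && returns_control "$f"; then
            echo "$(basename "$f"): safe to source from tcstart"
        else
            echo "$(basename "$f"): do NOT source, fix it first"
        fi
    done
    rm -rf "$dir"
}

demo
```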
Preston Kutzner
2005-Aug-19 03:13 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
Tom Eastep wrote:
> Preston Kutzner wrote:
>
>>Tom Eastep wrote:
>
>
>>After starting with this configuration, all subsequent attempts to run
>>shorewall <command> where <command> = start or stop results in
>>shorewall hanging after displaying the "Loading modules..." line.
>>'shorewall check' and 'shorewall status' work just fine, however.
>
>
> You really want to get "/etc/shorewall/tcstart" working first before trying
> to start Shorewall with it! If it stops, the entire shell process in which
> "shorewall start" is running is stopped (and you get the stale lock file).
>
> -Tom

I have one more question, now that I have this working... can you use WonderShaper in conjunction with tcrules?
Tom Eastep
2005-Aug-19 03:15 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
Preston Kutzner wrote:
>
> I have one more question, now that I have this working... can you use
> WonderShaper in conjunction with tcrules?

No -- WonderShaper is a standalone traffic-shaping script.

-Tom
Tuomo Soini
2005-Aug-23 07:17 UTC
Re: Running Shorewall with WonderShaper on a dual-ISP setup.
>>I have one more question, now that I have this working... can you use
>>WonderShaper in conjunction with tcrules?
>
> No -- WonderShaper is a standalone traffic-shaping script.

But you can use TOS to tune traffic classes and tell wondershaper how to treat certain traffic.

Let me explain more: I had problems with "rsync -e ssh" with wondershaper because ssh is classified as TOS minimize-delay (16). That means wondershaper gives rsync over ssh the highest possible priority and everything else won't work at the same time.

I noticed that scp uses TOS maximize-throughput (8) and so I changed the TOS of ssh traffic to that certain host to be type 8. That solved the problem, pings flow well again and ssh is usable.

So /etc/shorewall/tos is your tool if you use wondershaper and want to tune traffic.

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>