I'm now running Shorewall 2.4.5 and I'm having difficulties setting up multiple WAN interfaces. I have 1 LAN and 2 WAN interfaces. I don't want to load balance the WAN interfaces, just reference them separately in my rules file for DNAT rules.

Both WAN interfaces use DHCP to get info from the ISP. I followed the guide for Multiple Internet Providers to get started (figuring I'd figure out how to break the load balancing later), but when I have the lines of:

    #ISP1
    1    1    main    eth0    detect    track,balance    eth1
    #ISP2
    2    2    main    eth2    detect    track,balance    eth1

I get the following error on shorewall startup:

    Error: Unable to detect the gateway through interface eth2

I manually typed the gateway for ISP2 and then got:

    ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark" Failed

Looking at netstat -r, I only saw the gateway for eth0 (WAN1). I just happened to know, by documentation, the gateway for eth2 (WAN2).

Before I go further:

1. Should I be using the providers file if I have no desire to load balance the 2 WAN connections?

2. Is there documentation on setting up 2 WAN interfaces that are not load balanced and where 1 is not a DMZ?

Thanks,
-- Aaron

-------------------------------------------------------
This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl
Aaron O'Hara wrote:

> Both WAN interfaces use DHCP to get info from the ISP. I followed the
> guide for Multiple Internet Providers to get started (figuring I'd
> figure out how to break the load balancing later), but when I have the
> line of:
>
> #ISP1
> 1    1    main    eth0    detect    track,balance    eth1
> #ISP2
> 2    2    main    eth2    detect    track,balance    eth1
>
> I get the following error on shorewall startup:
>
> Error: Unable to detect the gateway through interface eth2

You have answered the question about why that error occurs already below (netstat -r doesn't show a default route through eth2).

> I manually typed the gateway for ISP2 and then got:
>
> ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark" Failed

There was an error message printed before that one that tells WHY the command failed -- given that you didn't post that message, I'll have to guess that your kernel or iptables doesn't support the CONNMARK target. Hint: look at the output of "shorewall show capabilities". That is a requirement of using 'track' (and which is needed for DNAT).

> Looking at netstat -r, I only saw the gateway for eth0 (WAN1). I just
> happened to know, by documentation, the gateway for eth2 (WAN2).

Well, if your system doesn't know the IP address of the gateway through eth2, it is not going to be able to send packets to the internet on that interface.

I suspect that the absence of a default route through eth2 is a consequence of running two DHCP-enabled interfaces on a single system -- whichever comes up first gets its default route recorded and the second one doesn't. Can anyone with a similar configuration confirm that?

> Before I go further:
>
> 1. Should I be using the providers file if I have no desire to load
> balance the 2 WAN connections?

You can look at the LARTC Howto (www.lartc.org) and configure your interfaces and routing based on what you find there. As stated in FAQ 32, the Shorewall configuration part is easy -- it's the rest that's hard; that's why I added the providers file - to try to make the hard part easier. But in the final analysis, Shorewall just runs the standard utilities (ip, arp, iptables, ...) for you and you can always run them yourself. The main thing to keep in mind is that running with two internet interfaces is a *routing problem* and not a *firewall* problem and, either by using the providers file or not, you must get the routing correct.

> 2. Is there documentation on setting up 2 WAN interfaces that are not
> load balanced and where 1 is not a DMZ?

The fact that you have 'balance' specified has nothing whatsoever to do with the problems you are seeing.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Thanks for your response.

I'm running on FC2 with 2.6.10 and the capabilities shows that CONNMARK is not available. Is this going to be required if I just want to have a 2nd WAN adapter (no load balancing)?

Knowing that my issue is a routing one, can I set up shorewall with the 2nd WAN port as a zone net2?

-- Aaron

On Fri, 2005-07-10 at 14:01 -0700, Tom Eastep wrote:
> Aaron O'Hara wrote:
> > Both WAN interfaces use DHCP to get info from the ISP. I followed the
> > guide for Multiple Internet Providers to get started (figuring I'd
> > figure out how to break the load balancing later), but when I have the
> > line of:
> >
> > #ISP1
> > 1    1    main    eth0    detect    track,balance    eth1
> > #ISP2
> > 2    2    main    eth2    detect    track,balance    eth1
> >
> > I get the following error on shorewall startup:
> >
> > Error: Unable to detect the gateway through interface eth2
>
> You have answered the question about why that error occurs already below
> (netstat -r doesn't show a default route through eth2).
>
> > I manually typed the gateway for ISP2 and then got:
> >
> > ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark" Failed
>
> There was an error message printed before that one that tells WHY the
> command failed -- given that you didn't post that message, I'll have to
> guess that your kernel or iptables doesn't support the CONNMARK target.
> Hint: look at the output of "shorewall show capabilities". That is a
> requirement of using 'track' (and which is needed for DNAT).
>
> > Looking at netstat -r, I only saw the gateway for eth0 (WAN1). I just
> > happened to know, by documentation, the gateway for eth2 (WAN2).
>
> Well, if your system doesn't know the IP address of the gateway through
> eth2, it is not going to be able to send packets to the internet on that
> interface.
>
> I suspect that the absence of a default route through eth2 is a
> consequence of running two DHCP-enabled interfaces on a single system --
> whichever comes up first gets its default route recorded and the second
> one doesn't. Can anyone with a similar configuration confirm that?
>
> > Before I go further:
> >
> > 1. Should I be using the providers file if I have no desire to load
> > balance the 2 WAN connections?
>
> You can look at the LARTC Howto (www.lartc.org) and configure your
> interfaces and routing based on what you find there. As stated in FAQ
> 32, the Shorewall configuration part is easy -- it's the rest that's
> hard; that's why I added the providers file - to try to make the hard
> part easier. But in the final analysis, Shorewall just runs the standard
> utilities (ip, arp, iptables, ...) for you and you can always run them
> yourself. The main thing to keep in mind is that running with two
> internet interfaces is a *routing problem* and not a *firewall* problem
> and, either by using the providers file or not, you must get the routing
> correct.
>
> > 2. Is there documentation on setting up 2 WAN interfaces that are not
> > load balanced and where 1 is not a DMZ?
>
> The fact that you have 'balance' specified has nothing whatsoever to do
> with the problems you are seeing.
>
> -Tom
----- Original Message -----

> I'm now running Shorewall 2.4.5 and I'm having difficulties setting up
> multiple WAN interfaces. I have 1 LAN and 2 WAN interfaces. I don't
> want to load balance the WAN interfaces, just reference them separately
> in my rules file for DNAT rules.
>
> Both WAN interfaces use DHCP to get info from the ISP. I followed the
> guide for Multiple Internet Providers to get started (figuring I'd
> figure out how to break the load balancing later), but when I have the
> line of:
>
> #ISP1
> 1    1    main    eth0    detect    track,balance    eth1
> #ISP2
> 2    2    main    eth2    detect    track,balance    eth1
>
> I get the following error on shorewall startup:
>
> Error: Unable to detect the gateway through interface eth2
>
> I manually typed the gateway for ISP2 and then got:
>
> ERROR: Command "/sbin/iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark" Failed

2 dhcp clients are a bit problematic; what you may have is an issue with the way the interface is brought up. Using dhcp, once a gateway has been set by the first dhcp lease, the ifup script won't add or replace a gateway. The only thing I can think of is to use the params file to reference the dhcp leases files for the gateways to use; what files to source would be dependent on which dhcp client you're using. Quickest, if the gateways don't change, is to just code them where you have detect.

> Looking at netstat -r, I only saw the gateway for eth0 (WAN1). I just
> happened to know, by documentation, the gateway for eth2 (WAN2).
>
> Before I go further:
>
> 1. Should I be using the providers file if I have no desire to load
> balance the 2 WAN connections?

Yes, you'll still need to have separate routing tables for each provider. Or no, you could set up the routing tables yourself.

> 2. Is there documentation on setting up 2 WAN interfaces that are not
> load balanced and where 1 is not a DMZ?

Not really, but we're working on it. Can you expand on what you want to do?

Jerry
Aaron O'Hara wrote:

> Thanks for your response.
>
> I'm running on FC2 with 2.6.10 and the capabilities shows that CONNMARK
> is not available. Is this going to be required if I just want to have a
> 2nd WAN adapter (no load balancing)?

It is if you use the providers file, yes.

> Knowing that my issue is a routing one, can I set up shorewall with the
> 2nd WAN port as a zone net2?

Yes -- but you still have to solve the routing issue.

-Tom
-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----

> Thanks for your response.
>
> I'm running on FC2 with 2.6.10 and the capabilities shows that CONNMARK
> is not available. Is this going to be required if I just want to have a
> 2nd WAN adapter (no load balancing)?

Funny, I run Fedora Core 3 yummed up to Core 4 and that is stock, out of the box:

    locate ipt_CONNMARK.ko
    /lib/modules/2.6.12-1.1398_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.10-1.770_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.11-1.27_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.12-1.1447_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.12-1.1387_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.12-1.1390_FC4/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.10-1.770_14.rhfc3.at/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.10-1.766_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.10-1.760_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko
    /lib/modules/2.6.11-1.14_FC3/kernel/net/ipv4/netfilter/ipt_CONNMARK.ko

Time to upgrade maybe?

> Knowing that my issue is a routing one, can I set up shorewall with the
> 2nd WAN port as a zone net2?

Don't think that will help; masq code looks for a default gateway to use.

Jerry
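Two practical points come out of this thread: Tom's observation that the second DHCP interface never gets its default route recorded (so "detect" in the providers file has nothing to find) together with Jerry's suggestion to pull the gateway out of the DHCP lease file from the params file, and Tom's and Jerry's point that 'track' needs a CONNMARK target in the kernel. The script below is an added example written for this page; it is not code from the Shorewall project or from anyone in the thread. It assumes ISC dhclient's lease syntax (lease { interface "eth2"; ... option routers A.B.C.D; }, with the newest lease for an interface last in the file), that the lease file is at a path such as /var/lib/dhcp/dhclient-eth2.leases (this varies by client and distribution, so treat the path as an assumption), and that the module is named ipt_CONNMARK.ko on kernels of that era and xt_CONNMARK.ko on later ones. The sample lease file written by sample_leases is constructed for the example, not a real capture.

```shell
#!/bin/sh
# Added example for the Shorewall two-WAN thread above. Not Shorewall code and not
# written by anyone in the thread. Assumptions: ISC dhclient lease syntax, newest
# lease last; module name ipt_CONNMARK.ko (2.6.x era) or xt_CONNMARK.ko (later).

# lease_gateway IFACE LEASEFILE
#   Print the first "option routers" address from the most recent lease held on
#   IFACE. Exit status 1 when no lease for IFACE carries a routers option.
#   The awk program tracks which "lease { ... }" block it is in, remembers the
#   interface and routers seen in that block, and keeps the last matching one.
lease_gateway() {
    awk -v want="$1" '
        $1 == "lease" && $2 == "{"        { cur = ""; gw = "" }
        $1 == "interface"                 { cur = $2; gsub(/[";]/, "", cur) }
        $1 == "option" && $2 == "routers" { gw = $3; gsub(/[,;]/, "", gw) }
        $1 == "}"                         { if (cur == want && gw != "") last = gw }
        END { if (last == "") exit 1; print last }
    ' "$2"
}

# has_connmark [MODDIR]
#   Succeed when a CONNMARK target module exists under MODDIR (default: the
#   running kernel's module tree). Compressed modules (.ko.gz, .ko.xz) match too.
#   This is a filesystem check only; "shorewall show capabilities" remains the
#   authoritative answer, because iptables userspace must support the target as well.
has_connmark() {
    moddir=${1:-/lib/modules/$(uname -r)}
    [ -d "$moddir" ] || return 1
    find "$moddir" -type f \( -name 'ipt_CONNMARK.ko*' -o -name 'xt_CONNMARK.ko*' \) \
        2>/dev/null | grep -q .
}

# sample_leases FILE
#   Write a constructed dhclient.leases file (not a real capture): an older eth2
#   lease, an eth0 lease, and a newer eth2 lease that must win.
sample_leases() {
    cat > "$1" <<'EOF'
lease {
  interface "eth2";
  fixed-address 203.0.113.77;
  option subnet-mask 255.255.255.0;
  option routers 203.0.113.254;
  renew 4 2005/07/14 10:00:00;
}
lease {
  interface "eth0";
  fixed-address 198.51.100.23;
  option subnet-mask 255.255.255.0;
  option routers 198.51.100.1;
}
lease {
  interface "eth2";
  fixed-address 203.0.113.77;
  option subnet-mask 255.255.255.0;
  option routers 203.0.113.1, 203.0.113.2;
}
EOF
}

# Live check: sh this_script.sh --check [IFACE] [LEASEFILE]
# Shorewall sources /etc/shorewall/params as shell, so a line like
#   ISP2_GW=$(lease_gateway eth2 /var/lib/dhcp/dhclient-eth2.leases) || ISP2_GW=203.0.113.1
# there (with the function defined above it) lets the providers file use $ISP2_GW
# in its GATEWAY column instead of "detect". The fallback address is a placeholder.
if [ "${1-}" = "--check" ]; then
    iface=${2:-eth2}
    if has_connmark; then echo "CONNMARK module present"; else echo "CONNMARK module missing"; fi
    lease_gateway "$iface" "${3:-/var/lib/dhcp/dhclient-$iface.leases}" \
        || echo "no routers option found for $iface"
fi
```

The parser deliberately returns only the first router when the lease lists several, which is what a single-gateway providers line needs; if the second ISP's lease file is empty or the interface has not yet completed DHCP when Shorewall starts, lease_gateway fails and the params line falls back to a hard-coded gateway, which is Jerry's "quickest" option in the thread.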