Shorewall users - Nov 2005 - multi isp masq

I need to have a particular pc go out as a specific ip for a legacy app.


 

Under my old ShoreWall I had route statements in my rc.local for the
multi isp.

 

However since 3.0 handles this from within ShoreWall I made the upgrade.


 

All other functions I had to customize now work natively from within
ShoreWall, which is great, with the exception of masq. 

 

When I configure the statement below I expected my traffic from the pc
to go out on eth2 but it does not in fact it does not make it off the
ShoreWall box. 

 

I know I must have missed something in the docs and faq but cant seem to
locate it via Google.

 

masq

 

eth1                    192.xxx.xxx.0/24!192.xxx.xxx.15 71.xxx.xxx.2

eth2                    192.xxx.xxx.15                  64.xxx.xxx.2

 

Any help appreciated

----- Original Message ----- 
> I need to have a particular pc go out as a specific ip for a legacy app.
> 
> 
>  
> 
> Under my old ShoreWall I had route statements in my rc.local for the
> multi isp.
> 
> 
Those statements would be helpful to know.

 
> 
> However since 3.0 handles this from within ShoreWall I made the upgrade.
> 
> 
>  
> 
> All other functions I had to customize now work natively from within
> ShoreWall, which is great, with the exception of masq. 
> 
>  
> 
> When I configure the statement below I expected my traffic from the pc
> to go out on eth2 but it does not in fact it does not make it off the
> ShoreWall box. 
> 
>  
> 
> I know I must have missed something in the docs and faq but cant seem to
> locate it via Google.
> 
>  
> 
> masq
> 
>  
> 
> eth1                    192.xxx.xxx.0/24!192.xxx.xxx.15 71.xxx.xxx.2
> 
> eth2                    192.xxx.xxx.15                  64.xxx.xxx.2
> 
>  
> 
> Any help appreciated
> 
Have you setup the providers file? 
Then you need to use tcrules to mark the traffic for the preferred isp.

2:P    192.xxx.xxx.15    <ip of remote or 0.0.0.0/0> all 

The 2 part will be the providers number in the providers file, P is prerouting
of nat table,
192.xxx.xxx.15 is the source of the packet to be marked, <ip of remote or
0.0.0.0/0>
could be the ip of the destination, or any. all is the protocols involved, could
be further
refined to just a single port/protocol. 

Really need to see a "shorewall dump" for this.

Jerry







-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click

Thanks jerry,

I had read the tcrules link but couldn''t interpret how it related to my
situation and there was no sample, here is what I added to make my
config work:
1:P     eth0            0.0.0.0/0       all
2:P    192.xxx.xxx.15    0.0.0.0/0      all

I guess my only other question; are there special considerations if one
of the isp connections fails? 

Is there something else that I need to set so there is an automatic
failover for the outbound routing and how does that logic relate to
masq?

Again thanks

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry
Vonau
Posted At: Wednesday, November 16, 2005 11:39 AM
Posted To: shorewall
Conversation: [Shorewall-users] multi isp masq
Subject: Re: [Shorewall-users] multi isp masq


----- Original Message ----- 
> I need to have a particular pc go out as a specific ip for a legacy
app.
> 
> 
>  
> 
> Under my old ShoreWall I had route statements in my rc.local for the
> multi isp.
> 
> 
Those statements would be helpful to know.

 
> 
> However since 3.0 handles this from within ShoreWall I made the
upgrade.
> 
> 
>  
> 
> All other functions I had to customize now work natively from within
> ShoreWall, which is great, with the exception of masq. 
> 
>  
> 
> When I configure the statement below I expected my traffic from the pc
> to go out on eth2 but it does not in fact it does not make it off the
> ShoreWall box. 
> 
>  
> 
> I know I must have missed something in the docs and faq but cant seem
to
> locate it via Google.
> 
>  
> 
> masq
> 
>  
> 
> eth1                    192.xxx.xxx.0/24!192.xxx.xxx.15 71.xxx.xxx.2
> 
> eth2                    192.xxx.xxx.15                  64.xxx.xxx.2
> 
>  
> 
> Any help appreciated
> 
Have you setup the providers file? 
Then you need to use tcrules to mark the traffic for the preferred isp.

2:P    192.xxx.xxx.15    <ip of remote or 0.0.0.0/0> all 

The 2 part will be the providers number in the providers file, P is
prerouting of nat table,
192.xxx.xxx.15 is the source of the packet to be marked, <ip of remote
or 0.0.0.0/0> 
could be the ip of the destination, or any. all is the protocols
involved, could be further 
refined to just a single port/protocol. 

Really need to see a "shorewall dump" for this.

Jerry







-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=ick
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click

----- Original Message ----- 
>I guess my only other question; are there special considerations if one
>of the isp connections fails? 
>
You''ll need to undo the tcrules, or at least the fwmark/multi-gateway
parts.
>Is there something else that I need to set so there is an automatic
>failover for the outbound routing and how does that logic relate to
>masq?
The tcrules override the *normal* routing code, that is why you need to undo
them
when an isp goes down. Without using tcrules, the failover should be automatic,
but
may occur slower than what you like. Check the thread from Friday, September 30,
2005 Re: [Shorewall-users] shorewall + Squid + Two ISP setup. There is lots of 
good info in that tread.

Hope it helps, 

Jerry

 
 




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click

Jerry,

 

Thanks apparently I had already looked at that, it makes much more sense
now.

 

I was reading johns script and he mentions tcfiles but a search brings
up no such reference do you know the instructions he''s referencing?

 

Sent: Wednesday, October 05, 2005 10:04 AM
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] shorewall + Squid + Two ISP setup
> 
> John Hill wrote:
> > Here is the script.
> > It is not pretty. I am open to any suggestions.
> > A line to send an email could be added.
> > 
> > You need to create a tcfiles that has the proper packet
> markings per the 2
> > isp shorewall instructions.
> > 
> > Copy it to tcrules.both. Then edit out isp2 and save as
> tcrules.isp1 and
> > another edit out isp1 and save as tcrules.isp2.
> > 
> > This works here. We have not had many real world problems
> to test it on. 
> > 
> > PLEASE TEST THIS BEFORE USING!!!!! 
> > 
> > --John
> > 
> > #!/bin/sh
> > 
> > SWDIR=/etc/shorewall # shorewall directory WKDIR=/root/cronscripts #
> > working directory for semafores G_ISP1=xxx.xxx.xxx.xxx # what to 
> > ping for isp1 G_ISP2=xxx.xxx.xxx.xxx # what to ping for isp2
> > PINGCT=2 # ping count
> > 
> > PingGateway() {
> >     ping -c $PINGCT $1 
> >       if [ $? != 0 ] ; then # Failed 
> >         cp $SWDIR/tcrules.$3 $SWDIR/tcrules # swap gateway
> >         touch $WKDIR/failed.$2 # semafore for down gateway 
> >   shorewall refresh # read configs
 

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry
Vonau
Posted At: Wednesday, November 16, 2005 3:44 PM
Posted To: shorewall
Conversation: [Shorewall-users] multi isp masq
Subject: Re: [Shorewall-users] multi isp masq

 

 

----- Original Message ----- 
>I guess my only other question; are there special considerations if one
>of the isp connections fails? 
> 
You''ll need to undo the tcrules, or at least the fwmark/multi-gateway
parts.

 
>Is there something else that I need to set so there is an automatic
>failover for the outbound routing and how does that logic relate to
>masq?
 

The tcrules override the *normal* routing code, that is why you need to
undo them 

when an isp goes down. Without using tcrules, the failover should be
automatic, but 

may occur slower than what you like. Check the thread from Friday,
September 30, 

2005 Re: [Shorewall-users] shorewall + Squid + Two ISP setup. There is
lots of 

good info in that tread.

 

Hope it helps, 

 

Jerry

 

 

 

 

 

 

 

-------------------------------------------------------

This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today

Register for a JBoss Training Course.  Free Certification Exam

for All Training Attendees Through End of 2005. For more info visit:

http://ads.osdn.com/?ad_idv28&alloc_id845&op=ick

_______________________________________________

Shorewall-users mailing list

Shorewall-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/shorewall-users

----- Original Message ----- 
From: "shorewall" <shorewall@marshtek.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, November 16, 2005 15:47
Subject: RE: [Shorewall-users] multi isp masq

> Jerry,
> 
>  
> 
> Thanks apparently I had already looked at that, it makes much more sense
> now.
> 
>  
> 
> I was reading johns script and he mentions tcfiles but a search brings
> up no such reference do you know the instructions he''s
referencing?
> 
>
He was, at that time, most likely looking at: 
http://www.shorewall.net/Shorewall_and_Routing.html
That page been split into 2 parts, with the the latest multi-isp info at:
http://www.shorewall.net/MultiISP.html

Jerry





-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click

Jerry,

I''ve looked at both of those but don''t see a tcfiles reference
to copy
from I see tcrules, tcclasses, tcdevice... am I missing something???

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry
Vonau
Posted At: Wednesday, November 16, 2005 5:44 PM
Posted To: shorewall
Conversation: [Shorewall-users] multi isp masq
Subject: Re: [Shorewall-users] multi isp masq


----- Original Message ----- 
From: "shorewall" <shorewall@marshtek.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, November 16, 2005 15:47
Subject: RE: [Shorewall-users] multi isp masq

> Jerry,
> 
>  
> 
> Thanks apparently I had already looked at that, it makes much more
sense
> now.
> 
>  
> 
> I was reading johns script and he mentions tcfiles but a search brings
> up no such reference do you know the instructions he''s
referencing?
> 
>
He was, at that time, most likely looking at: 
http://www.shorewall.net/Shorewall_and_Routing.html
That page been split into 2 parts, with the the latest multi-isp info
at:
http://www.shorewall.net/MultiISP.html

Jerry





-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=ick
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click

----- Original Message ----- 
>Jerry,
>
>I''ve looked at both of those but don''t see a tcfiles
reference to copy
>from I see tcrules, tcclasses, tcdevice... am I missing something???
Think we both did... ;-) I missed the "tcfiles" part of the question.
----
> > You need to create a tcfiles that has the proper packet
> markings per the 2
> > isp shorewall instructions.
----
I think John meant "tcfiles" to be "tcrules file" in this
case.
I''ve short-typed stuff by accident... ;-)

Jerry




-------------------------------------------------------
This SF.Net email is sponsored by the JBoss Inc.  Get Certified Today
Register for a JBoss Training Course.  Free Certification Exam
for All Training Attendees Through End of 2005. For more info visit:
http://ads.osdn.com/?ad_idv28&alloc_id845&op=click