Sammi Williams
2005-Nov-29 21:54 UTC
Providers File: How to use it correctly for multiple external interfaces?
Hello;

I have a gateway machine with two external interfaces, and one internal interface. One external interface is a cable router with a fixed IP. The other is to an ADSL modem with a dynamic IP, but the router manages that and we just use the router as its own gateway (whereas with the cable, we can send straight out).

Is it possible using the providers file to load balance between the two connections so that if one connection goes down the other will pick up the slack, and that packets will be routed according to the weight of the connection - the cable connection has a 3GB cap and the ADSL has a 10GB cap: initially we were thinking of having it set up in a 2 : 8 ratio.

We have experimented with shorewall and have been using it up till now with no problems. We have it set up so that both connections can work individually if we enable them separately (i.e., one or the other); however, when adding a providers file (and setting up traffic shaping in the shorewall conf) and enabling both interfaces the whole gateway dies.

I read somewhere that the providers file does not in fact provide the kind of configuration we are looking for: I am curious to know if there are any tutorials for setting up this kind of gateway using shorewall. We are in a bit of a bind at the moment, and any advice would be appreciated.

Thanks
Sammi
Robert K Coffman Jr - Info From Data
2005-Nov-29 21:58 UTC
RE: Providers File: How to use it correctly for multiple external interfaces?
http://www.shorewall.net/MultiISP.html is the place to start.
Jerry Vonau
2005-Nov-29 22:02 UTC
Re: Providers File: How to use it correctly for multiple external interfaces?
A sample of the providers/tcrules files that you tried would be helpful here. The best would be a (ver 2.4.x) "shorewall status" or (ver 3.0.x) "shorewall dump".

Jerry
Sammi Williams
2005-Nov-29 23:47 UTC
Providers File: How to use it correctly for multiple external interfaces?
Hello. I apologize if this has hit the list twice; I've been having trouble with the list server.
Sammi Williams
2005-Nov-30 00:19 UTC
Re: Providers File: How to use it correctly for multiple external interfaces?
Thanks for your prompt replies (sorry if my post hit the list more than once - I was having issues with the list server).

I am running shorewall 2.4.5. The tcrules file is empty - should there be anything in this file?

I have read http://www.shorewall.net/MultiISP.html but I find some of it a bit unclear; exactly what is connmark and how do I get it?

Thanks for any help.

My interfaces are as follows:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    local   eth0        detect
    net     eth1        detect
    net     eth2        detect
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

My masq file is as follows:

    #INTERFACE   SUBNET   ADDRESS
    eth1         eth0     202.0.48.91    # Remote CABLE router
    eth2         eth0     10.1.1.1       # Local ADSL Router
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

My Policy file is as follows:

    #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
    local     all    ACCEPT
    $FW       all    ACCEPT   info
    net       all    DROP     info
    all       all    REJECT   info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

My rules are:

    #ACTION   SOURCE   DEST                  PROTO   DEST      SOURCE    ORIGINAL
    #                                                PORT      PORT(S)   DEST
    ACCEPT    net      fw                    tcp     22        -
    ACCEPT    local    fw                    tcp     22        -
    DNAT      net      local:192.168.1.232   tcp     5900
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The output of shorewall show capabilities:

    stryper:~# shorewall show capabilities
    Loading /usr/share/shorewall/functions...
    Processing /etc/shorewall/params ...
    Processing /etc/shorewall/shorewall.conf...
    Loading Modules...
    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Available
       Packet Mangling: Available
       Multi-port Match: Available
       Extended Multi-port Match: Not available
       Connection Tracking Match: Available
       Packet Type Match: Available
       Policy Match: Not available
       Physdev Match: Not available
       IP range Match: Not available
       Recent Match: Available
       Owner Match: Available
       Ipset Match: Not available
       ROUTE Target: Not available
       Extended MARK Target: Not available
       CONNMARK Target: Not available
       Connmark Match: Not available
       Raw Table: Not available
    stryper:~#
Jerry Vonau
2005-Nov-30 00:46 UTC
Re: Re: Providers File: How to use it correctly for multiple external interfaces?
----- Original Message -----
> I am running shorewall 2.4.5. The tcrules file is empty - should
> there be anything in this file?

Only if you want to "favour" the use of one isp over the other.

> I have read http://www.shorewall.net/MultiISP.html but I find some of
> it a bit unclear; exactly what is connmark and how do I get it?
> <snip>
> CONNMARK Target: Not available
> Connmark Match: Not available

It's a kernel compile time option, have a look at http://www.shorewall.net/2.0/kernel.htm

Jerry
Sammi Williams
2005-Nov-30 01:31 UTC
Re: Re: Providers File: How to use it correctly for multiple external interfaces?
On 30/11/2005, at 1:46 PM, Jerry Vonau wrote:

> ----- Original Message -----
>> I am running shorewall 2.4.5. The tcrules file is empty - should
>> there be anything in this file?
>
> Only if you want to "favour" the use of one isp over the other.
>
>> I have read http://www.shorewall.net/MultiISP.html but I find some of
>> it a bit unclear; exactly what is connmark and how do I get it?
>>
> <snip>
>> CONNMARK Target: Not available
>> Connmark Match: Not available
>
> It's a kernel compile time option, have a look at
>
> http://www.shorewall.net/2.0/kernel.htm
>
> Jerry

Thanks;

Even on that kernel page, I can find no reference to connmark - can you tell me the specific options that enable it? I've actually tried recompiling a kernel to get it to work--

I will shortly get some more information when the router is setup for both links.

I've found the multi-isp documentation unclear - what exactly does the 'track' option do and is it essential? Do I need to have connmark for 'track' to work?

Thanks
Sammi
Tom Eastep
2005-Nov-30 16:40 UTC
Re: Re: Providers File: How to use it correctly for multiple external interfaces?
On Tuesday 29 November 2005 17:31, Sammi Williams wrote:

> Even on that kernel page, I can find no reference to connmark - can
> you tell me the specific options that enable it? I've actually tried
> recompiling a kernel to get it to work--

Connection Marking is available without patching in later 2.6 kernels -- earlier 2.6 kernels and 2.4 kernels require patching to include that support. The exact options are:

    Connection mark match support
    CONNMARK target support

> I will shortly get some more information when the router is setup for
> both links.
>
> I've found the multi-isp documentation unclear - what exactly does
> the 'track' option do and is it essential? Do i need to have connmark
> for 'track' to work?

From the documentation:

-----------------------------------------------------------------------------
If you specify track, then connections which have had at least one packet arrive on the interface listed in the INTERFACE column have their connection mark set to the value in the MARK column. In the PREROUTING chain, packets with that connmark have their packet mark set to that value; packets so marked then bypass any prerouting rules that you create in /etc/shorewall/tcrules. This ensures that packets associated with connections from outside are always routed out of the correct interface.
-----------------------------------------------------------------------------

In other words, if you have two internet interfaces (eth0 and eth1) and if an internet host connects through eth0 to an application running on your firewall (or on a system behind your firewall), 'track' prevents the responses from being sent out through eth1. Stated another way, if you run internet-accessible servers then you need 'track'. If you do not specify 'track' then you do not need CONNMARK target support and connmark match support.

-Tom
--
Tom Eastep             \ Nothing is foolproof to a sufficiently talented fool
Shoreline,             \ http://shorewall.net
Washington USA         \ teastep@shorewall.net
PGP Public Key         \ https://lists.shorewall.net/teastep.pgp.key
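As an added example, not part of the thread and not Shorewall's own code, here is a small POSIX shell script that applies the rule Tom states to the text of "shorewall show capabilities": 'track' is usable only when both the CONNMARK target and the connmark match are reported Available, and without 'track' neither is needed. The function names, the abridged sample reports (the first built from the capability lines Sammi posted, the second assuming what the report would show after the kernel is rebuilt with the two options Tom names) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): decide from the
# output of "shorewall show capabilities" whether the 'track' provider
# option can be used. Rule from Tom's reply: track needs both the CONNMARK
# target and the connmark match; without track, neither is required.
#
# Usage:  ./track_check.sh                                   (constructed samples)
#         shorewall show capabilities | ./track_check.sh -   (live report)

# Constructed sample, abridged from the capability lines Sammi posted:
# the CONNMARK target and match are missing, so 'track' cannot work.
CAPS_MISSING='NAT: Available
Packet Mangling: Available
Connection Tracking Match: Available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Not available'

# Constructed sample (assumption) of the same report on a kernel built with
# "Connection mark match support" and "CONNMARK target support".
CAPS_OK='NAT: Available
Packet Mangling: Available
Connection Tracking Match: Available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Not available'

# cap_state NAME TEXT: print the state reported for capability NAME
# ("Available" / "Not available"), or "unknown" if no such line exists.
cap_state() {
    state=$(printf '%s\n' "$2" | grep -i "^[[:space:]]*$1:" | sed 's/^[^:]*:[[:space:]]*//')
    printf '%s\n' "${state:-unknown}"
}

# missing_for_track TEXT: print one line per capability that 'track'
# depends on but that the report does not show as Available.
missing_for_track() {
    for cap in "CONNMARK Target" "Connmark Match"; do
        [ "$(cap_state "$cap" "$1")" = "Available" ] || printf '%s\n' "$cap"
    done
}

# track_usable TEXT: exit 0 when nothing 'track' needs is missing.
track_usable() {
    [ "$(missing_for_track "$1" | grep -c .)" -eq 0 ]
}

# report TEXT: human-readable verdict for one capability report.
report() {
    if track_usable "$1"; then
        echo "track: usable (CONNMARK target and connmark match present)"
    else
        echo "track: NOT usable; rebuild kernel/iptables to provide:"
        missing_for_track "$1" | sed 's/^/  missing: /'
        echo "  (or omit 'track' if you run no internet-accessible servers)"
    fi
}

if [ "$1" = "-" ]; then
    report "$(cat)"
else
    echo "== Sammi's report (constructed sample) =="
    report "$CAPS_MISSING"
    echo "== after adding the kernel options (constructed sample) =="
    report "$CAPS_OK"
fi
```

Run it with no arguments to see both verdicts on the constructed samples; pipe a live "shorewall show capabilities" into it with "-" to check the gateway itself. The check only inspects the report; it changes nothing on the firewall.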