I have decided against the solution I was working on that I referred to in my previous post "Traffic from other firewall", it is way too messy and would be a nightmare to debug in the future.

Instead, I have decided to devote a dual PSU, dual HD machine into a dedicated Shorewall firewall to replace the m0n0wall unit as the main firewall. I have purchased an older Dell 2450 machine for this purpose.

I have no problems getting it working as a single interface machine, I have lots of experience with Shorewall, but I am looking for some guidance on the multiple interface/multiple ISP configuration, which I have never done before.

This is not a simple (!) load balancing solution, I do not want dynamic balancing. Let me detail the feeds and tell you what I am trying to achieve.

ISP1: Static IP, fixed guaranteed bandwidth, expensive, want to keep for VOIP.
ISP2: ADSL, DHCP, cheap, want to route outgoing browsing traffic so guests and staff do not load ISP1.
ISP3: Cable internet, reserved IP, cheap, lousy quality, want to serve internal webcam on it.

Is listing the feeds in the providers file the way to go, or should I just establish zones for each and use rules to route? I am a bit lost here so I need the help of the esteemed list members to put me on the right track. It's hard to simulate this setup in the lab so I need to get it right from the start.

--
Chris Mason

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
Chris Mason (Lists) wrote:
> I have decided against the solution I was working on that I referred
> to in my previous post "Traffic from other firewall", it is way too
> messy and would be a nightmare to debug in the future.
>
> Instead, I have decided to devote a dual psu, dual hd machine into a
> dedicated shorewall firewall to replace the m0n0wall unit as the main
> firewall.
> I have purchased an older Dell 2450 machine for this purpose.
>
> I have no problems getting it working as a single interface machine, I
> have lots of experience with Shorewall, but I am looking for some
> guidance on the multiple interface/multiple ISP configuration which I
> have never done before.
>
> This is not a simple (!) load balancing solution, I do not want
> dynamic balancing. Let me detail the feeds and tell you what I am
> trying to achieve.
>
> ISP1: Static IP, Fixed guaranteed bandwidth, expensive, want to keep
> for VOIP.
> ISP2: ADSL, dhcp, cheap, want to route outgoing browsing traffic so
> guests and staff do not load ISP1.
> ISP3: Cable internet, reserved IP, cheap, lousy quality, want to serve
> internal webcam on it.
>
> Is listing the feeds in the providers file the way to go, or should I
> just establish zones for each and use rules to route? I am a bit lost
> here so I need the help of the esteemed list members to put me on the
> right track. It's hard to simulate this setup in the lab so I need to
> get it right from the start.
>

Sounds like a great case study for shorewall. :)

--
Ray Booysen
rj_booysen@rjb.za.net
Ray Booysen wrote:
>
> Sounds like a great case study for shorewall. :)

I'm game - anyone want to start it off?

--
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int: (305) 704-7249 Fax: (815) 301-9759
UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com
How about a little RTFM to start?

http://www.shorewall.net/MultiISP.html

Alex Martin
http://www.rettc.com

Chris Mason (Lists) wrote:
> Ray Booysen wrote:
>>
>> Sounds like a great case study for shorewall. :)
> I'm game - anyone want to start it off?
>
Alex Martin wrote:
> How about a little RTFM to start?
>
> http://www.shorewall.net/MultiISP.html
>

I've read it extensively. I know about the configuration options. However, multi-ISP is hard to lab test and simulate, and I have to install and get it working in a short time; my users and the client will be very unhappy if I have to experiment and make extensive changes, so I am requesting some advice from list members who have done this kind of installation on the best approach.

I thought that was the point of a collaborative list.

--
Chris Mason
Chris Mason (Lists) wrote:
> Alex Martin wrote:
>
>> How about a little RTFM to start?
>>
>> http://www.shorewall.net/MultiISP.html
>>
> I've read it extensively. I know about the configuration options.
> However, multi-isp is hard to lab test and simulate and I have to
> install and get working in a short time, my users and the client will be
> very unhappy if I have to experiment and make extensive changes, so I am
> requesting some advice from list members who have done this kind of
> installation on the best approach.
> I thought that was the point of a collaborative list.
>

Why don't you start with posting what you propose to run in the configuration files and some clearly stated objectives?

Just a heads up, having more than one dynamic IP address could be problematic.

Jerry
> ISP1: Static IP, Fixed guaranteed bandwidth, expensive, want to keep
> for VOIP.
> ISP2: ADSL, dhcp, cheap, want to route outgoing browsing traffic so
> guests and staff do not load ISP1.
> ISP3: Cable internet, reserved IP, cheap, lousy quality, want to serve
> internal webcam on it.

You'll need to set up your ISPs in the providers file. The settings in the tcrules file are used to direct traffic out of a particular interface. This should be pretty straightforward. Here is an example of what your tcrules file might look like:

    # MARK  SOURCE                                                        DEST       PROTO
    3:P     webcam-ip-address                                             0.0.0.0/0  all
    2:P     list-of-ip-addresses-or-subnets-for-clients-to-surf-the-web   0.0.0.0/0  all
    1:P     ip-address-of-VOIP-devices                                    0.0.0.0/0  all

This example will mark all traffic originating from the webcam-ip-address with a 3 - which will direct that traffic to ISP 3 (your cable internet provider). Everything from your clients will get sent out through #2, and all VOIP stuff will go over #1.

When the tcrules file is evaluated, it is the last match that is used. Keep that in mind if you have problems with traffic heading out through the wrong interface.

You would also need to set up your providers in the providers file. With my particular setup, I wasn't doing any load balancing, but I was advised to use the track and balance options in the providers file. The track option requires certain kernel options (CONNMARK target and connmark match support).

Hope that points you in the right direction.

RUSSEL RILEY
> Why don't you start with posting what you propose to run in the
> configuration files and some clearly stated objectives?

I'm really looking for more general observations and experiences on the kind of installation I am attempting and listed at the start of the post before I get into specific configurations. If I don't know which approach is the right one there's little point editing the configuration files.

I will elaborate below.

>
> Just a heads up, having more than one dynamic ip address could be
> problematic.

Although the CATV feed IP is dynamic, once the IP has been obtained via DHCP the techs at Cable TV are reserving it for me and binding it to the MAC address, so I am treating it as static. This is because their system does not allow them to provision a static IP.

The Setup
LAN - 192.168.0.0/24 - guest and office worker computers, servers.
ISP1: Static IP, Fixed guaranteed bandwidth, expensive, want to keep for VOIP.
ISP2: ADSL, dhcp, cheap, want to route outgoing browsing traffic so guests and staff do not load ISP1.
ISP3: Cable internet, reserved IP, cheap, lousy quality, want to serve internal webcam on it.

The Objectives:
Incorporate three ISP feeds to the firewall.
Allow no browsing traffic over ISP1 to conserve the bandwidth.
Install Squid proxy and route Squid traffic through ISP2.
Traffic shape or QOS.

Note: dynamic load balancing is not an objective, static load balancing is preferred.

The issues
Should I use the providers configuration options, or is that for load balancing similar feeds?
Can I have a default route through ISP1 and then route specific traffic, i.e. http, out specific interfaces? Is that a better approach than the providers file?
General approach questions.

--
Chris Mason
NetConcepts
Chris Mason (Lists) wrote:
>
>> Why don't you start with posting what you propose to run in the
>> configuration files and some clearly stated objectives?
>
>
> I'm really looking for more general observations and experiences on the
> kind of installation I am attempting and listed at the start of the post
> before I get into specific configurations. If I don't know which
> approach is the right one there's little point editing the configuration
> files.
> I will elaborate below.
>
>>
>> Just a heads up, having more that one dynamic ip address could be
>> problematic.
>
> Although the CATV feed ip is dynamic once the IP has been obtained via
> dhcp the techs at Cable TV are reserving it for me and binding it to the
> MAC address, so I am treating it as static. This is because their system
> does not allow them to provision a static IP.

Like I said, 2 or more DHCP-assigned addresses are a problem; have a look at this thread in the email archives, "Shorewall with multiple providers - basically three-in-one", started by Russel, who replied to you also. In short, dhcp replaces the default gateway. I have some patches that work around that, based on fedora's init layout. I submitted them to fedora's bugzilla as an enhancement.

>
>
> The Setup
> LAN - 192.168.0.0/24 - guest and office worker computers, servers.
> ISP1: Static IP, Fixed guaranteed bandwidth, expensive, want to keep for
> VOIP.
> ISP2: ADSL, dhcp, cheap, want to route outgoing browsing traffic so
> guests and staff do not load ISP1.
> ISP3: Cable internet, reserved IP, cheap, lousy quality, want to serve
> internal webcam on it.
>
> The Objectives:
> Incorporate three ISP feeds to the firewall.
> Allow no browsing traffic over ISP1 to conserve the bandwidth
> Install Squid proxy and route Squid traffic through ISP2
> Traffic shape or QOS
>
> Note: dynamic load balancing is not an objective, static load balancing
> is preferred.
>
> The issues
> Should I use the providers configuration options or is that for load
> balancing similar feeds?

You'll need to use the providers file to set up the advanced routing tables and "ip rules", or do it in your own script.

> Can I have a default route through ISP1 then route specific traffic,
> i.e. http, out specific interfaces, is that a better approach than the
> providers file?
>

How did you plan on doing that without the advanced routing tables? No, from experience you'll need to have a multi-hop gateway anyway, and then use fwmarks to tag the traffic as needed. The tcrules file will set up the fwmarks for you.

> General approach questions.
>

General answers.

Jerry
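The two files Russel and Jerry describe (providers for the per-ISP routing tables and ip rules, tcrules for the fwmarks), staged for the three-feed layout in this thread, plus a small replay of the tcrules "last match wins" evaluation so the ordering caveat can be checked before the box goes live. This is an added example, not configuration from the thread or from the Shorewall project; the interface names, gateway addresses, VoIP block and webcam address are assumed placeholders, and the columns follow the Shorewall 3.x providers and tcrules layout.

```shell
# Added example (not from the thread). Stages a Shorewall 3.x providers/tcrules
# pair for the three-ISP layout and replays tcrules "last match wins".
# Assumed: eth0 = LAN, eth1..eth3 = ISP1..ISP3; gateways and host addresses are
# placeholders (RFC 5737 documentation ranges), not the poster's real values.
LAN_NET=192.168.0.0/24       # LAN subnet given in the thread
VOIP_NET=192.168.0.16/28     # assumed block holding the VoIP devices
WEBCAM=192.168.0.50          # assumed webcam address, served via ISP3
GW1=203.0.113.1; GW2=198.51.100.1; GW3=192.0.2.1   # assumed ISP gateways

write_shorewall_config() {   # $1 = staging directory (a copy of /etc/shorewall)
    mkdir -p "$1"
    # 'track' lets replies to inbound connections (the webcam on ISP3) leave via
    # the interface they arrived on; it needs CONNMARK support in the kernel.
    # No 'balance' anywhere: unmarked traffic keeps the main-table default
    # route, which this layout leaves on ISP1.
    cat >"$1/providers" <<EOF
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY       OPTIONS COPY
ISP1  1      1    main      eth1      $GW1  track   eth0
ISP2  2      2    main      eth2      $GW2  track   eth0
ISP3  3      3    main      eth3      $GW3  track   eth0
EOF
    # Later lines override earlier ones, so the broad LAN rule comes first and
    # the specific VoIP and webcam rules after it. The $FW line marks the
    # firewall's own port-80 traffic (a local Squid) for ISP2.
    cat >"$1/tcrules" <<EOF
#MARK SOURCE            DEST       PROTO PORT(S)
2:P   $LAN_NET    0.0.0.0/0  all
1:P   $VOIP_NET   0.0.0.0/0  all
3:P   $WEBCAM     0.0.0.0/0  all
2     \$FW               0.0.0.0/0  tcp   80
EOF
}

ip2int() { set -- $(printf '%s' "$1" | tr '.' ' '); echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }
in_net() {   # in_net IP CIDR: succeeds when IP lies inside CIDR
    bits=${2#*/}; mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
provider_for() {   # provider_for IP TCRULES: mark the :P lines leave on packets from IP
    mark=0         # 0 = unmarked, i.e. main-table default route (ISP1 here)
    while read -r m src rest; do
        case $m in ''|'#'*) continue ;; esac
        case $src in ''|*[!0-9./]*) continue ;; esac   # skip $FW and other symbolic sources
        case $src in */*) ;; *) src=$src/32 ;; esac
        in_net "$1" "$src" && mark=${m%%:*}            # last matching line wins
    done <"$2"
    echo "$mark"
}
```

After `shorewall restart`, `ip rule show` and `ip route show table ISP3` should reflect the fwmark lookups and the per-provider default routes the providers file declares.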
>
> Like I said, 2 or more dhcp assigned addresses are a problem, have
> look at this thread in the email archives "Shorewall with multiple
> providers - basically three-in-one" started by Russel, who replied to
> you also. In short dhcp replaces the default gateway. I have some
> patches that work around that, based on fedora's init layout. I
> submitted them to fedora's bugzilla as an enhancement.

It won't be DHCP, once I have the IP I will write a static IP configuration file.

>> Should I use the providers configuration options or is that for load
>> balancing similar feeds?
>
>
> You'll need to use the providers file, to setup the advanced routing
> tables and "ip rules", or do it in your own script.
>
>> Can I have a default route through ISP1 then route specific traffic,
>> i.e. http, out specific interfaces, is that a better approach than
>> the providers file?
>>
> How did you plan on doing that without the advanced routing tables?
> No, from experience you'll need to have a multi-hop gateway anyway, and
> then use fwmarks to tag the traffic as needed. The tcrules file will
> setup the fwmarks for you.
>
>> General approach questions.
>>
> General answers.
>
> Jerry
>

Excellent comments, thanks. Saved me a lot of time messing with any other approach.

Thanks,
Chris