Shorewall users - Mar 2006 - Multi ISP question..

I''ve been reading the MultiISP page and I feel a bit puzzled regarding
a
few points.

My Setup will be 2 aDSL connections using simple Zyxel adsl modems and
pppoe.

Thus when the connections come up they will be named ppp0 and ppp1 in a
randon fashion.

However  the setup in providers file ( INTERFACE  field )  requires  you
to know the interface  that will be used against a specific provider.

But there is no way one can be sure that ISP1 will be ppp0 and the and
ISP2 ppp1.
This gets more complicated with the masq setup when routing smtp or whatever
traffic through a Certain ISP.

Questions:

a)  Is it right the Intrface field in the in the interfaces file be ppp+ ??????

b) Can MultiISP function with pppoe, or is it  better to choose  a different
approach ???.

Please advise.

Regards....








-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

On Tuesday 07 March 2006 07:57, lharry@freemail.gr wrote:
>
> Questions:
>
> a)  Is it right the Intrface field in the in the interfaces file be ppp+
> ??????
No. And if you can''t describe to Shorewall which ISP corresponds to
which
device, Shorewall certainly can''t figure it out for itself. Solving
this
problem requires quite a bit of scripting on your part (PPP ip-up script 
saves away the ISP->pppX correspondence so that you can set shell variables 
in /etc/shorewall/params.

Note also that most (all) PPPoE products on Linux can''t properly bring
up two
lines to two ISPs; the default gateway will usually be determined by which 
ISP connects first. 
>
> b) Can MultiISP function with pppoe, or is it  better to choose  a
> different approach ???.
>
With these low-cost lines, it takes a lot of effort on your part to make this 
work (check the list archives for posts from Jerry Voneau on this subject). 
And it''s not effort that Shorewall will give you any help with (now or
in the
future). In my view, this setup won''t be easy until the vendor ifup
scripts
get a lot smarter about dealing with multiple uplinks.

So think carefully before you commit to MultiISP in this environment -- you 
might be better off with two separate firewalls.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Dear Tom,
Thanks for your immediate response to my questions.
> On Tuesday 07 March 2006 07:57, lharry@freemail.gr wrote:
> 
> >
> > Questions:
> >
> > a)  Is it right the Intrface field in the in the interfaces file be
ppp+
> > ??????
> 
> No. And if you can''t describe to Shorewall which ISP corresponds
to which=20
> device, Shorewall certainly can''t figure it out for itself.
Solving this=20
> problem requires quite a bit of scripting on your part (PPP ip-up script=20
> saves away the ISP->pppX correspondence so that you can set shell
variables> =20
> in /etc/shorewall/params.
> 
> Note also that most (all) PPPoE products on Linux can''t properly
bring up t> wo=20
> lines to two ISPs; the default gateway will usually be determined by
which> =20
> ISP connects first.=20
> 
> >
> > b) Can MultiISP function with pppoe, or is it  better to choose  a
> > different approach ???.
> >
> 
> With these low-cost lines, it takes a lot of effort on your part to make
th> is=20
> work (check the list archives for posts from Jerry Voneau on this
subject).> =20
> And it''s not effort that Shorewall will give you any help with
(now or in t> he=20
> future). In my view, this setup won''t be easy until the vendor
ifup scripts> =20
> get a lot smarter about dealing with multiple uplinks.
> 
> So think carefully before you commit to MultiISP in this environment --
you> =20
> might be better off with two separate firewalls.
This is indeed a strange suggestion. So where the bandwidth balancing should
take place??
On a third Firewall behind the front ones??
Regards .......



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Hi. Some idea here. how about changing both the modems to act as a
router? So that you can get eth0 and eth1. That is what i did last
time.

On 3/9/06, lharry@freemail.gr <lharry@freemail.gr>
wrote:
>
> Dear Tom,
> Thanks for your immediate response to my questions.
>
> > On Tuesday 07 March 2006 07:57, lharry@freemail.gr wrote:
> >
> > >
> > > Questions:
> > >
> > > a)  Is it right the Intrface field in the in the interfaces file
be ppp+
> > > ??????
> >
> > No. And if you can''t describe to Shorewall which ISP
corresponds to which=20
> > device, Shorewall certainly can''t figure it out for itself.
Solving this=20
> > problem requires quite a bit of scripting on your part (PPP ip-up
script=20
> > saves away the ISP->pppX correspondence so that you can set shell
variables> > =20
> > in /etc/shorewall/params.
> >
> > Note also that most (all) PPPoE products on Linux can''t
properly bring up t> > wo=20
> > lines to two ISPs; the default gateway will usually be determined by
which> > =20
> > ISP connects first.=20
> >
> > >
> > > b) Can MultiISP function with pppoe, or is it  better to choose 
a
> > > different approach ???.
> > >
> >
> > With these low-cost lines, it takes a lot of effort on your part to
make th> > is=20
> > work (check the list archives for posts from Jerry Voneau on this
subject).> > =20
> > And it''s not effort that Shorewall will give you any help
with (now or in t> > he=20
> > future). In my view, this setup won''t be easy until the
vendor ifup scripts> > =20
> > get a lot smarter about dealing with multiple uplinks.
> >
> > So think carefully before you commit to MultiISP in this environment
-- you> > =20
> > might be better off with two separate firewalls.
>
> This is indeed a strange suggestion. So where the bandwidth balancing
should take place??
> On a third Firewall behind the front ones??
> Regards .......
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live
webcast
> and join the prime developer group breaking into this new coding territory!
>
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

--
Regards,

Wong Chee Chun
Network Engineer
Softmy Co. Ltd
(http://www.softmy.com)


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Thanks..
As a matter of fact I was thinking to move torwards this scenario.
One thing that bugs me though is what happens when the DSL link goes down, 
propably the firewall ( running on linux ) routing mechanism will not be aware
of it correct??

Are you using RFC1918 addresses on your routers/modems or your modems give you
the external ip that your ISP provides ( I think this is called half Bridge mode
) ??

Is you setup functioning OK as far as balancing is concerned ??

Thanks in advance man..
Regards....
> Hi. Some idea here. how about changing both the modems to act as a
> router? So that you can get eth0 and eth1. That is what i did last
> time.
> 
> On 3/9/06, lharry@freemail.gr <lharry@freemail.gr> wrote:
> >
> > Dear Tom,
> > Thanks for your immediate response to my questions.
> >
> > > On Tuesday 07 March 2006 07:57, lharry@freemail.gr wrote:
> > >
> > > >
> > > > Questions:
> > > >
> > > > a)  Is it right the Intrface field in the in the interfaces
file be p> pp+
> > > > ??????
> > >
> > > No. And if you can''t describe to Shorewall which ISP
corresponds to whi> ch=3D20
> > > device, Shorewall certainly can''t figure it out for
itself. Solving thi> s=3D20
> > > problem requires quite a bit of scripting on your part (PPP ip-up
scrip> t=3D20
> > > saves away the ISP->pppX correspondence so that you can set
shell varia> bles=3D
> > > =3D20
> > > in /etc/shorewall/params.
> > >
> > > Note also that most (all) PPPoE products on Linux can''t
properly bring > up t=3D
> > > wo=3D20
> > > lines to two ISPs; the default gateway will usually be determined
by wh> ich=3D
> > > =3D20
> > > ISP connects first.=3D20
> > >
> > > >
> > > > b) Can MultiISP function with pppoe, or is it  better to
choose  a
> > > > different approach ???.
> > > >
> > >
> > > With these low-cost lines, it takes a lot of effort on your part
to mak> e th=3D
> > > is=3D20
> > > work (check the list archives for posts from Jerry Voneau on this
subje> ct).=3D
> > > =3D20
> > > And it''s not effort that Shorewall will give you any
help with (now or > in t=3D
> > > he=3D20
> > > future). In my view, this setup won''t be easy until the
vendor ifup scr> ipts=3D
> > > =3D20
> > > get a lot smarter about dealing with multiple uplinks.
> > >
> > > So think carefully before you commit to MultiISP in this
environment -->  you=3D
> > > =3D20
> > > might be better off with two separate firewalls.
> >
> > This is indeed a strange suggestion. So where the bandwidth balancing
sho> uld take place??
> > On a third Firewall behind the front ones??
> > Regards .......
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by xPML, a groundbreaking scripting
langua> ge
> > that extends applications into web and mobile media. Attend the live
webc> ast
> > and join the prime developer group breaking into this new coding
territor> y!
> >
http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D110944&bid=3D241720&dat>
=3D121642
> > _______________________________________________
> > Shorewall-users mailing list
> > Shorewall-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/shorewall-users
> >
> 
> 
> --
> Regards,
> 
> Wong Chee Chun
> Network Engineer
> Softmy Co. Ltd
> (http://www.softmy.com)
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting language
> that extends applications into web and mobile media. Attend the live
webcast
> and join the prime developer group breaking into this new coding territory!
>
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

On Wednesday 08 March 2006 23:00, lharry@freemail.gr wrote:
> >
> > So think carefully before you commit to MultiISP in this environment
--
> > you= =20
> > might be better off with two separate firewalls.
>
> This is indeed a strange suggestion. So where the bandwidth balancing
> should take place?? On a third Firewall behind the front ones??
> 
Exactly where in your original post did you list bandwidth balancing as a 
requirement? 

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Thursday 09 March 2006 01:11, grharry@freemail.gr
wrote:
> Thanks..
> As a matter of fact I was thinking to move torwards this scenario.
> One thing that bugs me though is what happens when the DSL link goes down,
> propably the firewall ( running on linux ) routing mechanism will not be
> aware of it correct??
That''s correct (and spelled out explicitly in the Shorewall MultiISP 
documentation).

I think you probably want to use RFC 1918 IP addresses so that they can be 
static as far as your firewall goes; otherwise, you haven''t solved your
original problem.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key