Anuj Singh
2006-Mar-27 11:03 UTC
multiple isp. masqueraded machines sometimes work and sometimes not
Hello!

Last time I tried multiple ISPs on a local network (test machines) it worked. Now I have configured a network but am facing a different problem: sometimes a few of my local machines (masqueraded) work properly and sometimes they don't.

The second thing is related to IP failover. I got this informative link from the shorewall mailing list, http://sourceforge.net/mailarchive/message.php?msg_id=14146091, and am going to try it:

> | John:
> |
> | I *think* all you would need to do is delete, then re-add the fwmark to the
> | working providers lookup table, then flush the cache. I'd be interested in
> | working with you off list to see what we could come up with. Email me
> | off list if you're interested.
> |
> | For the failover issue, there are some proc settings that you can play with.
> | http://mailman.ds9a.nl/pipermail/lartc/2002q4/005274.html and the reply
> | is about the best info I could find regarding these settings. If anybody knows
> | of some better documentation of these settings, I'd love to hear from you.
> |
> | FWIW, I tried changing some of the settings, in /proc/sys/net/ipv4/route
> | echo 1 > gc_interval
> | echo 1 > gc_timeout
> | echo 1 > gc_elasticity
> | echo 2 > max_delay
> | echo 1 > min_delay

I hope someone has already tried the options provided in the link above, or can share some details.
I followed the document at http://www.shorewall.net/MultiISP.html and configured the firewall as follows:

ISP1 has gw=61.95.234.1, ethernet card=eth1 with ip=61.95.239.13
ISP2 has gw=59.144.170.1, ethernet card=eth0 with ip=159.144.170.16
Local network is connected to eth2

/etc/shorewall/providers
############################################################################################
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
ISP1    1       1       main        eth1        61.95.234.1     track,balance   eth2
ISP2    2       2       main        eth0        59.144.170.1    track,balance   eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/interfaces
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routeback
loc     eth2        detect      routeback
net     eth1        detect      routeback
road    tun+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

masq file /etc/shorewall/masq
###############################################################################
#INTERFACE  SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0        192.168.1.25    59.144.170.16
eth0        192.168.1.145   59.144.170.16
eth0        192.168.1.14    59.144.170.16
eth0        192.168.1.133   59.144.170.16
eth0        192.168.1.130   59.144.170.16
eth0        61.95.239.13    59.144.170.16
eth0        192.168.1.131   59.144.170.16
eth0        192.168.1.29    59.144.170.16
eth0        192.168.1.238   59.144.170.16
eth0        192.168.1.122   59.144.170.16
eth0        192.168.1.34    59.144.170.16
eth0        192.168.1.25    59.144.170.16
eth0        192.168.1.22    59.144.170.16
eth0        192.168.1.110   59.144.170.16
eth0        192.168.1.101   59.144.170.16
eth0        192.168.1.36    59.144.170.16
eth0        192.168.1.2     59.144.170.16
eth0        192.168.1.106   59.144.170.16
eth0        192.168.1.41    59.144.170.16
eth0        192.168.1.100   59.144.170.16
eth0        192.168.1.40    59.144.170.16
eth0        192.168.1.132   59.144.170.16
eth1        192.168.1.25    61.95.239.13
eth1        192.168.1.145   61.95.239.13
eth1        192.168.1.14    61.95.239.13
eth1        159.144.170.16  61.95.239.13
eth1        192.168.1.133   61.95.239.13
eth1        192.168.1.130   61.95.239.13
eth1        192.168.1.131   61.95.239.13
eth1        192.168.1.29    61.95.239.13
eth1        192.168.1.238   61.95.239.13
eth1        192.168.1.122   61.95.239.13
eth1        192.168.1.34    61.95.239.13
eth1        192.168.1.25    61.95.239.13
eth1        192.168.1.22    61.95.239.13
eth1        192.168.1.110   61.95.239.13
eth1        192.168.1.101   61.95.239.13
eth1        192.168.1.36    61.95.239.13
eth1        192.168.1.2     61.95.239.13
eth1        192.168.1.106   61.95.239.13
eth1        192.168.1.41    61.95.239.13
eth1        192.168.1.100   61.95.239.13
eth1        192.168.1.40    61.95.239.13
eth1        192.168.1.132   61.95.239.13
#############################################################
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/policy
###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
loc     net     ACCEPT
net     all     DROP    info
road    loc     ACCEPT
road    $FW     ACCEPT
loc     road    ACCEPT
net     net     DROP
#
# THE FOLLOWING POLICY MUST BE LAST
#
all     all     REJECT  info
#LAST LINE -- DO NOT REMOVE

/etc/shorewall/zones
###############################################################################
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
loc     ipv4
net     ipv4
road    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Rules (/etc/shorewall/rules)
#############################################################################################################
#ACTION      SOURCE         DEST    PROTO   DEST                        SOURCE   ORIGINAL        RATE    USER/
#                                           PORT                        PORT(S)  DEST            LIMIT   GROUP
ACCEPT       $FW            all     all     -                           -
ACCEPT       net            $FW     tcp     110,80,21,25                -        -
ACCEPT       net:3.12.4.2   $FW     tcp     22                          -
ACCEPT:info  loc            net     tcp     80,53,21,110,25,443,22
ACCEPT:info  loc            net     udp     53
ACCEPT:info  loc            net     icmp    -
ACCEPT       net            $FW     udp     1194
ACCEPT       loc            $FW     icmp    8                           -        192.168.1.129
DROP         all            all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

--
Regards
Anuj
===========Linux Rocks
World's Best Sites: http://www.tldp.org/ http://www.ibiblio.org/

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Tom Eastep
2006-Mar-27 15:19 UTC
Re: multiple isp. masqueraded machines sometimes work and sometimes not
On Monday 27 March 2006 03:03, Anuj Singh wrote:
> Hello !
> Last time I tried multiple isp on local network (test machines) it
> worked now I configured a network but facing a different problem. the
> problem is at sometimes Few of my local machines (masqueraded) do work
> properly and sometimes don't.

Do you have both firewall interfaces cabled to the same hub/switch?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Anuj Singh
2006-Mar-27 18:23 UTC
Re: multiple isp. masqueraded machines sometimes work and sometimes not
Yes, both are connected to the same switch.

About the IP failover: tomorrow I am going to try this script in crontab... just an idea.... let's see if it works... it should work, as after a defined time in crontab the following script will run, and if my fw is unable to ping www.google.com then it will change my gateway as well as restart the shorewall... but the point to check is how long it takes to find the host unreachable....

#!/bin/sh
CABLE_IP="ISP1 gw ip"   # placeholder: put ISP1's gateway address here
DSL_IP="ISP2 gw ip"     # placeholder: put ISP2's gateway address here

## function to switch to dsl router
switch_dsl() {
    route del default
    route add default gw $DSL_IP
}

## function to switch to cable router
switch_cable() {
    route del default
    route add default gw $CABLE_IP
}

if ping -c1 -q www.google.com >/dev/null 2>&1; then
    # since we can ping google we're online so we exit.
    exit 0
else
    # internet is down, let's switch to other router
    if route -n | grep '^0.0.0.0' | grep -q "$CABLE_IP"; then
        switch_dsl
    else
        switch_cable
        shorewall restart
    fi
fi

thanks and regards
Anuj

On 3/27/06, Tom Eastep <teastep@shorewall.net> wrote:
> On Monday 27 March 2006 03:03, Anuj Singh wrote:
> > Hello !
> > Last time I tried multiple isp on local network (test machines) it
> > worked now I configured a network but facing a different problem. the
> > problem is at sometimes Few of my local machines (masqueraded) do work
> > properly and sometimes don't.
>
> Do you have both firewall interfaces cabled to the same hub/switch?
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key

--
===========Linux Rocks
World's Best Sites: http://www.tldp.org/ http://www.ibiblio.org/
Tom Eastep
2006-Mar-27 18:31 UTC
Re: multiple isp. masqueraded machines sometimes work and sometimes not
On Mon, March 27, 2006 10:23, Anuj Singh wrote:
> Yes both are connected to the same switch.

That's your answer. If the two interfaces are on different IP networks and you do not use Proxy ARP, it will be sufficient to specify 'arp_ignore=1' on both interfaces (/etc/shorewall/interfaces). They cannot be on the same IP network and you cannot use Proxy ARP with that physical network topology without using ebtables. You will probably have to restart your firewall after making this change to get the upstream router(s) to get the correct ARP information.

> About the ip failover

Other folks have posted similar scripts, although most run the script as a daemon rather than scheduling it via cron.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Anuj Singh
2006-Apr-02 15:05 UTC
Re: multiple isp. masqueraded machines sometimes work and sometimes not
Hiii!

After working on the problem I found that one of the DNS entries was wrong (this is a remote network and the basic configuration was done by someone else)... after entering the proper nameservers I checked the performance and so far there is no problem with both the ISPs working.

Now about IP failover, I tried this script, called switch.sh:

#vi switch.sh

#!/bin/sh
ISP1=61.95.234.1
ISP2=59.144.170.1

switch_dsl()
{
    route del default
    route add default gw $ISP2
}

switch_cable()
{
    route del default
    route add default gw $ISP1
}

if ping -c1 -q www.yahoo.com >/dev/null 2>&1; then
    echo Gateway is alive.
    ip route show
    exit 0
else
    if route -n | grep '^0.0.0.0' | grep -q "$ISP1"; then
        switch_dsl
        ip route flush cache
        shorewall restart /shorewall2
        route -n
    else
        switch_cable
    fi
fi

The OS is SUSE and I am still working on making a daemon on it. At the moment I added its entry in the crontab to run every 5 minutes.

I found that if I add my shorewall restart, it again changes the default gateway to the 1st ISP defined in the /etc/shorewall/providers file, which is unplugged or not working (it still works for a while... probably due to the ip route cache).

Now, to make it switch properly between the gateways, I copied the whole /etc/shorewall directory to a different location, say /shorewall2, with a change in the providers file... i.e. I defined just the opposite ISPs (changed 1st ISP to 2 and 2nd ISP to 1):

#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
ISP1    1       1       main        eth0        59.144.170.1    track,balance   eth2
ISP2    2       2       main        eth1        61.95.234.1     track,balance   eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

and defined it in my script (shown above in the script with directory /shorewall2). Now it was switching the ISPs, but I found it not working for the local network... By default, after a shorewall restart command it makes default gw=ISP1 in the providers file.

In the end I made another change in the script, to make it only change the gateway and not restart shorewall. This time the internet was working on the local network. Just checked for a few minutes after flushing the ip route cache.

#!/bin/sh
ISP1=61.95.234.1
ISP2=59.144.170.1

switch_dsl()
{
    route del default
    route add default gw $ISP2
}

switch_cable()
{
    route del default
    route add default gw $ISP1
}

if ping -c5 -q www.yahoo.com >/dev/null 2>&1; then
    echo Gateway is alive.
    ip route show
    exit 0
else
    if route -n | grep '^0.0.0.0' | grep -q "$ISP1"; then
        switch_dsl
        ip route flush cache
        #shorewall restart /shorewall2
        route -n
    else
        switch_cable
    fi
fi

Tomorrow the load on the network will be full and I am going to check the performance.

Tom, I would like to check other scripts too... if you can provide the links or more details related to IP failover. I will update with more....

Thanks and regards
Anuj

On 3/28/06, Tom Eastep <teastep@shorewall.net> wrote:
>
> On Mon, March 27, 2006 10:23, Anuj Singh wrote:
> > Yes both are connected to the same switch.
>
> That's your answer. If the two interfaces are on different IP networks and
> you do not use Proxy ARP, it will be sufficient to specify 'arp_ignore=1'
> on both interfaces (/etc/shorewall/interfaces). They cannot be on the same
> IP network and you cannot use Proxy ARP with that physical network
> topology without using ebtables. You will probably have to restart your
> firewall after making this change to get the upstream router(s) to get the
> correct ARP information.
>
> > About the ip failover
>
> Other folks have posted similar scripts, although most run the script as a
> daemon rather than scheduling it via cron.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA      \ teastep@shorewall.net
> PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Jerry Vonau
2006-Apr-02 16:00 UTC
Re: multiple isp. masqueraded machines sometimes work and sometimes not
Anuj Singh wrote:
> Hiii!
> After working on the problem I found that one of the DNS entries was wrong
> (this is a remote network and the basic configuration was done by someone else)
> ... after entering the proper nameservers I checked the performance and so
> far there is no problem with both the ISPs working.
>
> Now about IP failover, I tried this script, called switch.sh:
> #vi switch.sh
>
> #!/bin/sh
> ISP1=61.95.234.1
> ISP2=59.144.170.1
> switch_dsl()
> {
>     route del default
>     route add default gw $ISP2
> }
> switch_cable()
> {
>     route del default
>     route add default gw $ISP1
> }
> if ping -c1 -q www.yahoo.com >/dev/null 2>&1; then
>     echo Gateway is alive.
>     ip route show
>     exit 0
> else
>     if route -n | grep '^0.0.0.0' | grep "$ISP1"; then
>         switch_dsl
>         ip route flush cache
>         shorewall restart /shorewall2
>         route -n
>     else
>         switch_cable
>     fi
> fi
>

You should really be using "ip route" here and not plain "route". Try "ip route ls" to see the difference in the output from just using "route". Using just "route" you will be unable to observe the multi-hop gateways that would be present, for example from my 2 gateway box:

[root@shore jerry]# /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.0.2       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
10.3.0.10       0.0.0.0         255.255.255.255 UH    0      0        0 eth1
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.5.0.0        10.10.0.2       255.255.255.0   UG    0      0        0 tun0
24.78.192.0     0.0.0.0         255.255.254.0   U     0      0        0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         24.78.192.1     0.0.0.0         UG    0      0        0 eth2

and the same box:

[root@shore jerry]# /sbin/ip route ls
10.10.0.2 dev tun0  proto kernel  scope link  src 10.10.0.1
10.3.0.10 dev eth1  scope link  src 10.3.0.75
10.3.0.0/24 dev eth0  proto kernel  scope link  src 10.3.0.106
10.5.0.0/24 via 10.10.0.2 dev tun0
24.78.192.0/23 dev eth2  proto kernel  scope link  src 24.78.192.127
169.254.0.0/16 dev eth2  scope link
default
        nexthop via 24.78.192.1  dev eth2 weight 10
        nexthop via 10.3.0.1  dev eth0 weight 1

Note the 2 default gateways that are present when using "ip route".

> The OS is SUSE and I am still working on making a daemon on it. At the
> moment I added its entry in the crontab to run every 5 minutes.
>
> I found that if I add my shorewall restart, it again changes the default
> gateway to the 1st ISP defined in the /etc/shorewall/providers file, which is
> unplugged or not working (it still works for a while... probably due to the ip
> route cache).

Yes, the route cache is playing games here. Those /proc entries that you had re-posted from my earlier email change the time it takes to declare a gateway unavailable and to try the other remaining available gateway.

> Now, to make it switch properly between the gateways, I copied the whole
> /etc/shorewall directory to a different location, say /shorewall2, with a
> change in the providers file... i.e. I defined just the opposite ISPs (changed 1st
> ISP to 2 and 2nd ISP to 1):
>

I think you should leave the providers file alone and just use a different tcrules file to favor the working ISP, in your second shorewall directory.

>
> #NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
> ISP1    1       1       main        eth0        59.144.170.1    track,balance   eth2
> ISP2    2       2       main        eth1        61.95.234.1     track,balance   eth2
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> and defined it in my script (shown above in the script with directory
> /shorewall2). Now it was switching the ISPs, but I found it not working for
> the local network...
> By default, after a shorewall restart command it makes default gw=ISP1 in
> the providers file.
>

You should be checking the gateway with "ip route ls".

>
> In the end I made another change in the script, to make it only change
> the gateway and not restart shorewall. This time the internet was working on
> the local network. Just checked for a few minutes after flushing the ip route
> cache.
>
> #!/bin/sh
> ISP1=61.95.234.1
> ISP2=59.144.170.1
> switch_dsl()
> {
>     route del default
>     route add default gw $ISP2
> }
> switch_cable()
> {
>     route del default
>     route add default gw $ISP1
> }
> if ping -c5 -q www.yahoo.com >/dev/null 2>&1; then
>     echo Gateway is alive.
>     ip route show
>     exit 0
> else
>     if route -n | grep '^0.0.0.0' | grep "$ISP1"; then
>         switch_dsl
>         ip route flush cache
>         #shorewall restart /shorewall2
>         route -n
>     else
>         switch_cable
>     fi
> fi
>
>

Without restarting shorewall when both ISPs are up, the advanced routing tables will not be created or used, leaving you without access through both providers; just the one that you have the default gateway pointed to will work.

>
> Tomorrow the load on the network will be full and I am going to check the
> performance.
> Tom, I would like to check other scripts too... if you can provide the links
> or more details related to IP failover.
>
> I will update with more....
> Thanks and regards
> Anuj
>

Just my 2 cents worth.

Good luck,
Jerry
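An added example, not code from the thread: shell helpers a failover script can use to read the real routing state with "ip route" (as Jerry suggests, so a multipath default route with several nexthops is seen) and to probe each uplink on its own before switching. The "ip route show" samples are constructed after Jerry's listing, the ISP gateway addresses are Anuj's, and stub_probe is an assumed stand-in for a real reachability check.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for a failover script that
# reads "ip route show" output instead of parsing "route -n".

# Print every gateway serving the default route as "<gw> <dev> <weight>".
# Handles the single-hop form ("default via G dev D") and the multipath
# form ("default" followed by "nexthop via G dev D weight W" lines), which
# plain "route -n" cannot display.
default_gateways() {
    awk '
        $1 == "default" && $2 == "via" { print $3, $5, 1; next }
        $1 == "default"                { multi = 1; next }
        multi && $1 == "nexthop" && $2 == "via" {
            w = 1
            for (i = 1; i <= NF; i++) if ($i == "weight") w = $(i + 1)
            print $3, $5, w; next
        }
        { multi = 0 }
    '
}

# Exit 0 if gateway $1 is currently part of the default route (stdin is the
# "ip route show" output), so a cron job can tell whether a switch happened.
gateway_active() {
    default_gateways | awk -v gw="$1" '$1 == gw { found = 1 } END { exit !found }'
}

# Probe each candidate gateway with "$probe <gw>" (exit 0 = uplink usable)
# and print the first one that answers; exit 1 if none does. Probing each
# uplink on its own avoids pinging a public host through whichever default
# happens to be set and then switching blindly to the other ISP.
select_gateway() {
    probe=$1
    shift
    for gw in "$@"; do
        if "$probe" "$gw"; then
            printf '%s\n' "$gw"
            return 0
        fi
    done
    return 1
}

# A real probe could be "ping -c1 -W2 -I <isp-interface> www.yahoo.com".
# This stub (an assumption for the demo) reports ISP1's gateway as dead.
stub_probe() { [ "$1" != "61.95.234.1" ]; }

ISP1=61.95.234.1
ISP2=59.144.170.1

# Constructed sample, after Jerry's listing: a two-nexthop default route.
MULTI='24.78.192.0/23 dev eth2 proto kernel scope link src 24.78.192.127
default
    nexthop via 24.78.192.1 dev eth2 weight 10
    nexthop via 10.3.0.1 dev eth0 weight 1'
# Constructed sample: the route after switch_dsl from the thread's script.
SINGLE='default via 59.144.170.1 dev eth0'

printf '%s\n' "$MULTI" | default_gateways   # 24.78.192.1 eth2 10 / 10.3.0.1 eth0 1
select_gateway stub_probe "$ISP1" "$ISP2"   # 59.144.170.1
```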