hi all. second post; first one was put in moderator queue, so I cancelled it.

so, I setup a machine connecting an internal net (the intra zone) to 4 ADSL lines (don't ask for reasons) of the same ISP (the inet zone) but it also connects to an external net (the fcq zone). the problem is that all the traffic is being handled by only one of the ADSL lines, as I can see in my mrtg graphics[1].

the only details I see are: a) the gateway for all the ADSL lines is the same: 200.3.60.3; and b) these lines work via PPPoE (someone asked me about this in the IRC channel).

here[2] you'll find my interfaces, providers and shorewall dump. if you need more data, just let me know.

--
[1] http://pigmea.fcq.unc.edu.ar/mrtg/, the ppp lines
[2] http://martina.fcq.unc.edu.ar/~mdione/shorewall/

--
Marcos Dione
Departamento de Cómputos
Facultad de Ciencias Químicas - UNC
----------------------------------------------------------------
Facultad de Ciencias Químicas - Universidad Nacional de Córdoba

[Attachment extracted: original attachment type "text/plain", name "interfaces"]
[Attachment extracted: original attachment type "text/plain", name "providers"]
[Attachment extracted: original attachment type "text/plain", name "shorewall_dump"]

Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Marcos Dione wrote:
> hi all. second post; first one was put in moderator queue, so I cancelled
> it.
>
> so, I setup a machine connecting an internal net (the intra zone) to 4 ADSL
> lines (don't ask for reasons) of the same ISP (the inet zone) but it also
> connects to an external net (the fcq zone). the problem is that all the traffic
> is being handled by only one of the ADSL lines, as I can see in my mrtg
> graphics[1].
>
> the only details I see are: a) the gateway for all the ADSL lines is the
> same: 200.3.60.3; and b) these lines work via PPPoE (someone asked me about this
> in the IRC channel).
>

I will start by saying that I cannot explain why traffic is unbalanced the way it is although I suspect that it has to do with the fact that the gateway is identical on all 4 interfaces. But I would suggest trying the following:

a) Set the 'track' option on each of your providers.

b) Include 'eth0' in the COPY column of each provider.

HTH,
-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
sorry tom, I forgot to hit the «reply to all» button :-|

Quoting Tom Eastep <teastep@shorewall.net>:
> I will start by saying that I cannot explain why traffic is
> unbalanced the way
> it is although I suspect that it has to do with the fact that the gateway is
> identical on all 4 interfaces.

I suspected the same, but I used to have this same setup with iptables/iproute2 commands working fine.

> But I would suggest trying the following:
>
> a) Set the 'track' option on each of your providers.

forgot to mention: I already tried the track option. also, I understand that option is for connections coming from, in this case, the inet zone to the firewall or the intra zone, not for connections originated from the firewall or the intra zone.

> b) Include 'eth0' in the COPY column of each provider.

right. also forgot to mention that the testing traffic (large http downloads and two bittorrents) is from the intra zone, not the fcq zone.

I tried both changes and the problem persists. there's a new shorewall_dump here[1]. I've been looking at the differences between both reports, and besides the marking tables and some modifications to the routing tables, I haven't seen anything too relevant. of course, it could be something too subtle for me...

--
[1] https://martina.fcq.unc.edu.ar/~mdione/shorewall/20060623/shorewall_dump

--
Marcos Dione
Departamento de Cómputos
Facultad de Ciencias Químicas - UNC
----------------------------------------------------------------
Facultad de Ciencias Químicas - Universidad Nacional de Córdoba
Marcos Dione wrote:
> I tried both changes and the problem persists. there's a new shorewall_dump
> here[1]. I've been looking at the differences between both reports, and
> besides the marking tables and some modifications to the routing tables, I
> haven't seen anything too relevant. of course, it could be something too subtle
> for me...

I don't see anything.

Sorry,
-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Marcos Dione wrote:
>
>> I tried both changes and the problem persists. there's a new shorewall_dump
>> here[1]. I've been looking at the differences between both reports, and
>> besides the marking tables and some modifications to the routing tables, I
>> haven't seen anything too relevant. of course, it could be something too subtle
>> for me...
>
> I don't see anything.

It's interesting that traffic originating from the firewall (mostly DNS lookups) seems to be somewhat balanced whereas forwarded traffic is using ppp3 exclusively.

One other thing -- the routing rules look like you specified the 'loose' option for each provider yet the /etc/shorewall/providers file that you posted did not show that option. If you are not specifying 'loose', I would appreciate seeing a trace of "shorewall [re]start" so I can determine why the rules are being omitted.

Thanks,
-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
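The symptom Tom points at above (per-provider routing rules that look as if 'loose' had been set, i.e. no `from <interface address> lookup <table>` rule) is something you can check mechanically. The script below is an added example written for this thread; it is not code from the list or from Shorewall. It assumes the Shorewall 3.x providers layout (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY) and the text formats of `ip rule show` and `ip route show table N`, and it verifies for every provider that a fwmark rule selects its table, that the `from <address>` rule exists unless 'loose' is set, that the table has a default route via the configured gateway and interface, and that with 'balance' the interface is a next hop of the main table's multipath default. The provider list, rule listing, route tables and interface addresses it carries are constructed sample data; the real configuration is not on this page.

```python
"""Sanity-check a multi-ISP policy-routing setup of the kind Shorewall
builds from /etc/shorewall/providers.  Added example; not Shorewall code.
All sample input below is constructed, not the poster's configuration."""
import re
from dataclasses import dataclass

# --- constructed sample input: gateway as in the thread, addresses invented ---
PROVIDERS = """
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY    OPTIONS       COPY
isp0  1      1    main      ppp0      200.3.60.3 track,balance eth0
isp1  2      2    main      ppp1      200.3.60.3 track,balance eth0
isp2  3      3    main      ppp2      200.3.60.3 track,balance eth0
isp3  4      4    main      ppp3      200.3.60.3 track,balance eth0
"""
IFACE_ADDRS = {"ppp0": "200.3.60.10", "ppp1": "200.3.60.11",
               "ppp2": "200.3.60.12", "ppp3": "200.3.60.13"}
IP_RULE = """
0:      from all lookup local
1000:   from all fwmark 0x1 lookup 1
1000:   from all fwmark 0x2 lookup 2
1000:   from all fwmark 0x3 lookup 3
1000:   from all fwmark 0x4 lookup 4
20000:  from 200.3.60.10 lookup 1
20000:  from 200.3.60.11 lookup 2
20000:  from 200.3.60.12 lookup 3
32766:  from all lookup main
32767:  from all lookup default
"""
# `ip route show table <n>`; note ppp2 is absent from the multipath default
TABLES = {
    "1": "default via 200.3.60.3 dev ppp0",
    "2": "default via 200.3.60.3 dev ppp1",
    "3": "default via 200.3.60.3 dev ppp2",
    "4": "default via 200.3.60.3 dev ppp3",
    "main": ("default\n"
             "\tnexthop via 200.3.60.3  dev ppp0 weight 1\n"
             "\tnexthop via 200.3.60.3  dev ppp1 weight 1\n"
             "\tnexthop via 200.3.60.3  dev ppp3 weight 1\n"
             "10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.1"),
}

@dataclass
class Provider:
    name: str
    table: int
    mark: int
    interface: str
    gateway: str        # "-" when the link has no next-hop address
    options: frozenset

def parse_providers(text):
    """Read the provider file; OPTIONS and COPY may be absent or '-'."""
    out = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if not cols:
            continue
        cols += ["-"] * (8 - len(cols))
        name, number, mark, _dup, iface, gw, opts, _copy = cols[:8]
        out.append(Provider(name, int(number), int(mark, 0), iface, gw,
                            frozenset(o for o in opts.split(",") if o not in ("", "-"))))
    return out

RULE_RE = re.compile(r"^\s*(?P<pref>\d+):\s+from\s+(?P<src>\S+)"
                     r"(?:\s+fwmark\s+(?P<mark>\S+))?\s+lookup\s+(?P<table>\S+)")
DEFAULT_RE = re.compile(r"^default(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")
NEXTHOP_RE = re.compile(r"nexthop\s+via\s+\S+\s+dev\s+(?P<dev>\S+)")

def parse_rules(text):
    """`ip rule show` lines -> dicts; fwmark may print as 0x1 or 0x1/0xff."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        mark = m.group("mark")
        rules.append({"src": m.group("src"), "table": m.group("table"),
                      "mark": int(mark.split("/")[0], 0) if mark else None})
    return rules

def default_route(table_text):
    """(gateway or None, device) of a single-path default route, else None."""
    for line in table_text.splitlines():
        m = DEFAULT_RE.match(line.strip())
        if m:
            return m.group("via"), m.group("dev")
    return None

def multipath_devs(table_text):
    """Devices that appear as next hops of multipath routes in the table."""
    return {m.group("dev") for m in NEXTHOP_RE.finditer(table_text)}

def check_providers(providers, rules, tables, iface_addrs):
    """Return a list of findings; empty means every provider is wired up."""
    findings = []
    balanced = multipath_devs(tables.get("main", ""))
    for p in providers:
        names = {str(p.table), p.name}          # table may print by number or name
        if not any(r["mark"] == p.mark and r["table"] in names for r in rules):
            findings.append(f"{p.name}: no 'fwmark {p.mark:#x} lookup {p.table}' rule")
        addr = iface_addrs.get(p.interface, "<unknown>")
        if "loose" not in p.options and not any(
                r["src"] == addr and r["mark"] is None and r["table"] in names for r in rules):
            findings.append(f"{p.name}: no 'from {addr} lookup {p.table}' rule "
                            "(routing rules look as if 'loose' were set)")
        route = default_route(tables.get(str(p.table), ""))
        if route is None:
            findings.append(f"{p.name}: table {p.table} has no default route")
        elif route[1] != p.interface or (p.gateway != "-" and route[0] != p.gateway):
            findings.append(f"{p.name}: table {p.table} default is via {route[0]} dev "
                            f"{route[1]}, expected via {p.gateway} dev {p.interface}")
        if "balance" in p.options and p.interface not in balanced:
            findings.append(f"{p.name}: {p.interface} is not a next hop of the main "
                            "table's multipath default route")
    return findings

if __name__ == "__main__":
    result = check_providers(parse_providers(PROVIDERS), parse_rules(IP_RULE),
                             TABLES, IFACE_ADDRS)
    print("\n".join(result) or "all providers have the expected rules and routes")
```

On a live box you would replace the constants with the real providers file, the output of `ip rule show`, one `ip route show table N` per provider plus the main table, and the address of each ppp interface; with dynamic PPPoE addresses the `from` rules have to be regenerated whenever a link comes back up, so running this after a reconnect is the interesting case.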
----- Original Message -----
> It's interesting that traffic originating from the firewall (mostly
> DNS lookups)
> seems to be somewhat balanced whereas forwarded traffic is using ppp3
> exclusively.

I'm not trying to hijack this thread because I don't care if my balancing works correctly, but I have the exact same behavior on my system. Traffic originating from the firewall gets balanced while traffic that is masqueraded does not.

I don't know how to read the shorewall dumps, but the providers file looks nearly identical to mine (only difference is that I use track)
Marcos Dione wrote:
> sorry tom, I forgot to hit the «reply to all» button :-|
>
> Quoting Tom Eastep <teastep@shorewall.net>:
>> I will start by saying that I cannot explain why traffic is
>> unbalanced the way
>> it is although I suspect that it has to do with the fact that the gateway is
>> identical on all 4 interfaces.
>
> I suspected the same, but I used to have this same setup with
> iptables/iproute2 commands working fine.
>

It would be interesting to see the output of "shorewall dump" with your home-made rulesets in place. We might be able to see what the key difference is.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Marcos Dione wrote:
>> sorry tom, I forgot to hit the «reply to all» button :-|
>>
>> Quoting Tom Eastep <teastep@shorewall.net>:
>>> I will start by saying that I cannot explain why traffic is
>>> unbalanced the way
>>> it is although I suspect that it has to do with the fact that the gateway is
>>> identical on all 4 interfaces.
>> I suspected the same, but I used to have this same setup with
>> iptables/iproute2 commands working fine.
>>
>
> It would be interesting to see the output of "shorewall dump" with your
> home-made rulesets in place. We might be able to see what the key difference is.
>

I suspect that the home-made rule set is using snat for the masq'ing; in the dumps posted there is just masquerade in the ppp(0-3)_masq rules, while the MultiISP page clearly shows that you should be using snat. In shorewall that is done by using the third column in the masq file to state the external ip for that interface.

Hoping that is the fix for you,

Jerry
Quoting Tom Eastep <teastep@shorewall.net>:
> Tom Eastep wrote:
> One other thing -- the routing rules look like you specified the
> 'loose' option
> for each provider yet the /etc/shorewall/providers file that you
> posted did not
> show that option. If you are not specifying 'loose', I would
> appreciate seeing a
> trace of "shorewall [re]start" so I can determine why the rules are
> being omitted.

here[1] you can find one.

--
[1] http://martina.fcq.unc.edu.ar/~mdione/shorewall/20060626/shorewall_trace

--
Marcos Dione
Departamento de Cómputos
Facultad de Ciencias Químicas - UNC
----------------------------------------------------------------
Facultad de Ciencias Químicas - Universidad Nacional de Córdoba
Quoting Jerry Vonau <jvonau@shaw.ca>:
> I suspect that the home-made rule set is using snat for the masq'ing, in
> the dumps posted there is just masquerade in the ppp(0-3)_masq rules,
> while the MultiISP page clearly show that you should be using snat. In
> shorewall that is done by using the third column in the masq file to
> state the external ip for that interface.

no, the ADSL lines have dynamic IPs, so I'm using MASQ instead of SNAT.

--
Marcos Dione
Departamento de Cómputos
Facultad de Ciencias Químicas - UNC
----------------------------------------------------------------
Facultad de Ciencias Químicas - Universidad Nacional de Córdoba
Marcos Dione wrote:
> Quoting Tom Eastep <teastep@shorewall.net>:
>> Tom Eastep wrote:
>> One other thing -- the routing rules look like you specified the
>> 'loose' option
>> for each provider yet the /etc/shorewall/providers file that you
>> posted did not
>> show that option. If you are not specifying 'loose', I would
>> appreciate seeing a
>> trace of "shorewall [re]start" so I can determine why the rules are
>> being omitted.
>
> here[1] you can find one.
>
> --
> [1] http://martina.fcq.unc.edu.ar/~mdione/shorewall/20060626/shorewall_trace

You haven't applied the errata fix for this problem.

http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.7/known_problems.txt

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Quoting Tom Eastep <teastep@shorewall.net>:
> It would be interesting to see the output of "shorewall dump" with your
> home-made rulesets in place. We might be able to see what the key
> difference is.

I got the dump[1]. I have to add that the original setup was such a complete mess (it involved *two* machines, ip/iptables rules and route decisions scattered among them), so maybe this is not complete enough.

--
[1] https://martina.fcq.unc.edu.ar/~mdione/shorewall/20060627/shorewall_dump

--
Marcos Dione
Departamento de Cómputos
Facultad de Ciencias Químicas - UNC
----------------------------------------------------------------
Facultad de Ciencias Químicas - Universidad Nacional de Córdoba
Russel wrote:
> I'm not trying to hijack this thread because I don't care if my
> balancing works correctly, but I have the exact same behavior on my
> system. Traffic originating from the firewall gets balanced while
> traffic that is masqueraded does not.
>
> I don't know how to read the shorewall dumps, but the providers file
> looks nearly identical to mine (only difference is that I use track)
>

So your connections are also PPPoE? And which kernel version are you running?

Thanks,
-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key