In much earlier versions of Shorewall, I had a setup that had two ISPs that I was load balancing outbound requests via custom ip rules and routes. Shorewall didn't yet have its multi-isp capabilities, so it wasn't very involved in the functionality of this configuration. I could happily eliminate one ISP from all routes by taking down the corresponding interface physically (unplug it) or virtually (ifdown). Routing of outbound requests immediately failed over to the sole remaining WAN connection.

A while back, I upgraded to Shorewall's built-in multi-isp config. I have managed to achieve everything the previous setup had (and a little more), with the exception of the failover mechanism above. I have tested both of my previous manual methods of failover, but neither works. I can even issue an "ip route flush cache" command following removal of one of the interfaces, but this doesn't force the failover to the remaining ISP. I can't restart Shorewall after downing an interface, because it complains loudly about not being able to find the interface address.

While I KNOW Shorewall wasn't designed for any sort of automatic failover, I'm wondering what you folks use for manual failover routines. I'm trying to come up with something simple that anyone near the firewall can do, as I'm not always physically present to change the Shorewall config and restart it.

Does anyone have any suggestions?

On Thu, 2006-08-17 at 08:36 -0700, List Receiver wrote:
> I can't restart Shorewall after downing an
> interface, because it complains loudly about not being able to find the
> interface address.

The new 'optional' provider option introduced in 3.2.2 is intended to solve that problem.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

> In much earlier versions of Shorewall, I had a setup that had two ISPs
> that I was load balancing outbound requests via custom ip rules and
> routes. Shorewall didn't yet have its multi-isp capabilities, so it
> wasn't very involved in the functionality of this configuration. I
> could happily eliminate one ISP from all routes by taking down the
> corresponding interface physically (unplug it) or virtually (ifdown).
> Routing of outbound requests immediately failed over to the sole
> remaining WAN connection.
>

Isn't it a good idea if you can share these scripts with the community, or even integrate them as a new feature of Shorewall? Some way you can 'ping' a defined host to decide if that ISP is ok and, if it is not, remove it from routing and disable NATs from that ISP.

> While I KNOW Shorewall wasn't designed for any sort of automatic
> failover, I'm wondering what you folks use for manual failover routines.
> I'm trying to come up with something simple that anyone near the
> firewall can do, as I'm not always physically present to change the
> Shorewall config and restart it.
>
> Does anyone have any suggestions?

So if you share knowledge.. you make the world better.

I noticed that in the docs. I may upgrade just to try it.

Any idea if my mechanisms of manual failover would work if I did restart Shorewall after downing the dead interface?

-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, August 17, 2006 8:53 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Manual failover for multi-isp setup

On Thu, 2006-08-17 at 08:36 -0700, List Receiver wrote:
> I can't restart Shorewall after downing an interface, because it
> complains loudly about not being able to find the interface address.

The new 'optional' provider option introduced in 3.2.2 is intended to solve that problem.

-Tom

List Receiver wrote:
> I noticed that in the docs. I may upgrade just to try it.
>
> Any idea if my mechanisms of manual failover would work if I did restart
> Shorewall after downing the dead interface?
>

Should work -- there is at least one other user that employs that approach.

-Tom

Tom Eastep wrote:
> List Receiver wrote:
>> I noticed that in the docs. I may upgrade just to try it.
>>
>> Any idea if my mechanisms of manual failover would work if I did restart
>> Shorewall after downing the dead interface?
>>
>
> Should work -- there is at least one other user that employs that approach.

If you use Tom's new optional flag on multi-ISP interfaces there is no need for failover and monitoring. Just run shorewall restart (or shorewall-lite restart as it is in my case) and it will set up routes with whatever providers are available.

I use this feature to balance over 3 ADSL links and whenever one goes down, I just flag that shorewall needs restarting in my /etc/ppp/ip-down.local script. Then I have a cron script that just checks whether a restart is needed and does it if so. I'll be publishing these scripts soon at http://linuxman.wikispaces.com/Clustering+Shorewall - stay tuned.

Paul

Paul Gear wrote:
> ...
> I use this feature to balance over 3 ADSL links and whenever one goes
> down, I just flag that shorewall needs restarting in my
> /etc/ppp/ip-down.local script. Then I have a cron script that just
> checks whether a restart is needed and does it if so. I'll be
> publishing these scripts soon at
> http://linuxman.wikispaces.com/Clustering+Shorewall - stay tuned.

Published now.

Paul
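
The flag-and-cron handoff described in the thread, sketched as an added example; this is not Paul's published scripts and not part of the original messages. It assumes the providers are marked 'optional' so that a restart succeeds with a link down; the flag path, the RESTART_CMD variable and the install path in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not Paul's published scripts. FLAG path, RESTART_CMD and
# the install path in the comments below are assumptions.
#
# /etc/ppp/ip-down.local:  /usr/local/sbin/sw-failover flag "$1"
# root crontab:            * * * * * /usr/local/sbin/sw-failover check

# Keep the flag in a root-only directory, not /tmp, so an unprivileged
# user cannot forge it or swap it for a symlink.
FLAG="${FLAG:-/var/run/shorewall-restart-needed}"
RESTART_CMD="${RESTART_CMD:-shorewall restart}"  # or: shorewall-lite restart

# Hook side: only record that a link dropped; never touch the firewall here.
flag_restart() {
    ( umask 077; printf '%s %s\n' "$(date +%s)" "${1:-unknown}" >> "$FLAG" )
}

# Cron side: returns 0 = restarted, 1 = nothing to do, 2 = restart failed.
restart_if_flagged() {
    [ -f "$FLAG" ] || return 1
    claimed="$FLAG.$$"
    # rename is atomic, so two overlapping cron runs cannot both claim it
    mv "$FLAG" "$claimed" 2>/dev/null || return 1
    if $RESTART_CMD; then
        rm -f "$claimed"
        return 0
    fi
    # Restart failed: put the entries back so the next run retries.
    cat "$claimed" >> "$FLAG"
    rm -f "$claimed"
    return 2
}

case "${1:-}" in
    flag)  flag_restart "${2:-}" ;;
    check) restart_if_flagged ;;
esac
```

Several links dropping within one cron interval append to the same flag and produce a single restart.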