Hi, I've this situation, maybe someone can help me.

I have a linux firewall bering uClibc 3.x box with 4 nic:

eth0 connected to an ADSL router (ISP 1)
eth1 connected to an HDSL router (ISP 2)
eth2 connected to DMZ
eth3 connected to my LAN
tun0 VPN1 using ADSL line to another bering box
tun1 VPN2 using HDSL line to another bering box (same as above)
tun2 VPN3 using ADSL line to provide access to local lan for ROADWARRIORS

I've implemented through shorewall config file "providers" the configuration for the two ISP.
Using tcrules shorewall config file, I decide what traffic from the local lan goes out through a particular ISP.
Using route_rules shorewall config file I route some local lan ip to different ISP.

The default gateway on the bering box is the ip of the ADSL router (ISP1).

What I want to do is to automatically switch in case of failure of one of the ISP, to the good one (like resetting the default gateway of bering to the good one) and at the same time automatically change the ip rules defined in the route_rules file and tcrules file.

Now I just change the default gateway and manually change the ip rules if one of the ISP fails. Is there a system on linux to do that automagically?

ciao

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Hi!

The answer is Load Balance. Read http://www.shorewall.net/MultiISP.html

Best wishes!!

Barreras

Giacomo Lancella wrote:
> Hi, I've this situation, maybe someone can help me.
> I have a linux firewall bering uClibc 3.x box with 4 nic [...]
> What I want to do is to automatically switch in case of failure of one
> of the ISP, to the good one (like resetting the default gateway of
> bering to the good one) and at the same time automatically change the
> ip rules defined in the route_rules file and tcrules file.
> Now I just change the default gateway and manually change the ip rules
> if one of the ISP fails. Is there a system on linux to do that automagically?

-- 
Saludos!!
M.Sc. José Raúl Barreras
Jefe de Seguridad Informática
G3security
http://www.g3security.com

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
I've not enabled load balance on the wan interfaces, because the HDSL line is not flat (I mean that we pay for how much traffic gets passed through that line), so I'm only routing out mail traffic from the lan using tcrules through that interface, and the rest goes through the adsl line.

Enabling load balance would balance and let the traffic go on both lines, or not?

And anyway load balance cannot change (I believe!) the ip rules defined in tcrules and route_rules if one isp goes down. But maybe I'm wrong.
From: Giacomo Lancella
> And anyway load balance cannot change (I believe!) the ip rules defined
> in tcrules and route_rules if one isp goes down. But maybe I'm wrong.

You are right, unfortunately. You can find threads about this issue in the archives months ago. It looks like there are several partial solutions but nothing that works automatically (you need some sort of monitoring daemon that, when one line goes down, changes the shorewall config).

Elio
Elio Tondo wrote:
> From: Giacomo Lancella
>
>> And anyway load balance cannot change (I believe!) the ip rules defined
>> in tcrules and route_rules if one isp goes down. But maybe I'm wrong.
>
> You are right, unfortunately. You can find threads about this issue in the
> archives months ago. It looks like there are several partial solutions but
> nothing that works automatically (you need some sort of monitoring daemon
> that, when one line goes down, changes the shorewall config).

There's no need to change the config under Shorewall 3.2.2 and later. Tom kindly implemented the 'optional' providers flag for just this situation. Upgrade to 3.2.3 if you haven't already, specify that the providers are optional, and things should just work.

Note however, that sometimes (I haven't tracked down what factors affect this) when one multi-ISP interface goes down, all multi-ISP routes are affected. If that's the case, a shorewall(-lite) restart is required to restore full routing functionality. (See the notes in http://linuxman.wikispaces.com/Shorewall+basic+failover+with+heartbeat for details about how I do this.)

Also, if your multi-ISP interface is on an Ethernet device rather than a PPP device, then you'll need some sort of dead gateway detection script, or a routing daemon that senses the same thing, otherwise you'll end up routing packets out an interface that gets no reply, so your client machines will experience extremely poor performance.

Paul
From: "Paul Gear" <pgear@redlands.qld.edu.au>
> There's no need to change the config under Shorewall 3.2.2 and later.
> Tom kindly implemented the 'optional' providers flag for just this
> situation. Upgrade to 3.2.3 if you haven't already, specify that the
> providers are optional, and things should just work.

Thank you; I just missed this addition in the release notes. In any case, I see that the "dead interface" is checked at restart, and some sort of monitoring daemon to check for routing failures is still required.

> (See the notes in
> http://linuxman.wikispaces.com/Shorewall+basic+failover+with+heartbeat
> for details about how I do this.)

Very interesting article, thank you.

> Also, if your multi-ISP interface is on an Ethernet device rather than a
> PPP device, then you'll need some sort of dead gateway detection script,
> or a routing daemon that senses the same thing, otherwise you'll end up
> routing packets out an interface that gets no reply, so your client
> machines will experience extremely poor performance.

This is my case: two ADSL routers with two different ISPs, both with some public IP addresses available; each firewall uses a different IP on each router and there is no need for a true HA setup, just the modification of the default routing.

Elio
Hi!

Giacomo Lancella wrote:
> I've not enabled load balance on the wan interfaces, because the HDSL
> line is not flat (I mean that we pay for how much traffic gets passed
> through that line), so I'm only routing out mail traffic from the lan
> using tcrules through that interface, and the rest goes through the adsl
> line. Enabling load balance would balance and let the traffic go on
> both lines, or not? And anyway load balance cannot change (I believe!)
> the ip rules defined in tcrules and route_rules if one isp goes down.
> But maybe I'm wrong.

From http://www.shorewall.net/MultiISP.html

"If you are using /etc/shorewall/providers because you have multiple internet connections, we recommend that you specify 'balance' even if you don't need it. You can still use entries in /etc/shorewall/tcrules to force traffic to one provider or another."

but...

"What an entry in the Providers File Does NOT Do
Given that Shorewall is simply a tool to configure Netfilter and does not run continuously in your system, entries in the providers file do not provide any automatic failover in the event of failure of one of your Internet connections."

Maybe a solution could be to have 2 configs, the 1st for ISP1 and the 2nd for ISP2.

In crontab (every ten minutes; "*/10" is the portable step syntax):

    */10 * * * * /usr/local/bin/isp-test.sh ISP1_IP

A script like this:

    #!/bin/bash
    # Ping the ISP1 gateway given as first argument once; a non-zero exit
    # status means the line is unreachable, so switch to the ISP2 config.
    ping -c 1 "$1" > /dev/null 2>&1
    res=$?
    if [ "$res" != "0" ]
    then
        EXEC_THE_SCRIPT_TO_CONECT_ISP2
    else
        EXEC_THE_SCRIPT_TO_CONECT_ISP1
    fi

You must add an additional control to check if ISP1 changes its status... (Sorry, I'm short of time right now...)

Best wishes!!

Barreras
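Putting together Paul's point about dead gateway detection on Ethernet uplinks and Barreras's cron sketch, here is an added example (not from the thread, nor Shorewall's own code) of what such a monitoring script could look like, including the fail-back check Barreras says is still missing; the interface names, gateway addresses, state file and per-ISP config directories are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): cron-driven dead-gateway check for a
# two-ISP Shorewall box. Prefers the flat-rate ADSL line, fails over to the
# metered HDSL line only while ADSL is down, and fails back afterwards.
# Interface names, gateway addresses and config directories are assumptions.
set -u
ISP1_IF=eth0; ISP1_GW=192.0.2.1      # assumed: ADSL router (ISP1)
ISP2_IF=eth1; ISP2_GW=198.51.100.1   # assumed: HDSL router (ISP2)
STATE_FILE=/var/run/isp-active       # remembers which provider is active

# Probe a gateway through a specific interface (ping -I) so the answer does
# not depend on whichever route is currently the default.
probe() {  # $1 = interface, $2 = address; exit 0 when reachable
    ping -c 2 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# Pure decision logic, kept separate so it can be tested without a network.
# $1 = active provider, $2/$3 = ISP1/ISP2 probe results (up|down).
# ISP1 wins whenever it is up (fail back), ISP2 only while ISP1 is down;
# with both down the current state is kept so nothing flaps needlessly.
choose() {
    case "$2/$3" in
        up/*)    echo ISP1 ;;
        down/up) echo ISP2 ;;
        *)       echo "$1" ;;
    esac
}
current() { cat "$STATE_FILE" 2>/dev/null || echo ISP1; }

# Switch only on a real state change, so the ten-minute cron run does not
# restart Shorewall (dropping conntrack state) every time it fires.
apply() {  # $1 = provider chosen by choose()
    [ "$1" = "$(current)" ] && return 0
    logger -t isp-test "switching provider from $(current) to $1"
    echo "$1" > "$STATE_FILE"
    # Assumed layout: providers/route_rules/tcrules for each ISP kept in
    # /etc/shorewall/isp1 and /etc/shorewall/isp2. With the 'optional'
    # providers flag (Shorewall 3.2.2+) the copy can go; a restart suffices.
    cp "/etc/shorewall/$(printf %s "$1" | tr A-Z a-z)/"* /etc/shorewall/
    shorewall restart
}

main() {
    r1=down; r2=down
    probe "$ISP1_IF" "$ISP1_GW" && r1=up
    probe "$ISP2_IF" "$ISP2_GW" && r2=up
    apply "$(choose "$(current)" "$r1" "$r2")"
}
# Only act when run as 'isp-test.sh run' (from cron); sourcing just defines.
if [ "${1:-}" = run ]; then main; fi
```

Pinging the router only tells you the router is alive, not that the line behind it carries traffic; a host beyond the ISP is a stronger probe target if the link allows it.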