I have been trying to follow the advice of http://shorewall.net/MultiISP.html

I have a network with servers and clients. I want all new incoming traffic from the internet to go to the servers via CBL. I want all new outgoing traffic from the local clients to go to the internet via DSL.

With the configuration below, all internet traffic ONLY goes thru providers:#1. If I flip the numbers in providers then this flips which gateway internet traffic uses. I cannot get tcrules OR route_rules to take effect whatsoever! Why would shorewall be ignoring my changes to those two files? Can someone help me determine what is going on here? I'd love to post more info if I knew what to post.

Thanks! This sure has been an interesting project!

Stefan

# rpm -qa | grep -e shorewall -e iproute -e iptables -e ipset
iptables-devel-1.3.5-3mdv2007.0
shorewall-doc-3.2.3-2mdv2007.0
iptables-1.3.5-3mdv2007.0
iproute2-2.6.16-3mdk
ipset-2.2.9-1mdv2007.0
shorewall-3.2.3-2mdv2007.0
iproute2-doc-2.6.16-3mdk

interfaces:
loc0    eth0    172.16.254.255
net     eth2    64.123.54.223     norfc1819,routefilter,blacklist,routeback
net     eth3    24.182.140.87     norfc1819,routefilter,blacklist,routeback

masq:
eth2    24.182.140.82    64.123.54.218
eth3    64.123.54.218    24.182.140.82
eth2    eth0             64.123.54.218
eth3    eth0             24.182.140.82

providers:
CBL    1    1    main    eth3    24.182.140.81    track,balance    eth0
DSL    2    2    main    eth2    64.123.54.222    track,balance    eth0

tcrules:
1:P    0.0.0.0/0
1:P    $FW
2:P    172.16.254.2    0.0.0.0/0    all

route_rules:
172.16.254.2    0.0.0.0/0    DSL    1000

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Stefan Adams wrote:

> I'd love to post more info if I knew what to post.

You, like most other people, can't find http://www.shorewall.net/support.htm even though it is linked prominently from the home page under the "Support" label.

http://www.shorewall.net/support.htm gives detailed instructions for obtaining Shorewall support.

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Actually, I had found support.htm. That's how I found the mailing list.

Are you suggesting that I didn't do a good job following the rules for tracking down the problem myself? I realize that now and have been working toward the solution. :( Sorry!!

The #1 thing that I notice thus far is this:

# ip rule ls
0:      from all lookup local
1000:   from all lookup CBL

No matter what I seem to do so far, "from all lookup CBL" is ALWAYS the first entry and therefore it's sucking up all of my traffic. Your MultiISP page does not show this entry at all. Can you give me a hint as to why that may be ALWAYS appearing as rule #1?

Anyway, I'm continuing down the path to following all the rules! :)

Thanks!
Stefan

On 9/23/06, Tom Eastep <teastep@shorewall.net> wrote:
> Stefan Adams wrote:
>
> > I'd love to post more info if I knew what to post.
>
> You, like most other people, can't find
> http://www.shorewall.net/support.htm even though it is linked
> prominently from the home page under the "Support" label
>
> http://www.shorewall.net/support.htm gives detailed instructions for
> obtaining Shorewall support.
>
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
> PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Ok, so per Tom's advice, I heeded (at least more closely) the rules to follow prior to requesting support. I got it working!! Here was the problem:

'ip rule ls' showed that the rules were never being flushed upon network/shorewall restarts. So now, network stop includes 'ip rule flush' and network start includes 'ip rule add from all pref 32766 table main' and 'ip rule add from all pref 32767 table default'. After that, a shorewall restart generates the rest of the rules fresh from scratch as no rules from previous attempts are maintained.

Does this make sense? This is the only way that I could get my changes to route_rules to take effect because once rules were added, they would never go away. This doesn't seem right to me.

Thanks for thoughts!
Stefan

On 9/23/06, Stefan Adams <stefan@borgia.com> wrote:
> I have been trying to follow the advice of
> http://shorewall.net/MultiISP.html
>
> I have a network with servers and clients. I want all new incoming
> traffic from the internet to go to the servers via CBL. I want all new
> outgoing traffic from the local clients to go to the internet via DSL.
>
> With the configuration below, all internet traffic ONLY goes thru
> providers:#1. If I flip the numbers in providers then this flips which
> gateway internet traffic uses. I cannot get tcrules OR route_rules to take
> effect whatsoever! Why would shorewall be ignoring my changes to those two
> files? Can someone help me determine what is going on here? I'd love to
> post more info if I knew what to post.
>
> Thanks! This sure has been an interesting project!
>
> Stefan
>
> # rpm -qa | grep -e shorewall -e iproute -e iptables -e ipset
> iptables-devel-1.3.5-3mdv2007.0
> shorewall-doc-3.2.3-2mdv2007.0
> iptables-1.3.5-3mdv2007.0
> iproute2-2.6.16-3mdk
> ipset-2.2.9-1mdv2007.0
> shorewall-3.2.3-2mdv2007.0
> iproute2-doc-2.6.16-3mdk
>
> interfaces:
> loc0    eth0    172.16.254.255
> net     eth2    64.123.54.223     norfc1819,routefilter,blacklist,routeback
> net     eth3    24.182.140.87     norfc1819,routefilter,blacklist,routeback
>
> masq:
> eth2    24.182.140.82    64.123.54.218
> eth3    64.123.54.218    24.182.140.82
> eth2    eth0             64.123.54.218
> eth3    eth0             24.182.140.82
>
> providers:
> CBL    1    1    main    eth3    24.182.140.81    track,balance    eth0
> DSL    2    2    main    eth2    64.123.54.222    track,balance    eth0
>
> tcrules:
> 1:P    0.0.0.0/0
> 1:P    $FW
> 2:P    172.16.254.2    0.0.0.0/0    all
>
> route_rules:
> 172.16.254.2    0.0.0.0/0    DSL    1000
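An added example, not part of this thread or of Shorewall itself: a shell check over constructed 'ip rule ls' output that flags the symptom Stefan hit, a catch-all provider-table rule sitting ahead of the main table and missing main/default lookups. The rule preferences in the healthy sample are assumed for illustration; the check is meant as a health test to run after a network or shorewall restart.

```shell
#!/bin/sh
# Sanity check of the routing policy database (RPDB) as printed by 'ip rule ls',
# aimed at the symptom in this thread: a stale "from all lookup CBL" rule that
# survived restarts and matched every packet before the main table was consulted.
#
# check_rpdb reads 'ip rule ls' output on stdin, prints one line per problem and
# returns 1 if it found any:
#   * the main (32766) or default (32767) table lookups are missing
#   * an unconditional "from all lookup <table>" rule for a table other than
#     local/main/default has a lower preference than the main lookup
check_rpdb() {
    awk '
        { pref = $1; sub(/:$/, "", pref) }
        /lookup main$/    { have_main = 1 }
        /lookup default$/ { have_default = 1 }
        $2 == "from" && $3 == "all" && $4 == "lookup" &&
        $5 != "local" && $5 != "main" && $5 != "default" && pref + 0 < 32766 {
            printf "catch-all rule %s: \"from all lookup %s\" precedes the main table\n", pref, $5
            bad = 1
        }
        END {
            if (!have_main)    { print "main table lookup (pref 32766) missing";    bad = 1 }
            if (!have_default) { print "default table lookup (pref 32767) missing"; bad = 1 }
            if (bad) exit 1
        }'
}

# Constructed sample: the broken state from the thread (main/default lookups
# gone, the CBL catch-all left over from a previous run).
BROKEN_RPDB='0:      from all lookup local
1000:   from all lookup CBL'

# Constructed sample: the shape of a healthy two-provider RPDB (preferences are
# illustrative assumptions, not Shorewall output): a source rule for the DSL
# client, fwmark rules for the provider tables, interface rules, then main/default.
SANE_RPDB='0:      from all lookup local
1000:   from 172.16.254.2 lookup DSL
10001:  from all fwmark 0x1 lookup CBL
10002:  from all fwmark 0x2 lookup DSL
20000:  from 24.182.140.87 lookup CBL
20000:  from 64.123.54.223 lookup DSL
32766:  from all lookup main
32767:  from all lookup default'

# On a live router:  ip rule ls | check_rpdb
printf '%s\n' "$SANE_RPDB"   | check_rpdb && echo "sane sample: OK"
printf '%s\n' "$BROKEN_RPDB" | check_rpdb || echo "broken sample: exit status $?"
```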
Stefan Adams wrote:

> Actually, I had found support.htm. That's how I found the mailing list.
>
> Are you suggesting that I didn't do a good job following the rules for
> tracking down the problem myself?

I was trying to draw your attention to the section of that article entitled: Problem Reporting Guidelines

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Stefan Adams wrote:

> After that, a shorewall restart generates the rest of the
> rules fresh from scratch as no rules from previous attempts are maintained.
>
> Does this make sense? This is the only way that I could get my changes
> to route_rules to take effect because once rules were added, they would
> never go away. This doesn't seem right to me.

Please read the large WARNING in the section of the Multi-ISP documentation entitled "What an entry in the Providers File Does"

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key