Hi all,

I've been following the discussions on implementing multiple ISP uplinks and I've read every bit of documentation I can find numerous times. However, yesterday I noticed something a little weird.

I have 4 interfaces - some LANs (eth0, eth2, eth3), a leased line (eth1) and a DSL uplink (ppp0) to different providers. The DSL uplink has a dynamic IP address and the leased line has a static IP address. I have specified track, balance and loose in the providers file for each of the providers. It looks like this:

<snip>
ISP1 1 1 main eth1 196.x.x.x balance,track,loose eth0,eth2,eth3
ISP2 2 2 main ppp0 detect balance,track,loose,optional eth0,eth2,eth3
</snip>

Now from what I've read I believe that all packets arriving on the ppp0 interface should have their connection mark set to 2 as I've specified the track option. Is my understanding correct?

If my understanding is correct then I need an explanation for the behaviour I've witnessed. In my tcrules file I have the following:

<snip>
RESTORE 0.0.0.0/0 0.0.0.0/0 all - - - 0
CONTINUE 0.0.0.0/0 0.0.0.0/0 all - - - !0
# Default all traffic out of the ISP1 line unless specified
1:P 0.0.0.0/0 0.0.0.0/0 all - - -
1:P $FW 0.0.0.0/0 all - - -
SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0
</snip>

What I experience though is that when a connection comes into the FTP service on the firewall ppp0 interface, the reply packets all leave on the eth1 interface. Surely if the connection is tracked and marked then the reply packets should go out of the interface that the request came in on?

Any ideas anyone?

Regards,
- Craig.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Craig M. Nicholson wrote:
>
> Surely if the connection is tracked and marked then the reply packets
> should go out of the interface that the request came in on?
>
> Any ideas anyone?
>

Craig,

Sorry -- I can't comment without seeing a 'shorewall dump' collected as described in great detail at http://www.shorewall.net/support.htm#guidelines.

Also:

a) Why are you specifying 'loose'?
b) Where does this FTP server run? The firewall? In a local network?
c) Is it the responses to the control connection (TCP port 21) that go out via ppp0 or is it active mode connections from the server back to the client that go out via ppp0?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Craig M. Nicholson wrote:
>
>> Surely if the connection is tracked and marked then the reply packets
>> should go out of the interface that the request came in on?
>>
>> Any ideas anyone?
>>
>
> Craig,
>
> Sorry -- I can't comment without seeing a 'shorewall dump' collected as
> described in great detail at http://www.shorewall.net/support.htm#guidelines. Also:
>
> a) Why are you specifying 'loose'?
> b) Where does this FTP server run? The firewall? In a local network?
> c) Is it the responses to the control connection (TCP port 21) that go out via
> ppp0 or is it active mode connections from the server back to the client that go
> out via ppp0?

Oops -- got the interfaces reversed. The last question should be:

c) Is it the responses to the control connection (TCP port 21) that go out via eth1 or is it active mode connections from the server back to the client that go out via eth1?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
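As an added illustration (not code from the thread and not Shorewall's own code), the following is a small Python model of the semantics Craig describes: the 'track' option sets the connmark of a connection arriving on a provider interface, and his tcrules restore, test, set and save the packet mark. It assumes, as a simplification, that the tcrules are applied as one ordered list to every packet the firewall handles and that a packet mark of N selects provider N's routing table (mark 0 falls back to the main table, whose default route points at ISP1). Walking the FTP scenario from the thread through it separates the two cases Tom asks about in his corrected question c: the reply on the tracked control connection keeps mark 2 and leaves via ppp0, while a new active-mode data connection opened by the firewall itself is not tracked, picks up mark 1 from the default rule and leaves via eth1.

```python
# Added example: toy model of 'track' plus the tcrules quoted in the thread.
# Not Shorewall internals; chain placement (PREROUTING vs OUTPUT) is ignored and
# the rules are evaluated as a single ordered list. All values below are taken
# from, or constructed to match, the configuration quoted by Craig.
from dataclasses import dataclass
from typing import Optional

# From the providers file: MARK -> INTERFACE, and INTERFACE -> MARK for 'track'.
PROVIDERS = {1: "eth1", 2: "ppp0"}
TRACKED_INTERFACES = {"eth1": 1, "ppp0": 2}
DEFAULT_INTERFACE = "eth1"  # assumption: main table's default route is ISP1

# From the tcrules file, reduced to (ACTION, SOURCE, TEST on the packet mark).
TCRULES = [
    ("RESTORE", "0.0.0.0/0", "0"),
    ("CONTINUE", "0.0.0.0/0", "!0"),
    ("1:P", "0.0.0.0/0", None),
    ("1:P", "$FW", None),
    ("SAVE", "0.0.0.0/0", "!0"),
]


@dataclass
class Packet:
    conn_id: str                  # identifies the connection (constructed label)
    in_iface: Optional[str]       # arrival interface; None if the firewall sent it
    mark: int = 0                 # packet mark, 0 until a rule sets it


class MarkModel:
    def __init__(self) -> None:
        self.connmarks: dict = {}  # conntrack entry -> connmark

    @staticmethod
    def _test_matches(test: Optional[str], mark: int) -> bool:
        if test is None:
            return True
        if test.startswith("!"):
            return mark != int(test[1:])
        return mark == int(test)

    @staticmethod
    def _source_matches(source: str, pkt: Packet) -> bool:
        if source == "$FW":
            return pkt.in_iface is None  # locally generated packet
        return True  # 0.0.0.0/0 matches everything

    def handle(self, pkt: Packet):
        """Apply 'track' for a new inbound connection, then the tcrules in order.
        Returns (final packet mark, interface the packet would leave on)."""
        is_new = pkt.conn_id not in self.connmarks
        if is_new and pkt.in_iface in TRACKED_INTERFACES:
            # 'track': connections arriving on a provider interface get its mark
            self.connmarks[pkt.conn_id] = TRACKED_INTERFACES[pkt.in_iface]
        self.connmarks.setdefault(pkt.conn_id, 0)

        for action, source, test in TCRULES:
            if not self._source_matches(source, pkt):
                continue
            if not self._test_matches(test, pkt.mark):
                continue
            if action == "RESTORE":
                pkt.mark = self.connmarks[pkt.conn_id]   # connmark -> packet mark
            elif action == "CONTINUE":
                break                                     # stop processing tcrules
            elif action == "SAVE":
                self.connmarks[pkt.conn_id] = pkt.mark    # packet mark -> connmark
            elif action.endswith(":P"):
                pkt.mark = int(action.split(":")[0])      # set packet mark
        return pkt.mark, PROVIDERS.get(pkt.mark, DEFAULT_INTERFACE)


def ftp_scenario() -> dict:
    """A client behind the DSL provider connects to FTP on the firewall, the
    firewall replies, then the server opens an active-mode data connection back.
    Connection labels are constructed; returns (mark, egress) per step."""
    model = MarkModel()
    control = "tcp client:40000 -> fw:21"
    data = "tcp fw:20 -> client:40001"
    return {
        "control request": model.handle(Packet(control, in_iface="ppp0")),
        "control reply": model.handle(Packet(control, in_iface=None)),
        "active-mode data connection": model.handle(Packet(data, in_iface=None)),
    }


if __name__ == "__main__":
    for step, (mark, egress) in ftp_scenario().items():
        print(f"{step:28s} mark={mark} egress={egress}")
```

The difference between the two outbound cases is the whole point: the control reply belongs to a connection that 'track' already marked, so RESTORE puts mark 2 on it and CONTINUE stops the default 1:P rule from overriding it; the active-mode data connection is new and originates on the firewall, so nothing tracks it and the 1:P rules send it out ISP1. A real diagnosis still needs the 'shorewall dump' Tom asks for, since that shows the actual mangle chains and conntrack marks rather than this simplified model.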