I am trying to route Firewall traffic out one of my ISP's with squid running on the FW. With high marks, yes, I have tried this first:

#MARK   SOURCE          DEST        PROTO   PORT(S)         CLIENT  USER    TEST    LENGTH  TOS
256     $FW             0.0.0.0/0   tcp     80,443,3128
256:P   eth1            0.0.0.0/0   tcp     80,443,3128

I tried this as well, with this entry in tcrules:

768     $FW:$ETH2_IP    0.0.0.0/0   tcp     80,443,3128
768:P   eth1            0.0.0.0/0   tcp     80,443,3128

When I tried the above in tcrules I also added this to providers:

#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
fwout   5       768     -           eth2        detect
com     1       256     main        eth2        detect          track,balance   eth1
atg     2       512     main        eth0        66.224.62.97    track,balance   eth1

Thanks
Mike

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Mike Lander wrote:
> I am trying to route Firewall traffic out
> one of my ISP's with squid running on the FW.
> With high marks yes

Mike,

Now read the part of the Multi-ISP document entitled "Applications Running on the Firewall".

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
I put my internal IP 10.194.79.2 in tcp_outgoing many days ago because squid would not work at all.

Thanks
Mike
After reading a post somewhere about squid I had somehow deducted to put my internal IP in tcp_outgoing in squid.conf. After doing that squid worked and I had left it at that. Since that does not make sense now, I entered my eth2 IP address, which is dynamic, in tcp_outgoing and it works. Everything is going out that eth2 interface now from squid on the firewall.

So I have two questions:

1. How do I enter this in squid.conf for a dynamic address? Would the shorewall variable $eth2_IP work?

2. In the first post, is my configuration correct for forcing traffic out the ISP desired?

Thanks
Mike
Mike Lander wrote:
> After reading a post somewhere about squid I had
> somehow deducted to put my internal Ip in tcp outgoing
> in squid.conf. After doing that squid worked and I had
> left it at that.
> Since that does not make sense now. I entered my
> eth2 ip address which is dynamic in tcp outgoing
> and it works. Everything is going out that eth2 interface
> now from squid on the firewall.
> So I have two questions
> 1. How do I enter this in squid conf for
> a dynamic address.

There is no way, as far as I know.

> 2. In the first post is my configuration
> correct for forcing traffic out the Isp
> desired?

The whole point of the section that I referred you to is that no one has discovered a foolproof way using just policy routing to force all traffic originating on the firewall out of one interface or the other. Plus, when I only see two or three lines out of an entire router/firewall configuration, I can't possibly tell you whether they are correct. But I would have thought that the first rule should have been coded with $ETH1_IP rather than $ETH2_IP. And of course, you need the appropriate entry in /etc/shorewall/masq...

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
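One practical answer to Mike's first question, as an added example that is not part of the thread nor Shorewall's or Squid's own code: since squid.conf cannot reference a dynamic address directly, a small POSIX shell script regenerates the tcp_outgoing_address directive from the interface's current address and tells Squid to reconfigure only when the value actually changed. It assumes the iproute2 `ip` command is available and uses a placeholder squid.conf path and the eth2 interface name from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, Shorewall or Squid): keep Squid's
# tcp_outgoing_address in step with a dynamically addressed interface by
# rewriting squid.conf and reloading Squid only when the address changed.
# Assumed placeholders: config path and interface name (override via env).
SQUID_CONF=${SQUID_CONF:-/etc/squid/squid.conf}
OUT_IFACE=${OUT_IFACE:-eth2}

# First IPv4 address on an interface (empty if the link has none yet).
iface_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Dotted-quad sanity check, so a failed lookup never lands in squid.conf.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace (or append) the tcp_outgoing_address directive in $1 with $2.
# Prints "changed" or "unchanged"; returns 1 if the address is unusable.
set_outgoing_addr() {
    conf=$1; addr=$2
    valid_ipv4 "$addr" || return 1
    esc=$(echo "$addr" | sed 's/\./\\./g')
    if grep -Eq "^tcp_outgoing_address[[:space:]]+$esc([[:space:]]|\$)" "$conf"; then
        echo unchanged; return 0
    fi
    tmp=$(mktemp) || return 1
    # Drop every existing directive, then append the new one at the end.
    grep -Ev '^tcp_outgoing_address[[:space:]]' "$conf" > "$tmp" || true
    echo "tcp_outgoing_address $addr" >> "$tmp"
    cat "$tmp" > "$conf"   # keeps the original file's owner and mode
    rm -f "$tmp"
    echo changed
}

# Entry point for a cron job or an interface-up hook: sh this_script.sh run
main() {
    addr=$(iface_addr "$OUT_IFACE")
    result=$(set_outgoing_addr "$SQUID_CONF" "$addr") ||
        { echo "no usable IPv4 address on $OUT_IFACE" >&2; return 1; }
    [ "$result" = changed ] && squid -k reconfigure
    return 0
}

case "${1:-}" in run) main ;; esac
```

Run it from whatever hook fires when the eth2 lease changes (or periodically from cron) so Squid never keeps binding to a stale address.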
> The whole point of the section that I referred you to is that no one has
> discovered a foolproof way using just policy routing to force all
> traffic originating on the firewall out of one interface or the other.
> Plus, when I only see two or three lines out of an entire
> router/firewall configuration, I can't possibly tell you whether they
> are correct. But I would have thought that the first rule should have
> been coded with $ETH1_IP rather than $ETH2_IP. And of course, you need
> the appropriate entry in /etc/shorewall/masq...

Since that is the case, maybe this would be a more logical choice. Eth0 will have a 768 up and back frac T-1 and eth2 will be a 4mb down and 500kbit up. Would the firewall running squid honor the balance option to give more bandwidth to eth2?

Thanks
Mike
Mike Lander wrote:
> The whole point of the section that I referred you to is that no one has
> discovered a foolproof way using just policy routing to force all
> traffic originating on the firewall out of one interface or the other.
> Plus, when I only see two or three lines out of an entire
> router/firewall configuration, I can't possibly tell you whether they
> are correct. But I would have thought that the first rule should have
> been coded with $ETH1_IP rather than $ETH2_IP. And of course, you need
> the appropriate entry in /etc/shorewall/masq...
>
> Since that is the case maybe this would be a more logical
> choice. Eth0 will have a 768 up and back frac T-1 and eth2 will
> be a 4mb down and 500kbit up.
> Would the firewall running squid honor the balance option
> to give more bandwidth to eth2?

I don't know. I get conflicting reports and since I can't test this stuff myself, I'm afraid that I can't help you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Mike Lander wrote:
> ...
> Since that is the case maybe this would be a more logical
> choice. Eth0 will have a 768 up and back frac T-1 and eth2 will
> be a 4mb down and 500kbit up.
> Would the firewall running squid honor the balance option
> to give more bandwidth to eth2?

I run three 1500/256 ADSL links on my firewalls, and squid on a box in the DMZ behind it, and it does a reasonable job of load-balancing the three. You can see the MRTG graphs of the firewall's DSL interfaces:

http://penguin.redlands.qld.edu.au/mrtg-public/pelican/weekly.html

Note however that this is not exactly the same situation, because squid is on a separate box. In my configuration, dsl2 has a weight of 4 and dsl1 & dsl3 have weights of 3.

Paul