hi,

forgot to put a subject, so am resending

hi,

I have been trying to set up shorewall for 2 ISPs and nothing fancy, but am facing the problem that smtp, pop, ssh, ping and irc don't go through when I enable the masq. I am running Mandriva 2007. My setup is:

eth0 192.168.2.201 - local lan
eth2 202.x.x.3 gateway 202.x.x.1 isp1
eth3 222.x.x.3 gateway 222.x.x.1 isp2

my rules.drakx file:

ACCEPT net fw udp 110,25,22 -
ACCEPT net fw tcp 22,6670,110,25,22 -
REDIRECT loc 3128 tcp www -

my providers file:

isp1 2 2 main eth2 202.x.x.1 balance,track eth0
isp2 1 1 main eth3 202.x.x.1 balance,track eth0

my masq file:

eth2 202.x.x.3 222.x.x.3
eth3 222.x.x.3 202.x.x.3

If I comment out the entries in the masq file, everything works, but all traffic goes through eth2 only. If I enable the masq file, http works, load is balanced, but smtp, pop, ssh, ping and irc don't go through. Any clues?

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Kenneth Gonsalves wrote:
> hi,
>
> forgot to put a subject, so am resending
>
> hi,
>
> I have been trying to set up shorewall for 2 ISPs and nothing fancy
> but am facing the problem that smtp, pop, ssh, ping and irc don't go
> through when I enable the masq. I am running Mandriva 2007. My setup is:
>
> eth0 192.168.2.201 - local lan
> eth2 202.x.x.3 gateway 202.x.x.1 isp1
> eth3 222.x.x.3 gateway 222.x.x.1 isp2
>
> my rules.drakx file:
>
> ACCEPT net fw udp 110,25,22 -
> ACCEPT net fw tcp 22,6670,110,25,22 -
> REDIRECT loc 3128 tcp www -
>
> my providers file:
>
> isp1 2 2 main eth2 202.x.x.1 balance,track eth0
> isp2 1 1 main eth3 202.x.x.1 balance,track eth0
>
> my masq file:
>
> eth2 202.x.x.3 222.x.x.3
> eth3 222.x.x.3 202.x.x.3
>
Try:

eth2 222.x.x.3 202.x.x.3
eth3 202.x.x.3 222.x.x.3

I think you have it reversed.

Regards,
Harry.

> If I comment out the entries in the masq file, everything works, but
> all traffic goes through eth2 only. If I enable the masq file, http
> works, load is balanced, but smtp, pop, ssh, ping and irc don't go
> through. Any clues?
On 12-Jul-07, at 12:12 PM, Harry Lachanas wrote:
> Try:
> eth2 222.x.x.3 202.x.x.3
> eth3 202.x.x.3 222.x.x.3
>
> I think you have it reversed

that's a typo - I was x-ing out the IPs - it is correct, that is:

eth2 eth3ip eth2ip
eth3 eth2ip eth3ip

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
> my providers file:
>
> isp1 2 2 main eth2 202.x.x.1 balance,track eth0
> isp2 1 1 main eth3 202.x.x.1 balance,track eth0
>
I've also noticed that the gateway of both ISP1 and ISP2 is the same ????

Is this a multilink setup or just another typo ???

Remember, the columns are:

NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
On 12-Jul-07, at 1:23 PM, Harry Lachanas wrote:
>> my providers file:
>>
>> isp1 2 2 main eth2 202.x.x.1 balance,track eth0
>> isp2 1 1 main eth3 202.x.x.1 balance,track eth0
>>
> I've also noticed that the gateway of both ISP1 and ISP2 is the same ????
>
> Is this a multilink setup or just another typo ???
>
> Remember, the columns are:
>
> NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY

x-ing out has messed up things:

providers file:

bsnl 2 2 main eth2 192.168.10.1 balance,track eth0
net4india 1 1 main eth3 202.71.146.209 balance,track eth0

masq file:

eth2 202.71.146.210 192.168.10.3
eth3 192.168.10.3 202.71.146.210

rules file:

ACCEPT net fw udp 110,25,22 -
ACCEPT net fw tcp 22,6670,110,25,22 -
REDIRECT loc 3128 tcp www -

when the masq file is commented out, everything works, but only eth2 gets traffic; otherwise balancing works, but ping, smtp, pop, irc etc. don't work

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
Kenneth Gonsalves wrote:
> hi,
> [...]
> If I comment out the entries in the masq file, everything works, but
> all traffic goes through eth2 only. If I enable the masq file, http
> works, load is balanced, but smtp, pop, ssh, ping and irc don't go
> through. Any clues?
>
Please supply the output of "shorewall dump" collected as described at http://www.shorewall.net/support.htm#Guidelines.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Kenneth Gonsalves wrote:
>> [...]
>
> Please supply the output of "shorewall dump" collected as described at
> http://www.shorewall.net/support.htm#Guidelines.
>
Also, the output of this command would be helpful:

gzip -dc /proc/config.gz | grep CONFIG_IP_ROUTE_MULTIPATH_CACHED

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On 12-Jul-07, at 7:16 PM, Tom Eastep wrote:
> Kenneth Gonsalves wrote:
>> [...]
>
> Please supply the output of "shorewall dump" collected as described at
> http://www.shorewall.net/support.htm#Guidelines.

action attempted: ping from 192.168.2.130 to 64.233.187.99, and status.txt.gz is attached - sorry for not following the guidelines

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
On 12-Jul-07, at 7:38 PM, Tom Eastep wrote:
> Tom Eastep wrote:
>> [...]
>> Please supply the output of "shorewall dump" collected as
>> described at
>> http://www.shorewall.net/support.htm#Guidelines.
>>
>
> Also, the output of this command would be helpful:
>
> gzip -dc /proc/config.gz | grep CONFIG_IP_ROUTE_MULTIPATH_CACHED

output is:

CONFIG_IP_ROUTE_MULTIPATH_CACHED=y

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
Kenneth Gonsalves wrote:
> On 12-Jul-07, at 7:38 PM, Tom Eastep wrote:
>> [...]
>> Also, the output of this command would be helpful:
>>
>> gzip -dc /proc/config.gz | grep CONFIG_IP_ROUTE_MULTIPATH_CACHED
>
> output is:
>
> CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
>
Shorewall multiISP support does not work correctly with kernels built with that option. That is mentioned in the Shorewall MultiISP article.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Kenneth Gonsalves wrote:
>> [...]
>> output is:
>>
>> CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
>>
>
> Shorewall multiISP support does not work correctly with kernels built
> with that option. That is mentioned in the Shorewall MultiISP article.

I notice too that route filtering is enabled on both eth2 and eth3 yet martian logging is disabled. You may be having a lot of packets silently dropped as martians. Note: It may be your distribution (/etc/sysctl.conf or something similar) that is enabling route filtering.

I personally recommend disabling route filtering in multi-ISP configurations.

Finally, do you have eth2 and eth3 connected to a common hub/switch? That also can cause havoc in these configurations.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
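The check Tom describes above, as an added example (not code from the thread or from Shorewall): given the text of `sysctl net.ipv4.conf`, report the interfaces where reverse-path filtering (rp_filter) is on but martian logging (log_martians) is off, which is exactly the combination that drops asymmetric multi-ISP return traffic without a trace. The sysctl output below is constructed to mirror the firewall in this thread; the `external` parameter and the helper names are this example's own.

```python
"""Flag interfaces where rp_filter is enabled and log_martians is disabled.

Added example for the Shorewall multi-ISP thread; it is not Shorewall code.
Feed it the output of `sysctl net.ipv4.conf` (or `sysctl -a`).
"""
import re

# Constructed sample output (eth2/eth3 are the two ISP interfaces).
# On a real box use:
#   subprocess.run(["sysctl", "net.ipv4.conf"], capture_output=True, text=True).stdout
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.eth2.rp_filter = 1
net.ipv4.conf.eth2.log_martians = 0
net.ipv4.conf.eth3.rp_filter = 1
net.ipv4.conf.eth3.log_martians = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.log_martians = 0
"""

_LINE = re.compile(
    r"^net\.ipv4\.conf\.([^.\s]+)\.(rp_filter|log_martians)\s*=\s*(\d+)$"
)


def parse_conf(text):
    """Return {iface: {"rp_filter": int, "log_martians": int}} from sysctl text."""
    conf = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            iface, key, val = m.groups()
            conf.setdefault(iface, {})[key] = int(val)
    return conf


def silent_rp_filter(text, external=()):
    """Interfaces where rp_filter is on and log_martians is off.

    `external` (assumed parameter) restricts the report to the ISP-facing
    interfaces; by default every interface except all/default/lo is checked.
    The kernel combines conf.all with the per-interface value (highest
    rp_filter wins; log_martians is logged if either is set), so conf.all
    is folded into each interface before the comparison.
    """
    conf = parse_conf(text)
    all_rp = conf.get("all", {}).get("rp_filter", 0)
    all_lm = conf.get("all", {}).get("log_martians", 0)
    hits = []
    for iface in sorted(conf):
        if iface in ("all", "default", "lo"):
            continue
        if external and iface not in external:
            continue
        rp = max(all_rp, conf[iface].get("rp_filter", 0))
        lm = max(all_lm, conf[iface].get("log_martians", 0))
        if rp and not lm:
            hits.append(iface)
    return hits


def sysctl_fix(ifaces):
    """/etc/sysctl.conf lines that disable route filtering on the given
    interfaces, which is what is recommended for multi-ISP setups."""
    return [f"net.ipv4.conf.{iface}.rp_filter = 0" for iface in ifaces]


if __name__ == "__main__":
    bad = silent_rp_filter(SAMPLE_SYSCTL, external=("eth2", "eth3"))
    print("silently dropping martians on:", ", ".join(bad) or "none")
    print("\n".join(sysctl_fix(bad)))
```

Before disabling rp_filter, it is worth turning on log_martians for a while instead; the kernel then logs the dropped packets and you can confirm that the asymmetric ISP traffic really is what is being thrown away.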
On 13-Jul-07, at 8:10 PM, Tom Eastep wrote:
>> Shorewall multiISP support does not work correctly with kernels built
>> with that option. That is mentioned in the Shorewall MultiISP
>> article.
>
> I notice too that route filtering is enabled on both eth2 and eth3 yet
> martian logging is disabled. You may be having a lot of packets
> silently dropped as martians. Note: It may be your distribution
> (/etc/sysctl.conf or something similar) that is enabling route
> filtering.
>
> I personally recommend disabling route filtering in multi-ISP
> configurations.

will try that

> Finally, do you have eth2 and eth3 connected to a common hub/switch?
> That also can cause havoc in these configurations.

no, both are connected to the modems at one end and the firewall computer at the other

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
On 13-Jul-07, at 8:10 PM, Tom Eastep wrote:
> Tom Eastep wrote:
>> [...]
>> Shorewall multiISP support does not work correctly with kernels built
>> with that option. That is mentioned in the Shorewall MultiISP
>> article.
>
> I notice too that route filtering is enabled on both eth2 and eth3 yet
> martian logging is disabled. You may be having a lot of packets
> silently dropped as martians. Note: It may be your distribution
> (/etc/sysctl.conf or something similar) that is enabling route
> filtering.
>
> I personally recommend disabling route filtering in multi-ISP
> configurations.
>
> Finally, do you have eth2 and eth3 connected to a common hub/switch?
> That also can cause havoc in these configurations.

I disabled CONFIG_IP_ROUTE_MULTIPATH_CACHED, but still no joy - balancing works perfectly for http, but not for smtp etc.

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
Kenneth Gonsalves wrote:
> On 13-Jul-07, at 8:10 PM, Tom Eastep wrote:
>> [...]
>> I notice too that route filtering is enabled on both eth2 and eth3 yet
>> martian logging is disabled. You may be having a lot of packets
>> silently dropped as martians. Note: It may be your distribution
>> (/etc/sysctl.conf or something similar) that is enabling route
>> filtering.
>>
>> I personally recommend disabling route filtering in multi-ISP
>> configurations.
>>
>> Finally, do you have eth2 and eth3 connected to a common hub/switch?
>> That also can cause havoc in these configurations.
>
> I disabled CONFIG_IP_ROUTE_MULTIPATH_CACHED, but still no joy -
> balancing works perfectly for http, but not for smtp etc.
>
http is being proxied, so all outgoing connections are from the firewall. One potential problem in your configuration is that you are not masquerading the local network (192.168.2.0/24) out of eth3. So no local traffic can work through eth3.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On 14-Jul-07, at 7:59 PM, Tom Eastep wrote:
>> balancing works perfectly for http, but not for smtp etc.
>>
>
> http is being proxied, so all outgoing connections are from the
> firewall. One potential problem in your configuration is that you are
> not masquerading the local network (192.168.2.0/24) out of eth3. So
> no local traffic can work through eth3.

I did that and everything is fine. Now I have to add a third ISP - what will the masq file look like then?

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
Kenneth Gonsalves wrote:
> On 14-Jul-07, at 7:59 PM, Tom Eastep wrote:
>
>>> balancing works perfectly for http, but not for smtp etc.
>>>
>> http is being proxied, so all outgoing connections are from the
>> firewall. One potential problem in your configuration is that you are
>> not masquerading the local network (192.168.2.0/24) out of eth3. So
>> no local traffic can work through eth3.
>
> I did that and everything is fine. Now I have to add a third ISP -
> what will the masq file look like then?
>
For each of N firewall external addresses, you need to consider what happens if a connection with that address as SOURCE is sent out of each of M external interfaces.

And for each of L local LANs, you need to consider traffic that originates on that LAN and that is sent out of each of the M external interfaces.

Follow the above advice and it will work for N external addresses on M external interfaces with L internal LANs for all values of L, M and N.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Kenneth Gonsalves wrote:
>> Now I have to add a third ISP -
>> what will the masq file look like then?
>>
>
> For each of N firewall external addresses, you need to consider what
> happens if a connection with that address as SOURCE is sent out of each
> of M external interfaces.
>
> And for each of L local LANs, you need to consider traffic that
> originates on that LAN and that is sent out of each of the M external
> interfaces.
>
> Follow the above advice and it will work for N external addresses on M
> external interfaces with L internal LANs for all values of L, M and N.

I've added a section to http://www1.shorewall.net/MultiISP.html which should clarify.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
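Tom's N/M/L rule from the two messages above, turned into a small generator as an added example (not code from the thread, from Tom, or from Shorewall). It emits the three masq columns (interface, source, address): for each external interface, one line per other external address (the firewall's own traffic that the balancer sends out the "wrong" interface) plus one line per LAN. The three-ISP addresses below are constructed from the interface layout Kenneth posts later in the thread; the two-ISP case reproduces the masq file he posted, plus the missing LAN line Tom pointed out.

```python
"""Generate /etc/shorewall/masq entries for a multi-ISP firewall.

Added example, not Shorewall code. Columns: INTERFACE SOURCE ADDRESS.
"""


def masq_entries(externals, lans):
    """Return masq lines for the given external interfaces and LANs.

    externals: list of (interface, address) pairs, one per ISP link.
    lans:      list of local networks in CIDR form.

    For each external interface I with address A (M interfaces):
      - every other external address must be SNAT'd to A when a
        connection with that source leaves I (N addresses);
      - every LAN must be masqueraded to A when it leaves I (L LANs).
    That covers all L, M and N, as in the rule stated in the thread.
    """
    lines = []
    for iface, addr in externals:
        for other_iface, other_addr in externals:
            if other_iface != iface:
                lines.append(f"{iface}\t{other_addr}\t{addr}")
        for lan in lans:
            lines.append(f"{iface}\t{lan}\t{addr}")
    return lines


# Constructed from the ip route output later in the thread:
# eth1 202.71.146.210, eth2 192.168.10.3, eth3 192.168.107.55; LAN on eth0.
EXTERNALS = [
    ("eth1", "202.71.146.210"),
    ("eth2", "192.168.10.3"),
    ("eth3", "192.168.107.55"),
]
LANS = ["192.168.2.0/24"]


if __name__ == "__main__":
    print("#INTERFACE\tSOURCE\tADDRESS")
    print("\n".join(masq_entries(EXTERNALS, LANS)))
```

With M external interfaces and L LANs this produces M*(M-1) + M*L lines, so the third ISP in this thread needs nine entries rather than the two that the original masq file had. Each LAN line is the one that was missing for eth3 in the original configuration.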
On 16-Jul-07, at 11:56 PM, Tom Eastep wrote:
>> Follow the above advice and it will work for N external addresses
>> on M external interfaces with L internal LANs for all values of L, M
>> and N.
>
> I've added a section to http://www1.shorewall.net/MultiISP.html
> which should clarify.

I had more or less figured that out on my own, but it is nice to see it in black and white. I really appreciate the time you have taken to clarify the points and the documentation. I configured it and it is working (touch wood). The output of ip route ls is:

[root@agni lawgon]# ip route ls
202.71.146.208/28 dev eth1 proto kernel scope link src 202.71.146.210 metric 5
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.201 metric 5
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.3 metric 5
192.168.107.0/24 dev eth3 proto kernel scope link src 192.168.107.55 metric 5
default
        nexthop via 202.71.146.209 dev eth1 weight 1
        nexthop via 192.168.10.1 dev eth2 weight 2
        nexthop via 192.168.107.1 dev eth3 weight 2
default via 192.168.107.1 dev eth3 metric 5

I am worried about the last line - eth3 is an unreliable ISP, but it is shown as default. I want eth1 as default. I have listed eth3 last in every config, so how do I prevent it from being the default?

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
Kenneth Gonsalves wrote:
>
> [root@agni lawgon]# ip route ls
> 202.71.146.208/28 dev eth1 proto kernel scope link src 202.71.146.210 metric 5
> 192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.201 metric 5
> 192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.3 metric 5
> 192.168.107.0/24 dev eth3 proto kernel scope link src 192.168.107.55 metric 5
> default
>         nexthop via 202.71.146.209 dev eth1 weight 1
>         nexthop via 192.168.10.1 dev eth2 weight 2
>         nexthop via 192.168.107.1 dev eth3 weight 2
> default via 192.168.107.1 dev eth3 metric 5
>
> I am worried about the last line - eth3 is an unreliable ISP, but it
> is shown as default. I want eth1 as default. I have listed eth3 last
> in every config, so how do I prevent it from being the default?

I don't know -- Shorewall isn't doing that; you are, in the rest of your routing configuration. The fact that it has a metric of 5 prevents it from being replaced by the route above it (which Shorewall *is* generating). But so long as the route above it is in place, the last one is irrelevant.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On 17-Jul-07, at 7:18 AM, Tom Eastep wrote:
>> I am worried about the last line - eth3 is an unreliable ISP, but it
>> is shown as default. I want eth1 as default. I have listed eth3 last
>> in every config, so how do I prevent it from being the default?
>
> I don't know -- Shorewall isn't doing that; you are, in the rest of
> your routing configuration. The fact that it has a metric of 5
> prevents it from being replaced by the route above it (which
> Shorewall *is* generating). But so long as the route above it is in
> place, the last one is irrelevant.

the metric is automatically set by the Mandriva GUI interface - I will read up on that and change it. Thanks again - if you are ever in Chennai, beer is on me.

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/