Shorewall users - Aug 2007 - Multi-ISP + Traffic Shaping Problem (Shorewall 3.4.5)

Hi All,

I have a triple ISP, double DMZ, single LAN firewall that isn''t routing
traffic over the secondary and tertiary ISP''s.  All traffic is heading
out
over the primary link :(  Here''s a basic diagram of our firewall, the
modems
on the triplet of Internet connections simply hold up the PPPoA/E links and 
NAT the NET1/2/3 addresses to the respective outside IP:

                  +---------{*INTERNET*}--------+
                  |              |              |
              (modem1)       (modem2)       (modem3)
             172.16.3.1     172.16.4.1     172.16.5.1
                  |              |              |
                NET1           NET2           NET2
                  |              |              |
             172.16.3.2     172.16.4.1     172.16.5.2
               (eth3)         (eth4)         (eth5)
                  |              |              |
                +-+--------------+--------------+-+
10.10.100.0/24  |                                 |  10.10.101.0/24
DMZ1 - (eth1) --+             FIREWALL            +-- (eth2) - DMZ2
                |                                 |
                +----------------+----------------+
                                 |
                               (eth0)
                            10.10.10.0/24
                                LAN

Attached is a recent shorewall dump.  Below is the relevant files (let me know 
if I missed any):

The physical interfaces are abstracted out in the "params" file:
LAN_IF=eth0
DMZ1_IF=eth1
DMZ2_IF=eth2
NET_IF1=eth3
NET_IF2=eth4
NET_IF3=eth5

interfaces:
#ZONE	INTERFACE	BROADCAST	OPTIONS
lan	$LAN_IF		detect		routeback
dmz1	$DMZ1_IF	detect		-
dmz2	$DMZ2_IF	detect		-
net	$NET_IF1	detect		$NET_OPTIONS
net	$NET_IF2	detect		$NET_OPTIONS
net	$NET_IF3	detect		$NET_OPTIONS
... where
NET_OPTIONS=arp_filter,nosmurfs,tcpflags,routefilter

providers:
#NAME NUMBER MARK  DUPLICATE INTERFACE GATEWAY     OPTIONS   COPY
squid 1	     202   -         $LAN_IF   $PROXYSVR   loose     -
$ISP1 2	     1     main      $NET_IF1  $NET_IF1_GW $PROVOPTS $COPY
$ISP2 3	     2     main      $NET_IF2  $NET_IF2_GW $PROVOPTS $COPY
$ISP3 4	     3     main      $NET_IF3  $NET_IF3_GW $PROVOPTS $COPY
...where:
COPY=$LAN_IF,$DMZ1_IF,$DMZ2_IF (ie. eth0,eth1,eth2)
PROVOPTS=track,loose
The NET_IFx_GW variables are the ADSL modems'' IP''s (again,
defined in params)
as follows:
NET_IF1_GW=172.16.3.1
NET_IF2_GW=172.16.4.1
NET_IF3_GW=172.16.5.1

tcdevices:
#INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
$NET_IF1        $NET_IF1_IN     $NET_IF1_OUT
$NET_IF2        $NET_IF2_IN     $NET_IF2_OUT
$NET_IF3        $NET_IF3_IN     $NET_IF3_OUT

tcclasses:
#INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
#
# Primary Interface (ADSL2+ 24M/1.5M)
$NET_IF1   10   full      full      1        tcp-ack,tos-minimize-delay
$NET_IF1   20   9*full/10 9*full/10 2
$NET_IF1   30	6*full/10 6*full/10 3        default
#
# Secondary Interface (ADSL1 1.5M/256K)
$NET_IF2   40   full      full      4        tcp-ack,tos-minimize-delay
$NET_IF2   50   6*full/10 6*full/10 5        default
#
# Tertiary Interface (ADSL1 512K/128K)
$NET_IF3   60   full      full      6        default

tcrules:
#MARK SOURCE       DEST    PROTO DEST SOURCE USER TEST LENGTH TOS
#                                PORT PORT
10    $LAN_NETWORK $ANY_IP tcp   ssh  -      -    -    0:512
20    $LAN_NETWORK $ANY_IP tcp   ssh  -      -    -    513:
20    $LAN_NETWORK $ANY_IP tcp   $WWW
20    $LAN_NETWORK $ANY_IP tcp   $FTP
30    $LAN_NETWORK $ANY_IP tcp   nntp
40    $LAN_NETWORK $ANY_IP tcp   $STREAM
50    $LAN_NETWORK $ANY_IP tcp   $ALLMAIL
50    $LAN_NETWORK $ANY_IP tcp   $IM
50    $LAN_NETWORK $ANY_IP udp   $IM
50    $LAN_NETWORK $ANY_IP tcp   $P2P
50    $LAN_NETWORK $ANY_IP udp   $P2P
50    $LAN_NETWORK $ANY_IP tcp   $GAMES
50    $LAN_NETWORK $ANY_IP udp   $GAMES
50    $LAN_NETWORK $ANY_IP all

I thought I followed all the docs but I feel like I''ve missed something
really
basic.  Any insights?

Thanks in advance,

James
-- 
Test-tube babies shouldn''t throw stones.



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

James Gray wrote:
> 
> I thought I followed all the docs but I feel like I''ve missed
something really
> basic.
Like maybe Shorewall FAQ 57?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Tom Eastep wrote:
> James Gray wrote:
> 
>> I thought I followed all the docs but I feel like I''ve missed
something really
>> basic.
> 
> Like maybe Shorewall FAQ 57?
> 
And if you follow that FAQ and still have problems, then please consider
this from the MultiISP article:

	Important

	If you specify ''balance'' and still find that all traffic is
	going out through only one provider, you may need to install a
	kernel built with CONFIG_IP_ROUTE_MULTIPATH_CACHED=n. Several
	users have reported that this change has corrected similar
	problems.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

James Gray wrote:
> The NET_IFx_GW variables are the ADSL modems'' IP''s
(again, defined in params)
> as follows:
> NET_IF1_GW=172.16.3.1
> NET_IF2_GW=172.16.4.1
> NET_IF3_GW=172.16.5.1
> 
> tcdevices:
> #INTERFACE      IN-BANDWITH     OUT-BANDWIDTH
> $NET_IF1        $NET_IF1_IN     $NET_IF1_OUT
> $NET_IF2        $NET_IF2_IN     $NET_IF2_OUT
> $NET_IF3        $NET_IF3_IN     $NET_IF3_OUT
> 
> tcclasses:
> #INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
> #
> # Primary Interface (ADSL2+ 24M/1.5M)
> $NET_IF1   10   full      full      1        tcp-ack,tos-minimize-delay
> $NET_IF1   20   9*full/10 9*full/10 2
> $NET_IF1   30	6*full/10 6*full/10 3        default
> #
> # Secondary Interface (ADSL1 1.5M/256K)
> $NET_IF2   40   full      full      4        tcp-ack,tos-minimize-delay
> $NET_IF2   50   6*full/10 6*full/10 5        default
> #
> # Tertiary Interface (ADSL1 512K/128K)
> $NET_IF3   60   full      full      6        default
> 
> tcrules:
> #MARK SOURCE       DEST    PROTO DEST SOURCE USER TEST LENGTH TOS
> #                                PORT PORT
> 10    $LAN_NETWORK $ANY_IP tcp   ssh  -      -    -    0:512
> 20    $LAN_NETWORK $ANY_IP tcp   ssh  -      -    -    513:
> 20    $LAN_NETWORK $ANY_IP tcp   $WWW
> 20    $LAN_NETWORK $ANY_IP tcp   $FTP
> 30    $LAN_NETWORK $ANY_IP tcp   nntp
> 40    $LAN_NETWORK $ANY_IP tcp   $STREAM
> 50    $LAN_NETWORK $ANY_IP tcp   $ALLMAIL
> 50    $LAN_NETWORK $ANY_IP tcp   $IM
> 50    $LAN_NETWORK $ANY_IP udp   $IM
> 50    $LAN_NETWORK $ANY_IP tcp   $P2P
> 50    $LAN_NETWORK $ANY_IP udp   $P2P
> 50    $LAN_NETWORK $ANY_IP tcp   $GAMES
> 50    $LAN_NETWORK $ANY_IP udp   $GAMES
> 50    $LAN_NETWORK $ANY_IP all
> 
In taking another look at your configuration this morning, I see a couple of
more problems:

a)  You have MARK_IN_FORWARD_CHAIN=No in shorewall.conf so all of your
marking rules are going in the PREROUTING chain. With multi-ISP routing,
your traffic shaping marking must be done in the FORWARD chain.

b)  You have failed to grasp the notion that tcrules are
''last-match-wins''
not ''first-match''wins''. So all traffic through your
router is being marked
with fwmark = 50.

These two blunders have an effect on your multi-ISP problem. After
PREROUTING, all packets have a mark value of 50. That doesn''t match any
of
the fwmark values given for your Providers so traffic is routed according to
the ''main'' routing table.  Because you didn''t specify
''balance'' on your
providers, your main routing table has a single default route via eth3 so
all traffic is sent out of that interface.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Tom Eastep wrote:
> James Gray wrote:
> 
>> I thought I followed all the docs but I feel like I''ve missed
something really
>> basic.
> 
> Like maybe Shorewall FAQ 57?
> 
> -Tom
Thanks Tom.  I really appreciate the fast response :)  I''ve been doing 
most of the config offline using the 3.x PDF documentation, and it 
doesn''t lay it out as plainly as FAQ 57.  My bad.

I replaced "loose" with "balance" in the providers options. 
However,
after restarting shorewall (sudo service shorewall restart) the routing 
totally wigged out.  Traffic was going out on the two interfaces 
(ISP1/2) but if data was coming back, it wasn''t reaching the clients. 
I
reverted to the old config and all was good (all traffic on one interface).

I''ve simplified the config to ignore the 3rd ISP at this stage and
I''ll
see if the new (untried) 2 ISP config fairs any better.  Has anyone else 
seen this sort of problem though?  The traffic shaping rules are the 
same in the new config as my original post, but the providers file has 
had the 3rd ISP removed if anyone wants to look at the setup.

*Sigh*...more fiddling.  Again, thanks for your help Tom.

-- 
James





-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

James Gray wrote:
> Tom Eastep wrote:
>> James Gray wrote:
>>
>>> I thought I followed all the docs but I feel like I''ve
missed something really
>>> basic.
>> Like maybe Shorewall FAQ 57?
>>
>> -Tom
> 
> Thanks Tom.  I really appreciate the fast response :)  I''ve been
doing
> most of the config offline using the 3.x PDF documentation, and it 
> doesn''t lay it out as plainly as FAQ 57.  My bad.
> 
> I replaced "loose" with "balance" in the providers
options.  However,
> after restarting shorewall (sudo service shorewall restart) the routing 
> totally wigged out.  Traffic was going out on the two interfaces 
> (ISP1/2) but if data was coming back, it wasn''t reaching the
clients.  I
> reverted to the old config and all was good (all traffic on one interface).
Your tcrules are so completely broken (see my other post) that this
isn''t surprising.

I suggest that you totally forget traffic shaping for the time being and
get multi-ISP working the way that you want it. Then *and only then*
should you add traffic shaping.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Wed, 15 Aug 2007 09:55:06 am Tom Eastep wrote:
> James Gray wrote:
> > Tom Eastep wrote:
> >> James Gray wrote:
> >>> I thought I followed all the docs but I feel like
I''ve missed something
> >>> really basic.
> >>
> >> Like maybe Shorewall FAQ 57?
> >>
> >> -Tom
> >
> > Thanks Tom.  I really appreciate the fast response :)  I''ve
been doing
> > most of the config offline using the 3.x PDF documentation, and it
> > doesn''t lay it out as plainly as FAQ 57.  My bad.
> >
> > I replaced "loose" with "balance" in the providers
options.  However,
> > after restarting shorewall (sudo service shorewall restart) the
routing
> > totally wigged out.  Traffic was going out on the two interfaces
> > (ISP1/2) but if data was coming back, it wasn''t reaching the
clients.  I
> > reverted to the old config and all was good (all traffic on one
> > interface).
>
> Your tcrules are so completely broken (see my other post) that this
> isn''t surprising.
:P  Yep - I''ve reversed them (but am leaving them commented out for
now) and
re-read the documentation.  I''ve also fixed the MARK_IN_FORWARD_CHAIN
in
shorewall.conf.
> I suggest that you totally forget traffic shaping for the time being and
> get multi-ISP working the way that you want it. Then *and only then*
> should you add traffic shaping.
Yup.  I''m coming from a Cisco background and whilst I understand TCP/IP
networking, they way all this shaping and routing stuff happens in Linux is 
new.  I''m already on the road you have suggested - keep it simple, get
the
multi-ISP setup working, then worry about traffic shaping.

I really appreciate your help.  Do you have a paypal account for donations? 
(seriously)

Cheers,

James


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

James Gray wrote:
> 
> I really appreciate your help.  Do you have a paypal account for donations?
> (seriously)
>
Please see the Shorewall home page
(http://www.shorewall.net/shorewall_index.htm#Donations). I prefer that
donations be made to one of my charities or to a charity of your choice.

Thanks!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

On Wed, 15 Aug 2007 09:55:06 am Tom Eastep wrote:
> James Gray wrote:
> > Tom Eastep wrote:
> >> James Gray wrote:
> >>> I thought I followed all the docs but I feel like
I''ve missed something
> >>> really basic.
> >>
> >> Like maybe Shorewall FAQ 57?
> >>
> >> -Tom
> >
> > Thanks Tom.  I really appreciate the fast response :)  I''ve
been doing
> > most of the config offline using the 3.x PDF documentation, and it
> > doesn''t lay it out as plainly as FAQ 57.  My bad.
> >
> > I replaced "loose" with "balance" in the providers
options.  However,
> > after restarting shorewall (sudo service shorewall restart) the
routing
> > totally wigged out.  Traffic was going out on the two interfaces
> > (ISP1/2) but if data was coming back, it wasn''t reaching the
clients.  I
> > reverted to the old config and all was good (all traffic on one
> > interface).
>
> Your tcrules are so completely broken (see my other post) that this
> isn''t surprising.
>
> I suggest that you totally forget traffic shaping for the time being and
> get multi-ISP working the way that you want it. Then *and only then*
> should you add traffic shaping.
Ok.  I got the multi-ISP stuff going without any traffic shaping but
that''s
not particularly useful for us.  We must have certain traffic going out over 
specific links, otherwise the service will fail (tcpwrappers
"paranoid" and
certain services that must originate from one link or the other).  But 
there''s traffic that should be going over specific links over both, and
other
traffic bound to an interface that should be on the other :(

For instance, ALL ssh (tcp/22) traffic should be going out over NET_IF1 (eth3, 
via 172.16.3.1) with mark of 10 or 20.  But here''s a tcp trace from the
LAN:

$tcptraceroute XX.XX.XX.XX 22
Selected device eth0, address 10.10.10.74, port 37321 for outgoing packets
Tracing the path to XX.XX.XX.XX on TCP port 22 (ssh), 30 hops max
 1  10.10.10.1  0.727 ms  0.142 ms  0.128 ms
 2  172.16.4.1  0.859 ms  0.656 ms  0.643 ms  <--- *** NO! ***
 3  203.38.103.1  11.029 ms  10.983 ms  9.575 ms
 4  TenGigabitEthernet8-1.ken17.Sydney.telstra.net (203.50.20.27)  10.486 ms  
10.770 ms  11.849 ms
 5  ge-2-1-0-25.bdr5.hay.connect.com.au (203.63.130.250)  11.091 ms  10.497 ms  
12.283 ms
 6  gigabitethernet0-1.cor10.hay.connect.com.au (203.63.217.3)  11.623 ms  
11.821 ms  10.474 ms
 7  * * *

Hop #2 should be going out via 172.16.3.1.  The router it''s going
through is
actually NET_IF2 (eth4).  Consequently, the traffic is dropped because the 
destination will only accept connections from the first ISP (NET_IF1).  I 
thought the config below would achieve the desired result...but apparently 
not.

I''ve changed the providers OPTIONS for the two ISP''s to
"track,balance".
Which got things working...apart from this weird traffic/routing behaviour.  
Attached is another shorewall dump whilst running with the config below.

tcrules:
#MARK SOURCE        DEST    PROTO DEST     SOURCE   USER     TEST LENGTH TOS
#                                          PORT(S)  PORT(S)
50    $ANY_IP
50    $FW
50    $LAN_NETWORK  $ANY_IP udp	  $GAMES
50    $LAN_NETWORK  $ANY_IP tcp	  $GAMES
50    $LAN_NETWORK  $ANY_IP udp	  $P2P
50    $LAN_NETWORK  $ANY_IP tcp	  $P2P
50    $LAN_NETWORK  $ANY_IP udp	  $IM
50    $LAN_NETWORK  $ANY_IP tcp   $IM
50    $LAN_NETWORK  $ANY_IP tcp   $ALLMAIL
40    $LAN_NETWORK  $ANY_IP tcp   $STREAM
30    $LAN_NETWORK  $ANY_IP tcp   nntp
30    $DMZ1_NETWORK $ANY_IP tcp   $ALLMAIL
20    $LAN_NETWORK  $ANY_IP tcp   $FTP
20    $LAN_NETWORK  $ANY_IP tcp   $WWW
20    $LAN_NETWORK  $ANY_IP tcp   ssh     -         -        -    513:
10    $LAN_NETWORK  $ANY_IP tcp   domain
10    $LAN_NETWORK  $ANY_IP udp   domain
10    $LAN_NETWORK  $ANY_IP tcp   ssh     -         -        -    0:512

tcclasses:
#INTERFACE MARK RATE      CEIL      PRIORITY OPTIONS
$NET_IF1   10   full      full      1        tcp-ack,tos-minimize-delay
$NET_IF1   20   9*full/10 9*full/10 2
$NET_IF1   30   6*full/10 6*full/10 3        default

$NET_IF2   40   full      full      4        tcp-ack,tos-minimize-delay
$NET_IF2   50   6*full/10 6*full/10 5        default

providers:
#NAME NUMBER MARK DUPLICATE   INTERFACE   GATEWAY       OPTIONS   COPY
squid 1      202  -           $LAN_IF     $PROXYSVR     loose     -
$ISP1 2      1    main        $NET_IF1    $NET_IF1_GW   $PROVOPTS $COPY
$ISP2 3      2    main        $NET_IF2    $NET_IF2_GW   $PROVOPTS $COPY
(COPY=eth0,eth1,eth2)

What is left to make this work....it feels close :-/

Cheers,

James
-- 
"All snakes who wish to remain in Ireland will please raise their right 
hands."
		-- Saint Patrick



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

James Gray wrote:
> On Wed, 15 Aug 2007 09:55:06 am Tom Eastep wrote:
>> James Gray wrote:
>>> Tom Eastep wrote:
>>>> James Gray wrote:
>>>>> I thought I followed all the docs but I feel like
I''ve missed something
>>>>> really basic.
>>>> Like maybe Shorewall FAQ 57?
>>>>
>>>> -Tom
>>> Thanks Tom.  I really appreciate the fast response :) 
I''ve been doing
>>> most of the config offline using the 3.x PDF documentation, and it
>>> doesn''t lay it out as plainly as FAQ 57.  My bad.
>>>
>>> I replaced "loose" with "balance" in the
providers options.  However,
>>> after restarting shorewall (sudo service shorewall restart) the
routing
>>> totally wigged out.  Traffic was going out on the two interfaces
>>> (ISP1/2) but if data was coming back, it wasn''t reaching
the clients.  I
>>> reverted to the old config and all was good (all traffic on one
>>> interface).
>> Your tcrules are so completely broken (see my other post) that this
>> isn''t surprising.
>>
>> I suggest that you totally forget traffic shaping for the time being
and
>> get multi-ISP working the way that you want it. Then *and only then*
>> should you add traffic shaping.
> 
> Ok.  I got the multi-ISP stuff going without any traffic shaping but
that''s
> not particularly useful for us.  We must have certain traffic going out
over
> specific links, otherwise the service will fail (tcpwrappers
"paranoid" and
> certain services that must originate from one link or the other).  But 
> there''s traffic that should be going over specific links over
both, and other
> traffic bound to an interface that should be on the other :(
> 
> For instance, ALL ssh (tcp/22) traffic should be going out over NET_IF1
(eth3,
> via 172.16.3.1) with mark of 10 or 20.  But here''s a tcp trace
from the LAN:
> 
That is only for traffic control, that is in the forward chain. The mark
of 10 or 20 relates to routing and a provider how??
> $tcptraceroute XX.XX.XX.XX 22
> Selected device eth0, address 10.10.10.74, port 37321 for outgoing packets
> Tracing the path to XX.XX.XX.XX on TCP port 22 (ssh), 30 hops max
>  1  10.10.10.1  0.727 ms  0.142 ms  0.128 ms
>  2  172.16.4.1  0.859 ms  0.656 ms  0.643 ms  <--- *** NO! ***
>  3  203.38.103.1  11.029 ms  10.983 ms  9.575 ms
>  4  TenGigabitEthernet8-1.ken17.Sydney.telstra.net (203.50.20.27)  10.486
ms
> 10.770 ms  11.849 ms
>  5  ge-2-1-0-25.bdr5.hay.connect.com.au (203.63.130.250)  11.091 ms  10.497
ms
> 12.283 ms
>  6  gigabitethernet0-1.cor10.hay.connect.com.au (203.63.217.3)  11.623 ms  
> 11.821 ms  10.474 ms
>  7  * * *
> 
> Hop #2 should be going out via 172.16.3.1.  The router it''s going
through is
> actually NET_IF2 (eth4).  Consequently, the traffic is dropped because the 
> destination will only accept connections from the first ISP (NET_IF1).  I 
> thought the config below would achieve the desired result...but apparently 
> not.
> 
> I''ve changed the providers OPTIONS for the two ISP''s to
"track,balance".
> Which got things working...apart from this weird traffic/routing behaviour.
> Attached is another shorewall dump whilst running with the config below.
> 
> tcrules:
> #MARK SOURCE        DEST    PROTO DEST     SOURCE   USER     TEST LENGTH
TOS
> #                                          PORT(S)  PORT(S)
<snip>
> 20    $LAN_NETWORK  $ANY_IP tcp   ssh     -         -        -    513:
> 10    $LAN_NETWORK  $ANY_IP tcp   ssh     -         -        -    0:512
> 

the routing rules:

0:	from all lookup local
10001:	from all fwmark 0x1 lookup IINET
10002:	from all fwmark 0x2 lookup TELSTRA
10202:	from all fwmark 0xca lookup squid
20256:	from 172.16.3.2 lookup IINET
20512:	from 172.16.4.2 lookup TELSTRA
32766:	from all lookup main
32767:	from all lookup default

When using the tcrules file to override balancing to use only one isp,
you should be using the providers'' mark here (in the tcpre chain, that
is part of the prerouting chain) to direct traffic into the providers''
routing table to pick your preferred isp. You''ll need to use something
like:

1:P    $LAN_NETWORK  $ANY_IP tcp   ssh

1 = mark of your "preferred" provider
P = use mark in prerouting chain
> 
> What is left to make this work....it feels close :-/
> 
> Cheers,
> 
> James
> 
Hope that is your fix..

Jerry



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

From: "Jerry Vonau"
>> For instance, ALL ssh (tcp/22) traffic should be going out over NET_IF1
(eth3,
>> via 172.16.3.1) with mark of 10 or 20.  But here''s a tcp trace
from the LAN:
>
> That is only for traffic control, that is in the forward chain. The mark
> of 10 or 20 relates to routing and a provider how??
Thanks Jerry.  I was of the understanding that as the marks 10/20 are associated
with the interface for the required ISP, that traffic so marked will be routed
out that ISP:

tcclasses:
#INTERFACE MARK RATE      CEIL       PRIORITY OPTIONS
$NET_IF1   10   full      full       1        tcp-ack,tos-minimize-delay
$NET_IF1   20   9*full/10 9*full/10  2
$NET_IF1   30   6*full/10 6*full/10  3        default
...etc
>> tcrules:
>> #MARK SOURCE        DEST    PROTO DEST     SOURCE   USER     TEST
LENGTH TOS
>> #                                          PORT(S)  PORT(S)
<snip>
>> 20    $LAN_NETWORK  $ANY_IP tcp   ssh     -         -        -    513:
>> 10    $LAN_NETWORK  $ANY_IP tcp   ssh     -         -        -    0:512
>
> the routing rules:
>
> 0:	from all lookup local
> 10001:	from all fwmark 0x1 lookup IINET
> 10002:	from all fwmark 0x2 lookup TELSTRA
> 10202:	from all fwmark 0xca lookup squid
> 20256:	from 172.16.3.2 lookup IINET
> 20512:	from 172.16.4.2 lookup TELSTRA
> 32766:	from all lookup main
> 32767:	from all lookup default
> 
> When using the tcrules file to override balancing to use only one isp,
> you should be using the providers'' mark here (in the tcpre chain,
that
> is part of the prerouting chain) to direct traffic into the
providers''
> routing table to pick your preferred isp. You''ll need to use
something like:
> 
> 1:P    $LAN_NETWORK  $ANY_IP tcp   ssh
> 
> 1 = mark of your "preferred" provider
> P = use mark in prerouting chain
Wont that bypass the traffic shaping?  That''s a show stopper for us. 
We rely heavily on SSH and it can''t really be delayed waiting for Joe
User to finish downloading a CD ISO :(  Maybe I should be using classes in the
tcrules instead:

providers:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY      OPTIONS   COPY
$ISP1 1      1    main      $NET_IF1  $NET_IF1_GW  $PROVOPTS $COPY
$ISP2 2      2    main      $NET_IF2  $NET_IF2_GW  $PROVOPTS $COPY
squid 3      202  -         $LAN_IF   $PROXYSVR    loose     -

tcrules:
#MARK SOURCE        DEST    PROTO DEST     SOURCE   USER     TEST LENGTH TOS
#                                          PORT(S)  PORT(S)
-- Snipped --
1:120    $LAN_NETWORK  $ANY_IP tcp   ssh     -         -        -    513:
1:110    $LAN_NETWORK  $ANY_IP tcp   ssh     -         -        -    0:512 

Or is this a two-step process?  One rule in the prerouting chain to force a
specific ISP, then another rule in the forward chain to mark the traffic for
shaping?
>> What is left to make this work....it feels close :-/
>
> Hope that is your fix..
Me too Jerry :)  I''ll give it a shot, but like I said, even if the
routing works we need the traffic shaping too.

Cheers,

James

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/