Dear list,

Shorewall is running here with 2 ISPs:
ISP1: corporate ADSL-line with fixed set of IPs
ISP2: fast consumer-grade cable-connection with higher bandwidth
All our main traffic (web, e-mail) is routed through ISP1. Only for special purposes (frequent large ftp-transfers) ISP2 is used, configured through tcrules.

ISP2 is not so reliable as ISP1 (duh) and they sometimes change the IP-address of our connection. When the link is down, I'd like all traffic to go through ISP1 and alert myself by e-mail. If the IP-address of ISP2 changes, I'd like networking and shorewall to be restarted in order to initialize correct routing and firewall rules.

Which tools can be used to monitor connections (up-down, IP) and act upon changes? Any experience? I've been looking into Paul Gear's article but that doesn't really implement what I want. I understood shorewall can be loaded with a different set of configuration files, so I could create files for every scenario and load them with appropriate command lines.

--
Best regards,
Sjon Wijnolst

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
On 12-Sep-07, at 4:30 PM, Sjon Wijnolst wrote:
> Which tools can be used to monitor connections (up-down, IP) and act
> upon changes? Any experience? I've been looking into Paul Gear's
> article but that doesn't really implement what I want. I understood
> shorewall can be loaded with a different set of configuration
> files, so
> I could create files for every scenario and load them with appropriate
> command lines.

the config files are not a problem - the problem is, how do you detect when the ISP goes down, or, more important, when it comes up again? I have been struggling with this for some time. When one ISP goes down, things get messed up until we notice and change the configuration - then we have to watch to see when it comes up.

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
-------------------------------------------------------------------------
As you are using an ADSL line - an ip-up script can be used by the ppp-daemon. I'd modify the script to actually perform the tasks you require.

Cheers
Joerg

Sjon Wijnolst wrote:
> Dear list,
>
> Shorewall is running here with 2 ISPs:
> ISP1: corporate ADSL-line with fixed set of IPs
> ISP2: fast consumer-grade cable-connection with higher bandwidth
> All our main traffic (web, e-mail) is routed through ISP1. Only for
> special purposes (frequent large ftp-transfers) ISP2 is used, configured
> through tcrules.
>
> ISP2 is not so reliable as ISP1 (duh) and they sometimes change the
> IP-address of our connection. When the link is down, I'd like all
> traffic to go through ISP1 and alert myself by e-mail. If the IP-address
> of ISP2 changes, I'd like networking and shorewall to be restarted in
> order to initialize correct routing and firewall rules.
>
> Which tools can be used to monitor connections (up-down, IP) and act
> upon changes? Any experience? I've been looking into Paul Gear's
> article but that doesn't really implement what I want. I understood
> shorewall can be loaded with a different set of configuration files, so
> I could create files for every scenario and load them with appropriate
> command lines.
>
> --
> Best regards,
> Sjon Wijnolst
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
------------------------------------------------------------------------
| Joerg Mertin             : smurphy@solsys.org (Home) |
| in Forchheim/Germany     : smurphy@linux.de (Alt1)   |
| Stardust's LiNUX System  :                           |
| Web: http://www.solsys.org                           |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
-------------------------------------------------------------------------
Kenneth Gonsalves wrote:
> On 12-Sep-07, at 4:30 PM, Sjon Wijnolst wrote:
>
> the config files are not a problem - the problem is, how do you
> detect when the ISP goes down, or, more important, when it comes up
> again?

That's exactly where my problem is: monitoring the connection and acting upon events. Thank you for the summary :-)

--
Best regards,
Sjon Wijnolst
-------------------------------------------------------------------------
Joerg Mertin wrote:
> As you are using an ADSL line - an ip-up script can be used by the
> ppp-daemon. I'd modify the script to actually perform the tasks you require.

The ADSL-line is supplied with an ethernet-router, no PPP-links required.

My first concern is monitoring ISP2 for failing and ip-changes - a next step would be to also include failover for ISP1. Since that connection is very reliable, it is not my main concern.

--
Best regards,
Sjon Wijnolst
-------------------------------------------------------------------------
On 9/12/07, Kenneth Gonsalves <lawgon@au-kbc.org> wrote:
>
> On 12-Sep-07, at 4:30 PM, Sjon Wijnolst wrote:
>
> > Which tools can be used to monitor connections (up-down, IP) and act
> > upon changes? Any experience? I've been looking into Paul Gear's
> > article but that doesn't really implement what I want. I understood
> > shorewall can be loaded with a different set of configuration
> > files, so
> > I could create files for every scenario and load them with appropriate
> > command lines.
>
> the config files are not a problem - the problem is, how do you
> detect when the ISP goes down, or, more important, when it comes up
> again? I have been struggling with this for some time. When one ISP
> goes down, things get messed up until we notice and change the
> configuration - then we have to watch to see when it comes up.

I have two DSL lines, each of them is rather unreliable, going down and up frequently. My solution is to arping the gateways for the two lines every 5 seconds or so, and if a line is not responding, then add an ip rule to direct all traffic via another line. Then when the line is back, this ip rule is deleted. The actual script is very simple and it works well. This way shorewall doesn't have to be restarted, and tc rules are also not affected.

Regards,
Gregory
-------------------------------------------------------------------------
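The arping-plus-ip-rule approach described in the message above, as an added example; it is not Gregory's dualgw-failover script and not part of the original thread. Interface names, gateway addresses, routing-table names, the rule priority and the three-miss threshold are assumptions, the arping flags are those of the iputils version, and the requirement of several consecutive misses goes slightly beyond what the message describes.

```shell
#!/bin/sh
# Added example: dual-gateway watchdog (ARP probe + one override "ip rule").
# Every value below is an assumption for illustration, not taken from the thread.
IF1=eth1; GW1=192.0.2.1;    TABLE1=ISP1   # line 1: interface, gateway, routing table
IF2=eth2; GW2=198.51.100.1; TABLE2=ISP2   # line 2
OVERRIDE_PREF=900        # assumed to sort ahead of the per-provider routing rules
FAIL_LIMIT=3             # consecutive missed probes before a line counts as down
INTERVAL=5               # seconds between probe rounds
DRY_RUN=${DRY_RUN:-1}    # 1 = print the commands instead of running them
current=none             # table the override rule points at right now, or "none"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# ARP-probe a gateway on its own interface (iputils arping flags assumed).
# This proves only that the first hop answers, not that the ISP routes traffic.
probe() {
    if arping -q -c 2 -w 3 -I "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# next_state STATE FAILS RESULT -> prints "STATE FAILS".
# One answered probe brings a line back up; going down takes FAIL_LIMIT misses in a row.
next_state() {
    if [ "$3" = ok ]; then echo "up 0"; return 0; fi
    fails=$(( $2 + 1 ))
    if [ "$fails" -ge "$FAIL_LIMIT" ]; then echo "down $FAIL_LIMIT"; else echo "$1 $fails"; fi
}

# desired_override STATE1 STATE2 -> table all traffic should be forced into, or "none".
desired_override() {
    case "$1/$2" in
        down/up) echo "$TABLE2" ;;
        up/down) echo "$TABLE1" ;;
        *)       echo none ;;   # both up: normal routing; both down: nowhere to fail over to
    esac
}

# reconcile DESIRED: make the installed override rule match DESIRED, update $current.
reconcile() {
    [ "$current" = "$1" ] && return 0
    [ "$current" = none ] || run ip rule del from all table "$current" pref "$OVERRIDE_PREF" || true
    current=none
    if [ "$1" != none ]; then
        run ip rule add from all table "$1" pref "$OVERRIDE_PREF" || return 1
        current=$1
    fi
    run logger -t gw-watchdog "routing override is now: $current" || true
}

main_loop() {
    s1=up; f1=0; s2=up; f2=0
    # Drop an override left behind by an earlier run of this script.
    for t in "$TABLE1" "$TABLE2"; do
        run ip rule del from all table "$t" pref "$OVERRIDE_PREF" 2>/dev/null || true
    done
    while :; do
        set -- $(next_state "$s1" "$f1" "$(probe "$IF1" "$GW1")"); s1=$1; f1=$2
        set -- $(next_state "$s2" "$f2" "$(probe "$IF2" "$GW2")"); s2=$1; f2=$2
        reconcile "$(desired_override "$s1" "$s2")" || true
        sleep "$INTERVAL"
    done
}

# Nothing runs unless asked: "DRY_RUN=0 ./gw-watchdog --run" as root to go live.
if [ "${1:-}" = "--run" ]; then main_loop; fi
```

Because the override is a single rule at a fixed priority, removing it returns routing to whatever the firewall configured, so the firewall itself is never reloaded by the watchdog.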
Grigory Mokhin wrote:
> On 9/12/07, Kenneth Gonsalves <lawgon@au-kbc.org> wrote:
>
> I have two DSL lines, each of them is rather unreliable, going down
> and up frequently. My solution is to arping the gateways for the two
> lines every 5 seconds or so, and if a line is not responding, then add
> an ip rule to direct all traffic via another line. Then when the line
> is back, this ip rule is deleted. The actual script is very simple and
> it works well. This way shorewall doesn't have to be restarted, and tc
> rules are also not affected.

That could be a solution for when ISP2 really goes down.

Since this doesn't happen every day, and I use tcrules to mark and direct traffic to one ISP or another, restarting Shorewall is needed and not a problem. With MultiISP-setup, Shorewall also sets the routing rules afaik.

--
Best regards,
Sjon Wijnolst
-------------------------------------------------------------------------
In that case you could misuse the ddclient (used for dyndns). It checks the IP on the router - if the link fails - your interface goes down - e.g. no more connection - and the system will notice there is no IP.

When the Interface comes back up - you can use that script to also trigger another script - adapted to your needs.

Used that back in time - when I still used Dynamic IPs ...

Cheers
Joerg
-------------------------------------------------------------------------
On 12-Sep-07, at 4:55 PM, Grigory Mokhin wrote:
> is back, this ip rule is deleted. The actual script is very simple and
> it works well. This way shorewall doesn't have to be restarted, and tc
> rules are also not affected.

could you share the script?

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
-------------------------------------------------------------------------
On 12-Sep-07, at 4:55 PM, Sjon Wijnolst wrote:
> The ADSL-line is supplied with an ethernet-router, no PPP-links
> required.
>
> My first concern is monitoring ISP2 for failing and ip-changes - a
> next
> step would be to also include failover for ISP1. Since that connection
> is very reliable, it is not my main concern.

for me, all three are through routers - 1 is reliable, 2 is somewhat reliable and 3 is unreliable

--
regards
Kenneth Gonsalves
Associate, NRC-FOSS
lawgon@au-kbc.org
http://nrcfosshelpline.in/web/
-------------------------------------------------------------------------
Ok. Do these routers have SNMP support? E.g. could you query the interface port status of these routers through an snmp-get call?

If yes - it would be easy to set something up. Check the interface status (routine to cycle through the results). If one interface is down - issue a command to reroute the traffic through another gateway ...

That's what I did when I was still working at an ISP... Don't have the code anymore - but it really was a 50-liner written in perl with netsnmp support. Fairly easy.

Cheers
Joerg

> for me, all three are through routers - 1 is reliable, 2 is somewhat
> reliable and 3 is unreliable
-------------------------------------------------------------------------
On 9/12/07, Sjon Wijnolst <sjon@salisbury.nl> wrote:
> > I have two DSL lines, each of them is rather unreliable, going down
> > and up frequently. My solution is to arping the gateways for the two
> > lines every 5 seconds or so, and if a line is not responding, then add
> > an ip rule to direct all traffic via another line. Then when the line
> > is back, this ip rule is deleted. The actual script is very simple and
> > it works well. This way shorewall doesn't have to be restarted, and tc
> > rules are also not affected.
>
> That could be a solution for when ISP2 really goes down.

That's also a solution when the link seems to be up, but ISP's gateway doesn't respond, as it is often the case with DSL bridges.

> Since this doesn't happen every day, and I use tcrules to mark and direct
> traffic to one ISP or another,

Why do you use tcrules for that? IP rules are used for routing, tc rules for shaping.

Regards,
Gregory
-------------------------------------------------------------------------
On 9/12/07, Kenneth Gonsalves <lawgon@au-kbc.org> wrote:
>
> could you share the script?

Yes. http://ra.bofh.lv/mok/dualgw-failover

Regards,
Gregory
-------------------------------------------------------------------------
On Wed, Sep 12, 2007 at 01:25:03PM +0200, Sjon Wijnolst wrote:
> Joerg Mertin wrote:
>
> > As you are using an ADSL line - an ip-up script can be used by the
> > ppp-daemon. I'd modify the script to actually perform the tasks you require.
>
> The ADSL-line is supplied with an ethernet-router, no PPP-links required.

Since the cheap consumer ADSL routers are usually awful routers and buggy, limited NAT devices, I always try to arrange for the PPP tunnel to extend as far as the firewall behind it. Some routers call this 'PPPoE passthrough', others make up names for it, but there's several on the market that can do it. If you can avoid letting the consumer junk touch the IP packets, life tends to go much more smoothly.

Having done that, your problem becomes trivial to solve.
-------------------------------------------------------------------------
Quoting Andrew Suffield <asuffield@suffields.me.uk>:
> On Wed, Sep 12, 2007 at 01:25:03PM +0200, Sjon Wijnolst wrote:
>> Joerg Mertin wrote:
>>
>> > As you are using an ADSL line - an ip-up script can be used by the
>> > ppp-daemon. I'd modify the script to actually perform the tasks
>> > you require.
>>
>> The ADSL-line is supplied with an ethernet-router, no PPP-links required.
>
> Since the cheap consumer ADSL routers are usually awful routers and
> buggy, limited NAT devices, I always try to arrange for the PPP tunnel
> to extend as far as the firewall behind it. Some routers call this
> 'PPPoE passthrough', others make up names for it, but there's several
> on the market that can do it. If you can avoid letting the consumer
> junk touch the IP packets, life tends to go much more smoothly.
>
> Having done that, your problem becomes trivial to solve.

I would strongly agree with Andrew on the router issue. At least if the PPPOE client is running on your Linux box you have much more control over how the link comes up and down. For instance you can configure how often the client checks the other end of the connection, if your DSL line is buggy it helps to minimise down time. Indeed a lot of DSL routers seem to give up after having a few problems until you reboot them. Not very good at all.

As Andrew says most routers allow PPPOE passthru or bridging mode as I more often see it. I even go one step further and use a USB DSL modem and PPPOA instead. You don't need an ethernet card and I have found the ping times significantly better. The Zoom 5510 and Dynamode USB modems are Conexant based and therefore compatible with Linux. I hear speedtouch are too but I haven't come across them.

I'll shut up now.
-------------------------------------------------------------------------
John Lewis wrote:
> I would strongly agree with Andrew on the router issue. At least if
> the PPPOE client is running on your Linux box you have much more
> control over how the link comes up and down. For instance you can
> configure how often the client checks the other end of the connection,
> if your DSL line is buggy it helps to minimise down time. Indeed a lot
> of DSL routers seem to give up after having a few problems until you
> reboot them. Not very good at all.
>
> As Andrew says most routers allow PPPOE passthru or bridging mode as I
> more often see it. I even go one step further and use a USB DSL modem
> and PPPOA instead. You don't need an ethernet card and I have found
> the ping times significantly better. The Zoom 5510 and Dynamode USB
> modems are Conexant based and therefore compatible with Linux. I hear
> speedtouch are too but I haven't come across them.

Agreed ...
Wrote a FAQ Entry for one of the Conexant based USB modems :)
http://firebird.solsys.org/mod.php?mod=faq&op=extlist&topicid=12&expand=yes#102

--
Joerg Mertin
-------------------------------------------------------------------------
Joerg Mertin wrote:
> John Lewis wrote:
>> I would strongly agree with Andrew on the router issue. At least if
>> the PPPOE client is running on your Linux box you have much more
>> control over how the link comes up and down. For instance you can
>> configure how often the client checks the other end of the connection,
>> if your DSL line is buggy it helps to minimise down time. Indeed a lot
>> of DSL routers seem to give up after having a few problems until you
>> reboot them. Not very good at all.
>>
>> As Andrew says most routers allow PPPOE passthru or bridging mode as I
>> more often see it. I even go one step further and use a USB DSL modem
>> and PPPOA instead. You don't need an ethernet card and I have found
>> the ping times significantly better. The Zoom 5510 and Dynamode USB
>> modems are Conexant based and therefore compatible with Linux. I hear
>> speedtouch are too but I haven't come across them.
>
> Agreed ...
> Wrote a FAQ Entry for one of the Conexant based USB modems :)

Sorry - this link is wrong (It's my Devel system ;) behind the Firewall).
This is the right one ;)
http://stargate.solsys.org/mod.php?mod=faq&op=extlist&topicid=12&expand=yes#102

--
Joerg Mertin
-------------------------------------------------------------------------
Joerg Mertin wrote:
> Joerg Mertin wrote:
>> John Lewis wrote:
>>> I would strongly agree with Andrew on the router issue. At least if
>>> the PPPOE client is running on your Linux box you have much more
>>> control over how the link comes up and down. For instance you can
>>> configure how often the client checks the other end of the connection,
>>> if your DSL line is buggy it helps to minimise down time. Indeed a lot
>>> of DSL routers seem to give up after having a few problems until you
>>> reboot them. Not very good at all.
>>>
>>> As Andrew says most routers allow PPPOE passthru or bridging mode as I
>>> more often see it. I even go one step further and use a USB DSL modem
>>> and PPPOA instead. You don't need an ethernet card and I have found
>>> the ping times significantly better. The Zoom 5510 and Dynamode USB
>>> modems are Conexant based and therefore compatible with Linux. I hear
>>> speedtouch are too but I haven't come across them.
>> Agreed ...
>> Wrote a FAQ Entry for one of the Conexant based USB modems :)
> Sorry - this link is wrong (It's my Devel system ;) behind the Firewall).
> This is the right one ;)
> http://stargate.solsys.org/mod.php?mod=faq&op=extlist&topicid=12&expand=yes#102

Again ... it's the https link :( Getting late over here...
https://stargate.solsys.org/mod.php?mod=faq&op=extlist&topicid=12&expand=yes#102

Sorry for the spam :(

--
Joerg Mertin
-------------------------------------------------------------------------
Grigory Mokhin wrote:
>> Since this doesn't happen every day, and I use tcrules to mark and direct
>> traffic to one ISP or another,
>
> Why do you use tcrules for that? IP rules are used for routing, tc rules
> for shaping.

This is the way Shorewall's MultiISP-documents instructs to configure Shorewall. AFAIK the entries in the file 'tcrules' determine over which link traffic will get sent out.

Best regards,
Sjon Wijnolst
-------------------------------------------------------------------------
Andrew Suffield wrote:
>> The ADSL-line is supplied with an ethernet-router, no PPP-links required.
>
> Since the cheap consumer ADSL routers are usually awful routers and
> buggy, limited NAT devices, I always try to arrange for the PPP tunnel
> to extend as far as the firewall behind it. Some routers call this
> 'PPPoE passthrough', others make up names for it, but there's several
> on the market that can do it. If you can avoid letting the consumer
> junk touch the IP packets, life tends to go much more smoothly.
>
> Having done that, your problem becomes trivial to solve.

For ISP1 (adsl): It's not cheap consumer stuff, it's an Arescom NetDSL 1000 supplied by the ISP. It bridges a subnet with 8 IPs which is our private subnet. My Shorewall-box lives in the subnet to provide access (NAT) to the internet from the LAN. Both provider and ADSL-link are of professional level and show *very* little downtime. That's why my first concern is to monitor ISP2.

For ISP2 (cable): this is a consumer-grade link, just to expand our upload-capacity. The cable-modem plugs directly into the server through ethernet.

Thanks everybody for your comments. As I understand: monitoring the gateway from ISP2 is a good indication for the link being down or not. Are there any tools to do this or should I write a script myself for this?

Best regards,
Sjon Wijnolst
-------------------------------------------------------------------------
On Tue, Sep 18, 2007 at 09:01:12AM +0200, Sjon Wijnolst wrote:
> Andrew Suffield wrote:
>
> >> The ADSL-line is supplied with an ethernet-router, no PPP-links required.
> >
> > Since the cheap consumer ADSL routers are usually awful routers and
> > buggy, limited NAT devices, I always try to arrange for the PPP tunnel
> > to extend as far as the firewall behind it. Some routers call this
> > 'PPPoE passthrough', others make up names for it, but there's several
> > on the market that can do it. If you can avoid letting the consumer
> > junk touch the IP packets, life tends to go much more smoothly.
> >
> > Having done that, your problem becomes trivial to solve.
>
> For ISP1 (adsl): It's not cheap consumer stuff, it's an Arescom NetDSL
> 1000 supplied by the ISP.

If it doesn't have 19" mounting brackets, it's consumer stuff. An example of a non-consumer ADSL router would be something from the Cisco 1800 series. The important difference here is that the device's own operating system (eg, IOS) would solve your problem and provide a strong failover mechanism on the physical layer, rather than trying to put it together using a linux host. That's what you do when the uptime of the service is really important to you, and the reliability of the equipment on your end becomes a factor.
-------------------------------------------------------------------------
Andrew Suffield wrote:
>> For ISP1 (adsl): It's not cheap consumer stuff, it's an Arescom NetDSL
>> 1000 supplied by the ISP.
>
> If it doesn't have 19" mounting brackets, it's consumer stuff. An
> example of a non-consumer ADSL router would be something from the
> Cisco 1800 series. The important difference here is that the device's
> own operating system (eg, IOS) would solve your problem and provide a
> strong failover mechanism on the physical layer, rather than trying to
> put it together using a linux host. That's what you do when the uptime
> of the service is really important to you, and the reliability of the
> equipment on your end becomes a factor.

Thank you for your reactions, but I think we misunderstand each other. No pun intended! I appreciate your reactions.

Uptime is not of that critical importance, I'm very well aware of all the big-$ stuff which could be implemented when it is. For this customer, we're talking small business: there was a business ADSL-line (isp1) which is perfectly fine. Maybe not the hardware you consider business, but it is supplied with a decent router for its purpose, has virtually no downtime and good SLA for $.

Now, for some extra upload-bandwidth, we added a consumer cable-connection to isp2. To use this as transparent and convenient as possible, it would be nice if this connection IS used when it is fine and IS NOT used when it is down.

My simple question remains: which tools can be used to monitor the extra connection and act upon changes?
1) switch Shorewall-configuration to "isp1-only" set of files when isp2 goes down
2) restart Shorewall when the dynamic IP of isp2 has changed in order to implement correct routing rules

Are there any people out there using multiple ISPs and doing some kind of failover something like this situation?

Best regards,
Sjon Wijnolst
-------------------------------------------------------------------------