Hi All,

After scheduling some downtime (see my previous threads on this topic) I did manage to get a semi-working setup in that all the "business" traffic was routed from the LAN (eth0) via the primary ADSL2+ link (eth3) and all other traffic routed to the ADSL1 unmetered link (eth4).

The problem is that all traffic on eth4 (the ADSL1 link) was coming back as "martian". I went through the multi-ISP how-to, applied the patch (running Shorewall 3.4.6), got rid of the "routefilter" option on eth3 and eth4, all with the same results. I've reverted back to the old single-ISP link setup until I can get a better handle on how to proceed.

Attached is a dump while running the multi-ISP config plus all the config files I used at the time (all "missing" config files are left with default values).

Many thanks in advance,

James
--
Baby On Board.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

James Gray wrote:

> got rid of the "routefilter" option on eth3 and
> eth4, all with the same results.

If 'routefilter' isn't specified on any interface and ROUTE_FILTER=No in shorewall.conf, then Shorewall 3.4.6 does nothing WRT rp_filter settings. As a consequence, we see the following in /proc from your dump:

    /proc/sys/net/ipv4/conf/eth4/rp_filter = 1
    /proc/sys/net/ipv4/conf/eth4/log_martians = 1

Treatment of these /proc options is improved in Shorewall 4.0 -- see the 4.0.4 release notes.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

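The check described in the message above, as an added example that is not part of the original thread or of Shorewall: a shell audit that reads rp_filter and log_martians for each interface and lists those in strict mode, which is where replies arriving on the "wrong" ISP link get dropped as martians. It assumes a current kernel, where the kernel's ip-sysctl documentation states that the larger of conf/all/rp_filter and conf/<iface>/rp_filter is used; the CONF_ROOT variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit reverse-path filtering per interface.
# CONF_ROOT (hypothetical name) can point at a copy of the sysctl tree,
# e.g. one rebuilt from a dump; it defaults to the live tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print one line for an interface:
#   <iface> rp_filter=<n> effective=<n> log_martians=<n> <mode>
rp_filter_report() {
    iface="$1"
    dir="$CONF_ROOT/$iface"
    if [ ! -r "$dir/rp_filter" ]; then
        echo "$iface: no rp_filter entry" >&2
        return 2
    fi
    own=$(cat "$dir/rp_filter")
    all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null || echo 0)
    log=$(cat "$dir/log_martians" 2>/dev/null || echo 0)
    # Assumption (current kernels): source validation uses
    # max(conf/all/rp_filter, conf/<iface>/rp_filter).
    eff=$own
    if [ "$all" -gt "$eff" ]; then eff=$all; fi
    case "$eff" in
        0) mode="off" ;;
        1) mode="strict" ;;
        2) mode="loose" ;;
        *) mode="unknown" ;;
    esac
    echo "$iface rp_filter=$own effective=$eff log_martians=$log $mode"
}

# List interfaces whose effective mode is strict. On a multi-ISP
# firewall these are the ones to review when martians are logged.
strict_ifaces() {
    for d in "$CONF_ROOT"/*/; do
        i=$(basename "$d")
        case "$i" in all|default) continue ;; esac
        rp_filter_report "$i" 2>/dev/null | awk '$NF == "strict" { print $1 }'
    done
}

# Run as "sh script.sh audit" to check the live system.
if [ "${1:-}" = "audit" ]; then strict_ifaces; fi
```
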
On Tue, 2 Oct 2007 03:13:25 pm Tom Eastep wrote:

> James Gray wrote:
> > got rid of the "routefilter" option on eth3 and
> > eth4, all with the same results.
>
> If 'routefilter' isn't specified on any interface and
> ROUTE_FILTER=No in shorewall.conf, then Shorewall 3.4.6 does nothing WRT
> rp_filter settings. As a consequence, we see the following in /proc from
> your dump:
>
> /proc/sys/net/ipv4/conf/eth4/rp_filter = 1
> /proc/sys/net/ipv4/conf/eth4/log_martians = 1
>
> Treatment of these /proc options is improved in Shorewall 4.0 -- see the
> 4.0.4 release notes.

Thanks for such a fast response Tom. So reading between the lines, upgrade to 4.0.4 and try again (after reading the release notes)?

Are the configuration files compatible?

Cheers,

James
--
People often find it easier to be a result of the past than a cause of the future.

James Gray wrote:

> Thanks for such a fast response Tom. So reading between the lines, upgrade to
> 4.0.4 and try again (after reading the release notes)?

Well, I might have started by just typing:

    echo 0 > /proc/sys/net/ipv4/conf/eth4/rp_filter

but upgrading will make this part of the configuration more automatic.

> Are the configuration files compatible?

So long as you are using Shorewall-shell, yes. But you will want to modify your /etc/shorewall/interfaces file to specify exactly the value (0 or 1) that you want for 'routefilter' on each interface.

-Tom

On Tue, 2 Oct 2007 11:35:30 pm Tom Eastep wrote:

> James Gray wrote:
> > Thanks for such a fast response Tom. So reading between the lines,
> > upgrade to 4.0.4 and try again (after reading the release notes)?
>
> Well, I might have started by just typing:
>
> echo 0 > /proc/sys/net/ipv4/conf/eth4/rp_filter

Indeed - this DID fix the problem. The options for eth4 I left with routefilter but manually did as suggested above. Sure enough, as soon as eth4's rp_filter was set to zero, the martians went away and traffic started flowing.

> but upgrading will make this part of the configuration more automatic.
>
> > Are the configuration files compatible?
>
> So long as you are using Shorewall-shell, yes. But you will want to modify
> your /etc/shorewall/interfaces file to specify exactly the value (0 or 1)
> that you want for 'routefilter' on each interface.

OK, so something in the options like: ...,routefilter=1,...?? If this is documented in the release notes, please simply say RTFRN :)

Thanks again for all your help,

James
--
If God is One, what is bad? -- Charles Manson

James Gray wrote:

>> So long as you are using Shorewall-shell, yes. But you will want to modify
>> your /etc/shorewall/interfaces file to specify exactly the value (0 or 1)
>> that you want for 'routefilter' on each interface.
>
> OK, so something in the options like: ...,routefilter=1,...?? If this is
> documented in the release notes, please simply say RTFRN :)

RTFRN ;-)

-Tom