Shorewall users - Nov 2007 - Mutiple ip addresses to the second interface

Hello,

I am trying to configure multi-isp system using the latest
Bering-uClibc 3.1-beta1. I have two dual port cards (first
is e100 based driver and the second is tulip) and they are
all recognized and able to assign IP. I have a block of 32
and 8 IPs respectively from each ISP that I am trying to 
assign to the two interfaces, no matter what I do, only first
listed ISP gets assigned the multiple aliases but not the second
one.

Out of curiosity I tried to assign aliases to local and dmz
interfaces and they get assigned. Tried to move the second
isp from eth1 to eth2 (ie second card) and that made no 
difference. Changed the order of the cards and made no difference.
I am thinking that it may have to do with some settings I am
doing in the shorewall. Here is some info of my settings:

1. providers
abc  1    1       main   eth0    1.2.3.1    track,balance    eth1,eth3
xyz  2    2       main   eth2    4.5.6.17   track,balance=2  eth1,eth3

2. masq
eth0            4.5.6.18           1.2.3.2
eth0            eth1               1.2.3.2
eth0            eth3               1.2.3.2
eth2            1.2.3.2            4.5.6.18
eth2            eth1               4.5.6.18
eth2            eth3               4.5.6.18

3. interfaces
#abc
net  eth0  detect  tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians
#xyz
net  eth2  detect  tcpflags,blacklist,norfc1918,routefilter,nosmurfs,logmartians
loc    eth1            192.168.5.255
dmz    eth3            192.168.6.255

4. route_rules
-                       11.22.33.4             abc       1000
-                       11.22.33.5             abc       1000
-                       22.33.44.6             xyz       1000
-                       22.33.45.7             xyz       1000

Appreciate any feedback.

Thanks
__
Seva

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

imap@adari.net wrote:
> Hello,
> 
> I am trying to configure multi-isp system using the latest
> Bering-uClibc 3.1-beta1. I have two dual port cards (first
> is e100 based driver and the second is tulip) and they are
> all recognized and able to assign IP. I have a block of 32
> and 8 IPs respectively from each ISP that I am trying to 
> assign to the two interfaces, no matter what I do, only first
> listed ISP gets assigned the multiple aliases but not the second
> one.
How are you assigning your IP addresses and "aliases"?

What is the output of "ip addr show"?

What should "ip addr show" display?

I have not worked with shorewall in a multi-isp setup, but I''ve done
plenty of setups with secondary IP''s, including multiple public IP
addresses on multiple interfaces (using proxy-arp).  In general, I would
recommend setting up the IP address(es) prior to starting shorewall.  I
like to use the iproute2 command, ie:

  ip addr add 11.22.33.44/24 dev eth0

...which can be run auto-magically by folding it into the ifup/ifdown
configuration (/etc/network/interfaces and related files), typically as
an "up" or "post-up" command that gets run after the
interface comes up.

- --
Charles Steinkuehler
charles@steinkuehler.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHMMNkLywbqEHdNFwRArCaAJ9+IQTG+/zZC2pv9VAYFVcvphSPAwCguIbN
XF2GvNnOHoxDMzYgQZBbrsg=G8C/
-----END PGP SIGNATURE-----

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

imap@adari.net wrote:
> Hello,
> 
> I am trying to configure multi-isp system using the latest
> Bering-uClibc 3.1-beta1. I have two dual port cards (first
> is e100 based driver and the second is tulip) and they are
> all recognized and able to assign IP. I have a block of 32
> and 8 IPs respectively from each ISP that I am trying to 
> assign to the two interfaces, no matter what I do, only first
> listed ISP gets assigned the multiple aliases but not the second
> one.
How are you trying to assign these ''aliases''?
/etc/network/interfaces?

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

> > I am trying to configure multi-isp system using the latest
> > Bering-uClibc 3.1-beta1. I have two dual port cards (first
> > is e100 based driver and the second is tulip) and they are
> > all recognized and able to assign IP. I have a block of 32
> > and 8 IPs respectively from each ISP that I am trying to 
> > assign to the two interfaces, no matter what I do, only first
> > listed ISP gets assigned the multiple aliases but not the second
> > one.
> 
> How are you trying to assign these ''aliases''?
/etc/network/interfaces?
> 
> -Tom
Yes, aliases set in /etc/network/interfaces.

Thanks





-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

imap@adari.net wrote:
>>> I am trying to configure multi-isp system using the latest
>>> Bering-uClibc 3.1-beta1. I have two dual port cards (first
>>> is e100 based driver and the second is tulip) and they are
>>> all recognized and able to assign IP. I have a block of 32
>>> and 8 IPs respectively from each ISP that I am trying to 
>>> assign to the two interfaces, no matter what I do, only first
>>> listed ISP gets assigned the multiple aliases but not the second
>>> one.
>> How are you trying to assign these ''aliases''?
/etc/network/interfaces?
>>
>> -Tom
> 
> Yes, aliases set in /etc/network/interfaces.
Then be sure that ADD_IP_ALIASES and ADD_SNAT_ALIASES are both set to
''No'' in shorewall.conf.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

> > I am trying to configure multi-isp system using the latest
> > Bering-uClibc 3.1-beta1. I have two dual port cards (first
> > is e100 based driver and the second is tulip) and they are
> > all recognized and able to assign IP. I have a block of 32
> > and 8 IPs respectively from each ISP that I am trying to 
> > assign to the two interfaces, no matter what I do, only first
> > listed ISP gets assigned the multiple aliases but not the second
> > one.
> 
> How are you assigning your IP addresses and "aliases"?
Aliases are assigned in /etc/network/interfaces
> What is the output of "ip addr show"?
I currently have working lrp with single isp with 32 block and
the corresponding aliases working. The one that I am building is
right now a stand alone machine connected to a console and hence
please bear with me on the following shortened description:

1. lo: ..
2. dummy0: ..
3. eth0 ...
   inet 1.2.3.2/27 brd x.y.z.31 scope global eth0
   inet 1.2.3.3/27 scope global secondary eth0:3
                   .
                   .
   inet 1.2.3.30/27 scope global secondary eth0:30

4. eth1
   inet 192.168.5.2/24 brd 255.255.255.0 scope global eth1
   inet 192.168.5.30/24 scope global secondary eth1:30

3. eth2 ...
   inet 4.5.6.18/29 brd 4.5.6.23 scope global eth2

4. eth3
   inet 192.168.6.2/24 brd 255.255.255.0 scope global eth3
   inet 192.168.6.30/24 scope global secondary eth3:30
> What should "ip addr show" display?
I expected to see the aliases entry for ''eth2'' interface as
well
(which is the second isp link).
> I have not worked with shorewall in a multi-isp setup, but I''ve
done
> plenty of setups with secondary IP''s, including multiple public IP
> addresses on multiple interfaces (using proxy-arp).  In general, I would
> recommend setting up the IP address(es) prior to starting shorewall.  I
> like to use the iproute2 command, ie:
> 
>   ip addr add 11.22.33.44/24 dev eth0
Yes this how it is done, via package etc.lrp, with entries of the
following kind in /etc/network/interfaces:

up ip address add 4.5.6.19/29 dev eth2 label eth2:19

As I have indicated before, similar to the above entries under eth0, 
eth1 and eth3 all show up right aliases for ''ip addr'' command.
> ...which can be run auto-magically by folding it into the ifup/ifdown
> configuration (/etc/network/interfaces and related files), typically as
> an "up" or "post-up" command that gets run after the
interface comes up.
> 
Thanks


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

Quoting Tom Eastep <teastep@shorewall.net>:
> imap@adari.net wrote:
> >>> I am trying to configure multi-isp system using the latest
> >>> Bering-uClibc 3.1-beta1. I have two dual port cards (first
> >>> is e100 based driver and the second is tulip) and they are
> >>> all recognized and able to assign IP. I have a block of 32
> >>> and 8 IPs respectively from each ISP that I am trying to 
> >>> assign to the two interfaces, no matter what I do, only first
> >>> listed ISP gets assigned the multiple aliases but not the
second
> >>> one.
> >> How are you trying to assign these ''aliases''?
/etc/network/interfaces?
> >>
> >> -Tom
> > 
> > Yes, aliases set in /etc/network/interfaces.
> 
> Then be sure that ADD_IP_ALIASES and ADD_SNAT_ALIASES are both set to
> ''No'' in shorewall.conf.
> 
> -Tom
I did but, had no effect. I had left the default value of ''No''
for
RETAIN_ALIASES. Does this parameter have a bearing?

Thanks





-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

imap@adari.net wrote:
> Quoting Tom Eastep <teastep@shorewall.net>:
> 
>> imap@adari.net wrote:
>>>>> I am trying to configure multi-isp system using the latest
>>>>> Bering-uClibc 3.1-beta1. I have two dual port cards (first
>>>>> is e100 based driver and the second is tulip) and they are
>>>>> all recognized and able to assign IP. I have a block of 32
>>>>> and 8 IPs respectively from each ISP that I am trying to 
>>>>> assign to the two interfaces, no matter what I do, only
first
>>>>> listed ISP gets assigned the multiple aliases but not the
second
>>>>> one.
>>>> How are you trying to assign these ''aliases''?
/etc/network/interfaces?
>>>>
>>>> -Tom
>>> Yes, aliases set in /etc/network/interfaces.
>> Then be sure that ADD_IP_ALIASES and ADD_SNAT_ALIASES are both set to
>> ''No'' in shorewall.conf.
>>
>> -Tom
> 
> I did but, had no effect. I had left the default value of
''No'' for
> RETAIN_ALIASES. Does this parameter have a bearing?
Only if one of the others is set.

You can eliminate Shorewall by doing:

ifdown eth2
ifup eth2

Are the aliases there? If so, then "shorewall restart". Did they
disappear? If so, then Shorewall is the problem -- otherwise, it is not.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/

> >>>>> I am trying to configure multi-isp system using the
latest
> >>>>> Bering-uClibc 3.1-beta1. I have two dual port cards
(first
> >>>>> is e100 based driver and the second is tulip) and they
are
> >>>>> all recognized and able to assign IP. I have a block
of 32
> >>>>> and 8 IPs respectively from each ISP that I am trying
to
> >>>>> assign to the two interfaces, no matter what I do,
only first
> >>>>> listed ISP gets assigned the multiple aliases but not
the second
> >>>>> one.
> >>>> How are you trying to assign these
''aliases''? /etc/network/interfaces?
> >>>>
> >>>> -Tom
> >>> Yes, aliases set in /etc/network/interfaces.
> >> Then be sure that ADD_IP_ALIASES and ADD_SNAT_ALIASES are both set
to
> >> ''No'' in shorewall.conf.
> >>
> >> -Tom
> > 
> > I did but, had no effect. I had left the default value of
''No'' for
> > RETAIN_ALIASES. Does this parameter have a bearing?
> 
> Only if one of the others is set.
> 
> You can eliminate Shorewall by doing:
> 
> ifdown eth2
> ifup eth2
> 
> Are the aliases there? If so, then "shorewall restart". Did they
> disappear? If so, then Shorewall is the problem -- otherwise, it is not.
> 
> -Tom
> -- 
Thank you for your help. Problem is solved, but I don''t know what fixed
it though! Here is what I have done.

1. Just to isolate the issue, removed the shorewall package and
booted the system, still the same (ie no aliases showed up for 
second isp)

2. Replaced all the isp''s IPs with private class C, with one alias 
and it showed up along with all others

3. Now replaced the private class C with isp''s IP address and just
one alias and that showed up. then put in the remaining and those
showed up as well

4. Added showewall package and still aliases showed up still. Then I
restored the default setting for ADD_IP_ALIASES=Yes and the restart
still worked.

Now the system is working as expected, but as I said, I don''t know
what was the culprit before and no idea what fixed it.

Thanks to you and all others who responded.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/