In case this will help anyone else, or perhaps you will all tell me how to do this better, I'm attaching a perl script that I made to govern our dual PPP connections. In our case, we have one static WAN line, and two PPP (static IP) lines. The static line is stable, and, unless the modem overheats, it never has trouble. But the PPP lines _regularly_ are going down on me. They went down a few times on a weekend that I was away, and our internet was out for more than 36 hours. Even though we are sharing the lines, when ONE ppp line goes down, the shorewall configuration is unable to find a route out, and therefore, there is no internet for any of the lines.

Naturally, I needed some solution to this dilemma, and restarting shorewall wasn't the only requirement. The PPP line would not always come back. So, at first, I made a script that would manipulate the providers file according to the lines that were UP, but that didn't seem to work out well. After many hours of frustration in not having the script do its job properly, I stumbled across a website that gave me the reason why: pppoeconf is unreliable. I switched to using "ifdown ppp0; sleep 3; ifup ppp0" instead of "poff ppp0; pon ppp0". That did it. Now the lines actually come up when called. :)

So, attached is the script, with a few minor adjustments, that we use here. If it helps anyone, great. I use it via a cronjob that runs every minute. So the lines should never be down much more than a minute.

--Erik.

--Forwarded Message Attachment--
From: rgm@htt-consult.com
To: shorewall-users@lists.sourceforge.net
Date: Sun, 6 Jul 2008 16:31:38 -0400
Subject: [Shorewall-users] Shirewall and ppp interface

I well, my ISP just worked with me to switch in my new gateway. After the switch and bringing up the ppp interface, the new gateway was accessing the Internet just fine, but none of the systems behind it were.
Scratched my head, and after some fumbling, I discovered that it seems like I have to restart shorewall after the ppp interface is brought up. So. How do I ensure that shorewall is restarted whenever the ppp interface is restarted (can happen for any number of reasons)? What is the proper command? shorewall restart recompiles all the files and that seems more than is needed.

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project, along with a healthy diet, reduces your potential for chronic lameness and boredom.
Vote Now at http://www.sourceforge.net/community/cca08
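A shell version of the cron-driven watchdog Erik describes, as an added example that is not his attached perl script: it probes each PPP link with a ping, bounces any link that fails using the ifdown/sleep/ifup sequence from the post, and only then reloads shorewall, calling /sbin/shorewall directly as Jerry suggests later in the thread. The interface names, the 192.0.2.1 probe address and the cron path are assumptions.

```shell
#!/bin/sh
# ppp-watchdog.sh: cron-driven PPP link watchdog (added example, not the
# poster's script). ppp0/ppp1 and 192.0.2.1 are placeholders; invoke with "run".
LINKS="${LINKS:-ppp0 ppp1}"   # PPP interfaces to watch
PROBE="${PROBE:-192.0.2.1}"   # host to ping through each link (placeholder)
RUN="${RUN:-}"                # set RUN=echo to print commands instead of running them
RECOVERED=0                   # number of links bounced on this pass

# A link counts as up when its interface exists and a single ping sent out
# through it (-I) is answered within 3 seconds (-W).
link_is_up() {
    dev=$1
    [ -d "/sys/class/net/$dev" ] || return 1
    ping -c 1 -W 3 -I "$dev" "$PROBE" >/dev/null 2>&1
}

# Bounce one link with ifdown/sleep/ifup, the sequence the poster found
# reliable where poff/pon was not.
recover_link() {
    dev=$1
    $RUN ifdown "$dev"
    $RUN sleep 3
    $RUN ifup "$dev"
}

# Test every link and bounce the ones that fail; RECOVERED tells the caller
# whether the firewall needs reloading afterwards.
check_links() {
    RECOVERED=0
    for dev in $LINKS; do
        link_is_up "$dev" && continue
        recover_link "$dev"
        RECOVERED=$((RECOVERED + 1))
    done
}

# Reload shorewall only when something was bounced, calling /sbin/shorewall
# directly rather than the init script.
main() {
    check_links
    if [ "$RECOVERED" -gt 0 ]; then
        $RUN /sbin/shorewall restart
    fi
}

# crontab entry (assumed path): * * * * * /usr/local/sbin/ppp-watchdog.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Setting RUN=echo lets you see exactly which commands a pass would issue before trusting it to cron.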
On Mon, 2008-07-07 at 00:55 -0700, Erik Mundall wrote:

> But the PPP lines _regularly_ are going down on me. They went down a
> few times on a weekend that I was away, and our internet was out for
> more than 36 hours. Even though we are sharing the lines, when ONE
> ppp line goes down, the shorewall configuration is unable to find a
> route out, and therefore, there is no internet for any of the lines.

This smells fishy. I have a dual link configuration, both are dynamic (cable and PPPoE) but when one goes out the other continues to work just fine with no manipulation of shorewall's installed configuration needed (routing or rules). What doesn't happen (yet) unfortunately is removing the default route for the one that went down. But that does not prevent the surviving connection from passing traffic.

> Naturally, I needed some solution to this dilemma, and restarting
> shorewall wasn't the only requirement.

You should not need to restart shorewall when a link goes down.

> The PPP line would not always come back.

Yes. I have this problem too. The cable connection is even worse. Even though it's DHCP, if the provider's equipment or the cable modem they provided me gets power cycled, I need to request a DHCP lease (even if the one I had at the outage was still valid) before traffic will flow. So if I were to put some kind of monitor on that line for outages, for every "ping" I do to see if the line is back up, I actually first have to renew the lease. Silly, yes.

> So, at first, I made a script that would manipulate the providers file
> according to the lines that were UP, but that didn't seem to work out
> well.

And should be completely unnecessary.

> So, attached is the script, with a few minor adjustments, that we use
> here. If it helps anyone, great. I use it via a cronjob that runs
> every minute. So the lines should never be down much more than a
> minute.

I didn't look at the script but it sounds like you are making this problem more complicated than it should be.

b.
On Mon, 2008-07-07 at 08:39 -0400, Brian J. Murrell wrote:

> On Mon, 2008-07-07 at 00:55 -0700, Erik Mundall wrote:
> > But the PPP lines _regularly_ are going down on me. They went down a
> > few times on a weekend that I was away, and our internet was out for
> > more than 36 hours. Even though we are sharing the lines, when ONE
> > ppp line goes down, the shorewall configuration is unable to find a
> > route out, and therefore, there is no internet for any of the lines.
>
> This smells fishy. I have a dual link configuration, both are dynamic
> (cable and PPPoE) but when one goes out the other continues to work just
> fine with no manipulation of shorewall's installed configuration needed
> (routing or rules). What doesn't happen (yet) unfortunately is removing
> the default route for the one that went down. But that does not prevent
> the surviving connection from passing traffic.
>

Did you mean "for *only* the one that went down"? This is in stark contrast to an earlier posting: http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg05090.html

Did you use Andrew's solution that was posted?

> > Naturally, I needed some solution to this dilemma, and restarting
> > shorewall wasn't the only requirement.
>
> You should not need to restart shorewall when a link goes down.
>

If the ip address changed, wouldn't that need a restart, because there should be snat involved with a multi-isp setup?

> > The PPP line would not always come back.
>
> Yes. I have this problem too. The cable connection is even worse.
> Even though it's DHCP, if the provider's equipment or the cable modem
> they provided me gets power cycled, I need to request a DHCP lease (even
> if the one I had at the outage was still valid) before traffic will
> flow. So if I were to put some kind of monitor on that line for
> outages, for every "ping" I do to see if the line is back up, I actually
> first have to renew the lease. Silly, yes.
>
> > So, at first, I made a script that would manipulate the providers file
> > according to the lines that were UP, but that didn't seem to work out
> > well.
>
> And should be completely unnecessary.
>
> > So, attached is the script, with a few minor adjustments, that we use
> > here. If it helps anyone, great. I use it via a cronjob that runs
> > every minute. So the lines should never be down much more than a
> > minute.

Might want to use "/sbin/shorewall restart" in place of "/etc/init.d/shorewall restart" in your script. Then, when version 4.2 is released, you could add the new "-f" option to the restart call, if wanted/needed.

Jerry.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Mon, 2008-07-07 at 13:38 -0500, Jerry Vonau wrote:
>
> Did you mean "for *only* the one that went down"?
> This is in stark contrast to an earlier posting:
> http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg05090.html

Hrm. Yes. My recollection is getting more clear.

> Did you use Andrew's solution that was posted?

The solution I have in fact is that on any interface change I do a shorewall "restore". So I guess technically the solution the OP has but I don't have to fiddle with any shorewall config, nor do I even recompile it. I simply reload the last configuration compiled.

> > You should not need to restart shorewall when a link goes down.
> >
>
> If the ip address changed, wouldn't that need a restart, because there
> should be snat involved with a multi-isp setup?

Sure, when it comes back, iff the address changed. But not when it goes down, other than balancing default rule silliness.

> Might want to use "/sbin/shorewall restart" in place of
> "/etc/init.d/shorewall restart" in your script. Then, when version 4.2
> is released, you could add the new "-f" option to the restart call, if
> wanted/needed.

Yeah, which is basically what my shorewall-lite is doing.

b.
Brian J. Murrell wrote:
> On Mon, 2008-07-07 at 13:38 -0500, Jerry Vonau wrote:
>>
>> Did you mean "for *only* the one that went down"?
>> This is in stark contrast to an earlier posting:
>> http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg05090.html
>
> Hrm. Yes. My recollection is getting more clear.
>
>> Did you use Andrew's solution that was posted?
>
> The solution I have in fact is that on any interface change I do a
> shorewall "restore". So I guess technically the solution the OP has but
> I don't have to fiddle with any shorewall config, nor do I even
> recompile it. I simply reload the last configuration compiled.

'shorewall/shorewall-lite restore' does not reload the last configuration compiled -- it reloads the last configuration saved via 'shorewall/shorewall-lite save'. Big difference...

>
>>> You should not need to restart shorewall when a link goes down.
>>>
>> If the ip address changed, wouldn't that need a restart, because there
>> should be snat involved with a multi-isp setup?
>
> Sure, when it comes back, iff the address changed. But not when it goes
> down, other than balancing default rule silliness.
>
>> Might want to use "/sbin/shorewall restart" in place of
>> "/etc/init.d/shorewall restart" in your script. Then, when version 4.2
>> is released, you could add the new "-f" option to the restart call, if
>> wanted/needed.
>
> Yeah, which is basically what my shorewall-lite is doing.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2008-07-07 at 12:23 -0700, Tom Eastep wrote:
>
> 'shorewall/shorewall-lite restore' does not reload the last configuration
> compiled -- it reloads the last configuration saved via
> 'shorewall/shorewall-lite save'. Big difference...

Indeed. You are correct. I tend to "shorewall-lite save" after I [re]load so for me it's kinda like I described, but not technically an accurate description to be sure. :-)

b.
Brian J. Murrell wrote:
> On Mon, 2008-07-07 at 00:55 -0700, Erik Mundall wrote:
>> But the PPP lines _regularly_ are going down on me. They went down a
>> few times on a weekend that I was away, and our internet was out for
>> more than 36 hours. Even though we are sharing the lines, when ONE
>> ppp line goes down, the shorewall configuration is unable to find a
>> route out, and therefore, there is no internet for any of the lines.
>
> This smells fishy. I have a dual link configuration, both are dynamic
> (cable and PPPoE) but when one goes out the other continues to work just
> fine with no manipulation of shorewall's installed configuration needed
> (routing or rules). What doesn't happen (yet) unfortunately is removing
> the default route for the one that went down. But that does not prevent
> the surviving connection from passing traffic.

It's not fishy, it's just what's supposed to happen if you're balancing between both providers and the default route was replaced by the multihop one (or you didn't have one in the first place for whatever reason). We deal with it by adding to the route_rules file:

  #SOURCE    DEST        PROVIDER    PRIORITY
  # fallback rules when one multihop interface dies
  -          0.0.0.0/0   prov1       32768
  -          0.0.0.0/0   prov2       32769

Where priority is whatever is > than the main and default tables are on your system ('ip rule list' will tell). Then add 'shorewall restart' to the appropriate ip-up.local file. Flagging the provider that tends to die as 'optional' in the providers file is also advisable :)

With more than 2 providers it falls back to using only one of them, but that's better than nothing :) Having shorewall set up a second multihop with only the non-optional providers that sits behind the normal one would make all this unnecessary though :)

Regards,
--
Angel Marin
http://anmar.eu.org/