Dear all,

I have a multi-ISP setup using DSL and leased line config for my firewall box using Shorewall version 4.0.13. Clients behind the router can connect to the net without problem; they are always routed via the DSL (BusinessOne) provider.

The problem I am having is that sometimes when the firewall tries to connect to the internet the connections time out (apt-get update, ping, traceroute etc), other times they are OK. I believe, and this is a guess, that the connection is sometimes going out the LeasedLine provider (which is currently not activated by the ISP, hence the timeouts), via the balance attribute, as per the guide. I did however set the tc_rules to use the BusinessOne provider as the default provider for both clients behind the firewall and the firewall itself.

I do have a standard single ISP DSL setup which I have reverted to for the time being, and that works fine for clients and the firewall without any issue whatsoever.

I have followed the Multi-ISP guide to the best of my ability but I haven't done something right because the firewall connections outbound only work half the time... many apologies if I have missed anything blatantly obvious, I know I have, I just don't know what.

Many thanks and regards,
Chris

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Chris Morley wrote:
> I have followed the Multi-ISP guide to the best of my ability but I
> haven't done something right because the firewall connections outbound
> only work half the time... many apologies if I have missed anything
> blatantly obvious, I know I have I just don't know what.

Two things:

a) As the guide clearly points out, entries in tcrules are not enough to control traffic originating on the firewall (see the section entitled "Applications Running on the Firewall").

b) That being the case, running a multi-ISP configuration in which one interface appears to be up but isn't is poor practice.

c) Even if both connections were available, you have omitted the entries in /etc/shorewall/masq necessary to properly catch traffic that binds to one address but is forced to go out through the opposite interface. See the rules following this text:

"Regardless of whether you have masqueraded hosts or not, the following entries are required in /etc/shorewall/masq if you plan to redirect connections from the firewall using entries in /etc/shorewall/tcrules or if you specify balance on your providers."

I would try adding the masq rules first -- if you still have problems then you need to disable the interface that isn't working. The best way to do that is:

a) add the 'optional' option to the leased line (curiously you have specified it on the BusinessOne line but not on the leased line).

b) Down the leased line interface until it is up and running.

That way, you can use your single two-ISP configuration regardless of whether the leased line is up or not.
-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
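A concrete form of the changes Tom's reply asks for, written up as an added example that is not from the thread, from Chris's box, or from the Shorewall documentation. Chris did not post his configuration, so the interface names (ppp0 for the DSL line, eth1 for the leased line), the public addresses (203.0.113.10 and 192.0.2.20), the leased-line gateway (192.0.2.1) and the provider numbers and marks are all assumed placeholders; the column layout is that of the Shorewall 4.0 /etc/shorewall/providers and /etc/shorewall/masq files.

```text
# /etc/shorewall/providers  (assumed names and addresses)
#
# Before: 'optional' is set on the working DSL provider but not on the
# leased line that the ISP has not activated yet, so Shorewall still
# installs routes for it and 'balance' spreads firewall-originated
# traffic over both lines. Half the firewall's own connections then
# leave via a dead link and time out.
#NAME        NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS                 COPY
BusinessOne  1       0x1   main       ppp0       detect       track,balance,optional  -
LeasedLine   2       0x2   main       eth1       192.0.2.1    track,balance           -

# After: the leased line is also 'optional'. While eth1 is down and has
# no address, Shorewall skips the provider and only the DSL route exists.
#NAME        NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS                 COPY
BusinessOne  1       0x1   main       ppp0       detect       track,balance,optional  -
LeasedLine   2       0x2   main       eth1       192.0.2.1    track,balance,optional  -

# /etc/shorewall/masq  (entries the guide requires once 'balance' or
# tcrules redirection is used, independent of any masqueraded LAN hosts)
#
# A connection that bound to one provider's address but is routed out the
# other provider's interface gets its source rewritten to that interface's
# address; without these two lines the reply never comes back.
#INTERFACE   SOURCE          ADDRESS
# leaving via the DSL line with the leased-line address as source
ppp0         192.0.2.20      203.0.113.10
# leaving via the leased line with the DSL address as source
eth1         203.0.113.10    192.0.2.20

# Finally take the dead leased line down so 'optional' actually applies,
# then reload the configuration (assumed interface name):
#   ip link set dev eth1 down
#   shorewall restart
```

The masq lines are only needed in pairs; once the leased line is activated, bring eth1 up and restart Shorewall, and the same providers and masq files work with both links without further edits, which is the "regardless of whether the leased line is up or not" outcome Tom describes.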