Hi all

I just implemented a squid proxy running *shorewall* as firewall and load balancer under f9.

Kernel: 2.6.25-14.fc9.i686

The setup runs fine except that *shorewall* doesn't seem to utilize the two ISP connections and favours one of them, and I have the feeling that the balancing is not working properly:

If I just disconnect the default-routed ISP, the internet connectivity for the proxy still persists via the default route.
If I disconnect the other 'non-default-route' ISP, I have to restart the network service and *shorewall* before the proxy has connectivity again.

The *shorewall* documentation states that the kernel is caching the routes and will use the same ISP again and again.
Setting the Kernel Option CONFIG_IP_ROUTE_MULTIPATH_CACHED=n is supposed to solve this problem.

So I went to build a new Kernel with this option but can't find it. The only one coming close is: CONFIG_IP_ROUTE_MULTIPATH which is set to yes by default.

*My question:*

1) Am I barking up the wrong tree in trying to build a new Kernel?
   a) if no: can I just add the Option CONFIG_IP_ROUTE_MULTIPATH_CACHED=n into the .config file before building the new kernel?
   b) is the problem more likely based on the *shorewall* configuration?

*here my ifconfig:*

eth0      Link encap:Ethernet  HWaddr 00:0F:FE:1A:47:01
          inet addr:172.16.2.4  Bcast:172.16.3.255  Mask:255.255.0.0

eth1      Link encap:Ethernet  HWaddr 00:0A:5E:514:27
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0

eth1:1    Link encap:Ethernet  HWaddr 00:0A:5E:514:27
          inet addr:192.168.0.11  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:22 Base address:0xcc00

eth1:2    Link encap:Ethernet  HWaddr 00:0A:5E:514:27
          inet addr:192.168.0.12  Bcast:192.168.0.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

*The virtual interfaces are configured by shorewall masq:*

#INTERFACE   SOURCE   ADDRESS                     PROTO   PORT(S)   IPSEC   MARK
eth1:1       eth0     192.168.0.11-192.168.0.12

*Here my providers:*

#NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY         OPTIONS   COPY
ISP1    1        1      main        eth1:1      192.168.0.101   balance
ISP2    2        2      main        eth1:2      192.168.0.102   balance

192.168.0.101 and 102 are the two ISP routers.

Would be great if somebody has some input for me!!

Thanks

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Hinrich Fraemcke wrote:
> Hi all
>
> I just implemented a squid proxy running *shorewall* as firewall and
> load balancer under f9.
>
> Kernel: 2.6.25-14.fc9.i686
>
> The setup runs fine except that *shorewall* doesn't seem to utilize the
> two ISP connections and favours one of them

Shorewall itself has nothing to do with ISP selection. Once 'shorewall start'
completes, there is no Shorewall code running in your system at all.

> and I have the feeling that
> the balancing is not working properly:
>
> If I just disconnect the default-routed ISP the internet connectivity for
> the proxy still persists via the default route.
> If I disconnect the other 'non-default-route' ISP I have to restart the
> network service and *shorewall* before the proxy has connectivity again.

I couldn't follow that at all. If you are using balancing, both ISPs have a
part of the default route. But the Multi-ISP documentation clearly states
that there is no failover capability in what Shorewall configures and if a
connection fails, 'shorewall restart' is required (assuming that both
connections are marked as 'optional').

> The *shorewall* documentation states that the kernel is caching the
> routes and will use the same ISP again and again.

That is necessary -- you can't have a single connection ping-ponging packets
between the two ISPs!

> Setting the Kernel Option CONFIG_IP_ROUTE_MULTIPATH_CACHED=n is supposed
> to solve this problem.

It *was* supposed to solve that problem but it didn't work -- it prevented
balancing from working at all. It is even mentioned in the Shorewall
Multi-ISP doc.

> So I went to build a new Kernel with this option but can't find it. The
> only one coming close is: CONFIG_IP_ROUTE_MULTIPATH which is set to yes
> by default.
>
> *My question:*
>
> 1) Am I barking up the wrong tree in trying to build a new Kernel?

Almost certainly.

> a) if no: can I just add the Option CONFIG_IP_ROUTE_MULTIPATH_CACHED=n
> into the .config file before building the new kernel?

CONFIG_IP_ROUTE_MULTIPATH_CACHED has been de-implemented because it was
broken. Forget about it!

> b) is the problem more likely based on the *shorewall* configuration?

Hard to say. Multi-ISP works differently for connections originating on the
firewall itself which is what occurs when you run a Proxy on the firewall.
See http://www.shorewall.net/MultiISP.html#Local.

> *here my ifconfig:*

Please see http://www.shorewall.net/support.htm#Guidelines -- we need to see
the output of 'shorewall dump' in order to be able to help you further.
Shorewall Geek wrote:
> Hard to say. Multi-ISP works differently for connections originating on
> the firewall itself which is what occurs when you run a Proxy on the
> firewall. See http://www.shorewall.net/MultiISP.html#Local.

One thing you might try is to set the 'loose' option on both providers. Note
that doing so will prevent you from being able to pick a provider by having a
firewall-resident application bind to a particular external address.
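The following is an added illustration, not code from this thread and not Shorewall's own generator. It reads a providers table in the column layout the original poster used (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS) and prints the iproute2 commands that the 'balance' and 'loose' options correspond to: one multipath default route with a nexthop per balanced provider, and a per-provider routing table selected by fwmark and, unless 'loose' is set, by source address. The exact rule layout (table numbered by NUMBER, fwmark rule, from-address rule) is my simplified model of what the replies describe, not a claim about the commands Shorewall actually emits; the alias-to-address map is taken from the poster's ifconfig output; the function names `balanced_default_route`, `provider_rules`, `addr_of` and `physdev` are mine. Nothing is applied: the script only prints, so it can be run unprivileged to reason about the setup before touching the firewall.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from Shorewall.
# Prints the iproute2 commands that 'balance' and 'loose' correspond to for a
# providers table in the poster's column layout. Review the output first;
# apply it only as root and only on a test box.

# Constructed copy of the poster's two providers. Change the OPTIONS column
# to 'balance,loose' on a line to see what 'loose' removes.
PROVIDERS='ISP1 1 1 main eth1:1 192.168.0.101 balance
ISP2 2 2 main eth1:2 192.168.0.102 balance'

# Interface alias -> address, taken from the poster's ifconfig output.
addr_of() {
  case "$1" in
    eth1:1) echo 192.168.0.11 ;;
    eth1:2) echo 192.168.0.12 ;;
    *) echo "" ;;
  esac
}

# The kernel routes on the physical device, so strip the ':N' alias suffix.
physdev() { printf '%s\n' "${1%%:*}"; }

# One multipath (ECMP) default route with a nexthop per 'balance' provider.
# The kernel's route cache pins each flow to one nexthop, which is why a
# single client appears to always use the same ISP, and nothing here
# removes a nexthop whose gateway has died: that is the missing failover
# the reply mentions, hence the need for 'shorewall restart'.
balanced_default_route() {
  nexthops=""
  while read -r name number mark dup iface gw opts; do
    [ -z "$name" ] && continue
    case ",$opts," in
      *,balance,*) nexthops="$nexthops nexthop via $gw dev $(physdev "$iface") weight 1" ;;
    esac
  done <<EOF
$PROVIDERS
EOF
  printf 'ip route replace default scope global%s\n' "$nexthops"
}

# Per-provider routing table: selected by fwmark, and additionally by source
# address unless 'loose' is set. Dropping the source-address rule is what
# stops a local application from choosing its ISP by binding to one of the
# external addresses, the trade-off named in the reply.
provider_rules() {
  while read -r name number mark dup iface gw opts; do
    [ -z "$name" ] && continue
    dev=$(physdev "$iface")
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$dev" "$number"
    printf 'ip rule add fwmark %s table %s\n' "$mark" "$number"
    case ",$opts," in
      *,loose,*) ;;
      *) printf 'ip rule add from %s table %s\n' "$(addr_of "$iface")" "$number" ;;
    esac
  done <<EOF
$PROVIDERS
EOF
}

balanced_default_route
provider_rules
```

Reading the generated output against the poster's setup also makes one point of the thread concrete: both providers sit on the same physical device (eth1), so the two nexthops differ only by gateway address and the link never goes down when one ISP router fails, which is consistent with the reply that nothing in this configuration provides failover.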