Dears,

I'm stuck with configuring Shorewall for dual ISP with dynamic IP.

The main goal is to use ISP-1 for general traffic and ISP-0 for specific
traffic like POP - SMTP - VPN

I made a basic system which doesn't work, referred to as "WORKNOT"

 _____________________                 _____________________                ________
|                     |               |                     |              |        |
| Mail Server         |               | Shorewall           |--------------| ISP-0  |
| IP: 192.168.155.200 |               |                     |              |________|
| DNS:192.168.155.250 |---------------| IP: 192.168.155.250 |               ________
| GTW:192.168.155.250 |               |                     |------        |        |
|_____________________|               |_____________________|     |-------| ISP-1  |
                                                                           |________|

Traffic seems to be correctly routed but I have "Timeouts" on packets for
POP & SMTP going through ISP-0

In the course to debug I connected this system to our actual Shorewall
system to get one ISP from there and the second directly and it works;
this system is referred to as "WORKING"

 _____________________                 _____________________                __________________              ________
|                     |               |                     |              |                  |            |        |
| Mail Server         |               | Shorewall           |--------------| Actual Shorewall |------------| ISP-0  |
| IP: 192.168.155.200 |               |                     |              |__________________|            |________|
| DNS:192.168.155.250 |---------------| IP: 192.168.155.250 |               ________
| GTW:192.168.155.250 |               |                     |------        |        |
|_____________________|               |_____________________|     |-------| ISP-1  |
                                                                           |________|

My issue consists in the fact that, except for changing some IP address
parameters, the setup of Shorewall is identical between systems but gives
different results.

I wondered first if the problem is not coming from the "detect" parameter
for gateway in "providers" and made a special script that updated providers
to write the right value for both ISPs but it didn't solve anything.

I'm lost for now

Looking forward to hearing from you soon.

Best regards,
Jean-Francois Bogaerts

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H

Bogaerts@Studiotech.be wrote:
> Dears,
>
>
> I'm stuck with configuring Shorewall for dual ISP with dynamic IP.
>
> The main goal is to use ISP-1 for general traffic and ISP-0 for specific
> traffic like POP - SMTP - VPN
>
> I made a basic system which doesn't work, referred to as "WORKNOT"
>
>  _____________________                 _____________________
> ________
> |                     |               |                     |              |
> |
> | Mail Server         |               | Shorewall           |--------------|
> ISP-0  |
> | IP: 192.168.155.200 |               |                     |
> |________|
> | DNS:192.168.155.250 |---------------| IP: 192.168.155.250 |
> ________
> | GTW:192.168.155.250 |               |                     |------        |
> |
> |_____________________|               |_____________________|     |-------|
> ISP-1  |
>
> |________|

Please forward the ASCII art as attachments -- your mailer is folding it,
making it un-recognizable.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep wrote:
> Bogaerts@Studiotech.be wrote:
>> Dears,
>>
>>
>> I'm stuck with configuring Shorewall for dual ISP with dynamic IP.
>>
>> The main goal is to use ISP-1 for general traffic and ISP-0 for specific
>> traffic like POP - SMTP - VPN
>>
>> I made a basic system which doesn't work, referred to as "WORKNOT"
>>
>>  _____________________                 _____________________
>> ________
>> |                     |               |                     |              |
>> |
>> | Mail Server         |               | Shorewall           |--------------|
>> ISP-0  |
>> | IP: 192.168.155.200 |               |                     |
>> |________|
>> | DNS:192.168.155.250 |---------------| IP: 192.168.155.250 |
>> ________
>> | GTW:192.168.155.250 |               |                     |------        |
>> |
>> |_____________________|               |_____________________|     |-------|
>> ISP-1  |
>>
>> |________|
>
>
> Please forward the ASCII art as attachments -- your mailer is folding
> it, making it un-recognizable.

Never mind -- I spent a few minutes with an editor and managed to get the
ASCII art unfolded (see attachment).

Two things:

a) You have an absurd entry in your tcrules file; I suspect that it looks
like this:

    1:P eth0 0.0.0.0/0 icmp

That's virtually guaranteed to break something.

b) The connections via port 110 are getting established. So I assume that
the timeouts have something to do with MTU path discovery (which the first
item can certainly break). Given that inserting the 'Actual Shorewall'
fixes the problem, I'm assuming that the 'Actual Shorewall' is setting
CLAMPMSS=Yes in shorewall.conf; your multi-ISP configuration does not have
that setting.

-Tom
--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net \________________________________________________
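
Added example, not part of the original thread: a small shell check for the two findings in the reply above. It reports the CLAMPMSS value in a shorewall.conf and lists tcrules entries that mark ICMP for every destination. The function names and the demo file contents are constructed for illustration; on a real system the files are normally /etc/shorewall/shorewall.conf and /etc/shorewall/tcrules.

```shell
#!/bin/sh
# Added example (not from the thread): checks for the two findings above.

# Print the CLAMPMSS value set in a shorewall.conf, or "unset".
clampmss_value() {
    v=$(sed -n 's/^[[:space:]]*CLAMPMSS=\([^#[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    v=$(printf '%s' "$v" | tr -d "\"'")
    printf '%s\n' "${v:-unset}"
}

# Succeed when MSS clamping is on: Yes, or an explicit numeric MSS.
clampmss_enabled() {
    case $(clampmss_value "$1" | tr '[:upper:]' '[:lower:]') in
        yes|[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# List tcrules entries (MARK SOURCE DEST PROTO ...) that mark ICMP for
# every destination, like the entry suspected in the reply.
blanket_icmp_marks() {
    awk '/^[ \t]*(#|$)/ { next }
         { p = tolower($4)
           if ((p == "icmp" || p == "1") && ($3 == "0.0.0.0/0" || $3 == "-"))
               print "line " FNR ": " $0 }' "$1"
}

# Demo on constructed files (not the poster's real configuration).
demo() {
    d=$(mktemp -d) || return 1
    printf 'STARTUP_ENABLED=Yes\nCLAMPMSS=No\n' > "$d/shorewall.conf"
    printf '#MARK SOURCE DEST PROTO PORT\n1:P eth0 0.0.0.0/0 icmp\n2:P 192.168.155.200 0.0.0.0/0 tcp 110\n' > "$d/tcrules"
    echo "CLAMPMSS is $(clampmss_value "$d/shorewall.conf")"
    clampmss_enabled "$d/shorewall.conf" || echo "MSS clamping is off"
    blanket_icmp_marks "$d/tcrules"
    rm -rf "$d"
}
demo
```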

Dear Tom,

Many thanks for your prompt answer.

OOOOOOps, the ICMP entry was just added during the debug process trying
lots of stupid things :-)

Indeed you're right regarding the CLAMPMSS parameter. It's off in the dual
ISP system while ON in the actual.

I'm actually away from the hardware but will test tomorrow and let you know.

Rgds,
Jean-Francois Bogaerts