Hello! I've been running Shorewall for a few years now, and it's performed well. I have a non-trivial setup, though, and it is rough around the edges when trying to deal with it.

In particular, I have a dual WAN. One is a cable modem (DHCP), and the other is a DSL modem (PPPoE). What's more, the cable modem is a single IP address that often changes, while the DSL modem is a static IP address *range*. There is a "main" address that the PPP connection sets up, but it also accepts several other nearby addresses. I have this running right now with aliases for the ppp0 device.

I've studied this document: http://shorewall.net/MultiISP.html

There are 3 main problems I have:

1) If the router is rebooted while either the cable or the DSL is down, Shorewall won't come up. It requires *both* interfaces to be fully active before Shorewall will start. If either is down, my firewall is DOA, requiring manual intervention.

I was hoping to set up a dual WAN setup for redundancy and safety, and unfortunately instead, this makes it *more* brittle.

2) Shorewall is a one-shot deal: it exists just to configure the kernel's firewall settings. There's no active monitor that can stay around and take care of things if either the cable or the DSL goes down. I've written a script that repeatedly pings both the cable and DSL connection, and attempts to give the command "ip route replace", with appropriate arguments, as needed.

I'm wondering if there's a more Shorewall-friendly way to do this? I've run into trouble before, when I mess with the routing table and Shorewall doesn't expect this.

3) If the PPP modem goes down, the ppp0 device disappears entirely. That's unfortunate. Is there a way to make it behave like the eth* devices, where they are allowed to be in "down" state and still exist as an active device within the kernel?

The reason this is a requirement is that the kernel will drop all routing and firewall rules associated with a device when it disappears! So, if ppp0 disappears, it will later come back up... completely bare, as it will have no more firewall or router rules! I need to manually restart Shorewall whenever this happens.

It's really unfortunate that the developers of PPP in Linux chose to make the device disappear, instead of just keeping it around in a "down" state.

Because I have a *range* of IP addresses coming to me via PPP, I can't activate the built-in PPPoE protocol termination feature of the modem. If I do this, then the modem takes over the IP addresses, and only gives me a single IP address from it.

I'm running Shorewall 4.2.10 on Debian. Is it worth upgrading to 4.4?

What Shorewall output should I provide here, that might assist in asking for help?

Thanks!
Josh

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf
On 20/09/2009 11:13, JoSH Lehan wrote:

> 1) If the router is rebooted while either the cable or the DSL is down,
> Shorewall won't come up. It requires *both* interfaces to be fully
> active before Shorewall will start. If either is down, my firewall is
> DOA, requiring manual intervention.
>
> I was hoping to set up a dual WAN setup for redundancy and safety, and
> unfortunately instead, this makes it *more* brittle.
>
> 2) Shorewall is a one-shot deal: it exists just to configure the
> kernel's firewall settings. There's no active monitor that can stay
> around and take care of things if either the cable or the DSL goes down.
> I've written a script that repeatedly pings both the cable and DSL
> connection, and attempts to give the command "ip route replace", with
> appropriate arguments, as needed.
>
> I'm wondering if there's a more Shorewall-friendly way to do this? I've
> run into trouble before, when I mess with the routing table and
> Shorewall doesn't expect this.

If your DSL link goes down, your ppp0 device disappears, and the scripts in /etc/ppp/ip-down.d/ are executed so you can take the appropriate measures.

> 3) If the PPP modem goes down, the ppp0 device disappears entirely.
> That's unfortunate. Is there a way to make it behave like the eth*
> devices, where they are allowed to be in "down" state and still exist as an
> active device within the kernel?
>
> The reason this is a requirement is that the kernel will drop all
> routing and firewall rules associated with a device when it disappears!
> So, if ppp0 disappears, it will later come back up... completely bare,
> as it will have no more firewall or router rules! I need to manually
> restart Shorewall whenever this happens.
>
> It's really unfortunate that the developers of PPP in Linux chose to
> make the device disappear, instead of just keeping it around in a "down"
> state.
>
> Because I have a *range* of IP addresses coming to me via PPP, I
> can't activate the built-in PPPoE protocol termination feature of the
> modem. If I do this, then the modem takes over the IP addresses, and
> only gives me a single IP address from it.

Are you sure your modem can't take on its WAN side the 1st public IP address, and then attribute on the LAN side one of the public IP addresses from the public range?
Josh,

Unfortunately, since you do not really provide relevant details about your setup, my suggestions below are only guesses.

On Sun, Sep 20, 2009 at 02:13:01AM -0700, JoSH Lehan wrote:
>
> 1) If the router is rebooted while either the cable or the DSL is down,
> Shorewall won't come up. It requires *both* interfaces to be fully
> active before Shorewall will start. If either is down, my firewall is
> DOA, requiring manual intervention.
>
> I was hoping to set up a dual WAN setup for redundancy and safety, and
> unfortunately instead, this makes it *more* brittle.
>
Have you tried specifying the interfaces as optional? That should fix all the problems you have described having.

> I'm running Shorewall 4.2.10 on Debian. Is it worth upgrading to 4.4?
>
I think that it is. I have a Lenny repository that has those packages:

http://people.connexer.com/~roberto/debian/

> What Shorewall output should I provide here, that might assist in asking
> for help?
>
The output of 'shorewall dump' at various stages (e.g., started with both providers and interfaces up and available, after one or the other interface has gone down, etc.).

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
My suggestion echoes Laurent Caron's suggestion: there are scripts in /etc/ppp/ip-{up|down}.d that are executed when the PPTP link goes down, so you could brand the interface(s) as optional and execute shorewall restarts there.

Similarly, there are scripts that can be executed whenever an ethernet interface goes up or down (in CentOS they're in /etc/sysconfig/network-scripts/if{up|down}.d, not sure where they would be in Debian) - so those can also be used to do all of this manual intervention you mention.

Using those, and some clever link state detection using ethtool, ip, or other network-related utilities, you should be able to write some simple scripts that take care of the dynamic up/down states of the links. If there is DHCP involved in either of those, you should also look into your DHCP client's hook scripts feature and use that as well.

The tools are there, you'll just have to invest some time into figuring things out.

Cheers.

--
Diego Rivera
Director / System Operations
Roundbox Global : enterprise : technology : genius
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
email: diego.rivera@rbxglobal.com | www.rbxglobal.com

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Sun, Sep 20, 2009 at 02:13:01AM -0700, JoSH Lehan wrote:
> 1) If the router is rebooted while either the cable or the DSL is down,
> Shorewall won't come up. It requires *both* interfaces to be fully
> active before Shorewall will start. If either is down, my firewall is
> DOA, requiring manual intervention.
>
> I was hoping to set up a dual WAN setup for redundancy and safety, and
> unfortunately instead, this makes it *more* brittle.

You might be interested to add the ppp device to:

/etc/default/shorewall:wait_interface

Justin
Also, if you're looking for resiliency and fault tolerance, this isn't going to do it for you either. That you'll have no choice but to implement yourself (i.e. dynamically swapping default routes and whatnot). Importantly, the load balancing function of shorewall works fine until one of the links goes down. When it does, everyone who was using that link will be cut off. This isn't because of Shorewall, it's because of how linux routing works.

This is a not-so-trivial problem to solve regardless of how it seems. I for one haven't found an elegant solution (using Linux!) for the circuit load-balancing/failover problem in a dual-ISP scenario. Perhaps if someone is aware of one they can offer some links/insight?

Cheers.

--
Diego Rivera
Director / System Operations
Roundbox Global : enterprise : technology : genius
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
email: diego.rivera@rbxglobal.com | www.rbxglobal.com
On 20/09/2009 23:39, Diego Rivera wrote:
> Also, if you're looking for resiliency and fault tolerance, this isn't
> going to do it for you either. That you'll have no choice but to
> implement yourself (i.e. dynamically swapping default routes and
> whatnot). Importantly, the load balancing function of shorewall works
> fine until one of the links goes down. When it does, everyone who was
> using that link will be cut off. This isn't because of Shorewall, it's
> because of how linux routing works.
>
> This is a not-so-trivial problem to solve regardless of how it seems. I
> for one haven't found an elegant solution (using Linux!) for the circuit
> load-balancing/failover problem in a dual-ISP scenario. Perhaps if
> someone is aware of one they can offer some links/insight?

Since you're using two (or more) different ISPs with IP pools coming from those ISPs, the failover will never be really clean.

Having a /24 attributed to your company with redundant routers and redundant ISPs will allow you to announce this /24 on both ISPs' networks (providing they do support BGP) and will be clean.
Laurent CARON wrote:
> If your DSL link goes down, your ppp0 device disappears, and the scripts
> in /etc/ppp/ip-down.d/ are executed so you can take the appropriate
> measures.

I have placed "/sbin/shorewall restart" in a file in the ip-up.d directory. It still seems to be unreliable, though. I'd really like it if the device could stick around.

> Are you sure your modem can't take on its WAN side the 1st public IP
> address, and then attribute on the LAN side one of the public IP
> addresses from the public range?

Yes, I'm sure. If I activate the modem's built-in PPPoE, it will terminate the PPP protocol within the modem. The modem does have an option to enable transparent bridging, but unfortunately, it only forwards a single IP address (the address allocated by PPP), and drops traffic intended for all other IP addresses.

My ISP is AT&T DSL, and their so-called "static" IP addresses are really an abuse of the PPP and PPPoE specifications. The PPP protocol is only completed for a single IP address, and the other addresses are just passed through the same link, so unless the administrator manually adds them (via alias devices in Linux, for example), they will be unusable. It's a shame that a PPP negotiation session can't be done for each IP address in parallel.

Josh
Justin Pryzby wrote:
> You might be interested to add the ppp device to:
>
> /etc/default/shorewall:wait_interface

Thanks. I tried that a while ago, but unfortunately, all it does is stall out the startup of Shorewall until that interface is up. Using this option, if one of the WAN connections is down, then Shorewall is blocked and won't be started!

I was hoping for something that would give some fault tolerance, and allow Shorewall to continue operating, even when some of the WAN connections are down.

Josh
shorewall@krellan.com
2009-Sep-20 22:08 UTC
Re: [SPAM] Re: Dual WAN reliability help needed
Diego Rivera wrote:
> Also, if you're looking for resiliency and fault tolerance, this isn't going to
> do it for you either. That you'll have no choice but to implement yourself
> (i.e. dynamically swapping default routes and whatnot). Importantly, the load
> balancing function of shorewall works fine until one of the links goes down.
> When it does, everyone who was using that link will be cut off. This isn't
> because of Shorewall, it's because of how linux routing works.

That's a shame. I kind of guessed that it would be a non-trivial problem. My script now changes the route with "ip default route". I wonder if it will also need to rewrite some of Shorewall's configuration files, to try and steer traffic such that it avoids links that are down.

> This is a not-so-trivial problem to solve regardless of how it seems. I for one
> haven't found an elegant solution (using Linux!) for circuit
> load-balancing/failover problem in a dual-ISP scenario. Perhaps if someone is
> aware of one they can offer some links/insight?

Have you found a solution using another product, perhaps a dedicated piece of hardware? The Peplink Balance 20L router looks intriguing.

Josh
Roberto C. Sánchez wrote:
> Unfortunately, since you do not really provide relevant details about
> your setup, my suggestions below are only guesses.

I'll try to capture some details with "shorewall dump" next time the problems happen.

> I think that it is. I have a Lenny repository that has those packages:
>
> http://people.connexer.com/~roberto/debian/

Nice! Your repository is a good idea, but the next thing I was going to try would be to install Shorewall from source, and remove the Debian version entirely.

> The output of 'shorewall dump' at various stages (e.g., started with
> both providers and interfaces up and available, after one or the other
> interface has gone down, etc.).

OK, thanks. Would any additional information about my setup help?

Josh
shorewall@krellan.com
2009-Sep-20 22:17 UTC
Re: [SPAM] Re: Dual WAN reliability help needed
Laurent CARON wrote:
> Since you're using two (or more) different ISPs with IP pools coming
> from those ISPs, the failover will never be really clean.

I understand that, and know that connections will be lost when one ISP goes down. I do want the ability to make new connections, though, using the remaining ISP.

> Having a /24 attributed to your company with redundant routers and
> redundant ISPs will allow you to announce this /24 on both ISPs' networks
> (providing they do support BGP) and will be clean.

That would be sweet indeed. Unfortunately, I'm just a residential connection. Besides, wouldn't very powerful routers be needed, and I'd need my own ASN number as well, to truly have my own IP addresses that would be independent of any ISP going down?

Josh
On 21/09/2009 00:17, shorewall@krellan.com wrote:
> That would be sweet indeed. Unfortunately, I'm just a residential
> connection. Besides, wouldn't very powerful routers be needed, and I'd
> need my own ASN number as well, to truly have my own IP addresses that
> would be independent of any ISP going down?

Yup, you would need your own AS also.
On 21/09/2009 00:03, shorewall@krellan.com wrote:
> Yes, I'm sure. If I activate the modem's built-in PPPoE, it will
> terminate the PPP protocol within the modem. The modem does have an
> option to enable transparent bridging, but unfortunately, it only
> forwards a single IP address (the address allocated by PPP), and drops
> traffic intended for all other IP addresses.
>
> My ISP is AT&T DSL, and their so-called "static" IP addresses are really
> an abuse of the PPP and PPPoE specifications. The PPP protocol is only
> completed for a single IP address, and the other addresses are just
> passed through the same link, so unless the administrator manually adds
> them (via alias devices in Linux, for example), they will be unusable.
> It's a shame that a PPP negotiation session can't be done for each IP
> address in parallel.

Here is how it works on my DSL link. I've got an interconnection IP which is used by the router itself, and a netblock (/27) routed through the interconnection IP. All my IP addresses are also passed through the same link (which is the way it works).

Can you say which model of DSL modem you have?
Pablo Sebastian Greco
2009-Sep-20 22:56 UTC
Re: [SPAM] Re: Dual WAN reliability help needed
On 20/09/2009 19:17, shorewall@krellan.com wrote:
> Laurent CARON wrote:
>
>> Since you're using two (or more) different ISPs with IP pools coming
>> from those ISPs, the failover will never be really clean.
>>
> I understand that, and know that connections will be lost when one ISP
> goes down. I do want the ability to make new connections, though, using
> the remaining ISP.
>
>
>> Having a /24 attributed to your company with redundant routers and
>> redundant ISPs will allow you to announce this /24 on both ISPs' networks
>> (providing they do support BGP) and will be clean.
>>
> That would be sweet indeed. Unfortunately, I'm just a residential
> connection. Besides, wouldn't very powerful routers be needed, and I'd
> need my own ASN number as well, to truly have my own IP addresses that
> would be independent of any ISP going down?
>
>
I don't use shorewall's multiISP, I use my own scripts, but this should apply too. After you change the default route, I would recommend doing the following to delete everything that was going through the "down" connection.

    ip route flush cache
    conntrack -F

HTH
Pablo
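The ping-driven "ip route replace" watchdog Josh describes in his first message, combined with Pablo's post-failover cleanup above, as an added example that is not part of this thread or of Shorewall itself. Interface names, gateway addresses and probe hosts are constructed placeholders; the decision logic is kept in pure functions so it can be checked without root or a live link.

```shell
#!/bin/sh
# Added example, not from the thread: a small dual-WAN watchdog in the spirit of
# Josh's ping script, with Pablo's cleanup after a route change.
# Interface names, gateways and probe hosts are constructed placeholders.

CABLE_IF="eth1";  CABLE_GW="192.0.2.1";    CABLE_PROBE="192.0.2.254"
DSL_IF="ppp0";    DSL_GW="198.51.100.1";   DSL_PROBE="198.51.100.254"
INTERVAL=10   # seconds between probe rounds

# link_state IFACE PROBE -> prints "up" or "down".
# A device that no longer exists (ppp0 after the PPP session drops) is down
# without probing; otherwise three pings are sent out through IFACE.
link_state() {
    [ -e "/sys/class/net/$1" ] || { echo down; return; }
    if ping -c 3 -W 2 -I "$1" "$2" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# route_command CABLE_STATE DSL_STATE -> prints the 'ip route replace' command
# for that combination, or "none" when no link is usable. Pure function: all
# failover decisions live here so they can be tested without touching the kernel.
route_command() {
    case "$1/$2" in
        up/up)   echo "ip route replace default scope global" \
                      "nexthop via $CABLE_GW dev $CABLE_IF weight 1" \
                      "nexthop via $DSL_GW dev $DSL_IF weight 1" ;;
        up/down) echo "ip route replace default via $CABLE_GW dev $CABLE_IF" ;;
        down/up) echo "ip route replace default via $DSL_GW dev $DSL_IF" ;;
        *)       echo none ;;
    esac
}

# cleanup_commands -> the steps Pablo recommends after the default route moves.
# Note: 'conntrack -F' drops every tracked connection, including those that were
# healthy on the surviving link; those flows re-establish on their next packet.
cleanup_commands() {
    echo "ip route flush cache"
    echo "conntrack -F"
}

# apply CABLE_STATE DSL_STATE -> run the route change and cleanup for a new state.
apply() {
    cmd=$(route_command "$1" "$2")
    if [ "$cmd" = none ]; then
        logger -t wanwatch "both links down; leaving routes untouched"
        return
    fi
    logger -t wanwatch "cable=$1 dsl=$2: $cmd"
    $cmd || return 1
    cleanup_commands | while read -r step; do $step; done
}

# watchdog -> probe both links forever; act only when the up/down pattern
# changes, so a stable situation never rewrites the routing table.
watchdog() {
    last=""
    while :; do
        c=$(link_state "$CABLE_IF" "$CABLE_PROBE")
        d=$(link_state "$DSL_IF" "$DSL_PROBE")
        if [ "$c/$d" != "$last" ]; then
            apply "$c" "$d"
            last="$c/$d"
        fi
        sleep "$INTERVAL"
    done
}

# Run the loop only when invoked as 'wanwatch.sh run' (needs root for ip/conntrack).
if [ "${1:-}" = run ]; then
    watchdog
fi
```

A ppp ip-down.d hook (Laurent's suggestion) can call `apply` with the DSL side forced to "down" instead of waiting for the next probe round.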
On Sun, Sep 20, 2009 at 03:13:19PM -0700, JoSH Lehan wrote:
> Roberto C. Sánchez wrote:
> > Unfortunately, since you do not really provide relevant details about
> > your setup, my suggestions below are only guesses.
>
> I'll try to capture some details with "shorewall dump" next time the
> problems happen.
>
For troubleshooting problems, that is really a necessity.

> > I think that it is. I have a Lenny repository that has those packages:
> >
> > http://people.connexer.com/~roberto/debian/
>
> Nice! Your repository is a good idea, but the next thing I was going to
> try would be to install Shorewall from source, and remove the Debian
> version entirely.
>
I am the maintainer of the official Debian Shorewall packages. However, since I run Lenny on my servers and want the latest Shorewall packages on them, I create a set of Lenny packages for each set of packages I create for Sid. I figure that they might be useful to other folks, so I make them available on my website.

> > The output of 'shorewall dump' at various stages (e.g., started with
> > both providers and interfaces up and available, after one or the other
> > interface has gone down, etc.).
>
> OK, thanks. Would any additional information about my setup help?
>
Nope. Everything relevant will be in the output of 'shorewall dump'.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
I know of routers by Cisco (perhaps linksys, others?) that are able to handle multiple uplinks in a load-balancing/failover scenario elegantly. I'm afraid I don't have the models handy right now. However, don't expect them to be cheap since this sort of solution is usually reserved for corporate customers for whom the loss of internet connectivity is a big no-no.

I'll forward whatever I find when I get back to the office from vacation.

Cheers.

shorewall@krellan.com wrote:
> Have you found a solution using another product, perhaps a dedicated
> piece of hardware? The Peplink Balance 20L router looks intriguing.
>
> Josh

--
Diego Rivera
Director / System Operations
Roundbox Global : enterprise : technology : genius
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
email: diego.rivera@rbxglobal.com | www.rbxglobal.com
> Have you found a solution using another product, perhaps a dedicated
> piece of hardware? The Peplink Balance 20L router looks intriguing.
>
> Josh

This is interesting. Any members here with experience of this hardware?
> On 21/09/2009 00:17, shorewall@krellan.com wrote:
> > That would be sweet indeed. Unfortunately, I'm just a residential
> > connection. Besides, wouldn't very powerful routers be needed, and I'd
> > need my own ASN number as well, to truly have my own IP addresses that
> > would be independent of any ISP going down?
>
> Yup, you would need your own AS also.

What's an ASN number?
JoSH Lehan wrote:
> Hello! I've been running Shorewall for a few years now, and it's
> performed well.
>
> I have a non-trivial setup, though, and it is rough around the edges
> when trying to deal with it. In particular, I have a dual WAN. One is
> cable modem (DHCP), and another is DSL modem (PPPoE).
>
> What's more, the cable modem is a single IP address that often changes,
> while the DSL modem is a static IP address *range*. There is a "main"
> address that the PPP connection sets up, but it also accepts several
> other nearby addresses. I have this running right now with aliases for
> the ppp0 device.
>
> I've studied this document:
>
> http://shorewall.net/MultiISP.html
>

I would suggest

a) Don't run pppoe on the shorewall box, instead have both your modems run in routing mode and let them handle the pppoe story. ;-)

b) have a look at gwping and swping (section) off the link U mentioned http://www.shorewall.net/MultiISP.html

If you read these carefully U will come up with the solution ...

Cheers,
Harry
>> This is a not-so-trivial problem to solve regardless of how it seems. I for one
>> haven't found an elegant solution (using Linux!) for circuit

It's not Linux to blame, it's the link type you are provided with. (You get whatever you pay for.)

>> load-balancing/failover problem in a dual-ISP scenario. Perhaps if someone is
>> aware of one they can offer some links/insight?

I think there is no such thing as a true fail-over product.

Consider an FTP session going out from an ISP provider in a multi-ISP scenario during which the link fails:
a) the remote FTP server has no idea about your second ISP provider.
b) Once the link fails the session will be off no matter what ...

Till then I'll remain with my shorewall boxes supporting N providers (thanks to VLANs) quite reliably with gwping-like solutions, with the above limitations of course.

Harry
shorewall@krellan.com wrote:
> My ISP is AT&T DSL, and their so-called "static" IP addresses are really
> an abuse of the PPP and PPPoE specifications. The PPP protocol is only
> completed for a single IP address, and the other addresses are just
> passed through the same link, so unless the administrator manually adds
> them (via alias devices in Linux, for example), they will be unusable.
> It's a shame that a PPP negotiation session can't be done for each IP
> address in parallel.

That's actually the normal way of doing it - your router gets one address, and further addresses are simply routed to it. If your modem doesn't cope with that then that's your end that's at fault. I can imagine a lot of consumer grade equipment being unable to do it.

shorewall@krellan.com wrote:
> > Having a /24 attributed to your company with redundant routers and
> > redundant ISPs will allow you to announce this /24 on both ISPs network
> > (providing they do support BGP) and will be clean.
>
> That would be sweet indeed. Unfortunately, I'm just a residential
> connection. Besides, wouldn't very powerful routers be needed, and I'd
> need my own ASN number as well, to truly have my own IP addresses that
> would be independent of any ISP going down?

You don't need powerful routers - I believe you can do BGP4 with a Linux box.

Linux Advocate wrote:
> what's an ASN number?

Autonomous System Number. The internet uses BGP4 for passing routing information about. The basic unit is an AS number which identifies a "chunk" of network - and then IP address blocks are associated with an AS number. To be a routable part of the internet, you get an IP allocation and an AS number - you then get to send out a route advertisement through any/all of your connections to peers, and that route gets propagated around so people know where to send packets. If a link goes down, route advertisements stop going out through it and the internet as a whole learns an alternate route to you.

You can advertise routes through each link with a different cost metric (perhaps related to bandwidth costs, or link speed, etc) - so different bits of the internet could reach you by different means.

It's a fascinating subject to get into - we've been considering doing that at work to increase resilience since we run a lot of hosted services for customers.

http://en.wikipedia.org/wiki/Autonomous_system_(Internet)

There is another option no-one has mentioned. There are third parties that will provide a bonded service independent of your ISP. How it works is that they allocate you one or more IP address(es) from their assignment. All your inbound and outbound traffic goes via the third party, and then is encapsulated and routed via whatever connections you have available. At your end, you just need a small router capable of maintaining the multiple encapsulated tunnels and splitting/combining the traffic.

You still have a single point of failure at each end. The router at your end is a failure point (but if it's important then you can keep a spare or have a failover setup). The service provider at the other end is also a SPF, but if you choose right they are big enough to have the engineering setup and staff to manage it - rather than your usual "have you rebooted your router" script based support from your ISP.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
On 21/09/2009 10:50, Simon Hobson wrote:
> That's actually the normal way of doing it - your router gets one
> address, and further addresses are simply routed to it. If your modem
> doesn't cope with that then that's your end that's at fault. I can
> imagine a lot of consumer grade equipment being unable to do it.

I do use SOHO Netopia 2240 and they support it fine (should it help).

> You don't need powerful routers - I believe you can do BGP4 with a Linux box.

We currently run 4 full views with two Dell 1U boxes (for redundancy) without any problem (OpenBSD 4.5).
Simon Hobson wrote:
> That's actually the normal way of doing it - your router gets one
> address, and further addresses are simply routed to it. If your modem
> doesn't cope with that then that's your end that's at fault. I can
> imagine a lot of consumer grade equipment being unable to do it.

I used to have a real routing /30 subnet, a long time ago. It worked exactly as you said: I had an IP address on that routing subnet, and my router had its own IP address on another subnet. My router used both addresses to route everything between them. Worked perfectly.

Unfortunately, with the class of service I have, I no longer have this. Instead, I have a single address, negotiated through PPP (it's PPPoE). I don't have a routing subnet. Instead, I just have a simple IP address, with a unique property: some of its neighbors also get routed to me. So, it's as if I have multiple IP addresses, but I don't have a formal routing subnet, or anything like that.

I'd like to be able to configure these "bonus" IP addresses, and teach my router about them. I've been able to do this in Shorewall by adding static ppp0:0, ppp0:1, ppp0:2, etc. devices. Each of these aliases contains one of my "bonus" IP addresses. The main ppp0 device gets its IP address automatically assigned during the PPP negotiation, as expected.

Josh
Harry Lachanas wrote:
> I think there is no such thing as a true fail-over product.
>
> Consider an FTP session going out from an ISP provider in a multi ISP
> scenario during which the link fails,
> a) the remote FTP server has no idea about your second ISP provider.
> b) Once the link fails the session will be off no matter what ...
>
> Till then I'll remain with my shorewall boxes supporting N providers (
> thanks to vlans ) quite reliably with gwping-like solutions, with the
> above limitations of course.

That's correct, in a casual "dual WAN" setup such as this. There's no coordination between the various broadband providers. It's expected that active sessions will be lost.

The hope is that new sessions can automatically be configured to work correctly, though. New outgoing sessions should automatically be routed among the ISP's that are still up. The goal is to prevent them from somehow erroneously selecting an ISP that is down, thus stalling out the new connection.

Josh
> The hope is that new sessions can automatically be configured to work
> correctly, though. New outgoing sessions should automatically be routed
> among the ISP's that are still up. The goal is to prevent them from
> somehow erroneously selecting an ISP that is down, thus stalling out the
> new connection.
>

Have your modems in router mode ... let them handle the pppoe trouble then.

Your friends are

a) A little ping daemon (a shell script would suffice; read carefully gwping). Also carefully select what to ping: do not ping China or Africa in order to determine your ISP status, ping something closer like your router-modem's external interface if static IP; if not, ping something further down the line.

b) ip route replace default scope global nexthop via 10.0.0.1 dev ethxx weight yy nexthop via 10.0.1.1 weight zz dev eth(X) etc ....

c) Determine your static routes (must go through ISPx for this or that ... like ping ftp.example.org to determine the ISP status if dynamic IP etc etc)

d) To be fancy you can always have a look at ipt_condition (included in xtables addons). I like this module a lot, which I think is misunderstood.

e) coffee and lots of meditation ;-)

If u feel that u need more help don't hesitate to ask.

Harry
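A minimal gwping-style monitor that puts steps a) and b) together: probe each gateway out of its own interface, then rewrite the multipath default route only when the link state changes. This is an added example, not code from the thread, from gwping or from Shorewall; the gateway addresses, interface names, weights and probe interval are constructed placeholders.

```shell
#!/bin/sh
# Added example: gwping-style dual-uplink monitor (not from the thread or Shorewall).
# Constructed placeholders: adjust to your providers. For a PPPoE uplink IF would be
# ppp0 and GW the PPP peer address.
GW1=10.0.0.1; IF1=eth1; W1=2
GW2=10.0.1.1; IF2=eth2; W2=1
INTERVAL=10

# probe_gw <gateway> <iface>: succeed if the gateway answers a ping sent out of
# that interface. Pinging the near gateway (not a distant host) keeps the check
# about the link itself, as the post advises.
probe_gw() {
    ping -c 2 -W 2 -I "$2" "$1" >/dev/null 2>&1
}

# build_route <gw1_up> <gw2_up>: print the argument list for "ip route replace"
# for the given link states (1 = up, 0 = down). Prints nothing when both links
# are down, so the caller keeps the last working route instead of deleting it
# and taking the whole LAN offline on a transient double failure.
build_route() {
    case "$1$2" in
        11) echo "default scope global nexthop via $GW1 dev $IF1 weight $W1 nexthop via $GW2 dev $IF2 weight $W2" ;;
        10) echo "default scope global via $GW1 dev $IF1" ;;
        01) echo "default scope global via $GW2 dev $IF2" ;;
        *)  ;;
    esac
}

# monitor: loop forever; only touch the routing table when the state changes,
# and log every change so an outage is visible in syslog afterwards.
monitor() {
    last=""
    while :; do
        if probe_gw "$GW1" "$IF1"; then s1=1; else s1=0; fi
        if probe_gw "$GW2" "$IF2"; then s2=1; else s2=0; fi
        route=$(build_route "$s1" "$s2")
        if [ -n "$route" ] && [ "$route" != "$last" ]; then
            logger -t gwping "link state $s1$s2: ip route replace $route"
            # shellcheck disable=SC2086  # word-splitting the argument list is intended
            ip route replace $route && last=$route
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as "gwping.sh run", so the file can also be
# sourced to reuse build_route.
case "${1:-}" in
    run) monitor ;;
esac
```

Run it from an init script after Shorewall has started; it changes only the default route, so Shorewall's own rules are left untouched and "shorewall restart" is not needed on a link change.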
Harry Lachanas wrote:
> I would suggest
> a) Don't run pppoe on shorewall box, instead have both your modems run
> in routing mode and let them handle the pppoe story. ;-)

If I had just a single IP address coming in, I could do that. Unfortunately, I need to set up multiple IP addresses, so I can't do that.

> b) have a look at gwping and swping ( section ) off the link U
> mentioned http://www.shorewall.net/MultiISP.html

Thanks, I have been looking at those scripts! I'm glad to see some text below, that almost exactly describes my situation: DSL with many "PPPoE static" IP addresses, and Cable with 1 dynamic IP address.

Josh
Roberto C. Sánchez wrote:
> I am the maintainer of the official Debian Shorewall packages. However,
> since I run Lenny on my servers and want the latest Shorewall packages
> on them, I create a set of Lenny packages for each set of packages I
> create for Sid. I figure that they might be useful to other folks, so I
> make them available on my website.

Nice! You would be the best person to ask about a problem I had with the Debian repositories.

4.0.* is in Stable, 4.2.* is in Testing, 4.4.* is in Unstable. However, in Unstable, I couldn't install 4.4 from Debian. It depended on "shorewall" which is not available. This is because "shorewall" is an alias to "shorewall-shell", and as we know, the shellscript version of Shorewall no longer exists, as of 4.4. It's the Perl version, or nothing.

I think aptitude was getting a little confused, as it could not resolve the conflict without removing Shorewall entirely.

I'm glad to see 4.4.1, the latest Shorewall version, is already in the Debian packages repository, though. Any hint on getting it working? Should I edit my sources.list file and/or delete some old Shorewall packages?

Josh
Laurent CARON wrote:
> Here is how it works on my DSL link.
>
> I've got an interconnection IP which is used by the router itself, and a
> netblock (/27) routed through the interconnection IP.

That's really cool. You have a real routing subnet. I have a block of IP addresses, that isn't a real subnet. They're just IP addresses. I could configure them as a subnet, but then I'd lose two of them, as I'd need a dummy "network address" and "broadcast address" in this case.

The Linux box receives one of these IP addresses, negotiated via PPP, when it sets up the PPPoE connection. It appears as the ppp0 interface. I also have some "bonus" IP addresses, that are neighbors of the main IP address for PPP. I have aliases, ppp0:0, ppp0:1, and so on, to grab each of these IP addresses. Linux can see packets coming into each of these IP addresses, and Shorewall is good about writing firewall rules to ensure they each get forwarded to the correct machine on the private side of my LAN.

The regular Ethernet interface, to the DSL modem, appears as the eth1 interface. It is up without an IP address, for use by ppp0. I have an alias, eth1:0, which has an IP address, which is very good for being able to access the administrative page of the DSL modem while still remaining fully online.

If I had a real routing subnet, as I had several years ago, then my routing configuration would be greatly simplified!

Josh

> All my ip addresses are also passed through the same link (which is the
> way it works).

I have two outgoing links. One of them is DSL, over PPPoE, as described above. The other is cable. Cable is simpler, as it has a traditional Ethernet connection (not PPPoE), and gets its IP address via the usual DHCP.

> Can you say which model of DSL modem you do have ?

It's a Siemens SpeedStream 4100.

Josh
Josh, with yr permission, i would like to 'hijack' this thread... :) questions below...

----- Original Message ----
> From: JoSH Lehan <shorewall@krellan.com>
> To: shorewall-users@lists.sourceforge.net
> Sent: Sunday, September 20, 2009 5:13:01 PM
> Subject: [Shorewall-users] Dual WAN reliability help needed
>
> Hello! I've been running Shorewall for a few years now, and it's
> performed well.
>
> I have a non-trivial setup, though, and it is rough around the edges
> when trying to deal with it. In particular, I have a dual WAN. One is
> cable modem (DHCP), and another is DSL modem (PPPoE).
>
> What's more, the cable modem is a single IP address that often changes,
> while the DSL modem is a static IP address *range*. There is a "main"
> address that the PPP connection sets up, but it also accepts several
> other nearby addresses. I have this running right now with aliases for
> the ppp0 device.

Currently we have an adsl line (dynamic ip). We will be getting a new wimax line (dynamic ip). I intend to 'bond' both of these lines for users (soho environment) to have more bandwidth. And also to provide redundancy as the adsl line is a little erratic in my area and we do have outages of a few hours sometime.

> I've studied this document:
>
> http://shorewall.net/MultiISP.html
>
> There are 3 main problems I have:
>
> 1) If the router is rebooted while either the cable or the DSL is down,
> Shorewall won't come up It requires *both* interfaces to be fully
> active before Shorewall will start. If either is down, my firewall is
> DOA, requiring manual intervention.

Will my new setup (dynamic ip only for both connections) also be affected by this problem?

> I was hoping to set up a dual WAN setup for redundancy and safety, and
> unfortunately instead, this makes it *more* brittle.
>
> 2) Shorewall is a one-shot deal: it exists just to configure the
> kernel's firewall settings. There's no active monitor that can stay
> around and take care of things if either the cable or the DSL goes down.

Can't the swping or lsm scripts help?

If anyone has a similar setup (two internet lines, both dynamic ip) working, i would like to learn how u did it.

Thanx,
marco.
> ----- Original Message ----
> From: JoSH Lehan <shorewall@krellan.com>
> To: shorewall-users@lists.sourceforge.net
> Sent: Sunday, September 20, 2009 5:13:01 PM
> Subject: [Shorewall-users] Dual WAN reliability help needed
>
> Currently we have an adsl line ( dynamic ip ). We will be getting a new
> wimax line ( dynamic ip).
> I intend to 'bond' both of these lines for users(soho environment) to have
> more bandwidth. And also to provide redundancy as the adsl line is a little
> erratic in my area and we do have outages of a few hours sometime.
>

I have a similar setup here with two adsl lines. The traffic is balanced between both the lines and fails over to the other in case one drops.

> 1) If the router is rebooted while either the cable or the DSL is down,
> Shorewall won't come up It requires *both* interfaces to be fully
> active before Shorewall will start.
>

I'm guessing you forgot to place the "optional" option in the interfaces file.

> 2) Shorewall is a one-shot deal: it exists just to configure the
> kernel's firewall settings. There's no active monitor that can stay
> around and take care of things if either the cable or the DSL goes down.
>

If the shorewall server does the pppoe then you can just place a "shorewall -f restart" in ip-up and ip-down scripts. That is what I have done here. But I suppose for the cable you'll have to go with swping or lsm.

-- 
Raghu