Hello,

I'm using Shorewall perl 4.4.1.2 with two pppoe connections, with fail-over and load balancing.

When I upgraded to Shorewall-perl, I saw a bunch of warnings pop up after I start/restart Shorewall. One was about the masq file, wherein instead of using interface names, IP addresses were to be used. So I made the changes to the masq file like so.

#INTERFACE   SOURCE         ADDRESS     PROTO   PORT(S)   IPSEC   MARK
ppp0         $PPP1_IP       $PPP0_IP
ppp1         $PPP0_IP       $PPP1_IP
ppp0         192.168.32.1
ppp1         192.168.32.1

But, after that whenever I restart shorewall, I get a warning that both the providers are down and no default route is added. But both the lines are in fact up and when I revert the changes to the masq file everything goes back to normal. I don't understand how that change in the masq file affected this.

Shorewall -vvv restart output:

Shorewall-generated routing tables and routing rules removed
Adding Providers...
   WARNING: Gateway is not reachable -- Provider BSNL8m (1) not Added
   WARNING: Gateway is not reachable -- Provider BSNL256 (2) not Added
   WARNING: No Default route added (all 'balance' providers are down)
Setting up Traffic Control...

Also, one question I had about "loose" in the providers file. What I understand is that without "loose" all traffic goes through hard-coded paths, while with "loose" there is more ambiguity and more uncertainty as to which outgoing line a packet will take, and thus more "balanced" traffic. Is this the case? Is my understanding correct here? "loose" omits certain route rules, so is that an advantage in terms of more balanced traffic?

Thanks,
--
Raghu Siddarth

------------------------------------------------------------------------------
Come build with us! The BlackBerry® Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9-12, 2009. Register now!
http://p.sf.net/sfu/devconf
On Wed, 2009-09-30 at 10:38 +0530, Rags wrote:
> Hello,
>
> I'm using Shorewall perl 4.4.1.2 with two pppoe connections, with
> fail-over and load balancing.
>
> When I upgraded to Shorewall-perl, I saw a bunch of warnings pop up
> after I start/restart Shorewall. One was about the masq file, wherein
> instead of using interface names, IP addresses were to be used. So I
> made the changes to the masq file like so.
>
> #INTERFACE   SOURCE         ADDRESS     PROTO   PORT(S)   IPSEC   MARK
> ppp0         $PPP1_IP       $PPP0_IP
> ppp1         $PPP0_IP       $PPP1_IP
> ppp0         192.168.32.1
> ppp1         192.168.32.1
>

So it's a variable...

> But, after that whenever I restart shorewall, I get a warning that
> both the providers are down and no default route is added. But both
> the lines are in fact up and when I revert the changes to the masq
> file everything goes back to normal.

Sorry, but revert to what config?

> I don't understand how that change in the masq file affected this.
>

How have you setup PPP0_IP, PPP1_IP in the params file?

Jerry
On Wed, Sep 30, 2009 at 11:02 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> On Wed, 2009-09-30 at 10:38 +0530, Rags wrote:
> > Hello,
> >
> > I'm using Shorewall perl 4.4.1.2 with two pppoe connections, with
> > fail-over and load balancing.
> >
> > When I upgraded to Shorewall-perl, I saw a bunch of warnings pop up
> > after I start/restart Shorewall. One was about the masq file, wherein
> > instead of using interface names, IP addresses were to be used. So I
> > made the changes to the masq file like so.
> >
> > #INTERFACE   SOURCE         ADDRESS     PROTO   PORT(S)   IPSEC   MARK
> > ppp0         $PPP1_IP       $PPP0_IP
> > ppp1         $PPP0_IP       $PPP1_IP
> > ppp0         192.168.32.1
> > ppp1         192.168.32.1
> >
>
> So it's a variable...
>

Sorry, I should have posted the original file. This is what it was earlier with shorewall-shell.

#INTERFACE   SOURCE         ADDRESS     PROTO
ppp0         $PPP1_IP       $PPP0_IP
ppp1         $PPP0_IP       $PPP1_IP
ppp0         eth0
ppp1         eth0

This works, but with the aforementioned warning. What I had changed was the LAN interface (eth0) to the IP address.

> > But, after that whenever I restart shorewall, I get a warning that
> > both the providers are down and no default route is added. But both
> > the lines are in fact up and when I revert the changes to the masq
> > file everything goes back to normal.
>
> Sorry, but revert to what config?
>

With eth0 in the source field.

> > I don't understand how that change in the masq file affected this.
> >
>
> How have you setup PPP0_IP, PPP1_IP in the params file?
>

Like so:

PPP0_IP=$(find_first_interface_address_if_any ppp0)
PPP1_IP=$(find_first_interface_address_if_any ppp1)

Thanks,
--
Raghu
Rags wrote:
> On Wed, Sep 30, 2009 at 11:02 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
>
>     On Wed, 2009-09-30 at 10:38 +0530, Rags wrote:
>     > Hello,
>     >
>     > I'm using Shorewall perl 4.4.1.2 with two pppoe connections, with
>     > fail-over and load balancing.
>     >
>     > When I upgraded to Shorewall-perl, I saw a bunch of warnings pop up
>     > after I start/restart Shorewall. One was about the masq file, wherein
>     > instead of using interface names, IP addresses were to be used. So I
>     > made the changes to the masq file like so.
>     >
>     > #INTERFACE   SOURCE         ADDRESS     PROTO   PORT(S)   IPSEC   MARK
>     > ppp0         $PPP1_IP       $PPP0_IP
>     > ppp1         $PPP0_IP       $PPP1_IP
>     > ppp0         192.168.32.1
>     > ppp1         192.168.32.1
>     >
>
>     So it's a variable...
>
>
> Sorry, I should have posted the original file. This is what it was
> earlier with shorewall-shell.
>
> #INTERFACE   SOURCE         ADDRESS     PROTO
> ppp0         $PPP1_IP       $PPP0_IP
> ppp1         $PPP0_IP       $PPP1_IP
> ppp0         eth0
> ppp1         eth0
>
> This works, but with the aforementioned warning. What I had changed was
> the LAN interface (eth0) to the IP address.

You want the NETWORK address (probably 192.168.32.0/24), not the HOST address (192.168.32.1). There is a complete example of this at http://www.shorewall.net/LennyToSqueeze.html#masq

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Thu, 2009-10-01 at 09:19 +0530, Rags wrote:
> On Wed, Sep 30, 2009 at 11:02 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
>     On Wed, 2009-09-30 at 10:38 +0530, Rags wrote:
>     > Hello,
>     >
>     > I'm using Shorewall perl 4.4.1.2 with two pppoe connections, with
>     > fail-over and load balancing.
>     >
>     > When I upgraded to Shorewall-perl, I saw a bunch of warnings pop up
>     > after I start/restart Shorewall. One was about the masq file, wherein
>     > instead of using interface names, IP addresses were to be used. So I
>     > made the changes to the masq file like so.
>     >
>     > #INTERFACE   SOURCE         ADDRESS     PROTO   PORT(S)   IPSEC   MARK
>     > ppp0         $PPP1_IP       $PPP0_IP
>     > ppp1         $PPP0_IP       $PPP1_IP
>     > ppp0         192.168.32.1
>     > ppp1         192.168.32.1
>     >
>
>     So it's a variable...
>
> Sorry, I should have posted the original file. This is what it was
> earlier with shorewall-shell.
>
> #INTERFACE   SOURCE         ADDRESS     PROTO
> ppp0         $PPP1_IP       $PPP0_IP
> ppp1         $PPP0_IP       $PPP1_IP
> ppp0         eth0
> ppp1         eth0
>
> This works, but with the aforementioned warning. What I had changed
> was the LAN interface (eth0) to the IP address.

192.168.32.0 is your local lan, right? Did you really intend to masq just 192.168.32.1, or is that meant for the entire local lan connected to eth0? If it's the entire lan you want, I think you may want to use 192.168.32.0/<mask of lan> instead. Replace <mask of lan> with what your network on eth0 needs to use.

Perhaps you would have better luck using 'detect' in place of $PPPX_IP, something like:

ppp0         0.0.0.0/0      detect
ppp1         0.0.0.0/0      detect

Your local lan and the firewall's external ip addresses are covered with less rules this way.

>     > But, after that whenever I restart shorewall, I get a warning that
>     > both the providers are down and no default route is added. But both
>     > the lines are in fact up and when I revert the changes to the masq
>     > file everything goes back to normal.
>
>     Sorry, but revert to what config?
>
> With eth0 in the source field.
>

See above, lan or single box?

>     > I don't understand how that change in the masq file affected this.
>     >
>
>     How have you setup PPP0_IP, PPP1_IP in the params file?
>
> Like so:
>
> PPP0_IP=$(find_first_interface_address_if_any ppp0)
> PPP1_IP=$(find_first_interface_address_if_any ppp1)
>
> Thanks,
>

find_first_interface_address_if_any ppp0 will return 0.0.0.0 if the interface is non-existent.

Hope this helps,

Jerry
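The two masq-file points raised in the thread (Tom: the SOURCE column wants the LAN network, 192.168.32.0/24, not the host 192.168.32.1; Jerry: a $VAR set from find_first_interface_address_if_any expands to 0.0.0.0 when the interface did not exist, and 'detect' in the ADDRESS column avoids the variables altogether) can be turned into a small pre-restart check. The checker below is an added example written for this thread; it is not Shorewall code and does not know Shorewall's real parser. The column layout, the interface names and the 192.168.32.x addresses come from the thread; the function names (lint_masq, classify_source), the /24 LAN mask and the external address 203.0.113.10 are assumptions constructed for the example.

```python
"""Sanity-check the SOURCE column of a Shorewall 'masq' file.

Added example for the mailing-list thread above; not Shorewall code.
It flags three things the thread discusses:
  * an interface name (eth0) in SOURCE, which Shorewall-perl warns about;
  * a single LAN host (192.168.32.1) where the whole LAN was meant;
  * a $VAR that expanded to 0.0.0.0 (interface absent when params ran).
"""
import ipaddress
import re

# Constructed samples modelled on the three masq files seen in the thread.
SHELL_ERA_MASQ = """\
#INTERFACE   SOURCE         ADDRESS     PROTO
ppp0         $PPP1_IP       $PPP0_IP
ppp1         $PPP0_IP       $PPP1_IP
ppp0         eth0
ppp1         eth0
"""

HOST_ADDR_MASQ = """\
#INTERFACE   SOURCE         ADDRESS     PROTO
ppp0         $PPP1_IP       $PPP0_IP
ppp1         $PPP0_IP       $PPP1_IP
ppp0         192.168.32.1
ppp1         192.168.32.1
"""

FIXED_MASQ = """\
#INTERFACE   SOURCE             ADDRESS
ppp0         0.0.0.0/0          detect
ppp1         0.0.0.0/0          detect
ppp0         192.168.32.0/24
ppp1         192.168.32.0/24
"""

# Constructed params values: ppp1 was down when params ran, so (per Jerry)
# find_first_interface_address_if_any returned 0.0.0.0 for it.
SAMPLE_PARAMS = {"PPP0_IP": "203.0.113.10", "PPP1_IP": "0.0.0.0"}

VAR_RE = re.compile(r"\$(\w+)")


def expand(value, params):
    """Substitute $VAR references as the shell would; an unset VAR becomes ''."""
    return VAR_RE.sub(lambda m: params.get(m.group(1), ""), value)


def classify_source(src):
    """Classify one SOURCE field: empty, detect, unset-interface, host, network, interface."""
    if src in ("", "-"):
        return "empty"
    if src == "detect":
        return "detect"
    if src == "0.0.0.0":
        return "unset-interface"          # variable from a missing interface
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return "interface"                # e.g. eth0: a name, not an address
    return "host" if net.num_addresses == 1 else "network"


def lint_masq(text, params, lan="192.168.32.0/24"):
    """Return a list of warning strings, one per suspicious masq line."""
    lan_net = ipaddress.ip_network(lan)   # assumed LAN; /24 is a guess from the thread
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and the header line
        fields = line.split()
        if len(fields) < 2:
            continue
        iface, source = fields[0], expand(fields[1], params)
        kind = classify_source(source)
        if kind == "interface":
            warnings.append(f"line {lineno} ({iface}): SOURCE '{source}' is an "
                            f"interface name; use an address or network instead")
        elif kind == "unset-interface":
            warnings.append(f"line {lineno} ({iface}): SOURCE expands to 0.0.0.0; "
                            f"was the interface up when params ran? Consider 'detect'")
        elif kind == "host" and ipaddress.ip_address(source) in lan_net:
            warnings.append(f"line {lineno} ({iface}): SOURCE {source} is a single "
                            f"host; did you mean the network {lan_net}?")
    return warnings


if __name__ == "__main__":
    for name, text in (("shell-era", SHELL_ERA_MASQ),
                       ("host-address", HOST_ADDR_MASQ),
                       ("fixed", FIXED_MASQ)):
        print(f"== {name} ==")
        for w in lint_masq(text, SAMPLE_PARAMS) or ["no warnings"]:
            print("  " + w)
```

Run against the three samples, the shell-era file and the host-address file each produce three warnings (two for eth0 or 192.168.32.1, one for the $PPP1_IP line that expanded to 0.0.0.0), while the 'detect' plus network version produces none. The checker only inspects SOURCE; it deliberately says nothing about the ADDRESS column or about the provider-down warnings, which Tom later explains are unrelated to the masq file.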
On Thu, Oct 1, 2009 at 8:41 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> On Thu, 2009-10-01 at 09:19 +0530, Rags wrote:
> > On Wed, Sep 30, 2009 at 11:02 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
> >     On Wed, 2009-09-30 at 10:38 +0530, Rags wrote:
> >     > Hello,
> >     >
> >     > I'm using Shorewall perl 4.4.1.2 with two pppoe connections, with
> >     > fail-over and load balancing.
> >     >
> >     > When I upgraded to Shorewall-perl, I saw a bunch of warnings pop up
> >     > after I start/restart Shorewall. One was about the masq file, wherein
> >     > instead of using interface names, IP addresses were to be used. So I
> >     > made the changes to the masq file like so.
> >     >
> >     > #INTERFACE   SOURCE         ADDRESS     PROTO   PORT(S)   IPSEC   MARK
> >     > ppp0         $PPP1_IP       $PPP0_IP
> >     > ppp1         $PPP0_IP       $PPP1_IP
> >     > ppp0         192.168.32.1
> >     > ppp1         192.168.32.1
> >     >
> >
> >     So it's a variable...
> >
> > Sorry, I should have posted the original file. This is what it was
> > earlier with shorewall-shell.
> >
> > #INTERFACE   SOURCE         ADDRESS     PROTO
> > ppp0         $PPP1_IP       $PPP0_IP
> > ppp1         $PPP0_IP       $PPP1_IP
> > ppp0         eth0
> > ppp1         eth0
> >
> > This works, but with the aforementioned warning. What I had changed
> > was the LAN interface (eth0) to the IP address.
>
> 192.168.32.0 is your local lan, right? Did you really intend to masq just
> 192.168.32.1, or is that meant for the entire local lan connected to
> eth0? If it's the entire lan you want, I think you may want to use
> 192.168.32.0/<mask of lan> instead. Replace <mask of lan> with what your
> network on eth0 needs to use.
>
> Perhaps you would have better luck using 'detect' in place of $PPPX_IP,
> something like:
>
> ppp0         0.0.0.0/0      detect
> ppp1         0.0.0.0/0      detect
>
> Your local lan and the firewall's external ip addresses are covered with
> less rules this way.
>

That did the trick! So I had to use the detect option instead of the macros. I've added the proper lan network address as well.

The weird thing is I never touched those lines; they worked perfectly fine before. So removing the interface name messed with the macros, I suppose.

Thank you for your help.

> > Like so:
> >
> > PPP0_IP=$(find_first_interface_address_if_any ppp0)
> > PPP1_IP=$(find_first_interface_address_if_any ppp1)
> >
> > Thanks,
> >
>
> find_first_interface_address_if_any ppp0 will return 0.0.0.0 if the
> interface is non-existent.
>

So does this mean that "find_first_interface_address_if_any" can't be used now?

Thanks,
--
Raghu
Rags wrote:
> On Thu, Oct 1, 2009 at 8:41 PM, Jerry Vonau <jvonau@shaw.ca> wrote:
>
>     192.168.32.0 is your local lan, right? Did you really intend to masq just
>     192.168.32.1, or is that meant for the entire local lan connected to
>     eth0? If it's the entire lan you want, I think you may want to use
>     192.168.32.0/<mask of lan> instead. Replace <mask of lan> with what your
>     network on eth0 needs to use.
>
>     Perhaps you would have better luck using 'detect' in place of $PPPX_IP,
>     something like:
>
>     ppp0         0.0.0.0/0      detect
>     ppp1         0.0.0.0/0      detect
>
>     Your local lan and the firewall's external ip addresses are covered with
>     less rules this way.
>
>
> That did the trick! So I had to use the detect option instead of the
> macros. I've added the proper lan network address as well.
>
> The weird thing is I never touched those lines; they worked perfectly
> fine before. So removing the interface name messed with the macros, I
> suppose.

No chance!

>
> Thank you for your help.
>
>     > Like so:
>     >
>     > PPP0_IP=$(find_first_interface_address_if_any ppp0)
>     > PPP1_IP=$(find_first_interface_address_if_any ppp1)
>     >
>     > Thanks,
>     >
>
>     find_first_interface_address_if_any ppp0 will return 0.0.0.0 if the
>     interface is non-existent.
>
>
> So does this mean that "find_first_interface_address_if_any" can't
> be used now?

find_first_interface_address_if_any() hasn't changed since it was originally written.

The symptoms that you originally reported have *nothing* to do with the /etc/shorewall/masq file. Your problem was that both of your providers were being reported as down; that occurs well before the rules in the masq file are instantiated, and the logic is independent of the masq file. Your problem likely had something to do with lsm and/or the status files that the 'isusable' script looks for.

One possibility is that you copied the lib.private example in the MultiISP document verbatim; that script previously had an incorrect directory name (/etc/shorewall vs ${VARDIR}).

Regarding your question about 'loose' -- 'loose' omits the routing rules necessary for certain applications[1] running on the firewall to work correctly. My configuration (the one in the "Complete Example") uses 'loose' because without 'loose', there is one routing rule generated per external IP address. I prefer to hand-code a single rule in /etc/shorewall/route_rules.

-Tom

[1] - Those applications that bind to a specific IP address, like openvpn.

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________