Hello, it seems I am hit by http://shorewall.net/MultiISP.html#Local :

"Experience has shown that in some cases, problems occur with applications running on the firewall itself. This is especially true when you have specified routefilter on your external interfaces in /etc/shorewall/interfaces (see above). When this happens, it is suggested that you have the application use specific local IP addresses rather than 0."

My setup is (Fedora 12, shorewall-4.4.6-2.fc12):

interfaces:
loc  eth0  detect
net  eth1  detect  dhcp
net  eth2  detect  dhcp,logmartians=0

providers:
ISP1  1  1  main  eth1  isp1_gw  track,balance  eth0
ISP2  2  2  main  eth2  isp2_gw  track,balance  eth0

route_rules:
eth1  -  ISP1  1000
eth2  -  ISP2  1000

tcrules:
1:P  0.0.0.0/0
1    $FW
2:P  192.168.0.0/24  0.0.0.0/0  tcp  10050,10051,10052,10053,10054

The problem is that some DNS requests and ssh connections from the firewall to outside hang/timeout. shorewall dump shows that some requests are issued via ISP2. The DNS requests problem was cured by adding "query-source ISP1_IP;" to /etc/named.conf. But I don't want to deal with every app. How to make all connections from the firewall go via ISP1? Local masqueraded PCs don't have this problem.

Regards,
Nerijus

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
Nerijus Baliunas wrote:

> route_rules:
> eth1  -  ISP1  1000
> eth2  -  ISP2  1000

What are those for? By default, Shorewall uses the corresponding routing table for traffic arriving on a provider interface.

> The problem is that some DNS requests, ssh connections from firewall to outside
> hang/timeout. shorewall dump shows that some requests are issued via ISP2.
> DNS requests problem was cured by adding "query-source ISP1_IP;"
> to /etc/named.conf. But I don't want to deal with every app. How to make
> all connections from firewall go via ISP1?

I personally would get rid of 'balance' and make eth2 a fallback provider. Be sure that you have turned off all reverse path filtering (route filtering) if you take that approach.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
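As an added illustration of the arrangement Tom suggests (this is not part of the thread and not Nerijus's real files), here is how the interfaces and providers entries from the original post look with 'balance' kept only on ISP1, eth2 turned into a fallback provider, and route filtering switched off. The gateway names isp1_gw/isp2_gw are the placeholders from the original post; the column headers are the ones used in Shorewall's own template files.

```text
# /etc/shorewall/interfaces  (added example, not from the thread)
# No 'routefilter' on either external interface. Reverse path filtering is
# also left off elsewhere: ROUTE_FILTER=No in shorewall.conf and
# net.ipv4.conf.all.rp_filter=0 in sysctl, otherwise replies leaving via
# the "wrong" ISP are dropped as martians.
# eth2 is marked optional so Shorewall starts cleanly while it is down.
#ZONE  INTERFACE  BROADCAST  OPTIONS
loc    eth0       detect
net    eth1       detect     dhcp
net    eth2       detect     dhcp,logmartians=0,optional

# /etc/shorewall/providers  (added example)
# Before (from the original post): both providers carry 'balance', so
# connections that originate on the firewall itself are spread across
# both default routes, which is why some DNS/ssh traffic left via ISP2.
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS        COPY
#ISP1  1       1     main       eth1       isp1_gw  track,balance  eth0
#ISP2  2       2     main       eth2       isp2_gw  track,balance  eth0

# After: ISP1 is the only default route in the main table; ISP2 only adds a
# default route to the 'default' table (253), which the kernel consults
# when no route in main matches, i.e. when eth1 is down.
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS         COPY
ISP1   1       1     main       eth1       isp1_gw  track,balance   eth0
ISP2   2       2     main       eth2       isp2_gw  track,fallback  eth0

# /etc/shorewall/route_rules: the two entries from the original post are
# omitted. As Tom notes above, traffic arriving on a provider interface
# already uses that provider's table, and 'track' makes replies to
# connections that came in on eth2 leave through eth2 again.
```

With this layout nothing on the firewall needs a per-application source address such as the named.conf query-source line, because the only default route new outgoing connections can pick while eth1 is up is ISP1.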
I have shorewall running in an office which has a leased line and a DSL connection. At the moment, the LL terminates on a shorewall box, and the DSL on something else, and hence we have two ways out of (and into) the office. I'd like to do away with the 'something else', and use shorewall only, and to this end I RTFM WRT MultiISP ( http://www.shorewall.net/MultiISP.html ) and it seems fine - I'd like to use LSM as it seems a better solution than swping, for some value of better.

But (you knew there had to be a but, didn't you) I have one question which isn't covered there, or perhaps it is, in a way I didn't see. We pay for traffic on the LL, so I'd like to restrict its use to when the DSL is down, and of course for outgoing packets on incoming connections which have been set up via the LL. The latter is, I think, the rub - it's not simply a failover situation, as in the normal case, both interfaces will be up, but for outgoing connections, I want to always use the DSL, if it's available. How would I go about doing this?

Thanks for any suggestions, and I hope I've made myself clear enough.

__
Kindest regards,
Niall O Broin
Niall O Broin wrote:

> But (you knew there had to be a but, didn't you) I have one question
> which isn't covered there, or perhaps it is, in a way I didn't see.
> We pay for traffic on the LL, so I'd like to restrict its use to when
> the DSL is down, and of course for outgoing packets on incoming
> connections which have been set up via the LL. The latter is, I
> think, the rub - it's not simply a failover situation, as in the
> normal case, both interfaces will be up, but for outgoing
> connections, I want to always use the DSL, if it's available. How
> would I go about doing this? Thanks for any suggestions, and I hope
> I've made myself clear enough.

PLEASE -- do not hijack someone else's thread by replying to it and supplying your own subject. It is extremely irritating to those of us who use a threaded mail reader because your thread is now embedded in the original thread.

The complete example (http://www.shorewall.net/MultiISP.html#Complete) does what you want. In that example, the Avvanta provider is only used from systems that have static IP addresses from that ISP and for responding to connections from the Internet.

-Tom
On 9 Mar 2010, at 16:22, Tom Eastep wrote:

> Niall O Broin wrote:
>
>> But (you knew there had to be a but, didn't you) I have one question
>> which isn't covered there, or perhaps it is, in a way I didn't see.
>> We pay for traffic on the LL, so I'd like to restrict its use to when
>> the DSL is down, and of course for outgoing packets on incoming
>> connections which have been set up via the LL. The latter is, I
>> think, the rub - it's not simply a failover situation, as in the
>> normal case, both interfaces will be up, but for outgoing
>> connections, I want to always use the DSL, if it's available. How
>> would I go about doing this? Thanks for any suggestions, and I hope
>> I've made myself clear enough.
>
> PLEASE -- do not hijack someone else's thread by replying to it and
> supplying your own subject. It is extremely irritating to those of us
> who use a threaded mail reader because your thread is now embedded in
> the original thread.

Sorry - I don't know why I do that - I use a threaded reader myself and I know how annoying that can be. Can we go with "The devil made me do it"?

> The complete example (http://www.shorewall.net/MultiISP.html#Complete)
> does what you want. In that example, the Avvanta provider is only used
> from systems that have static IP addresses from that ISP and for
> responding to connections from the Internet.

Does it though? Surely in that case, those systems will have no internet connection if the Avvanta link goes down? In my case, all the internal systems will have RFC1918 addresses, and they will all use NAT to reach the outside world, preferably via the DSL (unmetered) but in the event of its failure, seamlessly switching to the LL (metered). I say seamlessly, though I presume that existing connections (e.g. ssh, which we would use a lot) would die in the event of a switchover.
Anyway, I guess at this point the thing for me to do is set up a configuration based on http://www.shorewall.net/MultiISP.html#Complete and see where I go from there. Thanks for your prompt help, as always.

__
Kindest regards,
Niall O Broin
Niall O Broin wrote:

> On 9 Mar 2010, at 16:22, Tom Eastep wrote:
>
>> Niall O Broin wrote:
>>
>>> But (you knew there had to be a but, didn't you) I have one
>>> question which isn't covered there, or perhaps it is, in a way I
>>> didn't see. We pay for traffic on the LL, so I'd like to restrict
>>> its use to when the DSL is down, and of course for outgoing
>>> packets on incoming connections which have been set up via the
>>> LL. The latter is, I think, the rub - it's not simply a failover
>>> situation, as in the normal case, both interfaces will be up, but
>>> for outgoing connections, I want to always use the DSL, if it's
>>> available. How would I go about doing this? Thanks for any
>>> suggestions, and I hope I've made myself clear enough.
>> PLEASE -- do not hijack someone else's thread by replying to it and
>> supplying your own subject. It is extremely irritating to those of
>> us who use a threaded mail reader because your thread is now
>> embedded in the original thread.
>
> Sorry - I don't know why I do that - I use a threaded reader myself
> and I know how annoying that can be. Can we go with "The devil made
> me do it"?
>
>
>> The complete example
>> (http://www.shorewall.net/MultiISP.html#Complete) does what you
>> want. In that example, the Avvanta provider is only used from
>> systems that have static IP addresses from that ISP and for
>> responding to connections from the Internet.
>
> Does it though? Surely in that case, those systems will have no
> internet connection if the Avvanta link goes down?

No -- they have internet access natted via Comcast but there are some services, such as outgoing email, that I reject via the Comcast provider (if I don't then Comcast does).
Remember that Avvanta is an optional interface; if it is down, then none of its routing rules are added and outgoing traffic from the hosts with Avvanta addresses is routed out of Comcast.

> In my case, all the internal systems will have RFC1918 addresses, and
> they will all use NAT to reach the outside world, preferably via
> the DSL (unmetered) but in the event of its failure, seamlessly
> switching to the LL (metered).

Which is exactly what happens in my case.

> I say seamlessly, though I presume that existing connections (e.g.
> ssh, which we would use a lot) would die in the event of a
> switchover.

Indeed.

-Tom