Well I'm still having a tough time getting this to work and I can't figure out why, I am most likely missing something or misconfiguring something.

I have two providers, one is local to the box with a static IP (DSL) on its own interface (eth0), the other is on eth1 hanging off a wireless router with a static address (eth1). eth2 serves my LAN at 192.168.1.0/24.

Goal is to use the DSL as the main source and the cable as a backup and route particular traffic over it.

Here is my /etc/network/interfaces:

# eth0
# CenturyLink DSL
auto eth0
iface eth0 inet static
        address 76.5.159.171
        netmask 255.255.255.224
        gateway 76.5.159.161

# virtual interface to DSL modem
auto eth0:0
iface eth0:0 inet static
        address 192.168.2.2
        netmask 255.255.255.0

# eth1
# comcast
# static config towards wireless router
auto eth1
iface eth1 inet static
        address 192.168.10.1
        netmask 255.255.255.0
        gateway 192.168.10.2

# eth2
# interface facing local LAN 10/100/1000
auto eth2
iface eth2 inet static
        address 192.168.1.1
        netmask 255.255.255.0

/etc/shorewall/providers:

#NAME        NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS               COPY
CenturyLink  1       -     main       eth0       76.5.159.161  track,balance         eth2
Comcast      2       -     main       eth1       detect        track,loose,fallback  eth2

If I leave eth1 down, shorewall is happy but will complain about it and start normally. However, when I bring eth1 up, I get two default route entries in the routing tables, which I find odd and I'm not sure how to correct that:

(without eth1 online)
bubastis:/etc/shorewall# ip route list
76.5.159.160/27 dev eth0 proto kernel scope link src 76.5.159.171
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
default via 76.5.159.161 dev eth0

(with eth1 online)
bubastis:/etc/shorewall# ip route list
76.5.159.160/27 dev eth0 proto kernel scope link src 76.5.159.171
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1
default via 192.168.10.2 dev eth1
default via 76.5.159.161 dev eth0

If I attempt to start shorewall with eth1 enabled, I get this error:

Adding Providers...
RTNETLINK answers: File exists
   ERROR: Command "ip -4 route replace default scope global table 254 nexthop via 76.5.159.161 dev eth0 weight 1" Failed
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
/usr/share/shorewall/lib.common: line 63:  6627 Terminated              $SHOREWALL_SHELL $script $options $@

So I'm stuck and largely confused :(

Also worth mentioning, on a separately related issue, that since upgrading to 4.4.11 I am seeing this upon restart:

touch: cannot touch `/var/lock/subsys/shorewall': No such file or directory

Not a big deal as I could probably just make the directory myself, but thought it was worth mentioning....

Thanks,
Stephen

------------------------------------------------------------------------------
The Palm PDK Hot Apps Program offers developers who use the
Plug-In Development Kit to bring their C/C++ apps to Palm for a share
of $1 Million in cash or HP Products. Visit us here for more details:
http://ad.doubleclick.net/clk;226879339;13503038;l?
http://clk.atdmt.com/CRS/go/247765532/direct/01/
On 7/26/10 6:37 PM, Stephen Brown wrote:
> Well I'm still having a tough time getting this to work and I can't
> figure out why, I am most likely missing something or misconfiguring
> something.
>
> I have two providers, one is local to the box with a static IP (DSL) on
> its own interface (eth0), the other is on eth1 hanging off a wireless
> router with a static address (eth1). eth2 serves my LAN at 192.168.1.0/24
>
> Goal is to use the DSL as the main source and the cable as a backup and
> route particular traffic over it.
>
> [...]
>
> However, when I bring eth1 up, I get two default route entries in the
> routing tables, which I find odd and I'm not sure how to correct that:
>
> [...]
>
> If I attempt to start shorewall with eth1 enabled, I get this error:
> Adding Providers...
> RTNETLINK answers: File exists
>    ERROR: Command "ip -4 route replace default scope global table 254
> nexthop via 76.5.159.161 dev eth0 weight 1" Failed
>
> [...]
>
> So I'm stuck and largely confused :(

Remove the default route on eth1 from /etc/network/interfaces.

> Also worth mentioning, on a separately related issue, that since
> upgrading to 4.4.11 I am seeing this upon restart:
> touch: cannot touch `/var/lock/subsys/shorewall': No such file or directory
>
> Not a big deal as I could probably just make the directory myself, but
> thought it was worth mentioning....

Next time that you upgrade Shorewall, DO NOT ALLOW THE UPGRADE TO REPLACE shorewall.conf. To recover now, edit the file and set SUBSYSLOCK=""

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On 7/26/10 9:49 PM, Tom Eastep wrote:
>>
>> So I'm stuck and largely confused :(
>
> Remove the default route on eth1 from /etc/network/interfaces.

And specify it explicitly in /etc/shorewall/providers.

After you modify /etc/network/interfaces, take the interface down and then bring it back up.

-Tom
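The root cause Tom points at above is that ifupdown installs one default route per 'gateway' line, so two provider stanzas in /etc/network/interfaces each carrying a 'gateway' leave two 'default via ...' entries in table main, and Shorewall's later 'ip route replace default ... table 254' then fails with 'RTNETLINK answers: File exists'. The script below is an added example (not part of this thread and not Shorewall code) that parses an interfaces file and reports every secondary interface whose 'gateway' line should move into the GATEWAY column of /etc/shorewall/providers. The sample file is a constructed copy of the poster's interfaces; the function names are this example's own.

```python
"""Lint /etc/network/interfaces for the multi-ISP mistake from the thread:
more than one 'gateway' line means more than one default route in the main
table, which is exactly what makes Shorewall's
'ip -4 route replace default ... table 254' fail with 'File exists'.

Added example, not part of the original mailing-list thread or of Shorewall.
"""

# Constructed copy of the poster's interfaces file.
SAMPLE_INTERFACES = """\
# eth0
# CenturyLink DSL
auto eth0
iface eth0 inet static
    address 76.5.159.171
    netmask 255.255.255.224
    gateway 76.5.159.161

# virtual interface to DSL modem
auto eth0:0
iface eth0:0 inet static
    address 192.168.2.2
    netmask 255.255.255.0

# eth1
# comcast
auto eth1
iface eth1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    gateway 192.168.10.2

# eth2
auto eth2
iface eth2 inet static
    address 192.168.1.1
    netmask 255.255.255.0
"""


def parse_interfaces(text):
    """Return {iface_name: {option: value}} for each 'iface NAME inet METHOD' stanza."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4:
            current = words[1]
            stanzas[current] = {"family": words[2], "method": words[3]}
        elif words[0] in ("auto", "allow-hotplug", "mapping", "source"):
            current = None  # top-level keyword, not an option of the stanza above
        elif current is not None and len(words) >= 2:
            stanzas[current][words[0]] = " ".join(words[1:])
    return stanzas


def default_gateways(text):
    """(iface, gateway) for every stanza with a 'gateway' line; more than one
    entry means ifupdown will install more than one default route in 'main'."""
    return [(name, opts["gateway"])
            for name, opts in parse_interfaces(text).items() if "gateway" in opts]


def lint_multi_isp(text, primary):
    """Interfaces whose 'gateway' line belongs in /etc/shorewall/providers
    instead, leaving only the primary provider's default route to ifupdown."""
    return [name for name, _gw in default_gateways(text) if name != primary]


if __name__ == "__main__":
    for name, gw in default_gateways(SAMPLE_INTERFACES):
        print(f"{name}: gateway {gw}")
    extra = lint_multi_isp(SAMPLE_INTERFACES, primary="eth0")
    if extra:
        print("remove 'gateway' from", ", ".join(extra),
              "and set the GATEWAY column in /etc/shorewall/providers instead")
```

Run against the real file with the primary provider's interface name; anything it lists is a second 'gateway' line that will collide with the routes Shorewall installs. Check the result with 'ip route list' after taking the interface down and up again, as Tom says: only one 'default via' line should remain in the main table before 'shorewall restart'.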
Thanks Tom... this appears to work as intended now, but I need clarification on one additional item.

I simulated a DSL outage by shutting the modem off and restarting shorewall, however I can not route via the cable connection? My initial thought is that Shorewall does not (and has no way of knowing) that eth0 is now dead without testing it, but I'm not sure honestly, would LSM (or another type of method) be beneficial to deal with this?

Stephen

On Tue, Jul 27, 2010 at 09:09, Tom Eastep <teastep@shorewall.net> wrote:
> On 7/26/10 9:49 PM, Tom Eastep wrote:
>>>
>>> So I'm stuck and largely confused :(
>>
>> Remove the default route on eth1 from /etc/network/interfaces.
>
> And specify it explicitly in /etc/shorewall/providers.
>
> After you modify /etc/network/interfaces, take the interface down and
> then bring it back up.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 7/27/10 6:21 AM, Stephen Brown Jr wrote:
> Thanks Tom... this appears to work as intended now, but I need
> clarification on one additional item.
>
> I simulated a DSL outage by shutting the modem off and restarting
> shorewall, however I can not route via the cable connection? My initial
> thought is that Shorewall does not (and has no way of knowing) that eth0
> is now dead without testing it, but I'm not sure honestly, would LSM (or
> another type of method) be beneficial to deal with this?

Yes. And you need to define both interfaces as 'optional' in shorewall.conf.

-Tom
Well I'm *almost* there with this... it's certainly been an adventure and I have learned a TON over the last week.

My final (working) config for /etc/shorewall/providers ended up like this:

#NAME        NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS         COPY
CenturyLink  1       1     main       eth0       76.5.159.161  track,balance   eth2
Comcast      2       2     main       eth1       192.168.10.2  track,fallback  eth2

(sorry for the wrap, but hopefully you get the idea)

If I manually bring eth0 down (CenturyLink) and restart shorewall, I get this message:

bubastis:/home/sbrown# shorewall -f restart
Restarting Shorewall....
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Adding Providers...
   WARNING: Interface eth0 is not usable -- Provider CenturyLink (1) not Added
   WARNING: No Default route added (all 'balance' providers are down)
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
done.

I'm assuming the warning is just that, and can be safely ignored, but I don't understand a default route not being added? I am however able to keep traffic flowing bidirectionally with eth0 being down so I can't really figure that one out, unless it's hitting the gateway as defined in providers (192.168.10.2 in my case). Just trying to understand how this is working....

My next step is to get lsm working satisfactorily to automate this, anything else I could potentially be missing? I am also using packet marking for my VoIP traffic and it's working great :)

Thanks,
Stephen

On 7/27/10 11:12 AM, Tom Eastep wrote:
> On 7/27/10 6:21 AM, Stephen Brown Jr wrote:
>> Thanks Tom... this appears to work as intended now, but I need
>> clarification on one additional item.
>>
>> I simulated a DSL outage by shutting the modem off and restarting
>> shorewall, however I can not route via the cable connection? My initial
>> thought is that Shorewall does not (and has no way of knowing) that eth0
>> is now dead without testing it, but I'm not sure honestly, would LSM (or
>> another type of method) be beneficial to deal with this?
>
> Yes. And you need to define both interfaces as 'optional' in shorewall.conf.
>
> -Tom
Tephe Brown wrote:
> Well I'm *almost* there with this... it's certainly been an adventure
> and I have learned a TON over the last week.
>
> My final (working) config for /etc/shorewall/providers ended up like this:
>
> #NAME        NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY       OPTIONS         COPY
> CenturyLink  1       1     main       eth0       76.5.159.161  track,balance   eth2
> Comcast      2       2     main       eth1       192.168.10.2  track,fallback  eth2
>
> (sorry for the wrap, but hopefully you get the idea)
>
> If I manually bring eth0 down (CenturyLink) and restart shorewall, I get
> this message:
>
> bubastis:/home/sbrown# shorewall -f restart
> Restarting Shorewall....
> Initializing...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Adding Providers...
>    WARNING: Interface eth0 is not usable -- Provider CenturyLink (1) not Added
>    WARNING: No Default route added (all 'balance' providers are down)
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running /sbin/iptables-restore...
> IPv4 Forwarding Enabled
> done.

I think you need to set "optional" in your second provider.

> I'm assuming the warning is just that, and can be safely ignored, but I
> don't understand a default route not being added? I am however able to
> keep traffic flowing bidirectionally with eth0 being down so I can't
> really figure that one out, unless it's hitting the gateway as defined
> in providers (192.168.10.2 in my case). Just trying to understand how
> this is working....
>
> My next step is to get lsm working satisfactorily to automate this,
> anything else I could potentially be missing? I am also using packet
> marking for my VoIP traffic and it's working great :)
>
> Thanks,
> Stephen

-- 
Jorge Armando Medina
Computación Gráfica de México
Web: http://www.e-compugraf.com
Tel: 55 51 40 72, Ext: 124
Email: jmedina@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6 D3AF C574 8422 28E4 0632
On 8/2/10 12:00 PM, Jorge Armando Medina wrote:
>
> I think you need to set "optional" in your second provider.

The 'optional' option in the providers file is deprecated in favor of the same option in the interfaces file (which Steven is obviously setting).

The Warnings are fine.

-Tom
> The 'optional' option in the providers file is deprecated in favor of
> the same option in the interfaces file (which Steven is obviously setting).
>
> The Warnings are fine.
>
> -Tom

Yes indeed :)

net     eth0    detect    tcpflags,optional
net     eth1    detect    tcpflags,optional

Thanks,
Stephen
On 8/2/10 11:44 AM, Stephen Brown wrote:
> I'm assuming the warning is just that, and can be safely ignored, but I
> don't understand a default route not being added? I am however able to
> keep traffic flowing bidirectionally with eth0 being down so I can't
> really figure that one out, unless it's hitting the gateway as defined
> in providers (192.168.10.2 in my case). Just trying to understand how
> this is working....

As I mentioned yesterday, these warnings are fine. They refer to the fact that there is now no default route defined in the main routing table.

The reason that it still works is because you have specified 'fallback' for the other provider; that causes Shorewall to create a default route through that provider in the default routing table which is the 'routing table of last resort'.

-Tom
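Tom's explanation above is the kernel's policy-routing lookup order: the stock 'ip rule' set consults table local (255), then main (254), then default (253), and a destination that finds no route in main falls through to default. A 'balance' provider's default route lives in main; a 'fallback' provider's lives in default, so when eth0 is down and Shorewall prints "No Default route added", Internet-bound traffic still leaves via 192.168.10.2 on eth1. The model below is an added example, not code from the thread or from Shorewall: it parses 'ip route' style text and walks the tables in rule order. The main-table listings are built from the poster's 'ip route list' output; the default-table listing and the function names are this example's own constructions.

```python
"""Model the main -> default table walk that explains why the fallback provider
still carries traffic when the balance provider is down.

Added example, not part of the original mailing-list thread or of Shorewall.
Route text is constructed from the poster's 'ip route list' output; the
'default' table listing is assumed (the thread names the gateway, not the table).
"""
import ipaddress

# 'ip route show table main' with eth0 (CenturyLink) up: the 'balance'
# provider's default route sits in main.
MAIN_ETH0_UP = """\
76.5.159.160/27 dev eth0 proto kernel scope link src 76.5.159.171
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.2
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1
default via 76.5.159.161 dev eth0
"""

# Same table with eth0 down after 'shorewall -f restart' warned
# "No Default route added": only connected routes remain.
MAIN_ETH0_DOWN = """\
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
192.168.10.0/24 dev eth1 proto kernel scope link src 192.168.10.1
"""

# 'ip route show table default' as populated by the 'fallback' provider
# (constructed for this example).
DEFAULT_TABLE = """\
default via 192.168.10.2 dev eth1
"""


def parse_table(text):
    """Parse 'ip route' lines into (network, gateway_or_None, dev) tuples."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        prefix = "0.0.0.0/0" if words[0] == "default" else words[0]
        net = ipaddress.ip_network(prefix, strict=False)
        gw = words[words.index("via") + 1] if "via" in words else None
        dev = words[words.index("dev") + 1]
        routes.append((net, gw, dev))
    return routes


def lookup_table(routes, dst):
    """Longest-prefix match within a single table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def resolve(dst, tables):
    """Walk tables in rule order (main before default, as the stock
    'ip rule' priorities 32766/32767 do; table local is omitted).
    Returns (table_name, gateway, dev), or None for 'Network is unreachable'."""
    for name, routes in tables:
        hit = lookup_table(routes, dst)
        if hit:
            return (name, hit[1], hit[2])
    return None


def scenario(main_text):
    """Resolve an Internet host and a LAN host against main + default."""
    tables = [("main", parse_table(main_text)),
              ("default", parse_table(DEFAULT_TABLE))]
    return {dst: resolve(dst, tables) for dst in ("8.8.8.8", "192.168.1.50")}


if __name__ == "__main__":
    print("eth0 up:  ", scenario(MAIN_ETH0_UP))
    print("eth0 down:", scenario(MAIN_ETH0_DOWN))
```

The model leaves out the per-provider tables and the fwmark rules that Shorewall's 'track' option installs ahead of main for marked and connection-tracked traffic, so it shows only the unmarked path Tom is describing. On the real box the same walk is visible with 'ip rule show', 'ip route show table main' and 'ip route show table default'; the last of these is where the fallback route should appear while eth0 is down.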