Hi Michael,
I have two Shorewall/Quagga routers in production in different cities for
over 6 months with no problems.
Our outbound traffic is Masq'd and we utilise DNAT and conntrack.
Internet traffic could be in via provider A or B and out via
provider A or B (asymmetric routing).
Provider B is a layer two peering point, so the Quagga routing table
contains ~50 different next hops.
Providers A & B are via the one interface, as eth0:1 and eth0:2, with a
gigabit switch aggregating the physical connections.
#
# Shorewall version 4 - Masq file
#
###############################################################################
#INTERFACE                       SOURCE                                    ADDRESS         PROTO  PORT(S)  IPSEC  MARK
eth0:0.0.0.0/0!198.32.212.0/24   192.168.0.0/21,10.240.0.0/24!10.240.0.3   180.233.131.3
eth0:198.32.212.0/24             192.168.0.0/21,10.240.0.0/24!10.240.0.3   198.32.212.73
#
# Notes: 198.32.212.0/24 is the Peering Network & our IP is 198.32.212.73
# 180.233.131.3 is part of our C-Class
# Private IP Addresses are used for our internal and DMZ networks
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
This may not be the only way but it works for us.
regards,
Trent O'Callaghan
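As an added illustration (not part of Trent's post or of Shorewall itself), a small Python model of how those two masq entries pick a source address for an outbound packet. It assumes Shorewall's first-match ordering of masq rules and the `interface:dest!exclude` / `source!exclude` column syntax shown above; the test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Trent's two entries, re-typed one rule per line (columns: INTERFACE SOURCE ADDRESS).
MASQ_TEXT = """
eth0:0.0.0.0/0!198.32.212.0/24  192.168.0.0/21,10.240.0.0/24!10.240.0.3  180.233.131.3
eth0:198.32.212.0/24            192.168.0.0/21,10.240.0.0/24!10.240.0.3  198.32.212.73
"""

@dataclass
class MasqRule:
    iface: str
    dest_inc: list   # destination networks the rule covers
    dest_exc: list   # destination networks carved out with "!"
    src_inc: list    # source networks the rule covers
    src_exc: list    # source hosts/networks carved out with "!"
    address: str     # SNAT source address applied on a match

def _split_list(spec):
    """'a,b!c' -> ([a, b], [c]) as ip_network objects; a bare host becomes a /32."""
    inc, _, exc = spec.partition("!")
    nets = lambda s: [ipaddress.ip_network(x) for x in s.split(",") if x]
    return nets(inc), nets(exc)

def parse_masq(text):
    """Parse the three leading columns of a Shorewall masq file (comments ignored)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface_spec, source_spec, address = line.split()[:3]
        iface, _, dest_spec = iface_spec.partition(":")
        dest_inc, dest_exc = _split_list(dest_spec or "0.0.0.0/0")  # no ":dest" means any destination
        src_inc, src_exc = _split_list(source_spec)
        rules.append(MasqRule(iface, dest_inc, dest_exc, src_inc, src_exc, address))
    return rules

def _covered(addr, inc, exc):
    return any(addr in n for n in inc) and not any(addr in n for n in exc)

def snat_address(rules, src, dst, out_iface="eth0"):
    """Return the SNAT address of the first matching rule, or None if the packet leaves un-NATed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.iface == out_iface and _covered(d, r.dest_inc, r.dest_exc)
                and _covered(s, r.src_inc, r.src_exc)):
            return r.address
    return None
```

Traffic to the peering network is NATed to the peering address, everything else to the C-class address, and the excluded host 10.240.0.3 is never NATed.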
-----Original Message-----
From: Michael Mansour [mailto:micoots@yahoo.com]
Sent: Thursday, 5 August 2010 12:17 PM
To: Shorewall Users
Subject: [Shorewall-users] Correct way to use quagga and shorewall
Hi,
I've setup quagga on a shorewall firewall server.
The only purpose for this is to use BGP to connect to a "peering platform"
supplied by our data centre supplier.
There are some very large ISP's (and other various providers including
google) on this peering platform and connecting to it will speed up access
to/from our services and hosted servers.
The physical connecting of the shorewall server is:
eth0: main S-IPC internet link
eth1: local LAN
eth2: peering platform
When I enabled quagga (zebra & bgpd) the other night, saw the thousands of
routes get imported via BGP onto the shorewall server, then various tests
were performed and most failed. For example, the routing for a remote user
(on an ISP on the peering platform) trying to get to one of the web sites we
host, stopped at the hop above the shorewall firewall for eth2.
As expected, all the BGP imported routes show on eth2.
The default gateway of the shorewall server is eth0 (S-IPC).
Prior to installing quagga on the shorewall server, I installed it on a test
server and all worked fine.
I believe I have the firewall rules correct, and various shorewall reading
(like the Multi-ISP setup etc) hasn't led me any closer to what went
wrong.
I did keep logs and test results which I've gone through and analysed, but
still can't figure out why it didn't work as expected.
So my question is, do Quagga and shorewall play nice together on the same
box?
Are there any gotchas involved?
Thanks.
Michael.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users