Sebastian Tänzer
2010-Aug-31 08:34 UTC
MultiISP setup - disconnect of ppp0 triggers failover
Hello,

I have recently discovered shorewall and consider myself not a newbie but not a pro in networking technology either. I've set up my own firewall using shorewall on Debian and it works fine.

- eth0 connects to my local network
- eth1 connects to my cable modem
- eth2 connects to my dsl modem (ppp0)
- eth3 connects to my wireless network
- eth4 is currently not in use

I configured shorewall according to the official MultiISP "how to" and basically it works fine. Except when ppp0 gets disconnected and reconnected by the provider, the routing tables are updated (so I guess) and the system uses ppp0 as default route, even though eth1/cable still works fine.

Perhaps I misunderstood something and am missing something in my configuration (I guess I DO need a script monitoring for failover and disable the overriding of the routes somehow...)

I'd be happy about any hints and tips how to achieve a simple failover setup where eth1 is my primary connection and ppp0 only kicks in when cable really does not work.

I've attached my shorewall dump, I hope this is correct.

Thanks
Sebastian
Tom Eastep
2010-Aug-31 14:17 UTC
Re: MultiISP setup - disconnect of ppp0 triggers failover
On 8/31/10 1:34 AM, Sebastian Tänzer wrote:

> I've attached my shorewall dump, I hope this is correct.

Is this dump taken after ppp0 has been connected/reconnected? I'm guessing 'yes' and that the ppp0 interface is provider 'ISP1'?

If so, I would try the following:

- create the file 'shorewall' in both /etc/ppp/ip-up.d and /etc/ppp/ip-down.d

- In each file, put:

    #!/bin/sh

    /sbin/shorewall status > /dev/null && /sbin/shorewall restart -f

  That will restart Shorewall if it is already running and ppp0 goes up or down.

- Disable adding the default route in your ppp config. You'll have to dig around in your documentation for your ppp software (pptp, pppoe, pppocp [1], ...). It may be as simple as adding 'nodefaultroute' to /etc/ppp/options but since I've not used ppp since the days of dial-up Internet access, I'm far from certain.

- Set the 'balance' option on ISP2 and 'fallback' on ISP1. Be sure that you have 'main' in the DUPLICATE column and 'eth0,eth3' in the COPY column in both entries. Place '-' in the GATEWAY column of ISP1.

- Run LSM but only have it monitor eth1; the entries in /etc/ppp/ will restart shorewall if ppp0 goes up or down.

-Tom

[1] - PPP over Carrier Pigeon
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Sebastian Tänzer
2010-Aug-31 19:31 UTC
Re: MultiISP setup - disconnect of ppp0 triggers failover
Thanks Tom,

this helped a lot. ISP1 is my cable provider, ISP2 the dsl pppd connection. But I figured that out.

The only thing I don't get is your LSM config here:

    connection {
        name=Comcast
        checkip=${ETH0_GATEWAY:-71.231.152.1}
        device=$COM_IF
        ttl=1
    }

I replaced these values with my own, i.e.

    connection {
        name=ISP1
        checkip=${ETH1_GATEWAY}
        device=$ETH1_IF
        ttl=1
    }

I've set up ETH1_IF in params, but where does the script get ETH1_GATEWAY from? I checked the findgw script and it works fine. Still, the value checkip is always empty.

Best
Sebastian
Tom Eastep
2010-Aug-31 21:06 UTC
Re: MultiISP setup - disconnect of ppp0 triggers failover
On 8/31/10 12:31 PM, Sebastian Tänzer wrote:

> Thanks Tom,
>
> this helped a lot. ISP1 is my cable provider, ISP2 the dsl pppd connection.
> But I figured that out.
>
> The only thing I don't get is your LSM config here:
>
> connection {
>     name=Comcast
>     checkip=${ETH0_GATEWAY:-71.231.152.1}
>     device=$COM_IF
>     ttl=1
> }
>
> I replaced these values with my own, i.e.
>
> connection {
>     name=ISP1
>     checkip=${ETH1_GATEWAY}
>     device=$ETH1_IF
>     ttl=1
> }
>
> I've set up ETH1_IF in params, but where gets the script ETH1_GATEWAY from?
> I checked the findgw script and it works fine. Still, the value checkip is always empty.

In recent Shorewall releases, the variable is SW_ETH1_GATEWAY rather than ETH1_GATEWAY.

-Tom
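The empty checkip discussed above comes from expanding a variable name that recent Shorewall releases no longer set. The following is an added example, not code from the thread or from Shorewall itself: it renders the LSM connection block and fails loudly instead of emitting an empty checkip. The function names and the sample gateway address are assumptions.

```shell
#!/bin/sh
# Added example: render one LSM "connection" block and refuse to emit an
# empty checkip. Function names and sample values are hypothetical.

# resolve_gateway IFACE: print the gateway for IFACE (e.g. ETH1), preferring
# SW_<IFACE>_GATEWAY (recent Shorewall) over the older <IFACE>_GATEWAY.
resolve_gateway() {
    iface=$1
    # Only allow characters valid in a variable name before using eval.
    case $iface in
        ''|*[!A-Z0-9_]*) return 2 ;;
    esac
    eval "gw=\${SW_${iface}_GATEWAY:-\${${iface}_GATEWAY:-}}"
    [ -n "$gw" ] || return 1
    printf '%s\n' "$gw"
}

# render_connection NAME IFACE DEVICE: print the block, or fail with a
# message on stderr when no gateway variable is set for IFACE.
render_connection() {
    name=$1 iface=$2 device=$3
    gw=$(resolve_gateway "$iface") || {
        echo "lsm: no gateway variable set for $iface, skipping $name" >&2
        return 1
    }
    [ -n "$device" ] || { echo "lsm: empty device for $name" >&2; return 1; }
    cat <<EOF
connection {
    name=$name
    checkip=$gw
    device=$device
    ttl=1
}
EOF
}

# Constructed sample value (documentation address range), for demonstration.
SW_ETH1_GATEWAY=192.0.2.1
render_connection ISP1 ETH1 eth1
```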
Sebastian Tänzer
2010-Aug-31 21:23 UTC
Re: MultiISP setup - disconnect of ppp0 triggers failover
Thanks again,

setup works as you proposed it. There should be some updates to the docs as it took the most time to figure out why the scripts aren't working in the latest version.

Best regards from Germany
Sebastian