Hi, I have a standard PPPoE ISP interface which works fine under Shorewall 4.4 running on Debian (installed via apt-get).

I am trying to add a second ISP interface, which happens to be an OpenVPN outbound tun1 connection. It also has a second OpenVPN server but this is working OK so please ignore tun0; I am having problems getting tun1 working.

The idea is I want the majority of traffic to go out the default PPPoE interface, and specific host(s) on the local subnet (in this case host 192.168.69.60) to go out via the VPN interface. My config is below:

interfaces:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
vpn     tun0            -               routeback
rem     tun1            -               routeback,optional
###############################################################################

providers:

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY OPTIONS         COPY
ISP1    1       0x100   -               ppp0            -       track,balance
UKVPN   2       0x200   -               tun1            -       track,balance

tcrules:

#MARK           SOURCE          DEST    PROTO   PORT(S) CLIENT  USER    TEST
#                                                       PORT(S)
0x100:P         0.0.0.0/0
0x100           $FW
0x200           192.168.69.60

masq:

#INTERFACE      SOURCE          ADDRESS PROTO   PORT(S) IPSEC   MARK
tun1            eth0
ppp0            eth0

The problem is as soon as I enable the above multi-ISP config, from the firewall I can no longer connect to any hosts outside on the internet. I can continue to ping from the firewall to local workstations however. I cannot see any packets getting dropped in the log.

A test for inside workstations showed they can continue to use the internet and can ping the firewall without issue.

Internet for workstations was working until I tried to ping out from specific host 192.168.69.60, it couldn't ping, and then the entire firewall stopped routing (i.e. workstations that could ping out now couldn't). I then had to reboot the box in order for the settings to get cleared. I noticed at this point there were errors in /var/log/messages "martian source 192.168.69.21 from 94.76.249.84, on dev ppp0" which happens to be the IP of the VPN server.

I have also attached the shorewall dump, I know I am doing something wrong and would appreciate some help on what to try next.

Many thanks in advance,
Chris

------------------------------------------------------------------------------
> Hi, I have a standard PPPoE ISP interface which works fine under Shorewall 4.4 running on Debian (installed via apt-get).
>
> I am trying to add a second ISP interface, which happens to be an OpenVPN outbound tun1 connection. It also has a second OpenVPN server but this is working OK so please ignore tun0; I am having problems getting tun1 working.
>
> The idea is I want the majority of traffic to go out the default PPPoE interface, and specific host(s) on the local subnet (in this case host 192.168.69.60) to go out via the VPN interface. My config is below:
>
> interfaces:
>
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     ppp0            -               dhcp,tcpflags,nosmurfs,routefilter,logmartians
> loc     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
> vpn     tun0            -               routeback
> rem     tun1            -               routeback,optional
> ###############################################################################
>
> providers:
>
> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY OPTIONS         COPY
> ISP1    1       0x100   -               ppp0            -       track,balance
> UKVPN   2       0x200   -               tun1            -       track,balance
>
> tcrules:
>
> #MARK           SOURCE          DEST    PROTO   PORT(S) CLIENT  USER    TEST
> #                                                       PORT(S)
> 0x100:P         0.0.0.0/0
> 0x100           $FW
> 0x200           192.168.69.60
>
> masq:
>
> #INTERFACE      SOURCE          ADDRESS PROTO   PORT(S) IPSEC   MARK
> tun1            eth0
> ppp0            eth0
>
> The problem is as soon as I enable the above multi-ISP config, from the firewall I can no longer connect to any hosts outside on the internet. I can continue to ping from the firewall to local workstations however. I cannot see any packets getting dropped in the log.
>
> A test for inside workstations showed they can continue to use the internet and can ping the firewall without issue.
>
> Internet for workstations was working until I tried to ping out from specific host 192.168.69.60, it couldn't ping, and then the entire firewall stopped routing (i.e. workstations that could ping out now couldn't). I then had to reboot the box in order for the settings to get cleared. I noticed at this point there were errors in /var/log/messages "martian source 192.168.69.21 from 94.76.249.84, on dev ppp0" which happens to be the IP of the VPN server.
>
> I have also attached the shorewall dump, I know I am doing something wrong and would appreciate some help on what to try next.
>
> Many thanks in advance,
>
> Chris

Why treat the vpn as an ISP? Just build the vpn and use routes to send the traffic over openvpn?

Mike

------------------------------------------------------------------------------
On May 14, 2011, at 2:23 PM, Chris Morley wrote:

> Hi, I have a standard PPPoE ISP interface which works fine under Shorewall 4.4 running on Debian (installed via apt-get).
>
> I am trying to add a second ISP interface, which happens to be an OpenVPN outbound tun1 connection. It also has a second OpenVPN server but this is working OK so please ignore tun0; I am having problems getting tun1 working.
>
> The idea is I want the majority of traffic to go out the default PPPoE interface, and specific host(s) on the local subnet (in this case host 192.168.69.60) to go out via the VPN interface. My config is below:
>
> interfaces:
>
> #ZONE   INTERFACE       BROADCAST       OPTIONS
> net     ppp0            -               dhcp,tcpflags,nosmurfs,routefilter,logmartians
> loc     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
> vpn     tun0            -               routeback
> rem     tun1            -               routeback,optional
> ###############################################################################
>
> providers:
>
> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY OPTIONS         COPY
> ISP1    1       0x100   -               ppp0            -       track,balance
> UKVPN   2       0x200   -               tun1            -       track,balance

There is no tun1 shown in the dump you sent.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Hi Mike,

I have done that with my original openvpn config, in the upscript it adds forwarding rules dependent on MAC address and source IP. I didn't know if these raw iptables rules would work with the iptables rules shorewall generates. It sounds like an option and if you have further suggestions would be much appreciated.

I do also like to learn and am also interested if the original plan of using multi isp is possible or not.

Thanks and regards,
Chris

----- Reply message -----
From: "Mike Lander" <landers@lanlinecomputers.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Subject: [Shorewall-users] Multi-ISP over tun not working
Date: Sun, May 15, 2011 01:39

> Why treat the vpn as an ISP? Just build the vpn and use routes to send the traffic over openvpn?
>
> Mike

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

------------------------------------------------------------------------------
On May 14, 2011, at 2:56 PM, g18c@hotmail.com wrote:

> Hi Mike, I have done that with my original openvpn config, in the upscript it adds forwarding rules dependent on MAC address and source IP. I didn't know if these raw iptables rules would work with the iptables rules shorewall generates. It sounds like an option and if you have further suggestions would be much appreciated.

Depends on what your rules are doing.

> I do also like to learn and also interested if the original plan of using multi isp is possible or not.

Well, if you only want one host to use the alternate provider, I would not specify either 'track' or 'balance' for it.

-Tom

------------------------------------------------------------------------------
Hi chaps and thanks for the replies.

Actually it will be more than one host and what gets routed through tun1 is dependent on mac-address (or at least in my original script) and also source IP address, and I will need to masquerade on this 'tun1' connection.

My current openvpn up script is below:

# add iptables rules
iptables -A FORWARD -o tun1 -j ACCEPT
iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
ip rule add fwmark 1 table 1
ip route add default dev tun1 table 1
iptables -t mangle -A PREROUTING -s 192.168.69.247 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m mac --mac-source 00:40:4C:24:84:1C -j MARK --set-mark 1

I would like to integrate this all into Shorewall script system as close as possible.

Tom, I have sent you the dump with tun1, not sure why it wasn't in the original.

Many thanks,
Chris

From: teastep@shorewall.net
Date: Sat, 14 May 2011 15:05:49 -0700
To: shorewall-users@lists.sourceforge.net
CC: landers@lanlinecomputers.com
Subject: Re: [Shorewall-users] Multi-ISP over tun not working

> On May 14, 2011, at 2:56 PM, g18c@hotmail.com wrote:
>
> > Hi Mike, I have done that with my original openvpn config, in the upscript it adds forwarding rules dependent on MAC address and source IP. I didn't know if these raw iptables rules would work with the iptables rules shorewall generates. It sounds like an option and if you have further suggestions would be much appreciated.
>
> Depends on what your rules are doing.
>
> > I do also like to learn and also interested if the original plan of using multi isp is possible or not.
>
> Well, if you only want one host to use the alternate provider, I would not specify either 'track' or 'balance' for it.
>
> -Tom

------------------------------------------------------------------------------
Hi guys, I think the last dump was taken when tun1 was down, please find attached dump with tun1 present.

Thanks in advance and I appreciate any pointers.

Chris

From: g18c@hotmail.com
To: shorewall-users@lists.sourceforge.net
Date: Sun, 15 May 2011 02:36:22 +0000
Subject: Re: [Shorewall-users] Multi-ISP over tun not working

> Hi chaps and thanks for the replies.
>
> Actually it will be more than one host and what gets routed through tun1 is dependent on mac-address (or at least in my original script) and also source IP address, and I will need to masquerade on this 'tun1' connection.
>
> My current openvpn up script is below:
>
> # add iptables rules
> iptables -A FORWARD -o tun1 -j ACCEPT
> iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE
> ip rule add fwmark 1 table 1
> ip route add default dev tun1 table 1
> iptables -t mangle -A PREROUTING -s 192.168.69.247 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m mac --mac-source 00:40:4C:24:84:1C -j MARK --set-mark 1
>
> I would like to integrate this all into Shorewall script system as close as possible.
>
> Tom, I have sent you the dump with tun1, not sure why it wasn't in the original.
>
> Many thanks,
> Chris

------------------------------------------------------------------------------
On 05/18/2011 01:22 PM, Chris Morley wrote:

> Hi guys, I think the last dump was taken when tun1 was down, please find
> attached dump with tun1 present.

In this configuration, you *must* turn off route filtering:

a) Remove the 'route_filter' option from ppp0 and tun1 in /etc/shorewall/interfaces.
b) Set ROUTE_FILTER=No in shorewall.conf
c) Be sure that any mention of net.conf.*.rt_filter=0 in /etc/sysctl.conf

> # add iptables rules
> iptables -A FORWARD -o tun1 -j ACCEPT

Handle that via /etc/shorewall/policy

> iptables -t nat -A POSTROUTING -o tun1 -j MASQUERADE

In /etc/shorewall/masq:

    tun1    0.0.0.0/0

> ip rule add fwmark 1 table 1
> ip route add default dev tun1 table 1

Done for you by the providers file.

> iptables -t mangle -A PREROUTING -s 192.168.69.247 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -m mac --mac-source 00:40:4C:24:84:1C -j MARK --set-mark 1

In /etc/shorewall/tcrules:

    1:P     192.168.69.47,~00:40:4c:24:84:1c

And be sure that tun1 has the 'optional' option in /etc/shorewall/interfaces.

Then, you can either replace the above commands with this:

    /var/lib/shorewall/firewall restart

or you can install and configure shorewall-lite.

-Tom

------------------------------------------------------------------------------
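An added example, not part of the thread: a check of the route-filtering state discussed in the message above. It assumes the Linux kernel sysctl names net.ipv4.conf.<interface>.rp_filter and the kernel rule that the value applied to an interface is the larger of the "all" and the per-interface setting; the sysctl listing is constructed and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample in `sysctl -a` format (not taken from the thread's dump):
# ppp0 and tun1 are set to 0, but "all" is still 1.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.ppp0.rp_filter = 0
net.ipv4.conf.tun1.rp_filter = 0'

# effective_rp_filter IFACE
# Reads sysctl text on stdin and prints the value the kernel applies to IFACE,
# i.e. max(conf.all.rp_filter, conf.IFACE.rp_filter), or "unknown" when the
# interface has no entry in the input (for example because it is down).
effective_rp_filter() {
    awk -v ifc="$1" '
        BEGIN { all = 0; own = 0; seen = 0 }
        {
            gsub(/[ \t]/, "")                 # "key = value" -> "key=value"
            n = split($0, kv, "=")
            if (n != 2) next
            if (kv[1] == "net.ipv4.conf.all.rp_filter") all = kv[2] + 0
            if (kv[1] == "net.ipv4.conf." ifc ".rp_filter") { own = kv[2] + 0; seen = 1 }
        }
        END {
            if (!seen) { print "unknown"; exit }
            print (all > own ? all : own)
        }'
}

# filtered_ifaces IFACE...
# Reads sysctl text on stdin and prints "iface=value" for every listed
# interface whose effective setting is not 0 (empty line when all are 0).
filtered_ifaces() {
    input=$(cat)
    out=""
    for ifc in "$@"; do
        v=$(printf '%s\n' "$input" | effective_rp_filter "$ifc")
        [ "$v" = "0" ] || out="${out:+$out }$ifc=$v"
    done
    printf '%s\n' "$out"
}

# On a live firewall: sysctl -a 2>/dev/null | filtered_ifaces ppp0 tun1
printf '%s\n' "$SAMPLE_SYSCTL" | filtered_ifaces ppp0 tun1
```

With the constructed listing both interfaces are reported, because the "all" entry overrides the per-interface zeros.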
On 05/18/2011 01:22 PM, Chris Morley wrote:

I sent my last post too soon. You also want to remove the 'balance' option from tun1.

-Tom

------------------------------------------------------------------------------
Hi Tom,

Thanks for the replies, I have implemented what you have said and have made some progress but not quite there yet.

A few things are that when this dual ISP config is brought up (with tun1 optional interface up) the firewall can no longer ping out unless I specify the interface.

root@router:/etc/shorewall# ping -I ppp0 208.67.220.220
PING 208.67.220.220 (208.67.220.220) from 2.51.55.23 ppp0: 56(84) bytes of data.
64 bytes from 208.67.220.220: icmp_req=1 ttl=54 time=118 ms
^C
--- 208.67.220.220 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3011ms
rtt min/avg/max/mdev = 105.122/114.716/118.224/5.542 ms
root@router:/etc/shorewall# ping 208.67.220.220
PING 208.67.220.220 (208.67.220.220) 56(84) bytes of data.
^C
--- 208.67.220.220 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

Secondly, if I set the IP of a workstation on the LAN to 192.168.69.60 (we specified in tcrules to route packets from this IP address out of the second provider), the tcrules is definitely doing something as the pings time out on the workstation, and then tun1 dies on the firewall. If I set it to any normal IP address then the workstation can connect to the internet normally.

I have checked and may well still be missing something or making a mistake still. I have attached another shorewall dump for your review at your convenience.

Thanks for the help.

Chris

Date: Wed, 18 May 2011 13:44:40 -0700
From: teastep@shorewall.net
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multi-ISP over tun not working

> On 05/18/2011 01:22 PM, Chris Morley wrote:
>
> I sent my last post too soon. You also want to remove the 'balance' option from tun1.
>
> -Tom

------------------------------------------------------------------------------
On 5/24/11 1:20 PM, Chris Morley wrote:

> Hi Tom,
>
> Thanks for the replies, I have implemented what you have said

No you haven't. You still have 'balance' on the tun1 provider.

Table default:

default
        nexthop dev ppp0 weight 1
        nexthop dev tun1 weight 1 <======================

-Tom

------------------------------------------------------------------------------
> No you haven't. You still have 'balance' on the tun1 provider.
>
> Table default:
>
> default
>         nexthop dev ppp0 weight 1
>         nexthop dev tun1 weight 1 <======================

Hi Tom, that's strange, please find my providers file below:

#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY OPTIONS         COPY
ISP1    1       0x100   -               ppp0            -       track,balance
UKVPN   2       0x200   -               tun1            -       track

Regards,
Chris

------------------------------------------------------------------------------
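An added example, not part of the thread: the comparison made by eye in the two messages above, between the providers file and the multipath default route in the dump. Both inputs are copied from the posts (without the arrow annotation); the function names are made up for this example, and it only reports the mismatch, not its cause.

```shell
#!/bin/sh
# Providers file as posted after 'balance' was removed from UKVPN.
PROVIDERS='#NAME   NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY  OPTIONS        COPY
ISP1    1       0x100   -          ppp0       -        track,balance
UKVPN   2       0x200   -          tun1       -        track'

# "Table default" excerpt in the form quoted from the dump.
ROUTES='default
        nexthop dev ppp0 weight 1
        nexthop dev tun1 weight 1'

# balanced_ifaces: read a providers file on stdin and print the interfaces
# (column 5) whose OPTIONS column (7) contains balance or balance=<weight>.
balanced_ifaces() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        {
            n = split($7, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "balance" || opt[i] ~ /^balance=/) { print $5; break }
        }' | sort -u
}

# nexthop_ifaces: read `ip route show` text on stdin and print the devices
# listed as nexthops of a multipath default route.
nexthop_ifaces() {
    awk '
        /^default/ { indef = 1; next }
        indef && $1 == "nexthop" {
            for (i = 2; i < NF; i++) if ($i == "dev") print $(i + 1)
            next
        }
        { indef = 0 }' | sort -u
}

# stale_nexthops PROVIDERS_TEXT ROUTES_TEXT
# Print every device that is a nexthop of the multipath default route although
# the providers file does not give it the balance option.
stale_nexthops() {
    want=$(printf '%s\n' "$1" | balanced_ifaces)
    printf '%s\n' "$2" | nexthop_ifaces | while read -r dev; do
        printf '%s\n' "$want" | grep -Fqx -- "$dev" || printf '%s\n' "$dev"
    done
}

# On a live firewall:
#   stale_nexthops "$(cat /etc/shorewall/providers)" "$(ip route show table default)"
stale_nexthops "$PROVIDERS" "$ROUTES"
```

For the two inputs from the thread it reports tun1, which is the disagreement between configuration and routing table that the following messages try to track down.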
On 5/26/11 4:32 PM, Chris Morley wrote:

>> No you haven't. You still have 'balance' on the tun1 provider.
>>
>> Table default:
>>
>> default
>>         nexthop dev ppp0 weight 1
>>         nexthop dev tun1 weight 1 <======================
>
> Hi Tom, that's strange, please find my providers file below:
>
> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY OPTIONS         COPY
> ISP1    1       0x100   -               ppp0            -       track,balance
> UKVPN   2       0x200   -               tun1            -       track

Which Shorewall version?

-Tom

------------------------------------------------------------------------------
On 5/26/11 4:46 PM, Tom Eastep wrote:

> On 5/26/11 4:32 PM, Chris Morley wrote:
>>> No you haven't. You still have 'balance' on the tun1 provider.
>>>
>>> Table default:
>>>
>>> default
>>>         nexthop dev ppp0 weight 1
>>>         nexthop dev tun1 weight 1 <======================
>>
>> Hi Tom, that's strange, please find my providers file below:
>>
>> #NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY OPTIONS         COPY
>> ISP1    1       0x100   -               ppp0            -       track,balance
>> UKVPN   2       0x200   -               tun1            -       track
>
> Which Shorewall version?

Doh -- it was in the dump 4.4.11.6 (Squeeze).

Try 'shorewall stop; shorewall start'; Does the default table still look as above?

-Tom

------------------------------------------------------------------------------
>>> Table default:
>>>
>>> default
>>>         nexthop dev ppp0 weight 1
>>>         nexthop dev tun1 weight 1 <======================
>
> Try 'shorewall stop; shorewall start'; Does the default table still look
> as above?

Hi Tom, yes it is still the same even with the balance option removed. If easier to look at config files let me know and I can send them.

Regards,
Chris

------------------------------------------------------------------------------
On 5/26/11 5:15 PM, Chris Morley wrote:

>>>> Table default:
>>>>
>>>> default
>>>>         nexthop dev ppp0 weight 1
>>>>         nexthop dev tun1 weight 1 <======================
>>
>> Try 'shorewall stop; shorewall start'; Does the default table still look
>> as above?
>
> Hi Tom, yes it is still the same even with the balance option removed. If easier to look at config files let me know and I can send them.

Yes: Please:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar -zcf shorewall.tgz /etc/shorewall
c) Send me the shorewall.tgz file

Note that if this is a Shorewall bug, it won't be fixed in Debian until the next major Debian release. So you will have to start using Roberto's .deb repository to get your updates.

-Tom

------------------------------------------------------------------------------
> c) Send me the shorewall.tgz file

Hi Tom, have emailed the directory archive to your email.

Thanks,
Chris

------------------------------------------------------------------------------