Hi, I'm just trying to test my "multi-isp" setup and running into some teething problems (shorewall 4.4.22).

Firstly, I wanted to do a quick test using wired + wireless alternatives, but for convenience both devices are connecting to the same network (192.168.105.0/24). What I observe is that despite trying to force routing using tcrules or whatever, it doesn't take effect, I believe because of the local routing table:

    Table local:
    local 192.168.105.80 dev wlan1 proto kernel scope host src 192.168.105.80
    ...
    broadcast 192.168.105.0 dev wlan1 proto kernel scope link src 192.168.105.80
    broadcast 192.168.105.0 dev eth0 proto kernel scope link src 192.168.105.70

    Routing Rules
    0:      from all lookup local
    10000:  from all fwmark 0x10000/0xff0000 lookup peth0
    10005:  from all fwmark 0x60000/0xff0000 lookup pwlan1
    ...

Assuming I had some real reason to have two net devices connected to the same network and wanted to force the route - how might I configure my routing to do this?

Second gremlin is that my PPP connections via a 3G card appear not to be coming up. Shorewall restart shows:

    shorewall | WARNING: Interface ppp0 is not usable -- Provider pppp0 (11) not Added
    shorewall | WARNING: Interface ppp1 is not usable -- Provider pppp1 (12) not Added

    $ ifconfig ppp1
    ppp1      Link encap:Point-to-Point Protocol
              inet addr:10.94.173.57  P-t-P:10.64.64.65  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
              RX packets:7 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:136 (136.0 B)  TX bytes:112 (112.0 B)

    $ cat providers
    ############################################################################################
    #NAME   NUMBER  MARK     DUPLICATE  INTERFACE  GATEWAY  OPTIONS  COPY
    ...
    pppp0   11      0xB0000  main       ppp0       -        track    br0
    pppp1   12      0xC0000  main       ppp1       -        track    br0

Any ideas where to look to understand why shorewall thinks ppp1 is not usable?
Thanks

Ed W

------------------------------------------------------------------------------
Get a FREE DOWNLOAD! and learn more about uberSVN rich system,
user administration capabilities and model configuration. Take
the hassle out of deploying and managing Subversion and the
tools developers use with it. http://p.sf.net/sfu/wandisco-d2d-2
On 19/08/2011 13:39, Ed W wrote:
> Hi, I'm just trying to test my "multi-isp" setup and running into some
> teething problems (shorewall 4.4.22)
>
> Firstly, I wanted to do a quick test using a wired + wireless
> alternatives, but for convenience both devices are connecting to the
> same network (192.168.105.0/24). What I observe is that despite trying
> to force routing using tcrules or whatever, it doesn't take effect, I
> believe because of the local routing table:

Possibly rephrasing the question in a simpler way: I'm working in a scenario where each interface will have very different costs. The end result is to create a very rigid routing system where there is no default routing and TC marks control precisely which interface any traffic goes out.

Roughly we have a mobile captive portal and up to say (3) internet connections, of which 1 will be active at any time. Users need to agree to the costs of the currently selected connection before they can pass traffic.

Thanks for some thoughts on how to setup/lockdown routing here?

Ed W
On Fri, 2011-08-19 at 13:39 +0100, Ed W wrote:
> Hi, I'm just trying to test my "multi-isp" setup and running into some
> teething problems (shorewall 4.4.22)
>
> Firstly, I wanted to do a quick test using a wired + wireless
> alternatives, but for convenience both devices are connecting to the
> same network (192.168.105.0/24).

I recommend that you don't do that -- it will take much more time to work around all of the pitfalls in that configuration than it will to simply bring up the real configuration.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 19/08/2011 14:08, Tom Eastep wrote:
> On Fri, 2011-08-19 at 13:39 +0100, Ed W wrote:
>> Hi, I'm just trying to test my "multi-isp" setup and running into some
>> teething problems (shorewall 4.4.22)
>>
>> Firstly, I wanted to do a quick test using a wired + wireless
>> alternatives, but for convenience both devices are connecting to the
>> same network (192.168.105.0/24).
>
> I recommend that you don't do that -- it will take much more time to
> work around all of the pitfalls in that configuration than it will to
> simply bring up the real configuration.

The problem is that I won't have control over the "real" configuration. It's an appliance that I am building and as far as possible I'm trying to build robust configurations that survive users doing unusual things.

It's entirely probable to meet a situation where I have say a satellite system sitting on 192.168.1.1/24 and a wifi connection to some internet cafe on 192.168.1.1/24. I want the user to agree (via web interface) that the wifi connection is the cheapest option and then force route everything via wlan1.

I really need to get absolute control over my routing for this setup. Several of the network connections will have substantial costs and surprises aren't desirable (think $10-100/MB).

I'm trying to prototype this using shorewall, but my thinking is, given: known set of interfaces at boot (eth0-3, wlan1-2, PPP0-5), I can setup my masquerading and firewalling once, then control routing using ipset entries to control TC rules. A daemon monitoring what interfaces are alive can then be used to dynamically adjust the routing table.

Does this seem workable? Any shortcuts to get there? How much can I leverage shorewall to help? Can I make use of the routing rules added by the kernel?

Thanks for any ideas

Ed W
Tom, any chance of some pointers on the second question (below)

Thanks

Ed W

On 19/08/2011 13:39, Ed W wrote:
> Second gremlin is that my PPP connections via a 3G card appear not to be
> coming up. Shorewall restart shows:
>
> shorewall | WARNING: Interface ppp0 is not usable -- Provider
> pppp0 (11) not Added
> shorewall | WARNING: Interface ppp1 is not usable -- Provider
> pppp1 (12) not Added
>
> $ ifconfig ppp1
> ppp1      Link encap:Point-to-Point Protocol
>           inet addr:10.94.173.57  P-t-P:10.64.64.65  Mask:255.255.255.255
>           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
>           RX packets:7 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:3
>           RX bytes:136 (136.0 B)  TX bytes:112 (112.0 B)
>
> $ cat providers
> ############################################################################################
> #NAME   NUMBER  MARK     DUPLICATE  INTERFACE  GATEWAY  OPTIONS  COPY
> ...
> pppp0   11      0xB0000  main       ppp0       -        track    br0
> pppp1   12      0xC0000  main       ppp1       -        track    br0
>
> Any ideas where to look to understand why shorewall thinks ppp1 is not
> usable?
>
> Thanks
>
> Ed W
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Fri, 2011-08-19 at 16:56 +0100, Ed W wrote:
> Tom, any chance of some pointers on the second question (below)

Look in /var/lib/shorewall/firewall. There is a function named interface_is_usable() that is executed to determine if an interface is usable or not.

-Tom
On 19/08/2011 17:45, Tom Eastep wrote:
> On Fri, 2011-08-19 at 16:56 +0100, Ed W wrote:
>> Tom, any chance of some pointers on the second question (below)
> Look in /var/lib/shorewall/firewall. There is a function named
> interface_is_usable() that is executed to determine if an interface is
> usable or not.

Hmm, if I change the function like so:

    interface_is_usable() # $1 = interface
    {
        [ "$1" = lo ] && return 0

        interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1 && echo "interface is usable: $1"
        interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
    }

Then run shorewall start I get:

    $ shorewall start
    [ -f /var/lib/shorewall/firewall ]
    Starting Shorewall....
    interface is usable: ppp1
    Initializing...
    Processing /etc/shorewall/init ...
    Command: start
    Processing /etc/shorewall/tcclear ...
    Setting up Route Filtering...
    Setting up Martian Logging...
    Setting up Proxy ARP...
    Adding Providers...
    interface is usable: eth0
    interface is usable: wlan1
    WARNING: Interface ppp0 is not usable -- Provider pppp0 (11) not Added
    WARNING: Interface ppp1 is not usable -- Provider pppp1 (12) not Added
    Setting up Traffic Control...
    Preparing iptables-restore input...
    Running /sbin/iptables-restore...
    IPv4 Forwarding Enabled
    Processing /etc/shorewall/start ...
    Processing /etc/shorewall/started ...
    done.

If I check /var/lib/shorewall/firewall I see that the "not Added" comes from an "if" here:

    if [ -n "$SW_PPP1_IS_USABLE" ]; then
        ...
    else
        error_message "WARNING: Interface ppp1 is not usable -- Provider pppp1 (12) not Added"
    fi

I can't see any other reference to "$SW_PPP1_IS_USABLE"? The if for eth0/wlan1 both use interface_is_usable, only the ppp1 statements are different?

This is shorewall 4.4.22.1

Thanks for any thoughts?

Ed W
On 19/08/2011 18:25, Ed W wrote:
>
> If I check /var/lib/shorewall/firewall I see that the "not Added" comes
> from an "if" here:
>
> if [ -n "$SW_PPP1_IS_USABLE" ]; then

Aha, I see the function:

    detect_configuration()

has this:

    SW_PPP_IS_USABLE=

    for interface in $(find_all_interfaces1); do
        case "$interface" in
            ppp*)
                if [ -z "$SW_PPP_IS_USABLE" ]; then
                    if interface_is_usable $interface; then
                        SW_PPP_IS_USABLE=Yes
                    fi
                fi

The problem seems to be that it iterates over all ppp* devices, but sets the variable _PPP_, later it tests for _PPPx_

Ed W
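To see the variable-name mismatch Ed describes in isolation, here is a small POSIX sh model (an added example, not Shorewall's own code): it runs the shared-flag loop from 4.4.22 beside a per-interface variant against a constructed interface list, with a stub standing in for interface_is_usable(). The stub's notion of which interfaces are up, and the helper names iface_var, detect_shared_flag, detect_per_interface_flags and provider_would_be_added, are assumptions made for this example.

```shell
# Added example, not Shorewall's own code. Models the mismatch Ed found:
# detect_configuration() sets one shared SW_PPP_IS_USABLE for every ppp*
# interface, but the provider code tests per-interface SW_PPP1_IS_USABLE,
# which nothing sets. interface_is_usable() is a constructed stand-in.

# Constructed stand-in for Shorewall's interface_is_usable(): ppp1 is up
# with an address, ppp0 is not.
interface_is_usable() {
    case "$1" in
        eth0|wlan1|ppp1) return 0 ;;
        *) return 1 ;;
    esac
}

# ppp1 -> PPP1, for building per-interface variable names.
iface_var() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Mirrors the 4.4.22 loop: a single flag shared by all ppp* interfaces.
detect_shared_flag() {
    SW_PPP_IS_USABLE=
    for interface in $1; do
        case "$interface" in
            ppp*) if [ -z "$SW_PPP_IS_USABLE" ] && interface_is_usable "$interface"; then
                      SW_PPP_IS_USABLE=Yes
                  fi ;;
        esac
    done
}

# Per-interface flags (ppp1 -> SW_PPP1_IS_USABLE), the names the generated
# firewall script actually tests before adding each provider.
detect_per_interface_flags() {
    for interface in $1; do
        case "$interface" in
            ppp*) if interface_is_usable "$interface"; then
                      eval "SW_$(iface_var "$interface")_IS_USABLE=Yes"
                  else
                      eval "SW_$(iface_var "$interface")_IS_USABLE="
                  fi ;;
        esac
    done
}

# Returns 0 when the provider for interface $1 would be added, i.e. when
# its per-interface flag is non-empty; otherwise the "not Added" path runs.
provider_would_be_added() {
    eval "flag=\$SW_$(iface_var "$1")_IS_USABLE"
    [ -n "$flag" ]
}

IFACES="eth0 wlan1 ppp0 ppp1"   # constructed list matching the thread
detect_shared_flag "$IFACES"
provider_would_be_added ppp1 || echo "shared flag: ppp1 provider not Added"
detect_per_interface_flags "$IFACES"
provider_would_be_added ppp1 && echo "per-interface flag: ppp1 provider Added"
```

With the shared flag, ppp1 is reported usable by the stub yet its provider is still skipped, which is exactly the symptom in the "shorewall start" output above; the per-interface flags make the check and the setter agree.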
On Fri, 2011-08-19 at 18:32 +0100, Ed W wrote:
> On 19/08/2011 18:25, Ed W wrote:
> >
> > If I check /var/lib/shorewall/firewall I see that the "not Added" comes
> > from an "if" here:
> >
> > if [ -n "$SW_PPP1_IS_USABLE" ]; then
>
> Aha, I see the function:
>
> detect_configuration()
>
> has this:
>
> SW_PPP_IS_USABLE=
>
> for interface in $(find_all_interfaces1); do
>     case "$interface" in
>         ppp*)
>             if [ -z "$SW_PPP_IS_USABLE" ]; then
>                 if interface_is_usable $interface; then
>                     SW_PPP_IS_USABLE=Yes
>                 fi
>             fi
>
> The problem seems to be that it iterates over all ppp* devices, but sets
> the variable _PPP_, later it tests for _PPPx_

Which Shorewall Version?

-Tom
On Aug 19, 2011, at 1:12 PM, Tom Eastep wrote:
>
> Which Shorewall Version?

Never mind -- you said 4.4.22. Please tar up your configuration and send it to me.

Thanks,
-Tom
On Fri, 2011-08-19 at 18:32 +0100, Ed W wrote:
> On 19/08/2011 18:25, Ed W wrote:
> >
> > If I check /var/lib/shorewall/firewall I see that the "not Added" comes
> > from an "if" here:
> >
> > if [ -n "$SW_PPP1_IS_USABLE" ]; then
>
> Aha, I see the function:
>
> detect_configuration()
>
> has this:
>
> SW_PPP_IS_USABLE=
>
> for interface in $(find_all_interfaces1); do
>     case "$interface" in
>         ppp*)
>             if [ -z "$SW_PPP_IS_USABLE" ]; then
>                 if interface_is_usable $interface; then
>                     SW_PPP_IS_USABLE=Yes
>                 fi
>             fi
>
> The problem seems to be that it iterates over all ppp* devices, but sets
> the variable _PPP_, later it tests for _PPPx_

Ed,

You can work around this by configuring your net interfaces as:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     ppp0        detect      tcpflags,nosmurfs,optional
    net     ppp1        detect      tcpflags,nosmurfs,optional
    net     ppp+        detect      tcpflags,nosmurfs

And by adding this to your policy file (before any net->all policy):

    #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
    net       net    NONE

-Tom
On Sat, 2011-08-20 at 06:24 -0700, Tom Eastep wrote:
> You can work around this by configuring your net interfaces as:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     ppp0        detect      tcpflags,nosmurfs,optional
> net     ppp1        detect      tcpflags,nosmurfs,optional
> net     ppp+        detect      tcpflags,nosmurfs
>
> And by adding this to your policy file (before any net->all policy):
>
> #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
> net       net    NONE

And here is a patch that will allow the configuration to work without the above hackish change.

    patch /usr/share/shorewall/Shorewall/Zones.pm < OPTIONAL.patch

Thanks,
-Tom