Please, I need help with the following error.
I'm trying to implement a LAN with two ISPs to get access to the Internet, with load balancing and failover in case any ISP fails.
This is the result of:
#shorewall -vv start
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Shorewall has detected the following capabilities:
ACCOUNT Target: Not Available
AUDIT Target: Not Available
Address Type Match: Available
CLASSIFY Target: Available
CONNMARK Target: Available
Capability Version: 4.4.21
Comments: Available
Connection Tracking Match: Available
Connlimit Match: Available
Connmark Match: Available
Extended CONNMARK Target: Available
Extended Connection Tracking Match: Not Available
Extended Connmark Match: Available
Extended Mark Target: Available
Extended Mark Target 2: Not Available
Extended Multi-port Match: Available
Extended Reject: Available
Flow Classifier: Not Available
Goto Support: Available
Hashlimit Match: Available
Header Match: Not Available
Helper Match: Available
IP Range Match: Available
IPMARK Target: Not Available
IPP2P Match: Not Available
Ipset Match: Not Available
Kernel Version: 2.6.18
LOG Target: Available
LOGMARK Target: Not Available
MARK Target: Available
Mangle FORWARD Chain: Available
Mark in any table: Not Available
Multi-port Match: Available
NAT: Available
NFQUEUE Target: Available
Old Hash Limit Match: Available
Old IPP2P Match Syntax: Not Available
Old Ipset Match: Not Available
Old conntrack match syntax: Not Available
Owner Match: Available
Packet Mangling: Available
Packet Type Match: Available
Packet length Match: Available
Persistent SNAT: Not Available
Physdev Match: Available
Physdev-is-bridged support: Available
Policy Match: Available
Raw Table: Available
Realm Match: Available
Recent Match: Available
Repeat match: Not Available
TCPMSS Match: Available
TPROXY Target: Not Available
Time Match: Not Available
Version 5 ipsets: Not Available
fwmark route mask: Not Available
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Interface "net eth0 detect optional" Validated
Interface "net eth1 detect optional" Validated
Interface "loc eth2 detect logmartians,nosmurfs,tcpflags" Validated
Determining Hosts in Zones...
fw (firewall)
net (ipv4)
eth0:0.0.0.0/0
eth1:0.0.0.0/0
loc (ipv4)
eth2:0.0.0.0/0
Locating Action Files...
Compiling /usr/share/shorewall/action.Drop for chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "PARAM - - tcp 113" Compiled
..End Macro /usr/share/shorewall/macro.Auth
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "PARAM - - icmp fragmentation-needed" Compiled
Rule "PARAM - - icmp time-exceeded" Compiled
..End Macro /usr/share/shorewall/macro.AllowICMPs
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "PARAM - - udp 135,445" Compiled
Rule "PARAM - - udp 137:139" Compiled
Rule "PARAM - - udp 1024: 137" Compiled
Rule "PARAM - - tcp 135,139,445" Compiled
..End Macro /usr/share/shorewall/macro.SMB
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "PARAM - - udp 1900" Compiled
..End Macro /usr/share/shorewall/macro.DropUPnP
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "PARAM - - udp - 53" Compiled
..End Macro /usr/share/shorewall/macro.DropDNSrep
Compiling /usr/share/shorewall/action.Reject for chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
Rule "PARAM - - tcp 113" Compiled
..End Macro /usr/share/shorewall/macro.Auth
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "PARAM - - icmp fragmentation-needed" Compiled
Rule "PARAM - - icmp time-exceeded" Compiled
..End Macro /usr/share/shorewall/macro.AllowICMPs
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "PARAM - - udp 135,445" Compiled
Rule "PARAM - - udp 137:139" Compiled
Rule "PARAM - - udp 1024: 137" Compiled
Rule "PARAM - - tcp 135,139,445" Compiled
..End Macro /usr/share/shorewall/macro.SMB
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "PARAM - - udp 1900" Compiled
..End Macro /usr/share/shorewall/macro.DropUPnP
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "PARAM - - udp - 53" Compiled
..End Macro /usr/share/shorewall/macro.DropDNSrep
Compiling /etc/shorewall/policy...
Policy for loc to net is ACCEPT using chain loc2net
Policy for loc to fw is ACCEPT using chain loc2fw
Policy for fw to net is ACCEPT using chain fw2net
Policy for net to fw is DROP using chain net2all
Policy for net to loc is DROP using chain net2all
Policy for fw to net is DROP using chain all2all
Policy for fw to loc is DROP using chain all2all
Policy for net to fw is DROP using chain all2all
Policy for net to loc is DROP using chain all2all
Policy for loc to fw is DROP using chain all2all
Policy for loc to net is DROP using chain all2all
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/providers...
Provider "ISP1 1 0x1 main eth1 190.160.50.1 track,balance eth2" Compiled
Provider "ISP2 2 0x2 main eth0 200.67.110.57 track,balance eth2" Compiled
Compiling /etc/shorewall/route_rules...
Routing rule "eth1 - ISP1 1000" Compiled
Routing rule "eth0 - ISP2 1000" Compiled
Compiling /etc/shorewall/masq...
Masq record "eth1 200.67.110.59 190.160.50.54" Compiled
Masq record "eth0 190.160.50.54 200.87.113.59" Compiled
Masq record "eth1 192.168.1.0/24 190.160.50.54" Compiled
Masq record "eth0 192.168.1.0/24 200.87.113.59" Compiled
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Policy ACCEPT from fw to net using chain fw2net
Policy DROP from fw to loc using chain fw2loc
Policy DROP from net to fw using chain net2fw
Policy DROP from net to net using chain net2net
Policy DROP from net to loc using chain net2loc
Policy ACCEPT from loc to fw using chain loc2fw
Policy ACCEPT from loc to net using chain loc2net
Generating Rule Matrix...
Handling blacklisting and complex zones...
Entering main matrix-generation loop...
Chain eth0_in deleted
Chain eth0_fwd deleted
Chain eth1_in deleted
Chain eth1_fwd deleted
Chain eth2_in deleted
Chain eth2_fwd deleted
Finishing matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Adding Providers...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
eth0 is Down!
eth1 is Down!
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Processing /etc/shorewall/tcclear ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Adding Providers...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.
200.67.110.56/29 dev eth0 proto kernel scope link src 200.67.110.59
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.10
190.160.50.0/24 dev eth1 proto kernel scope link src 190.160.50.54
169.254.0.0/16 dev eth2 scope link
I'm using the cwpin script to detect failover; just after I included the script, I get the following error:
#
WARNING: Interface eth1 is not usable -- Provider ISP1 (1) not Added
WARNING: Interface eth0 is not usable -- Provider ISP2 (2) not Added
WARNING: No Default route added (all 'balance' providers are down)
Thanks for your help