Hi! I seem to have found an extra feature in my setup!

Two ISP connections on the same network interface. I have a DNAT rule that DNATs port 443 from an external ip address on ISP1 to an internal M$ exchange server for OWA.

I have a line in the tcrules like this

    1 $FW 0.0.0.0/0 tcp 443

Mark of 1 is my /29 network range ISP1. I have configured squid to use the ISP2 link which is a /30 addressed link.

All worked well until the customer decided that today was the day to do internet banking! Squid says https? Better go direct! So out it goes on the wrong link - ISP1. Most unfair. I did a quick phix by adding a manual route to the bank's secure web server.

Is there a way around this feature? A new line like this in tcrules?

    2 $FW 0.0.0.0/0 tcp 443

or maybe 2:P would be the correct solution.

We have had lots of routing issues with our only fixed line provider here in S Africa so it is a bit more difficult to resolve things! Both the ISPs we use for this customer are connected to the local peering point via the fixed line provider. The joys of State owned companies!

Cheers
Ang
-- 
Angela Williams angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com
Smile! Jesus Loves You!

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
On 14/03/2012 16:11, Angela Williams wrote:
> A new line like this in tcrules?
>
> 2 $FW 0.0.0.0/0 tcp 443

I guess you would also need a 0 in the test column? (and flip the source/dest?)

Basically create a situation that marks based on where the connection comes from, rather than the port? So if the connection comes *in* via ISP1 for https, then mark it up to have replies go out the same way. If it's a new connection *out* then default the mark to 2 (or whatever)

Good luck

Ed W
On 03/14/2012 11:30 AM, Ed W wrote:
> Basically create a situation that marks based on where the connection
> comes from, rather than the port? So if the connection comes *in* via
> ISP1 for https, then mark it up to have replies go out the same way. If
> it's a new connection *out* then default the mark to 2 (or whatever)

The 'track' provider option does this automatically.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
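To make the "mark on the way in, restore on the way out" idea concrete, here is an added example (not from the thread, and not the rules Shorewall itself generates for 'track') of the underlying iproute2/iptables policy-routing mechanism for two providers that share one interface, as in the original setup. The interface name, gateways and provider addresses are constructed placeholders; commands are printed rather than applied unless RUN is set to empty.

```shell
#!/bin/sh
# Added example: raw policy routing equivalent to a "track" provider setup.
# Assumed/constructed values (RFC 5737 documentation ranges):
IFACE=eth0
ISP1_GW=203.0.113.1;  ISP1_ADDR=203.0.113.10   # /29 link; OWA DNAT target address
ISP2_GW=198.51.100.1; ISP2_ADDR=198.51.100.2   # /30 link; squid's outbound link
# Dry run by default: each command is echoed. Run with RUN= to execute for real.
RUN=${RUN-echo}

track_rules() {
    # 1. One routing table per provider, selected by firewall mark.
    $RUN ip route add default via "$ISP1_GW" dev "$IFACE" table 1
    $RUN ip route add default via "$ISP2_GW" dev "$IFACE" table 2
    $RUN ip rule add fwmark 0x1 table 1
    $RUN ip rule add fwmark 0x2 table 2
    # 2. Restore any mark already saved on the connection. Replies to a
    #    connection that arrived via ISP1 keep mark 1 and leave via ISP1,
    #    regardless of port. This is the part 'track' automates.
    $RUN iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $RUN iptables -t mangle -A OUTPUT     -j CONNMARK --restore-mark
    # 3. New inbound connections: both providers share the interface, so -i
    #    cannot tell them apart; mark by the provider address that was hit.
    #    nat PREROUTING (the OWA DNAT) runs after mangle, so -d still matches.
    $RUN iptables -t mangle -A PREROUTING -i "$IFACE" -m mark --mark 0 \
         -d "$ISP1_ADDR" -j MARK --set-mark 1
    $RUN iptables -t mangle -A PREROUTING -i "$IFACE" -m mark --mark 0 \
         -d "$ISP2_ADDR" -j MARK --set-mark 2
    # 4. New connections originated by the firewall itself (squid going
    #    direct for https) default to ISP2; port 443 no longer picks the link.
    $RUN iptables -t mangle -A OUTPUT -m mark --mark 0 -j MARK --set-mark 2
    # 5. Save the mark on the connection so step 2 can find it on later packets.
    $RUN iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    $RUN iptables -t mangle -A OUTPUT     -j CONNMARK --save-mark
}

track_rules
```

The ordering matters: restore before the "mark 0" tests, and save after them, otherwise reply packets of an established connection would be re-marked as new outbound traffic.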