Dear all,

I need your advice to help me accomplish the following goal:

source: 192.168.70.0/24 dst: 4.2.2.0/24 (for example) to be routed through ISP#1
source 192.168.70.0/24 dst: 0.0.0.0/24 to be routed to ISP#2

If one or the other failed, to fail over its relevant routes to the working one.

Issues I'm facing:

- No logging under /var/log/messages #Even though I have "info" set in policy for all traffic in/out
- All traffic defaults to just one ISP.

Find attached "shorewall dump" output.

My tcrule:

2 192.168.70.0/24 4.2.2.0/24
1 192.168.70.0/24 0.0.0.0/0

masq:

#Isp
eth0 192.168.70.254 192.168.70.70
eth1 10.2.0.1 10.2.0.3
#Local
eth0 eth2 192.168.75.70
eth1 eth2 10.2.0.3

Thanks in advance

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 07/18/2012 07:05 AM, Roland dnaloR wrote:
> Dear all,
>
> I need your advice to help me accomplish the following goal:
>
> source: 192.168.70.0/24 dst: 4.2.2.0/24 (for example) to be routed
> through ISP#1
> source 192.168.70.0/24 dst: 0.0.0.0/24 to be routed to ISP#2
>
> If one or the other failed, to fail over its relevant routes to the
> working one.
>
>
> Issues I'm facing:
>
> - No logging under /var/log/messages #Even though I have "info" set in
> policy for all traffic in/out

Two things:

- The setting of LOGFILE *does not* determine where messages are logged. See Shorewall FAQs 6 and 91.

- Traffic that matches an entry in /etc/shorewall/rules will not be logged unless you request it in the rule.

> - All traffic defaults to just one ISP.

> My tcrule:
> 2 192.168.70.0/24 4.2.2.0/24
> 1 192.168.70.0/24 0.0.0.0/0

From shorewall-tcrules(5):

    *Important*

    Unlike rules in the shorewall-rules(5) file, evaluation of rules in this file will continue after a match. So the final mark for each packet will be the one assigned by the LAST tcrule that matches.

So with your rules, all packets are being marked with value 1.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thanks for the reply.

Given your advice, I fixed the logs part and edited my tcrules:

1 192.168.70.0/24 0.0.0.0/0
2 192.168.70.0/24 4.2.2.2

With that, 4.2.2.2 always routes through the second ISP correctly, though some things match the first rule and others don't and still go through the second unless I specifically add them by IP to go through the first.

Any

On 7/18/12 10:05 PM, Tom Eastep wrote:
> On 07/18/2012 07:05 AM, Roland dnaloR wrote:
>> Dear all,
>>
>> I need your advice to help me accomplish the following goal:
>>
>> source: 192.168.70.0/24 dst: 4.2.2.0/24 (for example) to be routed
>> through ISP#1
>> source 192.168.70.0/24 dst: 0.0.0.0/24 to be routed to ISP#2
>>
>> If one or the other failed, to fail over its relevant routes to the
>> working one.
>>
>>
>> Issues I'm facing:
>>
>> - No logging under /var/log/messages #Even though I have "info" set in
>> policy for all traffic in/out
> Two things:
>
> - The setting of LOGFILE *does not* determine where messages are logged.
> See Shorewall FAQs 6 and 91.
>
> - Traffic that matches an entry in /etc/shorewall/rules will not be
> logged unless you request it in the rule.
>
>
>> - All traffic defaults to just one ISP.
>> My tcrule:
>> 2 192.168.70.0/24 4.2.2.0/24
>> 1 192.168.70.0/24 0.0.0.0/0
>
> From shorewall-tcrules(5):
>
> *Important*
>
> Unlike rules in the shorewall-rules(5) file, evaluation of
> rules in this file will continue after a match. So the final
> mark for each packet will be the one assigned by the LAST
> tcrule that matches.
>
> So with your rules, all packets are being marked with value 1.
>
> -Tom
On 7/20/12 5:08 AM, Roland dnaloR wrote:
> Thanks for the reply.
>
> Given your advice, I fixed the logs part and edited my tcrules:
>
> 1 192.168.70.0/24 0.0.0.0/0
> 2 192.168.70.0/24 4.2.2.2
>
>
> With that, 4.2.2.2 always routes through the second ISP correctly,
> though some things match the first rule and others don't and still go
> through the second unless I specifically add them by IP to go through
> the first.
>

Then why don't you change the first rule to

1 0.0.0.0/0 0.0.0.0/0

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
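The two points Tom makes in this thread (tcrules keep evaluating after a match, so the LAST matching rule sets the mark, and a 0.0.0.0/0 source catch-all is what picks up the stragglers) are easy to see in a small simulation. The Python below is an added illustration, not part of the thread and not Shorewall's own code. It models only the MARK, SOURCE and DEST columns of /etc/shorewall/tcrules, assumes marks 1 and 2 select the two providers, and runs the three rule sets posted above over constructed sample flows; the flow from 192.168.75.10 is an assumption chosen to stand in for traffic that is not sourced from 192.168.70.0/24 (the posted masq file only mentions 192.168.75.70).

```python
import ipaddress

# Constructed tcrules in shorewall-tcrules(5) column order: MARK SOURCE DEST.
# These are the three rule sets that appear in the thread.
TCRULES_ORIGINAL = """
2 192.168.70.0/24 4.2.2.0/24
1 192.168.70.0/24 0.0.0.0/0
"""

TCRULES_REORDERED = """
1 192.168.70.0/24 0.0.0.0/0
2 192.168.70.0/24 4.2.2.2
"""

TCRULES_CATCHALL = """
1 0.0.0.0/0 0.0.0.0/0
2 192.168.70.0/24 4.2.2.2
"""


def parse_tcrules(text):
    """Parse MARK SOURCE DEST lines; '#' starts a comment, blank lines are
    skipped, and a bare host such as 4.2.2.2 becomes a /32 network."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mark, src, dst = line.split()[:3]
        rules.append((int(mark),
                      ipaddress.ip_network(src, strict=False),
                      ipaddress.ip_network(dst, strict=False)))
    return rules


def final_mark(rules, src, dst, first_match=False):
    """Mark a packet ends up with under tcrules semantics.

    Shorewall keeps evaluating tcrules after a match, so the LAST matching
    rule wins; an unmatched packet keeps mark 0 and is routed by the main
    table rather than a provider's table. first_match=True models the
    stop-at-first-match behaviour of /etc/shorewall/rules, for comparison.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    mark = 0
    for rule_mark, rule_src, rule_dst in rules:
        if src in rule_src and dst in rule_dst:
            mark = rule_mark
            if first_match:
                break
    return mark


def marks_for(text, packets, first_match=False):
    """Map each (src, dst) pair to the mark the rule set assigns it."""
    rules = parse_tcrules(text)
    return {p: final_mark(rules, *p, first_match=first_match) for p in packets}


# Constructed sample flows: a LAN host to 4.2.2.2, the same host to an
# arbitrary Internet address, and (assumption for illustration) a host that
# is not on 192.168.70.0/24 and so never matches the posted rules.
PACKETS = [
    ("192.168.70.10", "4.2.2.2"),
    ("192.168.70.10", "8.8.8.8"),
    ("192.168.75.10", "8.8.8.8"),
]

if __name__ == "__main__":
    for name, text in [("original", TCRULES_ORIGINAL),
                       ("reordered", TCRULES_REORDERED),
                       ("catch-all", TCRULES_CATCHALL)]:
        print(name, marks_for(text, PACKETS))
```

With the original ordering every flow from 192.168.70.0/24 ends with mark 1 because the 0.0.0.0/0 rule is evaluated last; reversing the two rules gives 4.2.2.2 mark 2 but leaves any packet from outside 192.168.70.0/24 unmarked, which is the "some things don't match" symptom; the 0.0.0.0/0 source catch-all marks those too while the later, more specific rule still overrides it for 4.2.2.2.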