From: Vernon Fort
Sent: Tuesday, November 20, 2012
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Multi ISP default route to one provider

I have a very simple setup - two ISPs (Sprint and Comcast). I need both to track, but I want to default the outbound connection (from the internal LAN) to the Comcast provider. I have tried working through the examples but something is eluding me.

Zones:

  fw      firewall
  net_t   ipv4       # sprint
  net_c   ipv4       # comcast
  loc     ipv4       # eth0 - 192.168.0.0/16

Providers:

  CABLE    1  1  main  eth3  66.211.31.193  balance,track   eth0
  SPRINT   2  2  main  eth1  63.168.72.9    fallback,track  eth0

Thanks,
Vernon

-----------------------
Vernon (Andy) Fort
Provident Solutions, LLC
Office - (615) 406-5540
http://www.provident-solutions.com

------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov
On 11/20/2012 07:05 AM, Vernon Fort wrote:
> I have a very simple setup - two ISPs (Sprint and Comcast). I need both
> to track, but I want to default the outbound connection (from the
> internal LAN) to the Comcast provider. I have tried working through the
> examples but something is eluding me.
>
> Zones:
>
>   fw      firewall
>   net_t   ipv4       # sprint
>   net_c   ipv4       # comcast
>   loc     ipv4       # eth0 - 192.168.0.0/16
>
> Providers:
>
>   CABLE    1  1  main  eth3  66.211.31.193  balance,track   eth0
>   SPRINT   2  2  main  eth1  63.168.72.9    fallback,track  eth0

Please forward the output of 'shorewall dump' as a compressed attachment.

Thanks,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
This is the current setup (and working) - I'm just trying to configure the local network (192.168.0.0/16) to use the faster Comcast connection by default.

Thanks
Vernon

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, November 20, 2012 12:18 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multi ISP default route to one provider

> On 11/20/2012 07:05 AM, Vernon Fort wrote:
> [...]
>
> Please forward the output of 'shorewall dump' as a compressed attachment.
>
> Thanks,
> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 11/20/2012 10:35 AM, Vernon Fort wrote:
> This is the current setup (and working) - I'm just trying to configure the local network (192.168.0.0/16) to use the faster Comcast connection by default.
> [...]
>> Providers:
>>
>>   CABLE    1  1  main  eth3  66.211.31.193  balance,track   eth0
>>   SPRINT   2  2  main  eth1  63.168.72.9    fallback,track  eth0

The configuration in the dump does not have 'fallback' on the SPRINT provider.

-Tom
Yes - this is the setup that I'm trying to change. When I set the SPRINT provider to track,fallback, all my DNATs stop working and I get a continual stream of martians in dmesg. There used to be an older configuration setup that stated to change Shorewall.conf/Trackprovider to Yes and set the notrack option in the providers file, but that doesn't work either.

Vernon

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, November 20, 2012 1:24 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multi ISP default route to one provider

> On 11/20/2012 10:35 AM, Vernon Fort wrote:
> [...]
>
> The configuration in the dump does not have 'fallback' on the SPRINT provider.
>
> -Tom
On 11/20/2012 12:11 PM, Vernon Fort wrote:
> Yes - this is the setup that I'm trying to change. When I set the SPRINT
> provider to track,fallback, all my DNATs stop working and I get a
> continual stream of martians in dmesg. There used to be an older
> configuration setup that stated to change
> Shorewall.conf/Trackprovider to Yes and set the notrack option in the
> providers file, but that doesn't work either.

You *must* disable route filtering on a fallback interface. In /etc/shorewall/interfaces, specify 'routefilter=0,logmartians=0' or disable them in sysctl.conf.

-Tom
Tom,

Thanks - that was the trick and it's working as expected.

Interfaces:

  net_t   eth1   detect   tcpflags,routefilter=0,nosmurfs
  net_c   eth3   detect   tcpflags,routefilter,nosmurfs
  loc     eth0   detect   tcpflags,nosmurfs,routeback

  eth0 => local (192.168.0.0/16 and 172.16.0.0/16)
  eth1 => Sprint internet
  eth3 => cable internet

Providers:

  CABLE    1  1  main  eth3  66.211.31.193  track,balance   eth0
  SPRINT   2  2  main  eth1  63.168.72.9    track,fallback  eth0

Masq:

  eth1   66.211.31.197    63.168.72.10
  eth3   63.168.72.10     66.211.31.197
  eth1   192.168.0.0/16   63.168.72.10
  eth1   172.16.1.0/16    63.168.72.10
  eth3   192.168.0.0/16   66.211.31.197
  eth3   172.16.1.0/16    66.211.31.197

rtrules:

  eth0   -   CABLE   1000

Vernon

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, November 20, 2012 2:40 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Multi ISP default route to one provider

> On 11/20/2012 12:11 PM, Vernon Fort wrote:
> [...]
>
> You *must* disable route filtering on a fallback interface. In /etc/shorewall/interfaces, specify 'routefilter=0,logmartians=0' or disable them in sysctl.conf.
>
> -Tom
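The fix in this thread is easy to lose on the next edit: a provider gets the 'fallback' option but its interface keeps 'routefilter' (the kernel's rp_filter anti-spoofing check), and inbound packets arriving on the fallback link are dropped as martians because the reverse lookup picks the balanced provider, which is exactly why the DNATs died. The following script is an added example, not code from the thread or from the Shorewall project: it lints a 'providers' file and an 'interfaces' file (classic column layouts as posted above, interfaces with the BROADCAST column) and fails when any fallback provider's interface has route filtering left on. The sample files are constructed inline, mirroring the before and after configurations Vernon posted; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): lint Shorewall 'providers' and
# 'interfaces' files so that no provider marked 'fallback' sits on an
# interface that still has route filtering (kernel rp_filter) enabled.
# Assumed column layouts (the ones used in the thread):
#   providers:  NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
#   interfaces: ZONE INTERFACE BROADCAST OPTIONS

# Print the interface of every provider whose OPTIONS contain 'fallback'
# (with or without a weight, e.g. fallback=2). A 'dev:addr' interface
# spec is reduced to the device name.
fallback_ifaces() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 7 {
        n = split($7, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "fallback" || opt[i] ~ /^fallback=/) {
                dev = $5; sub(/:.*/, "", dev); print dev
            }
    }' "$1"
}

# Print "on" if the interfaces file enables route filtering for IFACE
# (bare 'routefilter', or any routefilter=N other than 0), else "off".
# An interface absent from the file reports "off" (Shorewall default).
routefilter_state() {
    awk -v iface="$2" '
        $0 !~ /^[ \t]*#/ && $2 == iface && !seen {
            seen = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "routefilter" ||
                    (opt[i] ~ /^routefilter=/ && opt[i] != "routefilter=0"))
                    state = "on"
        }
        END { if (state == "on") print "on"; else print "off" }' "$1"
}

# Return 1 (naming the offenders) if any fallback interface has route
# filtering on; return 0 when the configuration is clean.
check_fallback_routefilter() {
    rc=0
    for dev in $(fallback_ifaces "$1"); do
        if [ "$(routefilter_state "$2" "$dev")" = "on" ]; then
            echo "$dev: fallback provider with routefilter enabled;" \
                 "set routefilter=0,logmartians=0 on it"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files mirroring the thread's before/after configs.
PROVIDERS=$(mktemp); INTERFACES_BAD=$(mktemp); INTERFACES_GOOD=$(mktemp)
cat > "$PROVIDERS" <<'EOF'
#NAME   NUMBER MARK DUPLICATE INTERFACE GATEWAY       OPTIONS        COPY
CABLE   1      1    main      eth3      66.211.31.193 track,balance  eth0
SPRINT  2      2    main      eth1      63.168.72.9   track,fallback eth0
EOF
cat > "$INTERFACES_BAD" <<'EOF'
#ZONE  INTERFACE BROADCAST OPTIONS
net_t  eth1      detect    tcpflags,routefilter,nosmurfs
net_c  eth3      detect    tcpflags,routefilter,nosmurfs
loc    eth0      detect    tcpflags,nosmurfs,routeback
EOF
cat > "$INTERFACES_GOOD" <<'EOF'
#ZONE  INTERFACE BROADCAST OPTIONS
net_t  eth1      detect    tcpflags,routefilter=0,logmartians=0,nosmurfs
net_c  eth3      detect    tcpflags,routefilter,nosmurfs
loc    eth0      detect    tcpflags,nosmurfs,routeback
EOF

for f in "$INTERFACES_BAD" "$INTERFACES_GOOD"; do
    if check_fallback_routefilter "$PROVIDERS" "$f"; then
        echo "$f: ok"
    fi
done
```

Two caveats when applying this on a real firewall. First, the kernel uses the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so a global rp_filter=1 in sysctl.conf silently overrides routefilter=0 on the fallback interface; after 'shorewall restart', confirm both values with 'sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.eth1.rp_filter'. Second, disabling rp_filter removes an anti-spoofing control on that interface, so keep the 'nosmurfs' and 'tcpflags' options from the posted config and make sure the zone's rules do not rely on source-address trust for anything arriving on the fallback link.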