On 4/9/13 12:38 PM, "João Alberto Kuchnier" <joao.kuchnier@gmail.com> wrote:
>Hi folks!
>
>I used Shorewall Multi ISP manual
>(http://www.shorewall.net/MultiISP.html) to configure a dual link
>firewall in one of our clients. When the primary link fails, remote
>connections using the secondary remain working. However, from LAN, they
>can't access the Internet. It seems like shorewall is not using the
>secondary as an alternative route. I'm using the following
>configuration:
>
>/etc/shorewall/providers
>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
>Primary Link 1 1 main eth0 200.175.xxx.xxx track,balance=1 eth2,eth3
>secundary Link 2 2 main eth1 201.14.xxx.xxx track,balance=2 eth2,eth3
>
>/etc/shorewall/masq
>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
>eth0 0.0.0.0/0 200.175.xxx.xxx
>eth1 0.0.0.0/0 201.14.xxx.xxx
>
>I don't have any tcrules configuration. There is no gateway
>configuration on /etc/network/interfaces file.
>
>I did a route -n and noticed that there is an external route just for the
>primary link.
>
>Destination Gateway Genmask Flags Metric Ref Use Iface
>200.175.xxx.xxx 0.0.0.0 255.255.255.248 U 0 0 0 eth0
>201.14.xxx.xxx 0.0.0.0 255.255.255.248 U 0 0 0 eth1
>192.168.3.0 192.168.2.1 255.255.255.0 UG 0 0 0 eth3
>192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
>192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
>0.0.0.0 200.175.xxx.xxx 0.0.0.0 UG 0 0 0 eth0
>
>Is this correct? Can anyone help me?
You need a link monitor like LSM to make failover happen.
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
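
What a link monitor does for the eth0/eth1 providers in this thread, as an added example that is not part of either message and is not LSM's own code. The probe address (a documentation placeholder), thresholds, state directory and function names are assumptions, as is a Shorewall version that supports `shorewall disable|enable <interface>` with both providers declared optional.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal link monitor for eth0/eth1.
# Assumed: probe address, thresholds, state directory, and that the providers
# are declared optional so "shorewall disable|enable IFACE" applies to them.
PROBE_TARGET=${PROBE_TARGET:-192.0.2.1}   # placeholder; use a stable upstream host
STATE_DIR=${STATE_DIR:-/var/run/linkmon}
MAX_FAIL=3   # consecutive failed probes before a link is declared down
MIN_OK=3     # consecutive good probes before it is declared up again

# probe IFACE: succeed if the target answers one ping sent out of IFACE.
probe() { ping -c 1 -W 2 -I "$1" "$PROBE_TARGET" >/dev/null 2>&1; }

# apply_action ACTION IFACE: tell Shorewall to drop or restore the provider.
apply_action() { shorewall "$1" "$2"; }

# decide STATE COUNT RESULT: print "NEWSTATE NEWCOUNT ACTION".
# COUNT is the number of consecutive probes that contradict STATE.
decide() {
    case "$1:$3" in
        up:ok|down:fail) echo "$1 0 none"; return ;;
    esac
    n=$(( $2 + 1 ))
    if [ "$1" = up ] && [ "$n" -ge "$MAX_FAIL" ]; then
        echo "down 0 disable"
    elif [ "$1" = down ] && [ "$n" -ge "$MIN_OK" ]; then
        echo "up 0 enable"
    else
        echo "$1 $n none"
    fi
}

# check_once IFACE: probe, update the saved state, act on a transition.
check_once() {
    mkdir -p "$STATE_DIR"
    state=up; count=0
    [ -r "$STATE_DIR/$1" ] && read -r state count < "$STATE_DIR/$1"
    if probe "$1"; then result=ok; else result=fail; fi
    set -- "$1" $(decide "$state" "$count" "$result")
    echo "$2 $3" > "$STATE_DIR/$1"
    if [ "$4" != none ]; then apply_action "$4" "$1"; fi
}

# Run as "linkmon.sh run" to poll both uplinks every 10 seconds.
if [ "${1:-}" = run ]; then
    while :; do check_once eth0; check_once eth1; sleep 10; done
fi
```

Requiring several consecutive results before a transition keeps a single lost ping from flapping the default route.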