Shorewall users - Apr 2013 - multi isp configuration problem

Hi all.
I configured Shorewall (ver. 4.4.26.1) working with two balanced isp and
everything seems to be ok.
I need also that when one of the isp connection falls down, all outgoing
connections should use the other isp.
I configured the swping script that monitors the two connections and
restarts Shorewall when one link goes down.
The problem is that, when one link goes down, the swping script restart
Shorewall correctly (shorewall -f restart), but the routing table of the
firewaal seems to be unchanged and all connections continue to go through
the wrong provider.
My /etc/shorewall/interfaces file:
net     eth0            detect          optional
net     eth1            detect          optional
loc     eth2            detect

My /etc/shorewall/providers file:
VO      1       -       -               eth0            192.168.20.254
  balance=3
TI      2       -       -               eth1            10.0.3.2
  balance=1

My relevant /etc/shorewall/shorewall.conf options:
RESTORE_DEFAULT_ROUTE=No
ROUTE_FILTER=No
TRACK_PROVIDERS=Yes
USE_DEFAULT_RT=Yes

May be something is wrong but I cannot see what.
Any suggestions will be appreciated.
Many thanks.


------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1

Hi,
nobody can help me?

Thanks.


2013/4/30 Marco Querci <mquerci75@gmail.com>
> Hi all.
> I configured Shorewall (ver. 4.4.26.1) working with two balanced isp and
> everything seems to be ok.
> I need also that when one of the isp connection falls down, all outgoing
> connections should use the other isp.
> I configured the swping script that monitors the two connections and
> restarts Shorewall when one link goes down.
> The problem is that, when one link goes down, the swping script restart
> Shorewall correctly (shorewall -f restart), but the routing table of the
> firewaal seems to be unchanged and all connections continue to go through
> the wrong provider.
> My /etc/shorewall/interfaces file:
> net     eth0            detect          optional
> net     eth1            detect          optional
> loc     eth2            detect
>
> My /etc/shorewall/providers file:
> VO      1       -       -               eth0            192.168.20.254
>   balance=3
> TI      2       -       -               eth1            10.0.3.2
>   balance=1
>
> My relevant /etc/shorewall/shorewall.conf options:
> RESTORE_DEFAULT_ROUTE=No
> ROUTE_FILTER=No
> TRACK_PROVIDERS=Yes
> USE_DEFAULT_RT=Yes
>
> May be something is wrong but I cannot see what.
> Any suggestions will be appreciated.
> Many thanks.
>

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It''s a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2

On 05/05/2013 12:20 AM, Marco Querci wrote:
> Hi,
> nobody can help me?
> 
> 
>     Hi all.
>     I configured Shorewall (ver. 4.4.26.1) working with two balanced isp
>     and everything seems to be ok.
>     I need also that when one of the isp connection falls down, all
>     outgoing connections should use the other isp.
>     I configured the swping script that monitors the two connections and
>     restarts Shorewall when one link goes down.
>     The problem is that, when one link goes down, the swping script
>     restart Shorewall correctly (shorewall -f restart), but the routing
>     table of the firewaal seems to be unchanged and all connections
>     continue to go through the wrong provider.
>     My /etc/shorewall/interfaces file:
>     net     eth0            detect          optional
>     net     eth1            detect          optional
>     loc     eth2            detect
> 
>     My /etc/shorewall/providers file:
>     VO      1       -       -               eth0          
>      192.168.20.254       balance=3
>     TI      2       -       -               eth1            10.0.3.2    
>             balance=1
> 
>     My relevant /etc/shorewall/shorewall.conf options:
>     RESTORE_DEFAULT_ROUTE=No
>     ROUTE_FILTER=No
>     TRACK_PROVIDERS=Yes
>     USE_DEFAULT_RT=Yes
> 
>     May be something is wrong but I cannot see what.
>     Any suggestions will be appreciated.
>     Many thanks.
> 
My only suggestion is to drop SWPING in favor of LSM. SWPING has not
been maintained since LSM was introduced. I''ll remove all mention of
SWPING from the documentation.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite
It''s a free troubleshooting tool designed for production
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap2

Many thanks for your reply.
I don''t think it''s a swping problem vs lsm.
I had many tests also without swping: when one isp gone down I manually
typed shorewall restart -f but nothing happened to the routing tables.

For completeness I attach the shorewall dump.

Thanks.



2013/5/5 Tom Eastep <teastep@shorewall.net>
> On 05/05/2013 12:20 AM, Marco Querci wrote:
> > Hi,
> > nobody can help me?
> >
> >
> >     Hi all.
> >     I configured Shorewall (ver. 4.4.26.1) working with two balanced
isp
> >     and everything seems to be ok.
> >     I need also that when one of the isp connection falls down, all
> >     outgoing connections should use the other isp.
> >     I configured the swping script that monitors the two connections
and
> >     restarts Shorewall when one link goes down.
> >     The problem is that, when one link goes down, the swping script
> >     restart Shorewall correctly (shorewall -f restart), but the
routing
> >     table of the firewaal seems to be unchanged and all connections
> >     continue to go through the wrong provider.
> >     My /etc/shorewall/interfaces file:
> >     net     eth0            detect          optional
> >     net     eth1            detect          optional
> >     loc     eth2            detect
> >
> >     My /etc/shorewall/providers file:
> >     VO      1       -       -               eth0
> >      192.168.20.254       balance=3
> >     TI      2       -       -               eth1            10.0.3.2
> >             balance=1
> >
> >     My relevant /etc/shorewall/shorewall.conf options:
> >     RESTORE_DEFAULT_ROUTE=No
> >     ROUTE_FILTER=No
> >     TRACK_PROVIDERS=Yes
> >     USE_DEFAULT_RT=Yes
> >
> >     May be something is wrong but I cannot see what.
> >     Any suggestions will be appreciated.
> >     Many thanks.
> >
>
> My only suggestion is to drop SWPING in favor of LSM. SWPING has not
> been maintained since LSM was introduced. I''ll remove all mention
of
> SWPING from the documentation.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite
> It''s a free troubleshooting tool designed for production
> Get down to code-level detail for bottlenecks, with <2% overhead.
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap2
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>


------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1

On 5/6/13 3:20 AM, "Marco Querci" <mquerci75@gmail.com> wrote:
> Many thanks for your reply.
> I don''t think it''s a swping problem vs lsm.
> I had many tests also without swping: when one isp gone down I manually
typed
> shorewall restart -f but nothing happened to the routing tables.
> 
> For completeness I attach the shorewall dump.
Both of the net interfaces are up and have a configured IP address. So the
generated script believes that both are usable and will configure their
routing unless:
1. The corresponding /var/lib/shorewall/ethX.status file contains a non-zero
value (SWPING and LSM both store ''1'' in the file when the
interface is
down); AND
2. /etc/shorewall/isusable contains the ''is usable'' script
that reads those
files and tells the firewall script whether the interface is usable or not.
-Tom
You do not need a parachute to skydive. You only need a parachute to skydive
twice.





------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1

Great!
It''s the isusable file that does the trick!

Many thanks.


2013/5/6 Tom Eastep <teastep@shorewall.net>
> On 5/6/13 3:20 AM, "Marco Querci" <mquerci75@gmail.com>
wrote:
>
> Many thanks for your reply.
> I don''t think it''s a swping problem vs lsm.
> I had many tests also without swping: when one isp gone down I manually
> typed shorewall restart -f but nothing happened to the routing tables.
>
> For completeness I attach the shorewall dump.
>
>
> Both of the net interfaces are up and have a configured IP address. So the
> generated script believes that both are usable and will configure their
> routing unless:
>
>    1. The corresponding /var/lib/shorewall/ethX.status file contains a
>    non-zero value (SWPING and LSM both store ''1'' in the
file when the
>    interface is down); AND
>    2. /etc/shorewall/isusable contains the ''is usable''
script that reads
>    those files and tells the firewall script whether the interface is
usable
>    or not.
>
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.
>
>
>
>
------------------------------------------------------------------------------
> Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
> Get 100% visibility into your production application - at no cost.
> Code-level diagnostics for performance bottlenecks with <2% overhead
> Download for free and get started troubleshooting in minutes.
> http://p.sf.net/sfu/appdyn_d2d_ap1
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

------------------------------------------------------------------------------
Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
Get 100% visibility into your production application - at no cost.
Code-level diagnostics for performance bottlenecks with <2% overhead
Download for free and get started troubleshooting in minutes.
http://p.sf.net/sfu/appdyn_d2d_ap1