Hi,

we have a 3 isps balanced configuration.
When all are up, everything is fine.
But when we lose one, we basically lose all connectivity...
Do we have to (not) do something for failover to work?

Thx,
JD

On 07/24/2013 09:03 AM, John Doe wrote:
> Hi,
>
> we have a 3 isps balanced configuration.
> When all are up, everything is fine.
> But when we lose one, we basically lose all connectivity...
> Do we have to (not) do something for failover to work?
>

You must install and configure LSM (Link Status Monitor).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On 07/24/2013 09:14 AM, Tom Eastep wrote:
> On 07/24/2013 09:03 AM, John Doe wrote:
>> Hi,
>>
>> we have a 3 isps balanced configuration.
>> When all are up, everything is fine.
>> But when we lose one, we basically lose all connectivity...
>> Do we have to (not) do something for failover to work?
>>
> You must install and configure LSM (Link Status Monitor).

And configure all provider interfaces as 'optional'.

-Tom

From: Tom Eastep <teastep@shorewall.net>
> On 07/24/2013 09:14 AM, Tom Eastep wrote:
>> On 07/24/2013 09:03 AM, John Doe wrote:
>>> we have a 3 isps balanced configuration.
>>> When all are up, everything is fine.
>>> But when we lose one, we basically lose all connectivity...
>>> Do we have to (not) do something for failover to work?
>> You must install and configure LSM (Link Status Monitor).
> And configure all provider interfaces as 'optional'.

Thx for the info.
Do I put optional in interfaces or providers? or both?
BTW, using Shorewall 4.5.4-1 on CentOS 6.4
Also, should I have a default gateway (right now on the sdsl)...?
I read someone saying you do not want to have one...

Just in case, here are my confs:

interfaces:
sdsl  eth1  dhcp,tcpflags,routefilter,nosmurfs,logmartians,optional
free  eth2  dhcp,tcpflags,routefilter,nosmurfs,logmartians,optional
ovh   eth3  dhcp,tcpflags,routefilter,nosmurfs,logmartians,optional
loc   eth0  tcpflags,nosmurfs,routeback
vpn   tun0  tcpflags,nosmurfs

providers:
sdsl  1  1  main  eth1  192.168.0.254  track,balance  eth0
free  2  2  main  eth2  192.168.2.254  track,balance  eth0
ovh   3  3  main  eth3  192.168.4.254  track,balance  eth0

masq:
eth1  192.168.16.0/20  192.168.0.251
eth2  192.168.16.0/20  192.168.2.251
eth3  192.168.16.0/20  192.168.4.251
eth0  tun0

rtrules: (should I avoid rtrules if the interface goes down)?
192.168.16.0/20  <IP>/23  sdsl  1000

shorewall.conf:
STARTUP_ENABLED=Yes
VERBOSITY=1
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
TC=
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=Yes
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=Yes
IPSET_WARNINGS=Yes
IP_FORWARDING=On
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No
SAVE_IPSETS=No
TC_ENABLED=No
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
IPSECFILE=zones

Thx,
JD

From: John Doe <jdmls@yahoo.com>
> From: Tom Eastep <teastep@shorewall.net>
>> On 07/24/2013 09:14 AM, Tom Eastep wrote:
>>> You must install and configure LSM (Link Status Monitor).
>> And configure all provider interfaces as 'optional'.

I did configure lsm; but not tried it yet.
Just wondering about the /etc/lsm/shorewall.conf file.
It seems that the checkips are set to the ISP gateways.
Is that so?
When we have network issues, the gateway is fine; but the traffic behind is not.
So can I put something like the IP of google in the 3 ISP sections and it will use the device= to test the correct path?

Thx,
JD

From: John Doe <jdmls@yahoo.com>
> I did configure lsm; but not tried it yet.
> Just wondering about the /etc/lsm/shorewall.conf file.
> It seems that the checkips are set to the ISP gateways.
> Is that so?
> When we have network issues, the gateway is fine; but the traffic behind is not.
> So can I put something like the IP of google in the 3 ISP sections and it will
> use the device= to test the correct path?

After a few "weird" losses of connectivity (could not find the cause, 2 ISPs out of 3 no more pingable while routes were the same as before) and a reboot, it seems to work now...

Thx,
JD

On 07/25/2013 02:09 AM, John Doe wrote:
> From: John Doe <jdmls@yahoo.com>
>
>> From: Tom Eastep <teastep@shorewall.net>
>>> On 07/24/2013 09:14 AM, Tom Eastep wrote:
>>>> You must install and configure LSM (Link Status Monitor).
>>> And configure all provider interfaces as 'optional'.
> I did configure lsm; but not tried it yet.
> Just wondering about the /etc/lsm/shorewall.conf file.
> It seems that the checkips are set to the ISP gateways.
> Is that so?
> When we have network issues, the gateway is fine; but the traffic behind is not.
> So can I put something like the IP of google in the 3 ISP sections and it will use the device= to test the correct path?
>

No.

- Each provider must check a separate address.
- For each provider interface, there must be a route to the associated
  checked address out of that interface in your main routing table.

One of my providers supplies an on-premises router, so the default gateway for that provider sits right above my firewall. For that provider, the address I define to LSM is that of the next hop router for that provider.

-Tom
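
Added example, not part of the thread and not Shorewall or LSM code: a small Python check of the two rules in the last reply (a separate checked address per provider, and a main-table route to it out of that provider's interface). The LSM blocks, the checkip addresses (documentation-range placeholders) and the routing-table dump are constructed sample input; only the device names and gateways are taken from the configuration posted earlier.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): LSM connection blocks with
# placeholder checkip values; "ovh" wrongly reuses the address given to "sdsl".
BLOCK = "connection {\n    name=%s\n    checkip=%s\n    device=%s\n}\n"
LSM_CONF = "".join(BLOCK % row for row in [
    ("sdsl", "192.0.2.1", "eth1"),
    ("free", "198.51.100.1", "eth2"),
    ("ovh", "192.0.2.1", "eth3"),
])
# Constructed `ip route show table main` output; no host route exists for ovh.
MAIN_ROUTES = """\
192.0.2.1 via 192.168.0.254 dev eth1
198.51.100.1 via 192.168.2.254 dev eth2
192.168.16.0/20 dev eth0 proto kernel scope link
default via 192.168.0.254 dev eth1
"""

def parse_connections(text):
    """Return one dict of key=value settings per connection { ... } block."""
    return [dict(l.strip().split("=", 1) for l in body.splitlines() if "=" in l)
            for body in re.findall(r"connection\s*\{(.*?)\}", text, re.S)]

def route_device(addr, routes):
    """Longest-prefix match over the dump (metrics ignored); returns dev or None."""
    best_len, best_dev = -1, None
    for fields in (line.split() for line in routes.splitlines() if line.strip()):
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if fields[0] == "default" else fields[0])
        except ValueError:
            continue  # e.g. "unreachable ..." or other non-prefix lines
        if "dev" in fields and ipaddress.ip_address(addr) in net and net.prefixlen > best_len:
            best_len, best_dev = net.prefixlen, fields[fields.index("dev") + 1]
    return best_dev

def check(conf, routes):
    """Apply both rules: unique checkip per provider, routed out its own device."""
    problems, owner = [], {}
    for c in parse_connections(conf):
        ip, dev = c["checkip"], c["device"]
        if ip in owner:
            problems.append(f"{c['name']}: checkip {ip} already used by {owner[ip]}")
        owner.setdefault(ip, c["name"])
        via = route_device(ip, routes)
        if via != dev:
            problems.append(f"{c['name']}: {ip} leaves via {via}, expected {dev}")
    return problems
```

A checked address with no host route of its own falls through to the default route, so its probes test the default provider's link rather than the one named in device=; the check reports that case as leaving via the wrong interface.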