Hi,

I live in Mongolia and our ISPs are pretty unreliable. I just got a second line in and have set up Shorewall in a loadbalancing/failover configuration.

It's going pretty well except for one thing: http sessions.

For example, I go to a website and log in. I go to enter a support ticket and click submit. I then get kicked back to the login screen and no ticket is submitted.

I've tested this by setting tcrules to send http/https traffic through one specific ISP, and when I do this the problem doesn't occur and I can submit support tickets no problem.

My providers file looks like this:

    mobinet 1 1 main ppp0 detect loose,track,balance=3 eth0
    sansar  2 2 main ppp1 detect loose,track,balance=1 eth0

They are both going through pppoe connections. The mobinet connection is 5M and the sansar 3M; mobinet also has lower latency, hence the balance=3. eth0 is the LAN interface.

The interfaces file looks like this:

    -    lo   -      -
    out0 ppp0 detect tcpflags,optional,nosmurfs,routefilter=0,logmartians=0
    out1 ppp1 detect tcpflags,optional,nosmurfs,routefilter=0,logmartians=0
    lan  eth0 detect dhcp

I've configured ppp to assign ppp0 to mobinet and ppp1 to sansar.

When I put this into tcrules, the HTTP/S problem goes away:

    2:P 192.168.5.0/24 0.0.0.0/0 tcp 80
    2:P 192.168.5.0/24 0.0.0.0/0 tcp 443

I had thought that the 'track' option in providers was supposed to deal with this? What else might I need to consider?

Thanks
On Jul 28, 2013, at 9:25 PM, Steve Wray <stevedwray@gmail.com> wrote:

> When I put this into tcrules, the HTTP/S problem goes away:
>
>     2:P 192.168.5.0/24 0.0.0.0/0 tcp 80
>     2:P 192.168.5.0/24 0.0.0.0/0 tcp 443
>
> I had thought that the 'track' option in providers was supposed to deal with this? What else might I need to consider?

The 'track' option deals with *incoming* connections; it ensures that replies to incoming requests go out over the correct provider.

You want to use the 'SAME' target in /etc/shorewall/tcrules.
Here's what I have:

    SAME:P INT_IF - tcp 443

You may want to start with:

    SAME:P INT_IF - tcp 80,443

-Tom

Tom Eastep           \ Nothing is foolproof to a
Shoreline,            \ sufficiently talented fool
Washington, USA        \
http://shorewall.net    \________________________________________________
If I wanted to use a squid proxy running on the router I'd have this?

    SAME $FW - tcp 80,443

On 29 July 2013 21:28, Tom Eastep <teastep@shorewall.net> wrote:

> The 'track' option deals with *incoming* connections; it ensures that replies to incoming requests go out over the correct provider.
>
> You want to use the 'SAME' target in /etc/shorewall/tcrules.
>
> Here's what I have:
>
>     SAME:P INT_IF - tcp 443
>
> You may want to start with:
>
>     SAME:P INT_IF - tcp 80,443
>
> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 07/29/2013 08:59 AM, Steve Wray wrote:

> If I wanted to use a squid proxy running on the router I'd have this?
>
>     SAME $FW - tcp 80,443

You can try that -- given that applying tcrules doesn't work reliably when the source is $FW, it may or may not do what you want.

I personally use ACLs to assign different hosts to different source IP addresses:

    acl mac src 172.20.1.145/32 172.20.1.146/32
    tcp_outgoing_address 67.170.121.6 mac

    acl rest src 172.20.0.0/22
    tcp_outgoing_address 70.90.191.121

This will still work if one of the connections is down (provided that it is not hard down).

-Tom

-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
My connections are pppoe, so the internal PPP endpoint IP changes and, from tests I've done, the exit point from the ISP NAT gateway also changes... so I guess this isn't going to work so well?

On 30 July 2013 00:17, Tom Eastep <teastep@shorewall.net> wrote:

> I personally use ACLs to assign different hosts to different source IP addresses:
>
>     acl mac src 172.20.1.145/32 172.20.1.146/32
>     tcp_outgoing_address 67.170.121.6 mac
>
>     acl rest src 172.20.0.0/22
>     tcp_outgoing_address 70.90.191.121
>
> This will still work if one of the connections is down (provided that it is not hard down).
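Steve's objection is that Tom's static tcp_outgoing_address lines need fixed local addresses, and a PPPoE link gets a new one on every reconnect. One way to keep Tom's approach usable on such links is to regenerate the Squid fragment from a pppd ip-up/ip-down hook. The script below is an added example written for this thread; it is not from the thread, from Shorewall or from Squid. What it assumes beyond what the thread states: it is installed under /etc/ppp/ip-up.d/ (and, via a symlink whose name contains "ip-down", under /etc/ppp/ip-down.d/) on a Debian-style system, so pppd calls it with the documented arguments "interface tty speed local-ip remote-ip ipparam"; ppp0 is mobinet and ppp1 is sansar as in Steve's providers file; the LAN is 192.168.5.0/24 and the two hosts pinned to sansar (192.168.5.10 and .11) are a hypothetical split; Squid pulls /etc/squid/outgoing.conf in with an include line. It only controls which local address Squid binds, not the ISP's NAT exit, so it addresses the first half of Steve's concern and not the second.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall/Squid.
# Regenerates Squid's per-provider tcp_outgoing_address lines whenever
# pppd brings a link up or down, so the bound address always matches the
# PPP endpoint address of the moment.
#
# Assumptions (not stated on the page):
#   - installed as /etc/ppp/ip-up.d/squid-outgoing and symlinked into
#     /etc/ppp/ip-down.d/ under a name containing "ip-down"
#   - pppd passes "<interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>"
#   - ppp0 is mobinet, ppp1 is sansar; LAN is 192.168.5.0/24
#   - hosts 192.168.5.10 and .11 are pinned to sansar (hypothetical split)
#   - squid.conf contains: include /etc/squid/outgoing.conf

SQUID_INCLUDE="${SQUID_INCLUDE:-/etc/squid/outgoing.conf}"
STATE_DIR="${STATE_DIR:-/run/squid-outgoing}"

# Accept only dotted-quad addresses. pppd hands us an address it parsed
# from IPCP, but the value is written into Squid's config, so be strict.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Remember or forget the local address of one PPP interface.
# $1 = up|down, $2 = interface name, $3 = local IP
record_link() {
    mkdir -p "$STATE_DIR"
    case "$1" in
        up)   printf '%s\n' "$3" > "$STATE_DIR/$2" ;;
        down) rm -f "$STATE_DIR/$2" ;;
    esac
}

# Print the recorded local address for an interface, or nothing if it is down.
current_ip() {
    if [ -r "$STATE_DIR/$1" ]; then
        cat "$STATE_DIR/$1"
    fi
}

# Render the Squid fragment. Squid takes the first matching
# tcp_outgoing_address line, so the pinned hosts come first and a link
# whose address is empty (down) simply contributes no line, leaving its
# hosts to fall through to the other provider instead of a dead address.
# $1 = mobinet (ppp0) local IP or "", $2 = sansar (ppp1) local IP or ""
render_squid_outgoing() {
    mobinet_ip="$1"
    sansar_ip="$2"

    printf '# generated by ip-up hook, do not edit\n'
    printf 'acl to_sansar src 192.168.5.10/32 192.168.5.11/32\n'
    printf 'acl lan src 192.168.5.0/24\n'
    if [ -n "$sansar_ip" ]; then
        printf 'tcp_outgoing_address %s to_sansar\n' "$sansar_ip"
    fi
    if [ -n "$mobinet_ip" ]; then
        printf 'tcp_outgoing_address %s lan\n' "$mobinet_ip"
    elif [ -n "$sansar_ip" ]; then
        printf 'tcp_outgoing_address %s lan\n' "$sansar_ip"
    fi
}

# Hook entry point: only runs when pppd supplies its arguments.
if [ "$#" -ge 4 ]; then
    ifname="$1"
    local_ip="$4"
    case "$0" in
        *ip-down*) mode=down ;;
        *)         mode=up ;;
    esac
    if [ "$mode" = up ] && ! is_ipv4 "$local_ip"; then
        echo "squid-outgoing: refusing non-IPv4 local address '$local_ip'" >&2
        exit 1
    fi
    record_link "$mode" "$ifname" "$local_ip"
    render_squid_outgoing "$(current_ip ppp0)" "$(current_ip ppp1)" > "$SQUID_INCLUDE.tmp"
    mv "$SQUID_INCLUDE.tmp" "$SQUID_INCLUDE"
    squid -k reconfigure
fi
```

Binding Squid to a PPP address only steers the flow if the kernel routes by source address; check with `ip rule` that a rule exists for each PPP address, since the `loose` option in Steve's providers file tells Shorewall not to add those per-address rules itself.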