Re: [Shorewall-users] complex setup with two ISPs

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Tom Eastep wrote:
> Marcos Dione wrote:
>> On Wed, May 27, 2009 at 05:31:14PM -0700, Tom Eastep wrote:
>>> Marcos Dione wrote:
>>>>     NOTE: this mail started as a help call, but I've been wrinting it
>>>> through several days, and several tests that lead more to an
>>>> investigation that to an actual question. I think it's somewhat usefull,
>>>> specially if thewre are comments on why the different cases didn't work
>>>> as spected. take in account that I didn't try to fix its redaction.
>>>>
>>>>     I have two ISPs, one reliable but restrictive and one unreliable but
>>>> open. I also have a internal network to which I should offer best effort
>>>> service. let me explain.
>>>>
>>>>     the reliable network, let's call it UNC, only offers access to
>>>> http/s and ssh. the unreliable one. Arnet, lets me access any port, but
>>>> the BW is much smaller and often the link goes down.
>>>>
>>>>     so what I want is to route all traffic, including the firewall
>>>> generated, through Arnet (even if it's unreliable), except http/s and
>>>> ssh, which goes though UNC, including traffic to the UNC network itself.
>>>>
>>>>     my current configuration is:
>>>>
>>>> # shorewall.conf
>>> Marcos,
>>>
>>> I'm sorry to hear that you are having problems with Shorewall Multi-ISP
>>> support and that I may have contributed to the problem. But it is
>>> virtually impossible for me to help people who sent snippets of their
>>> configuration files that then ask "Why doesn't it work?".
>>     I knew this is the situation. I mentioned your suggestions to
>> express that I was lost and that didn't knew exactly what I was doing.
>>
>>> That is why the Support Guidelines
>>> (http://www.shorewall.net/support.htm#Guidelines) ask that when you have
>>> any kind of connection problem that you send the output of 'shorewall
>>> dump' collected as described rather than sending configuration files.
>>     I didn't attach them, but I put then in the URL I sent. I didn't
>> want to flood the list with several dumps.
>>
> 
> Marcos,
> 
> Can you tell me which directories in the tarball correspond to which
> failure scenarios above? That would certainly help.
> 
> The naming seems confusing because the configuration in the directory
> called no_balance has a balanced default route:
> 
> default
>         nexthop via 200.16.29.111  dev eth0 weight 1
>         nexthop via 10.0.0.2  dev eth2 weight 1
> 

Possibly part of the problem here is the way that Shorewall handles the
default route in the main table.

1. When there are entries in /etc/shorewall/providers, 'shorewall start'
   saves the default route that it finds in the main table.

2. When there are 'balance' providers, the default route in the main
   table is replaced by both 'shorewall start' and 'shorewall restart'.

3. When there are no 'balance' providers, Shorewall does not change the
   default route in the main table during 'shorewall restart'.

4. In all cases, 'shorewall stop' restores the default route saved at
   the last 'shorewall start'.

So if you have a configuration that specifies 'balance' on one or more
providers and you then remove 'balance' entirely, 'shorewall restart'
will *not* remove the balanced route in the main table. To do that, you
need 'shorewall stop; shorewall start'.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________