From: Mike L. <la...@la...> - 2007-08-30 19:47:38
----- Original Message -----
From: "Mike Lander" <la...@la...>
To: "Shorewall" <sho...@li...>
Sent: Thursday, August 30, 2007 12:38 PM
Subject: [Shorewall-users] Multi-Isp Masquerade ?

: Mike Lander wrote:
: > I am building a shorewall box that the last post has the SSH error and wanted
: > some feedback from the list if possible. At first I thought the two ISP's I'm
: > building this for had two T-1's with FQ ip's as it. I have the box built for this
: > ready to go.
: > Now I find out that one of the T-1's is non-routed with 5 useable ips /29--Good
: > the other T-1 is natted in using one of the local lan Ip's. Both full T-1's-----Not so Good
: > The Idea is to load balance and route specific stuff like mail etc:
: > The second ISP will NOT give me a FQ ip. Shorewall fits the bill perfect for this need.
: > Currently the network is using routeback and static routes to route specific
: > traffic to the natted ISP gateway. The only solution I could think of was, I asked
: > the ISP if they could change the currently natted gateway (lan ip on internal) to a
: > different Class 3 IP such as 10.15.75.1 then I could configure my second ISP to the
: > same network 10.15.75.2 and track and balance the routes.
: > Now would there be a better way to do this and leave the Natted ISP with the same
: > IP as the lan (loc) if ??
:
: I'd really need to see the routing tables and route rules from a shorewall dump to
: have a better understanding of your layout. Having said that, when you use the
: providers file, there will be a host route to that isp's gateway created in that
: isp's routing table, which should override any network route using that address
: space. In short it should work without changing any addressing, I have that running now:
:
: Table LOC:
:
: 10.3.0.1 dev eth0 scope link src 10.3.0.75 <<==host route to gateway=
: 10.3.0.0/24 dev eth0 proto kernel scope link src 10.3.0.75
: default via 10.3.0.1 dev eth0
:
: Table SHAW:
:
: 24.78.192.1 dev eth1 scope link src 24.78.192.197
: 10.3.0.0/24 dev eth0 proto kernel scope link src 10.3.0.75
: 24.78.192.0/23 dev eth1 proto kernel scope link src 24.78.192.197
: 169.254.0.0/16 dev eth1 scope link
: default via 24.78.192.1 dev eth1
:
: Table main:
:
: 10.3.0.0/24 dev eth0 proto kernel scope link src 10.3.0.75
: 24.78.192.0/23 dev eth1 proto kernel scope link src 24.78.192.197
: 169.254.0.0/16 dev eth1 scope link
: default
:     nexthop via 24.78.192.1 dev eth1 weight 1
:     nexthop via 10.3.0.1 dev eth0 weight 1
:
: So any thing that uses the "loc" addressing would hit this route rule:
:
: 20256: from 10.3.0.75 lookup LOC
:
: and then use the LOC routing table where there is the host route to the gateway.
: Having 1 (like me, I trust my loc zone) or 2 interfaces (much safer, I had that
: setup too, till the nic died, too lazy to change it.) for that address space should
: not matter, as long as that host route is present, the traffic *should* find the
: gateway. There might be other things that I had to do to pull this off, but I just
: can't recall what, if any, at the moment.
: < Just saw Tom's post, I don't type or copy&paste that fast...>
:
: Just because I have this working doesn't diminish Tom's warning about routing/ARP
: hell, (Think my fire is out now, it's been a couple of years ;) ) you have been warned...
:
: Think I had to use a /32 mask on the nic that was connected to the gateway in the
: 2 interface setup, so there would be no network route present for it, just the
: above host route to the gateway.
:
: Hope it helps,
:
: Jerry
:
:
: I have this setup as Jerry suggested above and I am not sure how to masquerade the
: loc isp. Also it is not clear to me which interface (nic) Jerry is referring to
: apply a /32 mask on. Also posted routing below. Here is the config I have now:
:
: /etc/shorewall/providers
: loc 1 256 main eth1 10.194.79.254 track,balance eth1
: atg 2 512 main eth0 66.224.62.97 track,balance eth1
:
: /etc/shorewall/masq
: eth0 10.194.79.181 66.224.62.120
: eth1 66.224.62.120 10.194.79.181
: eth0 eth1 66.224.62.120
: eth1 eth1 10.194.79.181
:
: ns5:~ # shorewall show routing
: Can't determine the IP address of eth2
: Shorewall 4.0.2 Routing at ns5 - Fri Aug 31 12:32:42 PDT 2007
:
: Routing Rules
:
: 0: from all lookup local
: 10256: from all fwmark 0x100 lookup loc
: 10512: from all fwmark 0x200 lookup atg
: 32766: from all lookup main
: 32767: from all lookup default
:
: Table atg:
:
: 66.224.62.97 dev eth0 scope link src 66.224.62.120
: 10.194.79.0/24 dev eth1 proto kernel scope link src 10.194.79.181
: default via 66.224.62.97 dev eth0
:
: Table default:
:
:
: Table loc:
:
: 10.194.79.254 dev eth1 scope link src 10.194.79.181
: 10.194.79.0/24 dev eth1 proto kernel scope link src 10.194.79.181
: default via 10.194.79.254 dev eth1
:
: Table local:
:
: broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
: broadcast 66.224.62.96 dev eth0 proto kernel scope link src 66.224.62.120
: broadcast 10.194.79.0 dev eth1 proto kernel scope link src 10.194.79.181
: local 10.194.79.181 dev eth1 proto kernel scope host src 10.194.79.181
: local 66.224.62.120 dev eth0 proto kernel scope host src 66.224.62.120
: broadcast 66.224.62.127 dev eth0 proto kernel scope link src 66.224.62.120
: broadcast 10.194.79.255 dev eth1 proto kernel scope link src 10.194.79.181
: broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
: local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
: local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
:
: Table main:
:
: 66.224.62.96/27 dev eth0 proto kernel scope link src 66.224.62.120
: 10.194.79.0/24 dev eth1 proto kernel scope link src 10.194.79.181
: 169.254.0.0/16 dev eth0 scope link
: 127.0.0.0/8 dev lo scope link
: default
:     nexthop via 10.194.79.254 dev eth1 weight 1
:     nexthop via 66.224.62.97 dev eth0 weight 1
: ns5:~ #
:
: Sorry, noticed a typo in my masq. I have:
: /etc/shorewall/masq
: eth0 10.194.79.181 66.224.62.120
: eth1 66.224.62.120 10.194.79.181
: eth0 eth1 66.224.62.120
: eth1 eth0 10.194.79.181

Mike
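As an added check (not from the thread, and not Shorewall's own tooling), the POSIX shell function below reads a `shorewall show routing` dump and verifies, for one provider, the three things Jerry's explanation relies on: a routing rule sending that provider's fwmark to its table, a host route to the gateway through the provider interface in that table, and a default route via that gateway. The dump is constructed from the routing output in this message; `check_provider` and `ROUTING_DUMP` are names I chose.

```shell
#!/bin/sh
# Constructed sample, trimmed from the "shorewall show routing" output above.
ROUTING_DUMP='Routing Rules

0: from all lookup local
10256: from all fwmark 0x100 lookup loc
10512: from all fwmark 0x200 lookup atg
32766: from all lookup main

Table atg:

66.224.62.97 dev eth0 scope link src 66.224.62.120
10.194.79.0/24 dev eth1 proto kernel scope link src 10.194.79.181
default via 66.224.62.97 dev eth0

Table loc:

10.194.79.254 dev eth1 scope link src 10.194.79.181
10.194.79.0/24 dev eth1 proto kernel scope link src 10.194.79.181
default via 10.194.79.254 dev eth1
'

# check_provider NAME MARK INTERFACE GATEWAY
# Exit 0 when the dump contains: "fwmark MARK lookup NAME", a host route
# "GATEWAY dev INTERFACE" in table NAME, and "default via GATEWAY dev INTERFACE"
# in table NAME. Each missing piece is reported on stdout.
check_provider() {
    name=$1 mark=$2 iface=$3 gw=$4
    printf '%s\n' "$ROUTING_DUMP" | awk -v name="$name" -v mark="$mark" \
                                        -v iface="$iface" -v gw="$gw" '
        /^Table / { table = $2; sub(/:$/, "", table); next }
        /fwmark/ && $5 == mark && $7 == name            { rule = 1 }
        table == name && $1 == gw && $3 == iface        { host = 1 }
        table == name && $1 == "default" && $3 == gw && $5 == iface { def = 1 }
        END {
            if (!rule) print "missing rule: fwmark " mark " lookup " name
            if (!host) print "missing host route to " gw " dev " iface " in table " name
            if (!def)  print "missing default via " gw " dev " iface " in table " name
            exit !(rule && host && def)
        }'
}

# Values taken from the providers file in this message.
check_provider loc 0x100 eth1 10.194.79.254 && echo "provider loc: routing looks complete"
check_provider atg 0x200 eth0 66.224.62.97 && echo "provider atg: routing looks complete"
```

Run it against a live box by replacing `ROUTING_DUMP` with `$(shorewall show routing)`; a non-zero exit with a "missing host route" line is the case Jerry describes, where traffic cannot find the gateway.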