Hi all
I have a setup like the one discussed in
http://www.shorewall.net/MultiISP.html, but with only one physical nic
connected to the 2 ISP routers (refer to the figure below). I'm using
Shorewall 3.0.6 but I had similar results in a test with 3.2.8 too. CentOS 4
(similar to Red Hat), 2.6.9 pom-patched kernel, 1.2.9 pom-patched iptables.
I have two questions regarding this setup.
LAN
-------------------------------
|
|
eth1
+-------+
| Linux | Shorewall here
+-------+
eth0 192.168.21.2
11.11.111.186 / \ 22.222.222.218
/ \
11.11.111.177/ \22.222.222.217 MAC: 0014:0014:0014
MAC:0009:0009: +---+ +---+
0009 |LK1| |LK2| Internet provider's
+---+ +---+ routers
| |
| |
...................
.........................
........ INTERNET .........
.............................
.............................
eth0 has 3 IP addresses: 2 for the 2 providers, one private for other
purposes. "ip addr" reports:
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:4f:3c:fb:97 brd ff:ff:ff:ff:ff:ff
inet 192.168.21.2/24 brd 192.168.21.255 scope global eth0
inet 11.11.111.186/28 brd 11.11.111.191 scope global eth0:0
inet 22.222.222.218/29 brd 22.222.222.223 scope global eth0:1
In the providers file I have:
LK2 2 2 main eth0 22.222.222.217 balance
LK1 1 1 main eth0 11.11.111.177 balance
In the tcrules file I have:
1:P 0.0.0.0/0
1 $FW
2:P 0.0.0.0/0 0.0.0.0/0 tcp 25
2 $FW 0.0.0.0/0 tcp 25
"ip route list" shows:
...
default
nexthop via 22.222.222.217 dev eth0 weight 1
nexthop via 11.11.111.177 dev eth0 weight 1
If I issue "ip rule list" I get:
0: from all lookup local
10001: from all fwmark 0x1 lookup LK1
10002: from all fwmark 0x2 lookup LK2
20001: from 192.168.21.2 lookup LK1
21001: from 11.11.111.186 lookup LK1
22001: from 22.222.222.218 lookup LK1
32766: from all lookup main
32767: from all lookup default
And here is the first question (the least important one to me): Shouldn't
the line "22001: from 22.222.222.218 lookup LK1" be "22001: from
22.222.222.218 lookup LK2" ?
It seems that the last provider appearing in the providers file is more
important than the others, because it is used to route all the packets
coming from addresses of the firewall itself. But I find no reference to the
importance of the order in the providers file, and morevoer I think that
traffic from one provider's IP should be routed via that provider's link.
On to the second question. If I generate SMTP traffic (port 25) from the lan
to the internet, it gets routed via LK2 (I see this from MAC addresses),
masqueraded with the 22.222.222.218 IP address (yes, masq is in action). If
I generate non-SMTP traffic, it gets routed via LK1, masqueraded with the
11.11.111.186 address. Allright.
Instead, if I generate traffic from the firewall (both SMTP and other
traffic) it gets routed through the correct provider (LK2 for SMTP, LK1 for
everything else), BUT the packets assumes randomly the 11.11.111.186 OR
22.222.222.218 source address. So there is a 50% chance that the replies get
back through the wrong provider.
I think the fact is that I am unable to configure the 2 masq rules as
required in http://www.shorewall.net/MultiISP.html, since I have only one
outbound interface. Maybe I would need the ability to masq the traffic with
one address or the other, based on the mark vale? (it would be SO simple if
locally generated traffic got as the IP source address the address closer to
the gateway it gets relayed to.. but this is not a shorewall question I
think).
Is there a solution for this problem?
Thanks
Luigi
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
