> [mailto:[EMAIL PROTECTED] Behalf Of Tom Eastep
> Lux wrote:
> >
> > "ip route list" shows:
> > ...
> > default
> >     nexthop via 22.222.222.217 dev eth0 weight 1
> >     nexthop via 11.11.111.177 dev eth0 weight 1
> >
> > If I issue "ip rule list" I get:
> > 0:      from all lookup local
> > 10001:  from all fwmark 0x1 lookup LK1
> > 10002:  from all fwmark 0x2 lookup LK2
> > 20001:  from 192.168.21.2 lookup LK1
> > 21001:  from 11.11.111.186 lookup LK1
> > 22001:  from 22.222.222.218 lookup LK1
> > 32766:  from all lookup main
> > 32767:  from all lookup default
> >
> > And here is the first question (the least important one to me): Shouldn't
> > the line "22001: from 22.222.222.218 lookup LK1" be "22001: from
> > 22.222.222.218 lookup LK2"?
>
> It is a consequence of your oddball configuration (one interface with two
> uplinks).

Sorry for replying so late, but I wanted to make some tests. I don't know exactly what oddball means, but it doesn't have to be a compliment :) There are reasons for this setup, which I did not mention for simplicity. The routers are running a routing protocol, and HSRP, for example.

> > BUT the packets assume randomly the 11.11.111.186 OR
> > 22.222.222.218 source address. So there is a 50% chance that the replies get
> > back through the wrong provider.
> >
> > Is there a solution for this problem?
>
> There was never any intention for Shorewall Multi-ISP support to handle this
> configuration.

Ok, but we could handle it correctly just now, and with small effort: as I supposed in my original posting, I found that the problem is solved if I am able to masq some traffic based on the presence of some mark value. So I wrote a very small patch for Shorewall 3.2.9 that does exactly that thing: add a mark column to the masq file, and add some logic to Shorewall to handle this.

With the masq patch, my problem was solved by putting in the masq file something like:

    eth0 11.11.111.186  22.222.222.218 - - - 2
    eth0 22.222.222.218 11.11.111.186  - - - 1

I also wrote patches to do an analogous thing in the accounting, tos and rules files. Surely I find these not as essential as the masq one is for me, but I found them useful: if someone marks some traffic, then it's likely he wants to let it pass through the firewall too. So he can keep his config files smaller.

I'd like it if someone accustomed with Shorewall code could review them. You can find them attached to the message.

Thank you.

Luigi
Attachments:
    accounting.mark.patch
    tos.mark.patch
    rules.mark.patch
    masq.mark.patch
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
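The first question in the thread (whether rule 22001 should point at LK2) and the masq-with-mark workaround are really one consistency condition: the fwmark that rewrites a packet's source to a provider's address should select the same routing table as the "from <that address>" rule, otherwise locally generated traffic and rewritten traffic leave through different uplinks and replies come back via the wrong provider. The following is an added example, not code from the post or from Shorewall: it parses `ip rule list` output and masq entries in the seven-column layout the post describes (the MARK column being the poster's patch, not stock 3.2.9), reports addresses where the two tables disagree, and renders each marked entry as the netfilter rule such a patch would need to emit. The sample data is constructed from the values quoted in the thread; the iptables rendering is an assumption about what the patch generates, since the patch itself is not reproduced on the page.

```python
"""Consistency check for fwmark policy routing against mark-based SNAT.

Added example, not code from the original mailing-list post or from Shorewall.
Masq layout assumed from the post: INTERFACE SUBNET ADDRESS PROTO PORTS IPSEC MARK.
"""
import re

# Constructed sample: the `ip rule list` output quoted in the thread.
IP_RULE_OUTPUT = """\
0:      from all lookup local
10001:  from all fwmark 0x1 lookup LK1
10002:  from all fwmark 0x2 lookup LK2
20001:  from 192.168.21.2 lookup LK1
21001:  from 11.11.111.186 lookup LK1
22001:  from 22.222.222.218 lookup LK1
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed sample: the two masq entries from the post, in the patched layout.
MASQ_ENTRIES = """\
#INTERFACE SUBNET         ADDRESS        PROTO PORTS IPSEC MARK
eth0       11.11.111.186  22.222.222.218 -     -     -     2
eth0       22.222.222.218 11.11.111.186  -     -     -     1
"""

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from (?P<src>\S+)"
    r"(?: fwmark (?P<mark>\S+))? lookup (?P<table>\S+)"
)


def parse_mark(text):
    """Accept '0x2' as printed by iproute2 as well as a plain decimal '2'."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def parse_ip_rules(text):
    """Turn `ip rule list` lines into dicts with prio, src, fwmark, table."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # tolerate rule forms this small grammar does not cover
        rules.append({
            "prio": int(m.group("prio")),
            "src": m.group("src"),
            "fwmark": parse_mark(m.group("mark")) if m.group("mark") else None,
            "table": m.group("table"),
        })
    return rules


def parse_masq(text):
    """Read masq lines; keep only entries that carry a MARK value."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 7 or cols[6] == "-":
            continue  # unmarked entries are plain masquerade, not checked here
        entries.append({"iface": cols[0], "subnet": cols[1],
                        "address": cols[2], "mark": parse_mark(cols[6])})
    return entries


def table_for_mark(rules):
    """fwmark value -> routing table chosen for packets carrying that mark."""
    return {r["fwmark"]: r["table"]
            for r in rules if r["fwmark"] is not None and r["src"] == "all"}


def table_for_source(rules):
    """source address -> routing table chosen by a plain 'from <addr>' rule."""
    return {r["src"]: r["table"]
            for r in rules if r["fwmark"] is None and r["src"] != "all"}


def find_mismatches(rules, entries):
    """A marked masq entry rewrites the source to ADDRESS for packets that the
    fwmark routes through one provider's table.  The 'from ADDRESS' rule should
    select that same table (this is the expectation behind the poster's first
    question).  Returns (address, mark, table from fwmark, table from source)."""
    by_mark = table_for_mark(rules)
    by_src = table_for_source(rules)
    problems = []
    for e in entries:
        expected = by_mark.get(e["mark"])
        actual = by_src.get(e["address"])
        if expected != actual:
            problems.append((e["address"], e["mark"], expected, actual))
    return problems


def to_iptables(entry):
    """Render one marked masq entry as the equivalent netfilter SNAT rule.
    Assumed form of what the poster's patch would generate; not taken from it."""
    return ("iptables -t nat -A POSTROUTING -o {iface} -s {subnet} "
            "-m mark --mark {mark} -j SNAT --to-source {address}").format(**entry)


if __name__ == "__main__":
    rules = parse_ip_rules(IP_RULE_OUTPUT)
    entries = parse_masq(MASQ_ENTRIES)
    for e in entries:
        print(to_iptables(e))
    for address, mark, expected, actual in find_mismatches(rules, entries):
        print(f"{address}: fwmark {mark} routes via {expected}, "
              f"but the 'from {address}' rule looks up {actual}")
```

Run against the thread's data, the check flags exactly the rule the poster asked about: 22.222.222.218 is the address produced by mark 2, whose table is LK2, yet rule 22001 sends traffic from that address to LK1. On a live box, feed it the real `ip rule list` output and the masq file, and treat any reported pair as a candidate cause of asymmetric return paths before adding more marks.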
