On Wednesday, October 3, 2018, 11:55:30 PM GMT+2, Tom Eastep <teas...@shorewall.net> wrote:
> > Looks to me like an issue with whatever program you are runninq to > service NFQUEUE... Please note that I have the "bypass" option set for NFQUEUE. In any case, I removed NFQUEUE from my Shorewall configuration to see if it had any effect, but it didn't. I still witnessed the same behavior. So it occurred to me that it could be a basic routing issue. Now, I don't know how everything got fixed, but it did. Here's exactly what I did after reenabling NFQUEUE in my shorewall config: I set up my OS to add default gw entries for each interface linked to my providers (3). So, for enp7s0 I set "default gw 192.168.92.1", for enp6s0 "default gw 192.168.100.1", for enp8s5 "default gw 192.168.101.1". After restarting shorewall, lo and behold, everything was working again. What puzzles me is that the only 2 differences with my old failing setup (the one which I already sent a dump file for) are: 1) previously I only had one default gw for enp8s5 "192.168.101.1" 2) I had an older shorewall version (5.1.11.1) So I still haven't figured out why it "worked before" with an older shorewall, but not afterwards. I posted another shorewall dump below to see if it can be compared with the one posted yesterday: This dump was taken when traffic was not working properly: https://drive.google.com/open?id=1swkElhpnoUenHP_oBAzhvv4edGxmYtm3 This other dump was taken today with everything working fine: https://drive.google.com/open?id=13hGLyHAISIawJIWc5YYhNVzXn_Hj4Qy6 It's not really important at this point, but it would be nice to know what went wrong just so I don't fall into the same trap in the future. I still have a few questions though before I start fiddling again with my system. If I were to move to my 3-ppp setup, I guess I would need to specify the ppp option "defaultroute" for each ppp interface, right? Also, when starting or restarting shorewall for the first time, I get this message: WARNING: Interface enp7s0 is not usable -- Provider ISP1 (1) not Started (same thing for the other 2 providers) This also happened when I used the pppoe links instead of ethernet. However, all 3 providers are up and running, ie., I can successfully ping to a remote host through their interfaces. I need to manually run "shorewall enable INTERFACE" and restart shorewall. No issues from this point onwards. So why is Shorewall complaining about the interfaces? How does it decide if it's "usable"? Finally, my last question is broader and doesn't really depend on shorewall. I have the following: # sysctl net.core.default_qdisc net.core.default_qdisc = fq_codel # sysctl net.ipv4.tcp_congestion_control net.ipv4.tcp_congestion_control = cdg # ip addr show | grep qdisc1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 10002: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 10003: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc tbf state UP group default qlen 10004: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc tbf state UP group default qlen 10005: enp8s5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc tbf state UP group default qlen 10006: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 Why do I see pfifo_fast and tbf instead of fq_codel? Thanks, Vieri _______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
