Re: [Shorewall-users] Q: Shorewall failover auto-switch script

2017-07-21 Thread andreil1


> On 20 Jul 2017, at 18:15, Tom Eastep  wrote:
> 
> On 07/20/2017 03:59 AM, andreil1 wrote:
>> 
>> 
>>> On 20 Jul 2017, at 13:33, Simon Hobson  wrote:
>>> 
>>> andreil1  wrote:
>>> 
>>>> shorewall disable LTC1  <— Doesn’t work
>>>> 
>>>> ERROR: LTC1 is not an optional provider interface: Firewall state not changed
>>>> /usr/share/shorewall/lib.common: line 93: 28414 Terminated  $SHOREWALL_SHELL $script $options $@
>>>> 
>>>> Should I mark both providers (main LTC1 and failover backup BTC2) as optional ?
>>> 
>>> 
>>> Possibly, but looking at http://shorewall.org/MultiISP.html it says that 
>>> option has been deprecated and moved to the interfaces file.
>> 
>> Added to interfaces, now I can disable LTC1.
>> However, no traffic goes through BTC2 in any case.
>> 
>> What could be the problem ?
>> 
> 
> You need the 'fallback' option on BTC2. I also suggest that you set the
> 'persistent' option on both interfaces.
> 

Thanks for help, Tom.
Only this config works; removing “balance=1” for whatever reason stops 
traffic on 5.1.4.3.
I can’t find any explanation...

LTC1   1   0x1   -   eth0   xx.xx.xx.xx   track,persistent,balance=1   -
BTC2   2   0x2   -   eth1   yy.yy.yy.yy   track,persistent,fallback    -


> Finally, I wonder why you don't just use FOOLSM. It is well tested and
> does exactly what you want.
> 
> -Tom
> -- 
> Tom Eastep\   Q: What do you get when you cross a mobster with
> Shoreline, \ an international standard?
> Washington, USA \ A: Someone who makes you an offer you can't
> http://shorewall.org \   understand
>  \___
> 


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Q: Shorewall failover auto-switch script

2017-07-20 Thread Tom Eastep
On 07/20/2017 03:59 AM, andreil1 wrote:
> 
> 
>> On 20 Jul 2017, at 13:33, Simon Hobson  wrote:
>>
>> andreil1  wrote:
>>
>>> shorewall disable LTC1  <— Doesn’t work
>>>
>>> ERROR: LTC1 is not an optional provider interface: Firewall state not 
>>> changed
>>> /usr/share/shorewall/lib.common: line 93: 28414 Terminated  
>>> $SHOREWALL_SHELL $script $options $@
>>>
>>> Should I mark both providers (main LTC1 and failover backup BTC2) as 
>>> optional ?
>>
>>
>> Possibly, but looking at http://shorewall.org/MultiISP.html it says that 
>> option has been deprecated and moved to the interfaces file.
> 
> Added to interfaces, now I can disable LTC1.
> However, no traffic goes through BTC2 in any case.
> 
> What could be the problem ?
> 

You need the 'fallback' option on BTC2. I also suggest that you set the
'persistent' option on both interfaces.

Finally, I wonder why you don't just use FOOLSM. It is well tested and
does exactly what you want.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] Q: Shorewall failover auto-switch script

2017-07-20 Thread andreil1


> On 20 Jul 2017, at 13:33, Simon Hobson  wrote:
> 
> andreil1  wrote:
> 
>> shorewall disable LTC1  <— Doesn’t work
>> 
>> ERROR: LTC1 is not an optional provider interface: Firewall state not changed
>> /usr/share/shorewall/lib.common: line 93: 28414 Terminated  
>> $SHOREWALL_SHELL $script $options $@
>> 
>> Should I mark both providers (main LTC1 and failover backup BTC2) as 
>> optional ?
> 
> 
> Possibly, but looking at http://shorewall.org/MultiISP.html it says that 
> option has been deprecated and moved to the interfaces file.

Added to interfaces, now I can disable LTC1.
However, no traffic goes through BTC2 in any case.

What could be the problem ?





Re: [Shorewall-users] Q: Shorewall failover auto-switch script

2017-07-20 Thread Simon Hobson
andreil1  wrote:

> shorewall disable LTC1  <— Doesn’t work
> 
> ERROR: LTC1 is not an optional provider interface: Firewall state not changed
> /usr/share/shorewall/lib.common: line 93: 28414 Terminated  
> $SHOREWALL_SHELL $script $options $@
> 
> Should I mark both providers (main LTC1 and failover backup BTC2) as optional ?


Possibly, but looking at http://shorewall.org/MultiISP.html it says that option 
has been deprecated and moved to the interfaces file.




Re: [Shorewall-users] Q: Shorewall failover auto-switch script

2017-07-20 Thread andreil1

> On 20 Jul 2017, at 12:04, Simon Hobson  wrote:
> 
> andreil1  wrote:
> 
>> I have this setup of shorewall with 2 ISPs, and need to auto-switch 
>> connection if main (LTC1) provider fails, and the revert back if it becomes 
>> alive.
>> 
>> ***   shorewall.conf   ***
>> USE_DEFAULT_RT=Yes
>> 
>> ***   providers   ***
>> LTC1   1   0x1   -   eth0   gw1.xx.xx.xx   track,balance=1   -
>> BTC2   2   0x2   -   eth1   gw2.yy.yy.yy   track             -
>> 
>> ***   interfaces   ***
>> net   eth0   tcpflags,nosmurfs,rpfilter,sourceroute=0
>> net   eth1   tcpflags,nosmurfs,rpfilter,sourceroute=0
>> loc   eth2   tcpflags,nosmurfs,rpfilter
>> dmz   eth3   routeback
>> 
>> *
>> 
>> Script which run via cron each 30 seconds.
>> Which commands need to be run within this script ?
>> 
>> Thanks in advance for any suggestion(s) !
>> 
>> 
>> HOSTS="gw1.xx.xx.xx"
>> COUNT=2
>> 
>> for myHost in $HOSTS
>> do
>>   count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
>>   if [ $count -eq 0 ]; then
>>     # 100% failed 
>>     # ?? what commands should be run to switch providers?
>>     shorewall disable LTC1   # is this enough ?  any command to explicitly enable BTC1 ? shorewall restart required ?
> 
> Yes that's enough. BTC1 will already be enabled (unless you've disabled it). 
> However you'll probably want to keep some memory of the current state so you 
> don't keep disabling it repeatedly - it won't cause any harm, but you'll get 
> an error each time saying it's already disabled.


shorewall disable LTC1  <— Doesn’t work

ERROR: LTC1 is not an optional provider interface: Firewall state not changed
/usr/share/shorewall/lib.common: line 93: 28414 Terminated  
$SHOREWALL_SHELL $script $options $@

Should I mark both providers (main LTC1 and failover backup BTC2) as optional ?


> 
>> else
>>   # how to determine which provider is active ?
> 
> Ping the gateway again. I *THINK* you can still ping the gateway if the 
> provider is disabled, but for a host past there, I think some explicit 
> routing rule needs to be added so you can still send your test traffic.
> AIUI, all Shorewall does when you mark a provider as disabled is to remove 
> the routing table entries that send traffic via it.
> As above, you probably want to keep some status so you don't keep re-enabling 
> it when it's already enabled.




Re: [Shorewall-users] Q: Shorewall failover auto-switch script

2017-07-20 Thread Simon Hobson
andreil1  wrote:

> I have this setup of shorewall with 2 ISPs, and need to auto-switch 
> connection if main (LTC1) provider fails, and the revert back if it becomes 
> alive.
> 
> ***   shorewall.conf   ***
> USE_DEFAULT_RT=Yes
> 
> ***   providers   ***
> LTC1   1   0x1   -   eth0   gw1.xx.xx.xx   track,balance=1   -
> BTC2   2   0x2   -   eth1   gw2.yy.yy.yy   track             -
> 
> ***   interfaces   ***
> net   eth0   tcpflags,nosmurfs,rpfilter,sourceroute=0
> net   eth1   tcpflags,nosmurfs,rpfilter,sourceroute=0
> loc   eth2   tcpflags,nosmurfs,rpfilter
> dmz   eth3   routeback
> 
> *
> 
> Script which run via cron each 30 seconds.
> Which commands need to be run within this script ?
> 
> Thanks in advance for any suggestion(s) !
> 
> 
> HOSTS="gw1.xx.xx.xx"
> COUNT=2
> 
> for myHost in $HOSTS
> do
>   count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
>   if [ $count -eq 0 ]; then
>     # 100% failed 
>     # ?? what commands should be run to switch providers?
>     shorewall disable LTC1   # is this enough ?  any command to explicitly enable BTC1 ? shorewall restart required ?

Yes that's enough. BTC1 will already be enabled (unless you've disabled it). 
However you'll probably want to keep some memory of the current state so you 
don't keep disabling it repeatedly - it won't cause any harm, but you'll get an 
error each time saying it's already disabled.

>  else
># how to determine which provider is active ?

Ping the gateway again. I *THINK* you can still ping the gateway if the 
provider is disabled, but for a host past there, I think some explicit routing 
rule needs to be added so you can still send your test traffic.
AIUI, all Shorewall does when you mark a provider as disabled is to remove the 
routing table entries that send traffic via it.
As above, you probably want to keep some status so you don't keep re-enabling 
it when it's already enabled.




[Shorewall-users] Q: Shorewall failover auto-switch script

2017-07-20 Thread andreil1
Hi,

I have this setup of shorewall with 2 ISPs, and need to auto-switch connection 
if main (LTC1) provider fails, and the revert back if it becomes alive.

***   shorewall.conf   ***
USE_DEFAULT_RT=Yes

***   providers   ***
LTC1   1   0x1   -   eth0   gw1.xx.xx.xx   track,balance=1   -
BTC2   2   0x2   -   eth1   gw2.yy.yy.yy   track             -

***   interfaces   ***
net   eth0   tcpflags,nosmurfs,rpfilter,sourceroute=0
net   eth1   tcpflags,nosmurfs,rpfilter,sourceroute=0
loc   eth2   tcpflags,nosmurfs,rpfilter
dmz   eth3   routeback

*

Script which run via cron each 30 seconds.
Which commands need to be run within this script ?

Thanks in advance for any suggestion(s) !


HOSTS="gw1.xx.xx.xx"
COUNT=2

for myHost in $HOSTS
do
  # replies received, taken from ping's "N packets transmitted, M received" summary line
  count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
  # default to 0 so an empty result (no summary line at all) also counts as a failure
  if [ "${count:-0}" -eq 0 ]; then
    # 100% failed
    # ?? what commands should be run to switch providers?
    shorewall disable LTC1   # is this enough ?  any command to explicitly enable BTC1 ? shorewall restart required ?
  else
    # how to determine which provider is active ?
    # if backup (BTC2), switch back to main provider (LTC1)
    :   # no-op so the branch is valid shell until the check is filled in
  fi
done


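As an added example (not code from the thread), here is the cron check the thread is working toward: it probes the LTC1 gateway over eth0, remembers which provider is active in a state file so `shorewall disable`/`enable` are only issued on a transition (Simon's point about keeping state), and assumes the final providers config from the thread (LTC1 with balance=1, BTC2 with fallback, both persistent). The gateway address, the state-file path and the `run` argument are my placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: cron-driven failover check that only
# calls "shorewall disable/enable" on a state change. Assumes the thread's
# providers (LTC1 on eth0 with balance=1, BTC2 on eth1 with fallback, both
# persistent); gateway address and state path below are placeholders.
MAIN_PROVIDER=${MAIN_PROVIDER:-LTC1}
MAIN_IFACE=${MAIN_IFACE:-eth0}
MAIN_GW=${MAIN_GW:-gw1.xx.xx.xx}                  # placeholder from the thread
STATE_FILE=${STATE_FILE:-/run/shorewall-failover.state}   # assumed location
PING_COUNT=${PING_COUNT:-2}

# received_count "<ping summary line>": replies received, parsed from the
# "N packets transmitted, M received, ..." line; prints 0 if nothing matches.
received_count() {
  printf '%s\n' "$1" | awk -F',' '/received/ { print $2 + 0; found = 1 }
                                  END { if (!found) print 0 }'
}

# decide_action <up|down> <main|backup>: the transition rule. Prints
# "disable" (main just failed), "enable" (main is back) or "none".
decide_action() {
  case "$1/$2" in
    down/main) echo disable ;;
    up/backup) echo enable ;;
    *)         echo none ;;
  esac
}

# Last provider we switched to; "main" before the first run, so the script
# never enables a provider it has not disabled itself.
read_state() { cat "$STATE_FILE" 2>/dev/null || echo main; }

main() {
  # -I pins the probe to eth0, so the on-link gateway is probed over that
  # interface regardless of which provider's routes are currently installed.
  summary=$(ping -c "$PING_COUNT" -W 2 -I "$MAIN_IFACE" "$MAIN_GW" 2>/dev/null \
            | grep received || true)
  if [ "$(received_count "$summary")" -gt 0 ]; then link=up; else link=down; fi
  action=$(decide_action "$link" "$(read_state)")
  case "$action" in
    disable) shorewall disable "$MAIN_PROVIDER" && echo backup >"$STATE_FILE" ;;
    enable)  shorewall enable "$MAIN_PROVIDER"  && echo main   >"$STATE_FILE" ;;
  esac
  logger -t failover "link=$link state=$(read_state) action=$action"
}

# Only touch the firewall when run as "failover.sh run" (e.g. from cron);
# without the argument the file just defines the functions above.
if [ "${1:-}" = run ]; then main; fi
```

Both providers need the `persistent` option Tom recommended for this to work as intended; `shorewall enable` will not bring LTC1 back after a disable unless it was persistent.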