Re: [Shorewall-users] Q: Shorewall failover auto-switch script
> On 20 Jul 2017, at 18:15, Tom Eastep wrote:
>
> On 07/20/2017 03:59 AM, andreil1 wrote:
>>
>>
>>> On 20 Jul 2017, at 13:33, Simon Hobson wrote:
>>>
>>> andreil1 wrote:
>>>
>>>> shorewall disable LTC1 <— Doesn't work
>>>>
>>>> ERROR: LTC1 is not an optional provider interface: Firewall state not changed
>>>> /usr/share/shorewall/lib.common: line 93: 28414 Terminated $SHOREWALL_SHELL $script $options $@
>>>>
>>>> Should I mark both providers (main LTC1 and failover backup BTC2) as optional ?
>>>
>>>
>>> Possibly, but looking at http://shorewall.org/MultiISP.html it says that
>>> option has been deprecated and moved to the interfaces file.
>>
>> Added to interfaces, now I can disable LTC1.
>> However, no traffic goes through BTC2 in any case.
>>
>> What could be the problem ?
>>
>
> You need the 'fallback' option on BTC2. I also suggest that you set the
> 'persistent' option on both interfaces.
>

Thanks for help, Tom.
Only this config works; removing "balance=1", for whatever reason, stops traffic on 5.1.4.3. I can't find any explanation...

LTC1  1  0x1  -  eth0  xx.xx.xx.xx  track,persistent,balance=1  -
BTC2  2  0x2  -  eth1  yy.yy.yy.yy  track,persistent,fallback   -

> Finally, I wonder why you don't just use FOOLSM. It is well tested and
> does exactly what you want.
>
> -Tom
> --
> Tom Eastep        \   Q: What do you get when you cross a mobster with
> Shoreline,         \     an international standard?
> Washington, USA     \  A: Someone who makes you an offer you can't
> http://shorewall.org \    understand
>                       \_______________________

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] Q: Shorewall failover auto-switch script
On 07/20/2017 03:59 AM, andreil1 wrote:
>
>
>> On 20 Jul 2017, at 13:33, Simon Hobson wrote:
>>
>> andreil1 wrote:
>>
>>> shorewall disable LTC1 <— Doesn't work
>>>
>>> ERROR: LTC1 is not an optional provider interface: Firewall state not
>>> changed
>>> /usr/share/shorewall/lib.common: line 93: 28414 Terminated
>>> $SHOREWALL_SHELL $script $options $@
>>>
>>> Should I mark both providers (main LTC1 and failover backup BTC2) as
>>> optional ?
>>
>>
>> Possibly, but looking at http://shorewall.org/MultiISP.html it says that
>> option has been deprecated and moved to the interfaces file.
>
> Added to interfaces, now I can disable LTC1.
> However, no traffic goes through BTC2 in any case.
>
> What could be the problem ?
>

You need the 'fallback' option on BTC2. I also suggest that you set the
'persistent' option on both interfaces.

Finally, I wonder why you don't just use FOOLSM. It is well tested and
does exactly what you want.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \  A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \_______________________
Re: [Shorewall-users] Q: Shorewall failover auto-switch script
> On 20 Jul 2017, at 13:33, Simon Hobson wrote:
>
> andreil1 wrote:
>
>> shorewall disable LTC1 <— Doesn't work
>>
>> ERROR: LTC1 is not an optional provider interface: Firewall state not changed
>> /usr/share/shorewall/lib.common: line 93: 28414 Terminated
>> $SHOREWALL_SHELL $script $options $@
>>
>> Should I mark both providers (main LTC1 and failover backup BTC2) as
>> optional ?
>
>
> Possibly, but looking at http://shorewall.org/MultiISP.html it says that
> option has been deprecated and moved to the interfaces file.

Added to interfaces, now I can disable LTC1.
However, no traffic goes through BTC2 in any case.

What could be the problem ?
Re: [Shorewall-users] Q: Shorewall failover auto-switch script
andreil1 wrote:

> shorewall disable LTC1 <— Doesn't work
>
> ERROR: LTC1 is not an optional provider interface: Firewall state not changed
> /usr/share/shorewall/lib.common: line 93: 28414 Terminated
> $SHOREWALL_SHELL $script $options $@
>
> Should I mark both providers (main LTC1 and failover backup BTC2) as optional
> ?

Possibly, but looking at http://shorewall.org/MultiISP.html it says that
option has been deprecated and moved to the interfaces file.
Re: [Shorewall-users] Q: Shorewall failover auto-switch script
> On 20 Jul 2017, at 12:04, Simon Hobson wrote:
>
> andreil1 wrote:
>
>> I have this setup of shorewall with 2 ISPs, and need to auto-switch
>> connection if main (LTC1) provider fails, and then revert back if it becomes
>> alive.
>>
>> *** shorewall.conf ***
>> USE_DEFAULT_RT=Yes
>>
>> *** providers ***
>> LTC1  1  0x1  -  eth0  gw1.xx.xx.xx  track,balance=1  -
>> BTC2  2  0x2  -  eth1  gw2.yy.yy.yy  track            -
>>
>> *** interfaces ***
>> net  eth0  tcpflags,nosmurfs,rpfilter,sourceroute=0
>> net  eth1  tcpflags,nosmurfs,rpfilter,sourceroute=0
>> loc  eth2  tcpflags,nosmurfs,rpfilter
>> dmz  eth3  routeback
>>
>> *
>>
>> Script which runs via cron every 30 seconds.
>> Which commands need to be run within this script ?
>>
>> Thanks in advance for any suggestion(s) !
>>
>>
>> HOSTS="gw1.xx.xx.xx"
>> COUNT=2
>>
>> for myHost in $HOSTS
>> do
>>     count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
>>     if [ $count -eq 0 ]; then
>>         # 100% failed
>>         # ?? what commands should be run to switch providers?
>>         shorewall disable LTC1   # is this enough ? any command to explicitly enable BTC1 ? shorewall restart required ?
>
> Yes that's enough. BTC1 will already be enabled (unless you've disabled it).
> However you'll probably want to keep some memory of the current state so you
> don't keep disabling it repeatedly - it won't cause any harm, but you'll get
> an error each time saying it's already disabled.

shorewall disable LTC1 <— Doesn't work

ERROR: LTC1 is not an optional provider interface: Firewall state not changed
/usr/share/shorewall/lib.common: line 93: 28414 Terminated $SHOREWALL_SHELL $script $options $@

Should I mark both providers (main LTC1 and failover backup BTC2) as optional ?

>
>>     else
>>         # how to determine which provider is active ?
>
> Ping the gateway again. I *THINK* you can still ping the gateway if the
> provider is disabled, but for a host past there, I think some explicit
> routing rule needs to be added so you can still send your test traffic.
> AIUI, all Shorewall does when you mark a provider as disabled is to remove
> the routing table entries that send traffic via it.
> As above, you probably want to keep some status so you don't keep re-enabling
> it when it's already enabled.
Re: [Shorewall-users] Q: Shorewall failover auto-switch script
andreil1 wrote:

> I have this setup of shorewall with 2 ISPs, and need to auto-switch
> connection if main (LTC1) provider fails, and then revert back if it becomes
> alive.
>
> *** shorewall.conf ***
> USE_DEFAULT_RT=Yes
>
> *** providers ***
> LTC1  1  0x1  -  eth0  gw1.xx.xx.xx  track,balance=1  -
> BTC2  2  0x2  -  eth1  gw2.yy.yy.yy  track            -
>
> *** interfaces ***
> net  eth0  tcpflags,nosmurfs,rpfilter,sourceroute=0
> net  eth1  tcpflags,nosmurfs,rpfilter,sourceroute=0
> loc  eth2  tcpflags,nosmurfs,rpfilter
> dmz  eth3  routeback
>
> *
>
> Script which runs via cron every 30 seconds.
> Which commands need to be run within this script ?
>
> Thanks in advance for any suggestion(s) !
>
>
> HOSTS="gw1.xx.xx.xx"
> COUNT=2
>
> for myHost in $HOSTS
> do
>     count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
>     if [ $count -eq 0 ]; then
>         # 100% failed
>         # ?? what commands should be run to switch providers?
>         shorewall disable LTC1   # is this enough ? any command to explicitly enable BTC1 ? shorewall restart required ?

Yes that's enough. BTC1 will already be enabled (unless you've disabled it).
However you'll probably want to keep some memory of the current state so you
don't keep disabling it repeatedly - it won't cause any harm, but you'll get
an error each time saying it's already disabled.

>     else
>         # how to determine which provider is active ?

Ping the gateway again. I *THINK* you can still ping the gateway if the
provider is disabled, but for a host past there, I think some explicit
routing rule needs to be added so you can still send your test traffic.
AIUI, all Shorewall does when you mark a provider as disabled is to remove
the routing table entries that send traffic via it.
As above, you probably want to keep some status so you don't keep re-enabling
it when it's already enabled.
[Shorewall-users] Q: Shorewall failover auto-switch script
Hi,

I have this setup of shorewall with 2 ISPs, and need to auto-switch
connection if main (LTC1) provider fails, and then revert back if it becomes
alive.

*** shorewall.conf ***
USE_DEFAULT_RT=Yes

*** providers ***
LTC1  1  0x1  -  eth0  gw1.xx.xx.xx  track,balance=1  -
BTC2  2  0x2  -  eth1  gw2.yy.yy.yy  track            -

*** interfaces ***
net  eth0  tcpflags,nosmurfs,rpfilter,sourceroute=0
net  eth1  tcpflags,nosmurfs,rpfilter,sourceroute=0
loc  eth2  tcpflags,nosmurfs,rpfilter
dmz  eth3  routeback

*

Script which runs via cron every 30 seconds.
Which commands need to be run within this script ?

Thanks in advance for any suggestion(s) !


HOSTS="gw1.xx.xx.xx"
COUNT=2

for myHost in $HOSTS
do
    count=$(ping -c $COUNT $myHost | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
    if [ $count -eq 0 ]; then
        # 100% failed
        # ?? what commands should be run to switch providers?
        shorewall disable LTC1   # is this enough ? any command to explicitly enable BTC1 ? shorewall restart required ?
    else
        # how to determine which provider is active ?
        # if backup (BTC2), switch back to main provider (LTC1)
        :   # no-op placeholder so the script parses; the else branch cannot be empty in sh
    fi
done
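A state-keeping version of the check, as an added example that is not code from the thread or from Shorewall: it assumes the configuration the thread ends up with (LTC1 marked optional in interfaces, BTC2 with the fallback option in providers), probes the LTC1 gateway as Simon suggests, and only runs shorewall disable/enable LTC1 on a real transition after a run of failed probes, which is the "memory of the current state" Simon asks for. The state file path, FAIL_THRESHOLD and the run argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself.
# Assumes LTC1 is 'optional' in interfaces and BTC2 has 'fallback' in
# providers (as the thread ends up), so 'shorewall disable LTC1' moves
# traffic to BTC2 and 'shorewall enable LTC1' moves it back. The state
# file path and FAIL_THRESHOLD are assumed values.

PROBE_HOST="${PROBE_HOST:-gw1.xx.xx.xx}"   # LTC1 gateway from the thread
PING_COUNT="${PING_COUNT:-2}"
STATE_FILE="${STATE_FILE:-/var/run/ltc1-failover.state}"   # assumed path
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"   # consecutive misses before failover
SHOREWALL="${SHOREWALL:-shorewall}"

# 0 if at least one of PING_COUNT pings to the gateway is answered.
probe_up() { ping -c "$PING_COUNT" -W 2 "$PROBE_HOST" >/dev/null 2>&1; }

# State file holds "<up|down> <consecutive failures>" so a cron run only
# calls shorewall on a real transition (the "memory" Simon mentions).
read_state() {
    state=""; fails=""
    [ -r "$STATE_FILE" ] && read -r state fails < "$STATE_FILE"
    : "${state:=up}" "${fails:=0}"
}
write_state() { printf '%s %s\n' "$1" "$2" > "$STATE_FILE"; }

# decide <state> <fails> <probe_ok 0|1> -> "<state> <fails> <action>"
# action is enable, disable or none. Pure, so it is easy to test.
decide() {
    if [ "$3" -eq 1 ]; then
        # Gateway answers: clear the counter; re-enable only if we cut LTC1.
        [ "$1" = down ] && echo "up 0 enable" || echo "up 0 none"
    else
        n=$(($2 + 1))
        if [ "$1" = up ] && [ "$n" -ge "$FAIL_THRESHOLD" ]; then
            echo "down $n disable"
        else
            echo "$1 $n none"   # below threshold, or already down
        fi
    fi
}

main() {
    read_state
    if probe_up; then ok=1; else ok=0; fi
    set -- $(decide "$state" "$fails" "$ok")
    case $3 in enable) "$SHOREWALL" enable LTC1 ;; disable) "$SHOREWALL" disable LTC1 ;; esac
    write_state "$1" "$2"
}
if [ "${1:-}" = run ]; then main; fi   # invoked from cron as: failover.sh run
```

With FAIL_THRESHOLD=3 a single lost probe does not fail over; three misses in a row disable LTC1, and the first answered probe afterwards re-enables it.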