Hi All,

I have some questions (and assumptions, perhaps wrong) relating to a 
multi-ISP setup, after reading www.shorewall.net/multiisp.html (and FAQ 57 
and FAQ 58) and also the LARTC docs. A similar setup to the diagram in the 
howto, but with a DMZ as well as a LAN (4 NICs). I have been using 
Shorewall for a while now and I believe the firewalling side is fine.

The setup:

Debian sarge, Shorewall 3.2.3
3 DSL links (ppp0, ppp1, ppp2) from the same ISP (which means they have 
the same gateway, but different static IPs)
1 DMZ (eth2) - to host websites and email from
1 LAN (eth3) - for the office PCs

The plan:

* to balance outgoing web traffic to ease the load

My assumptions :

* the purpose of multi-homing is to share the outgoing bandwidth load, i.e. to 
direct outgoing traffic up a link different perhaps from where the request 
came in, or to balance outgoing traffic.

* 'tcrules' is used to decide (the routing rules for) which outgoing provider 
to send a packet to.
* 'providers' decides how to connection-mark the incoming requests.

My questions :

* the track option. Track is used to mark a connection so that it returns 
out the same interface the request came in on. What does this mean if the 
plan is to balance the outgoing traffic? i.e. send the replies up a 
different link?

In the section 'what an entry in the providers file does'

[snip] If you specify track, then connections which have had at least one 
packet arrive on the interface listed in the INTERFACE column have their 
connection mark set to the value in the MARK column. In the PREROUTING 
chain, packets with a connection mark have their packet mark set to the 
value of the associated connection mark; packets marked in this way bypass 
any prerouting rules that you create in /etc/shorewall/tcrules. This ensures 
that packets associated with connections from outside are always routed out 
of the correct interface. [snip]

* is this saying that a provider with 'track' specified does not get told 
where to go by tcrules?

[snip] The bottom line is that if you want traffic to go out through a 
particular provider then you must mark that traffic with the provider's MARK 
value in /etc/shorewall/tcrules and you must do that marking in the 
PREROUTING chain. [snip]

* This has me confused: the first snip appears to say the track option 
bypasses any PREROUTING rules that are created by tcrules, the second snip 
appears to say that if you want to direct traffic with tcrules you must do it 
in the PREROUTING chain.

* I believe there is a reason to send requests out the interface they came 
in on, something to do with ISPs and IP spoofing protection? So how does a 
multi-homed firewall fix this to balance outgoing traffic?

* I am thinking I am missing something fundamental here and would love to be 
set straight.

providers:

#NAME    NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS       COPY
telstra1 1 1 main ppp0 track,balance eth2,eth3
telstra2 2 2 main ppp1 track,balance eth2,eth3
telstra3 3 3 main ppp2 track,balance eth2,eth3

I get an error with the eth2,eth3 at the end; I am not quite sure what they 
do.

The 3 uplinks have static IP addresses but share the same gateway.

Regards,

Richard Hatherly
Ritech Computing Services
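Added example (editor's code, not part of the original post and not Shorewall's own code): a small Python model of the two things the post asks about. First, the column layout of /etc/shorewall/providers in Shorewall 3.x is NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY; the lines as posted have seven fields, so "track,balance" is read as GATEWAY and "eth2,eth3" as OPTIONS, which is why the trailing eth2,eth3 errors. The fixed version below puts "-" in GATEWAY for the ppp interfaces (assumed acceptable for ppp links, where the peer address comes from pppd) so that eth2,eth3 lands in COPY. Second, the PREROUTING mark decision the quoted documentation describes is modelled step by step: track sets the connection mark on the first packet in from a provider interface, a restored connection mark bypasses tcrules, and an unmarked packet uses the default route, which balance makes a multipath route. The conntrack dict, the flow tuples, all addresses and the hash standing in for the kernel's nexthop choice are constructed simplifications for the example.

```python
"""Model of a Shorewall 3.x providers file and of how 'track' interacts with tcrules.

Added example, not code from the original post or from Shorewall.  Column order is
Shorewall's (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY); the packet
handling is a simplified model of the generated rules: PREROUTING restores the
connection mark, a restored mark bypasses tcrules, unmarked packets take the
default route, which 'balance' makes multipath.  All sample data is constructed.
"""
import ipaddress
import zlib

COLUMNS = ("name", "number", "mark", "duplicate", "interface", "gateway", "options", "copy")
KNOWN_OPTIONS = {"track", "balance", "loose"}  # OPTIONS documented for Shorewall 3.2

# As posted: 7 columns, so 'track,balance' lands in GATEWAY and 'eth2,eth3' in OPTIONS.
PROVIDERS_AS_POSTED = "telstra1 1 1 main ppp0 track,balance eth2,eth3\n"
# Same intent with a GATEWAY column ('-' for a ppp interface) so COPY gets eth2,eth3.
PROVIDERS_FIXED = """\
#NAME     NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS        COPY
telstra1  1      1    main      ppp0      -       track,balance  eth2,eth3
telstra2  2      2    main      ppp1      -       track,balance  eth2,eth3
telstra3  3      3    main      ppp2      -       track,balance  eth2,eth3
"""


def parse_providers(text):
    """Parse providers-file text; raise ValueError naming the line on a bad row."""
    providers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if not 7 <= len(fields) <= 8:
            raise ValueError(f"line {lineno}: expected 7 or 8 columns, got {len(fields)}")
        row = dict(zip(COLUMNS, fields + ["-"] * (8 - len(fields))))  # COPY is optional
        gw = row["gateway"]
        if gw not in ("-", "detect"):
            try:
                ipaddress.IPv4Address(gw)
            except ValueError:
                raise ValueError(f"line {lineno}: GATEWAY '{gw}' is not '-', 'detect' or an "
                                 "address; an OPTIONS list here means GATEWAY was left out") from None
        options = set() if row["options"] == "-" else set(row["options"].split(","))
        if options - KNOWN_OPTIONS:
            raise ValueError(f"line {lineno}: unknown OPTIONS {sorted(options - KNOWN_OPTIONS)}")
        providers.append({"name": row["name"], "number": int(row["number"]), "mark": int(row["mark"]),
                          "interface": row["interface"], "gateway": gw, "options": options,
                          "copy": [] if row["copy"] == "-" else row["copy"].split(",")})
    return providers


def providers_error(text):
    """Return the parse error for a providers file as a string, or None if it parses."""
    try:
        parse_providers(text)
    except ValueError as exc:
        return str(exc)
    return None


def prerouting(providers, tcrules, conntrack, pkt):
    """Model the PREROUTING mark decision for one packet; return (provider name, reason).

    conntrack (flow key -> connection mark) is shared across calls, standing in for the
    kernel's conntrack table; tcrules is a list of (match_fn, mark) pairs tried in order.
    """
    by_iface = {p["interface"]: p for p in providers}
    by_mark = {p["mark"]: p for p in providers}
    flow = pkt["flow"]
    # track: a connection whose first packet arrives on a tracked provider
    # interface gets that provider's MARK as its connection mark.
    prov = by_iface.get(pkt["in_iface"])
    if prov and "track" in prov["options"] and flow not in conntrack:
        conntrack[flow] = prov["mark"]
    mark = conntrack.get(flow, 0)
    if mark:  # connection mark restored to the packet; tcrules are skipped
        return by_mark[mark]["name"], "connmark restored; tcrules bypassed"
    for match, rule_mark in tcrules:
        if match(pkt):
            return by_mark[rule_mark]["name"], f"tcrules set mark {rule_mark}"
    # No mark: the default route, which 'balance' turns into an equal-cost multipath
    # route.  The kernel picks a nexthop per destination; a hash of the flow stands in.
    balanced = [p for p in providers if "balance" in p["options"]]
    if not balanced:
        return None, "no mark and no balanced default route"
    chosen = balanced[zlib.crc32(repr(flow).encode()) % len(balanced)]
    return chosen["name"], "unmarked; balanced default route"


def demo():
    """Run constructed flows through the model and return the decision for each."""
    providers = parse_providers(PROVIDERS_FIXED)
    conntrack = {}
    tcrules = [(lambda p: p["flow"][0] == "192.168.1.25", 3)]  # office mail relay -> telstra3
    web = ("203.0.113.9", "198.51.100.2", "tcp", 80)    # internet -> DMZ web server on eth2
    mail = ("192.168.1.25", "203.0.113.50", "tcp", 25)  # mail relay on eth3 -> internet
    lan = ("192.168.1.40", "203.0.113.80", "tcp", 443)  # office PC on eth3 -> internet

    def decide(flow, iface):
        return prerouting(providers, tcrules, conntrack, {"flow": flow, "in_iface": iface})

    return {"inbound": decide(web, "ppp1"), "reply": decide(web, "eth2"),
            "mail": decide(mail, "eth3"), "lan": decide(lan, "eth3")}
```

Running demo() shows the two halves of the quoted documentation working together rather than contradicting each other: the reply from the DMZ web server leaves via telstra2 because the connection was marked 2 when its first packet arrived on ppp1, and the restored connection mark skips tcrules entirely; the mail relay's new outbound connection has no connection mark yet, so the tcrules PREROUTING mark applies and it goes out telstra3; the office PC's connection matches nothing and falls through to the balanced default route. Track keeps replies on the link the request came in on (so each static IP is only ever seen leaving its own link), while balance spreads connections that originate inside.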

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users