Richard wrote:
> ...
> debian sarge, shorewall 3.2.3
> 3 DSL (ppp0,ppp1,ppp2) providers from the same ISP. (which means they have 
> the same gateway, but different static ISP's)

Do they actually have the same peer address?

> ...
> * the purpose of multi-homing is to share outgoing bandwidth load, i.e to 
> direct outgoing traffic up a link different perhaps to where the request 
> came in, or to balance outgoing traffic.

Correct.

> * 'tcrules' is used to decide (the routing rules) of which outgoing provider 
> to send a packet to.
> * 'providers' decides how to connection mark the incoming requests.

Providers also sets up your load-balanced outbound routing.

> * the track option. Track is used to mark a connection so that it returns 
> out the same interface the request came in on. What does this mean if the 
> plan is to balance the outgoing traffic ? i.e. send the replies up a 
> different link ?

You should use track (and balance, and I recommend optional as well).
The outgoing balancing will not be affected by this option.

> ...
> [snip] If you specify track, then connections which have had at least one 
> packet arrive on the interface listed in the INTERFACE column have their 
> connection mark set to the value in the MARK column. In the PREROUTING 
> chain, packets with a connection mark have their packet mark set to the 
> value of the associated connection mark; packets marked in this way bypass 
> any prerouting rules that you create in /etc/shorewall/tcrules. This ensures 
> that packets associated with connections from outside are always routed out 
> of the correct interface. [snip]
> 
> * is this saying that a provider with 'track' specified, does not get told 
> where to go by tcrules ?

Yes, but only for incoming connections on that interface.

> [snip] The bottom line is that if you want traffic to go out through a 
> particular provider then you must mark that traffic with the provider's MARK 
> value in /etc/shorewall/tcrules and you must do that marking in the 
> PREROUTING chain. [snip]
> 
> * This has me confused, the first snip appears to say the track option 
> bypasses any pre-routing rules that are created by tcrules, the second snip 
> appears to say if you want to direct traffic with tcrules you must do it in 
> the pre-routing chain.

The second snip is about outgoing connections.

> * I believe there is a reason to send requests out the interface they came 
> in, something to do with ISP's and IP Spoofing protection ?

It might work in your setup (since you're using the same DSL provider
for all three interfaces), but you should route them back out the same
interface.  This gives you the flexibility of changing to a different
provider later if you need to.

> So how does a multi-home firewall fix this to balance outgoing traffic ?

Multihoming doesn't balance incoming connections.

> * I am thinking I am missing something fundamental here and would love to be 
> set straight.

Your main issue is thinking about all outgoing packets as being the
same.  Outgoing reply packets on incoming connections need the track
option to be routed correctly.  Outgoing packets on connections
initiated from your end are routed according to the rules created by the
combination of providers and tcrules.

> I get an error with the eth2,eth3 at the end, I am not quite sure what they 
> do.

I think using just eth3 might work for you.

Paul
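
An added illustration of the split Paul describes, with 'track' handling replies on connections that arrived from outside and tcrules steering only connections started from inside; it is constructed for this thread and is not from the message or from the Shorewall documentation. It assumes the Shorewall 3.2 column layout for providers and tcrules, and the gateway and LAN addresses are placeholders (each GATEWAY should be that link's PPP peer address, which is what Paul asks about).

```text
# /etc/shorewall/providers  (constructed example)
# One provider per DSL link. 'track' marks connections that arrive on the
# interface so their replies leave the same way; 'balance' adds the link to the
# load-balanced default route; 'optional' lets Shorewall start if a ppp link is
# down. GATEWAY values are placeholders for each link's peer address.
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY   OPTIONS
dsl1    1       1     main       ppp0       10.0.0.1  track,balance,optional
dsl2    2       2     main       ppp1       10.0.0.1  track,balance,optional
dsl3    3       3     main       ppp2       10.0.0.1  track,balance,optional

# /etc/shorewall/tcrules  (constructed example)
# These rules only affect connections initiated from the LAN (placeholder
# 192.168.1.0/24). Packets on connections that came in on ppp0-2 already carry
# the provider mark from 'track' and skip these rules, which is what the first
# snip means. ':P' marks in PREROUTING, which is what the second snip requires.
#MARK   SOURCE          DEST   PROTO  PORT(S)
2:P     192.168.1.0/24  -      tcp    25     # outbound mail always via dsl2
3:P     192.168.1.10    -      -      -      # one host pinned to dsl3
# Everything else from the LAN stays unmarked and is spread over the three links
# by the balanced default route that the providers file builds.
```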

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users