Hi Paul,

thanks for your answers.

> 3 DSL (ppp0,ppp1,ppp2) providers from the same ISP. (which means they have
> the same gateway, but different static ISP's)

Do they actually have the same peer address?

The connection is pppoe, the gateway is assigned by the ISP and the 3 ADSL 
connections' next hop is to the same router at the ISP.
The gateway is the same for all 3 connections, which is the P-t-P address in 
ifconfig.
I don't see the gateway at all for the individual static IP addresses that I 
have been supplied. (something to do with the peer to peer (tunnel?))

> ...
> * the purpose of multi-homing is to share outgoing bandwidth load, i.e to
> direct outgoing traffic up a link different perhaps to where the request
> came in, or to balance outgoing traffic.

Correct.

I realise that we don't have control of incoming balancing (so for this we 
will use round robin DNS to the different static IPs which all DNAT to the 
same webserver), but what I am not sure how to do is when a request for a 
website comes in on ppp0 for instance, the answer leaves on a random 
interface across the 3 connections. By using tcrules I can force all traffic 
out a particular connection, be it ppp0 or ppp1 or ppp2.

This has me confused as to whether doing this is right or wrong, because we speak of 
routing a request back out the interface it came in on.

> * 'tcrules' is used to decide (the routing rules) of which outgoing 
> provider
> to send a packet to.
> * 'providers' decides how to connection mark the incoming requests.

Providers also sets up your load-balanced outbound routing.

Is this what I am asking to do above?  I am finding outgoing traffic going out one 
provider only, though if I tell tcrules to send port 25 out a particular 
provider a lot of the email goes out the one I tell it to but some is going 
out the main line. I think this is happening because of routes being cached?

I have just found that the kernel has CONFIG_IP_ROUTE_MULTIPATH_CACHED=y 
which is noted in the multiisp.html page to change to 'n'.  I will go back 
tonight and rebuild the kernel and see if outgoing balance starts working.


> * the track option. Track is used to mark a connection so that it returns
> out the same interface the request came in on. What does this mean if the
> plan is to balance to outgoing traffic ? i.e. send the replies up a
> different link ?

You should use track (and balance, and I recommend optional as well).
The outgoing balancing will not be affected by this option.

> * I believe there is a reason to send requests out the interface they came
> in, something to with ISP's and IP Spoofing protection ?

It might work in your setup (since you're using the same DSL provider
for all three interfaces), but you should route them back out the same
interface.  This gives you the flexibility of changing to a different
provider later if you need to.

Here we are saying to route the incoming requests back out the same 
interface, which then is not reducing outgoing load by sending a request for 
a website out a different provider.

> So how does a multi-home firewall fix this to balance outgoing traffic ?

Multihoming doesn't balance incoming connections.

I understand this as we don't have control of the routing before it reaches 
us (unless we set up BGP). But don't we want to send an incoming request out 
a different link?

> * I am thinking I am missing something fundamental here and would love to
> be set straight.

Your main issue is thinking about all outgoing packets as being the
same.  Outgoing reply packets on incoming connections need the track
option to be routed correctly.  Outgoing packets on connections
initiated from your end are routed according to the rules created by the
combination of providers and tcrules.

So the track option will allow the return packets to go out a different 
provider?


Thanks to all the shorewall-ians out there (and Tom) making iptables easy :)


Richard


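As an added illustration of the split Paul describes (track for replies to incoming connections; providers plus tcrules for connections originating on your side), here is a constructed Shorewall 3.x multi-ISP configuration for the three pppoe links named in this thread. It is not Richard's or Paul's configuration: the provider names, mark values and the 192.168.1.0/24 LAN are assumptions, and the column layouts follow the providers, tcrules and masq file formats of that Shorewall generation.

```text
# /etc/shorewall/providers  (constructed example, not from the thread)
# One provider per pppoe link. GATEWAY is '-' for a point-to-point
# interface. 'track' connection-marks new *incoming* connections so their
# replies leave on the interface the request arrived on (the ISP's
# anti-spoofing filter will accept them). 'balance' adds the link to the
# multipath default route used for connections initiated from your end.
# 'optional' lets Shorewall start even if one ppp link is down.
#NAME   NUMBER  MARK    DUPLICATE  INTERFACE  GATEWAY  OPTIONS
ISP1    1       1       main       ppp0       -        track,balance,optional
ISP2    2       2       main       ppp1       -        track,balance,optional
ISP3    3       3       main       ppp2       -        track,balance,optional

# /etc/shorewall/tcrules  (constructed example)
# A mark set here overrides the balanced default route, but only for new
# outbound connections; reply packets on tracked connections keep the
# mark 'track' gave them. Mark 2 selects provider ISP2 (ppp1) above.
# ':P' marks in PREROUTING (traffic forwarded from the LAN); a $FW
# source marks traffic that originates on the firewall itself, e.g. a
# mail server running on the box.
#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER
#                                                       PORT(S)
2:P     192.168.1.0/24  0.0.0.0/0       tcp     25
2       $FW             0.0.0.0/0       tcp     25

# /etc/shorewall/masq  (constructed example)
# SNAT the LAN on every link, so the source address of a packet always
# matches the static IP the ISP expects on the line it leaves by.
#INTERFACE  SUBNET
ppp0        192.168.1.0/24
ppp1        192.168.1.0/24
ppp2        192.168.1.0/24
```

This configuration does not change the kernel-side caveat raised in the thread: with CONFIG_IP_ROUTE_MULTIPATH_CACHED=y the balanced route can still pin most new connections to one link, which is why multiisp.html recommends rebuilding with it set to n.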
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users