Wow... It's been a while...

Brian J. Murrell wrote:
> On Wed, 2007-02-07 at 07:23 -0800, Tom Eastep wrote:
>> Your problem is how to handle VPN interfaces in a multi-ISP environment --
>
> Not quite even. It's how to make the DUPLICATEd routing tables receive
> the same updates that the table it's duplicated from receives. i.e. when
> the main table gets a new route for an instantiated openvpn connection,
> the duplicated tables need to know too.
>

I'm just wondering how/why that route got added to the provider's tables in the first place. You must not have an entry in the "copy from" column of the providers file (and you restarted shorewall after a vpn connection was made). That column functions to limit the routes that are added from the dup'd table to the providers' routing tables to only those interfaces that are listed. That is the only way that I know of which allows a route on tun0 to end up in a provider's routing table.

>> the route_rules file was designed exactly for that purpose
>
> Hrm. As I read it, it's for dedicating a certain traffic pattern to an
> Internet interface. I guess this is one way to solve this problem, but
> it's more rigid than just allowing the routing engine to solve the
> problem.
>
>> and there's even
>> an example in the file itself dealing with OpenVPN (copied from "Example 2"
>> in the route_rules section of the Multi-ISP document).
>
> Yes, again, though it's quite rigid. My example of how I can manually
> solve the problem, but doing a:
>
> # ip route add 10.75.23.0/24 via 10.33.66.2 dev tun0 table CGCO
>
> is more flexible because it allows the current routing policy to make
> the decisions and should even deal with a sudden change in default
> routing transparently. As I understand route_rules, it would not.
>

Unless you're going to pass vpn traffic from tun0 to the internet, is that route even required? I have a tun interface for my vpn and no routes for tun0 are in my provider's routing tables.

Once the routing rules are added to the route_rules file, those rules should stick through a disconnect, unless the vpn up/down scripts play with them.

> Why would I want this flexibility? Failover/redundancy. I could tell
> my peers they could connect to either of my Internet addresses for
> openvpn service and as long as the outbound routing decision is made in
> the routing table, connections should work on either ISP interface
> transparently. I think. :-)
>
> b.

It will, but if you have a tun0 route in both providers' tables, nothing will work at all...

Good luck,
Jerry

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
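The manual `ip route add ... table CGCO` step Brian describes, and the "tun0 route in both provider tables" situation Jerry warns about, as an added shell example that is not part of this thread and not Shorewall's or OpenVPN's own code. It is written to be called from an OpenVPN `--route-up` script (OpenVPN exports the interface name as `$dev`), and emits one `ip route replace` per provider table so that a reconnect is idempotent; the second function counts how many `ip route show table <name>` dumps carry a route on the tunnel device, which is the check to run before and after a VPN comes up. The table name ISP2 and all addresses other than the ones quoted in the thread are assumptions, and the route dumps are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the thread or from Shorewall/OpenVPN.
# Table names CGCO/ISP2 and the 198.51.100.x / 203.0.113.x addresses are
# assumptions; the route dumps below are constructed sample data.

# Emit one `ip route replace` per provider table for a VPN route.
# `replace` rather than `add` so re-running on every reconnect is harmless.
# Pipe the output into `sh` (or set RUN=sh below) to actually apply it.
build_route_cmds() {
    net=$1; via=$2; dev=$3; shift 3
    for tbl in "$@"; do
        echo "ip route replace $net via $via dev $dev table $tbl"
    done
}

# Count how many of the given `ip route show table X` dumps (one string per
# positional argument) contain a route on interface $dev.
# A result greater than 1 means the tunnel route has landed in more than
# one provider table, which is the condition Jerry's reply warns about.
count_tables_with_dev() {
    dev=$1; shift
    n=0
    for dump in "$@"; do
        if printf '%s\n' "$dump" | grep -qE " dev $dev( |\$)"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample dumps of `ip route show table CGCO` / `... table ISP2`.
T_CGCO='default via 203.0.113.1 dev eth0
10.75.23.0/24 via 10.33.66.2 dev tun0'
T_ISP2='default via 198.51.100.1 dev eth1'

# Stand-alone demo: print the commands an OpenVPN route-up hook would run
# (RUN=sh executes them instead), then report how many tables carry tun0.
RUN=${RUN:-cat}
build_route_cmds 10.75.23.0/24 10.33.66.2 "${dev:-tun0}" CGCO ISP2 | $RUN
echo "provider tables with a ${dev:-tun0} route: $(count_tables_with_dev "${dev:-tun0}" "$T_CGCO" "$T_ISP2")"
```

Run as-is it only prints the `ip route replace` lines and the count; under a real `--route-up` invocation with `RUN=sh` it would push the route into every listed table, which is exactly the case where the count afterwards should be checked, since it will then be 2 for the two tables above.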
