Lux wrote:
>
> "ip route list" shows:
> ...
> default
>     nexthop via 22.222.222.217 dev eth0 weight 1
>     nexthop via 11.11.111.177 dev eth0 weight 1
>
> If I issue "ip rule list" I get:
> 0:      from all lookup local
> 10001:  from all fwmark 0x1 lookup LK1
> 10002:  from all fwmark 0x2 lookup LK2
> 20001:  from 192.168.21.2 lookup LK1
> 21001:  from 11.11.111.186 lookup LK1
> 22001:  from 22.222.222.218 lookup LK1
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> And here is the first question (the least important one to me): Shouldn't
> the line "22001: from 22.222.222.218 lookup LK1" be "22001: from
> 22.222.222.218 lookup LK2" ?
It is a consequence of your oddball configuration (one interface with two
uplinks). Shorewall determines the IP addresses on each provider interface
and generates a route rule for each address. So in your configuration,
whichever provider comes last will get all of these rules. There is no
solution to this problem under Shorewall 3.0. Under Shorewall 3.2, you can
specify the 'loose' option for both providers and write your own correct
route rules in /etc/shorewall/route_rules.

>
>
> BUT the packets assume randomly the 11.11.111.186 OR
> 22.222.222.218 source address. So there is a 50% chance that the replies get
> back through the wrong provider.
>
> Is there a solution for this problem?

There was never any intention for Shorewall Multi-ISP support to handle this
configuration. If the uplinks are handled by different ISPs, then you are
bridging those ISPs' internal networks which is usually considered to be "a
bad thing(tm)".

You can only solve this second problem by configuring firewall-local apps to
use one local IP or the other (see the section entitled "Applications
Running on the Firewall" in the Shorewall Multi-ISP documentation).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
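As an added example (not code from this thread or from the Shorewall project), the following POSIX shell check parses `ip rule list` output and reports any provider source address whose `from <addr> lookup <table>` rule points at the wrong routing table. The rule text embedded below is a constructed copy of the output Lux posted; the EXPECTED mapping (11.11.111.186 via LK1, 22.222.222.218 via LK2) is an assumption about what Lux intends, and the function name check_rules is made up for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Shorewall project.
# Compares "from <addr> lookup <table>" rules in `ip rule list` output with
# the table each provider source address is supposed to use.

# Constructed sample: the "ip rule list" output quoted in the thread.
# On a live firewall use:  RULES=$(ip rule list)
SAMPLE_RULES='0:      from all lookup local
10001:  from all fwmark 0x1 lookup LK1
10002:  from all fwmark 0x2 lookup LK2
20001:  from 192.168.21.2 lookup LK1
21001:  from 11.11.111.186 lookup LK1
22001:  from 22.222.222.218 lookup LK1
32766:  from all lookup main
32767:  from all lookup default'

# Intended mapping, one "address=table" per line (assumed, per the question).
EXPECTED='11.11.111.186=LK1
22.222.222.218=LK2'

# check_rules RULES EXPECTED
# Prints one line per wrong or missing rule; returns 0 only if all match.
check_rules() {
    rules=$1
    expected=$2
    bad=0
    for pair in $expected; do
        addr=${pair%%=*}
        want=${pair#*=}
        # Field layout of an ip rule line: "<prio>: from <src> lookup <table>"
        got=$(printf '%s\n' "$rules" |
              awk -v a="$addr" '$2 == "from" && $3 == a && $4 == "lookup" { print $5 }')
        if [ -z "$got" ]; then
            echo "MISSING: no source rule for $addr (expected lookup $want)"
            bad=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG: $addr -> lookup $got (expected $want)"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone run: with the sample above this reports the 22001 rule that
# Shorewall 3.0 generated for the last provider instead of LK2.
if check_rules "$SAMPLE_RULES" "$EXPECTED"; then
    echo "all provider source rules point at the expected table"
fi
```

On a live firewall, replace SAMPLE_RULES with the real `ip rule list` output; once the check passes, the same address-to-table mapping is what the hand-written entries in /etc/shorewall/route_rules under 3.2's 'loose' option should reproduce.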
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
