Hi All, I have a triple ISP, double DMZ, single LAN firewall that isn't routing traffic over the secondary and tertiary ISPs. All traffic is heading out over the primary link :( Here's a basic diagram of our firewall; the modems on the triplet of Internet connections simply hold up the PPPoA/E links and NAT the NET1/2/3 addresses to the respective outside IP:
                  +---------{*INTERNET*}----------+
                  |               |               |
              (modem1)        (modem2)        (modem3)
             172.16.3.1      172.16.4.1      172.16.5.1
                  |               |               |
                NET1            NET2            NET2
                  |               |               |
             172.16.3.2      172.16.4.1      172.16.5.2
               (eth3)          (eth4)          (eth5)
                  |               |               |
                +-+---------------+---------------+-+
10.10.100.0/24  |                                   |  10.10.101.0/24
DMZ1 - (eth1) --+             FIREWALL              +-- (eth2) - DMZ2
                |                                   |
                +-----------------+-----------------+
                                  |
                               (eth0)
                            10.10.10.0/24
                                 LAN
Attached is a recent shorewall dump. Below are the relevant files (let me know if I missed any):
The physical interfaces are abstracted out in the "params" file:
LAN_IF=eth0
DMZ1_IF=eth1
DMZ2_IF=eth2
NET_IF1=eth3
NET_IF2=eth4
NET_IF3=eth5
interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
lan     $LAN_IF     detect      routeback
dmz1    $DMZ1_IF    detect      -
dmz2    $DMZ2_IF    detect      -
net     $NET_IF1    detect      $NET_OPTIONS
net     $NET_IF2    detect      $NET_OPTIONS
net     $NET_IF3    detect      $NET_OPTIONS
... where
NET_OPTIONS=arp_filter,nosmurfs,tcpflags,routefilter
providers:
#NAME   NUMBER   MARK   DUPLICATE   INTERFACE   GATEWAY       OPTIONS     COPY
squid   1        202    -           $LAN_IF     $PROXYSVR     loose       -
$ISP1   2        1      main        $NET_IF1    $NET_IF1_GW   $PROVOPTS   $COPY
$ISP2   3        2      main        $NET_IF2    $NET_IF2_GW   $PROVOPTS   $COPY
$ISP3   4        3      main        $NET_IF3    $NET_IF3_GW   $PROVOPTS   $COPY
...where:
COPY=$LAN_IF,$DMZ1_IF,$DMZ2_IF (i.e. eth0,eth1,eth2)
PROVOPTS=track,loose
The NET_IFx_GW variables are the ADSL modems' IPs (again, defined in params) as follows:
NET_IF1_GW=172.16.3.1
NET_IF2_GW=172.16.4.1
NET_IF3_GW=172.16.5.1
tcdevices:
#INTERFACE   IN-BANDWIDTH   OUT-BANDWIDTH
$NET_IF1     $NET_IF1_IN    $NET_IF1_OUT
$NET_IF2     $NET_IF2_IN    $NET_IF2_OUT
$NET_IF3     $NET_IF3_IN    $NET_IF3_OUT
tcclasses:
#INTERFACE   MARK   RATE        CEIL        PRIORITY   OPTIONS
#
# Primary Interface (ADSL2+ 24M/1.5M)
$NET_IF1     10     full        full        1          tcp-ack,tos-minimize-delay
$NET_IF1     20     9*full/10   9*full/10   2
$NET_IF1     30     6*full/10   6*full/10   3          default
#
# Secondary Interface (ADSL1 1.5M/256K)
$NET_IF2     40     full        full        4          tcp-ack,tos-minimize-delay
$NET_IF2     50     6*full/10   6*full/10   5          default
#
# Tertiary Interface (ADSL1 512K/128K)
$NET_IF3     60     full        full        6          default
tcrules:
#MARK   SOURCE         DEST      PROTO   DEST    SOURCE   USER   TEST   LENGTH   TOS
#                                        PORT    PORT
10      $LAN_NETWORK   $ANY_IP   tcp     ssh     -        -      -      0:512
20      $LAN_NETWORK   $ANY_IP   tcp     ssh     -        -      -      513:
20      $LAN_NETWORK   $ANY_IP   tcp     $WWW
20      $LAN_NETWORK   $ANY_IP   tcp     $FTP
30      $LAN_NETWORK   $ANY_IP   tcp     nntp
40      $LAN_NETWORK   $ANY_IP   tcp     $STREAM
50      $LAN_NETWORK   $ANY_IP   tcp     $ALLMAIL
50      $LAN_NETWORK   $ANY_IP   tcp     $IM
50      $LAN_NETWORK   $ANY_IP   udp     $IM
50      $LAN_NETWORK   $ANY_IP   tcp     $P2P
50      $LAN_NETWORK   $ANY_IP   udp     $P2P
50      $LAN_NETWORK   $ANY_IP   tcp     $GAMES
50      $LAN_NETWORK   $ANY_IP   udp     $GAMES
50      $LAN_NETWORK   $ANY_IP   all
I thought I followed all the docs, but I feel like I've missed something really basic. Any insights?
Thanks in advance,
James
--
Test-tube babies shouldn't throw stones.
shorewall-dump.txt.bz2
Description: BZip2 compressed data
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
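An added check, not from the post or from Shorewall itself: it parses the quoted params/providers/tcrules with the same $VAR expansion and reports, per provider, whether anything ever selects it (the `balance` option, or a tcrules entry whose MARK equals the provider's MARK or NAME). It assumes Shorewall's documented rule that a provider without `balance` only carries traffic marked for it; the ISP names are placeholders and variables the post leaves undefined are kept as written.

```python
import re

# Constructed from the params/providers/tcrules quoted in the post; the ISP
# names are placeholders and variables the post leaves undefined stay as $VAR.
PARAMS = """
LAN_IF=eth0
NET_IF1=eth3
NET_IF2=eth4
NET_IF3=eth5
ISP1=isp1
ISP2=isp2
ISP3=isp3
PROVOPTS=track,loose
"""
PROVIDERS = """
squid 1 202 - $LAN_IF $PROXYSVR loose -
$ISP1 2 1 main $NET_IF1 $NET_IF1_GW $PROVOPTS eth0,eth1,eth2
$ISP2 3 2 main $NET_IF2 $NET_IF2_GW $PROVOPTS eth0,eth1,eth2
$ISP3 4 3 main $NET_IF3 $NET_IF3_GW $PROVOPTS eth0,eth1,eth2
"""
TCRULES = """
10 $LAN_NETWORK $ANY_IP tcp ssh - - - 0:512
20 $LAN_NETWORK $ANY_IP tcp $WWW
50 $LAN_NETWORK $ANY_IP all
"""

def load_params(text):
    """Parse the NAME=VALUE lines of a params file into a dict."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def expand(line, params):
    """Substitute $VAR references; unknown variables are left as written."""
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), m.group(0)), line)

def parse_table(text, params):
    """Split a whitespace-separated Shorewall table into rows, dropping comments."""
    rows = [expand(ln, params).split() for ln in text.splitlines()]
    return [r for r in rows if r and not r[0].startswith("#")]

def audit_providers(params_text, providers_text, tcrules_text):
    """Map provider name -> True if anything steers traffic to it, assuming the
    documented rule: without 'balance', a provider only carries packets that
    tcrules mark with its MARK (or, in later releases, its NAME)."""
    params = load_params(params_text)
    # strip suffixes such as :P or /0xff from the tcrules MARK column
    selectors = {r[0].split(":")[0].split("/")[0] for r in parse_table(tcrules_text, params)}
    result = {}
    for name, _num, mark, _dup, _if, _gw, opts, *_ in parse_table(providers_text, params):
        result[name] = "balance" in opts.split(",") or mark in selectors or name in selectors
    return result
```

With the post's files every provider comes back False: no rule carries a provider mark and none is balanced, so only the default route is ever used.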
