Hi All,

I have 2 problems with MultiISP configuration (Shorewall 4.0.8-4 on CentOS and kernel 2.6.24 recompiled with netfilter options).
Some days ago I upgraded the configuration from a 3.x version (single ISP) to the current one (in the sense that I reinstalled the OS from scratch rather than simply updating). I added a second ISP in the providers file and updated the other original files (zones, etc.) to the new syntax and configuration.
The current configuration is:

  eth0  LAN
  eth1  ISP1 (new provider)
  eth2  ISP2 (existing provider)
  eth3  DMZ (with public IPs on the existing provider and some servers defined in proxyarp)
The problems are:

1) Restart lock

If I issue a 'shorewall restart' command I get an error:

----------------
IP Forwarding Enabled
Setting up Proxy ARP...
RTNETLINK answers: File exists
   ERROR: Command "ip route replace AAA.AAA.AAA.5 dev eth3" Failed
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 664: 13447 Terminated   $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
-----------------

where AAA.AAA.AAA.5 is the first interface defined in the proxyarp file.

**** NOTE: real IP addresses are substituted with:
  AAA.AAA.AAA.  is in the existing ISP range (ISP2 on eth2 and some on DMZ eth3)
  BBB.BBB.BBB.  is in the new ISP range (ISP1 on eth1)
  others are real IPs on the intranet (eth0)
****

So, to restart correctly, I need to execute:

  shorewall stop
  service network restart
  shorewall start

and this is a big problem because it cuts off my remote connection and I have to run the above commands from the console.
2) Fixed routes

I need to route some connections via the ISP2 interface, because there are some web sites that need to see the ISP2 address range to enable access.
I added these entries in route_rules:

  #SOURCE    DEST                 PROVIDER  PRIORITY
  $DMZ_IF    -                    ISP2      1000
  $INT_IF    CCC.CCC.CCC.CCC/24   ISP2      1000
  -          DDD.DDD.DDD.DDD/24   main      1000

where CCC.CCC.CCC.CCC is the public web site that checks the origin IP address and DDD.DDD.DDD.DDD is the local ISP2 public address range (assigned to eth2). But if I have the providers balanced (option balance=1 for both) the route does not work; if I set balance=100 for ISP2 it works.
In masq I have:

  ################################################################################
  #INTERFACE  SOURCE    ADDRESS    PROTO  PORT(S)  IPSEC  MARK
  $ISP2_IF    $INT_IF   $ISP2_IP
  $ISP1_IF    $INT_IF   $ISP1_IP
  $ISP2_IF    $ISP1_IP  $ISP2_IP
  $ISP1_IF    $ISP2_IP  $ISP1_IP
  #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

where ISP1_IP and ISP2_IP are the IPs assigned to the public eth1 and eth2 interfaces.
I have also added in tcrules:

  ################################################################################
  #MARK  SOURCE   DEST                 PROTO  DEST     SOURCE   USER  TEST  LENGTH  TOS
  #                                           PORT(S)  PORT(S)
  2:P    $INT_IF  DDD.DDD.DDD.DDD/24   all
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

without results. I have also upgraded to Shorewall 4.0.8-4 but the result is the same. I have also read the MultiISP and other docs from the shorewall.net site, but surely I'm missing something.
Attached are the output of 'shorewall dump' and the current shorewall.conf.

TIA

Best Regards
Francesco Saverio Giudice

PS: Thank you to Tom Eastep for having created this great software and for the excellent docs, and to you all for the support.
Attachment: dump_and_conf.tgz (application/compressed)
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
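An added example, not part of Francesco's message and not Shorewall's own code: the route_rules entries above (SOURCE, DEST, PROVIDER, PRIORITY) are policy-routing rules, and the PRIORITY column is the 'pref' value of the 'ip rule' entry they become, so the kernel consults them in ascending pref order regardless of file order. The script below parses route_rules text in that column format, expands $NAME variables from a constructed params map, renders each entry as the 'ip rule add' command it corresponds to (an interface name in SOURCE becomes 'iif', anything else 'from'), and lists the commands in evaluation order. The interface-name heuristic, the params values and the RFC 5737 address ranges are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Constructed example: translate Shorewall route_rules entries into the
'ip rule add' commands they correspond to, and list them in the order the
kernel evaluates them. Not Shorewall's own code; the variable values and
address ranges below are made up (RFC 5737 documentation space)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for Shorewall's 'params' file, following the interface
# layout described in the post.
PARAMS: Dict[str, str] = {"DMZ_IF": "eth3", "INT_IF": "eth0", "ISP1_IF": "eth1", "ISP2_IF": "eth2"}

# Constructed route_rules content in the post's column order; 203.0.113.0/24
# stands in for the remote web site and 198.51.100.0/24 for ISP2's own range.
ROUTE_RULES = """\
#SOURCE      DEST                PROVIDER   PRIORITY
$DMZ_IF      -                   ISP2       1000
$INT_IF      203.0.113.0/24      ISP2       1000
-            198.51.100.0/24     main       1000
"""


@dataclass
class RouteRule:
    source: str    # "-", an interface name, or an address/prefix
    dest: str      # "-" or an address/prefix
    provider: str  # routing table: a provider name from 'providers', or "main"
    priority: int  # 'ip rule' preference; lower values are consulted first


# Heuristic (assumption): interface names start with a letter (eth3, eth0.10, ppp0);
# addresses and prefixes do not.
INTERFACE_RE = re.compile(r"^[A-Za-z][\w.:-]*$")


def expand(token: str, params: Dict[str, str]) -> str:
    """Expand $NAME references; unknown names are left untouched."""
    return re.sub(r"\$(\w+)", lambda m: params.get(m.group(1), m.group(0)), token)


def parse_route_rules(text: str, params: Dict[str, str]) -> List[RouteRule]:
    """Parse route_rules text, skipping comments and blank lines and validating columns."""
    rules: List[RouteRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [expand(f, params) for f in line.split()]
        if len(fields) != 4:
            raise ValueError(f"route_rules line {lineno}: expected 4 columns, got {len(fields)}")
        src, dst, provider, prio = fields
        if not prio.isdigit():
            raise ValueError(f"route_rules line {lineno}: PRIORITY must be numeric, got {prio!r}")
        rules.append(RouteRule(src, dst, provider, int(prio)))
    return rules


def to_ip_rule(rule: RouteRule) -> str:
    """Render one entry as the equivalent 'ip rule add' command."""
    parts = ["ip", "rule", "add"]
    if rule.source != "-":
        # An interface name selects packets by ingress device; anything else is a source prefix.
        parts += ["iif", rule.source] if INTERFACE_RE.match(rule.source) else ["from", rule.source]
    if rule.dest != "-":
        parts += ["to", rule.dest]
    parts += ["pref", str(rule.priority), "table", rule.provider]
    return " ".join(parts)


def evaluation_order(rules: List[RouteRule]) -> List[str]:
    """Commands sorted by ascending pref, i.e. the order the kernel consults them;
    entries with equal pref keep their file order."""
    return [to_ip_rule(r) for r in sorted(rules, key=lambda r: r.priority)]


if __name__ == "__main__":
    for cmd in evaluation_order(parse_route_rules(ROUTE_RULES, PARAMS)):
        print(cmd)
```

Running it prints the three 'ip rule add' commands for the constructed entries; comparing that list with the live output of 'ip rule show' on the firewall makes it easy to see which other rules (such as the ones the providers configuration installs) sit at a lower pref and are therefore consulted before the route_rules entries.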