Friends,

This seems to be an interesting conundrum. I have a medium-sized LAN fed by a server with six ethernet ports, as follows:

eth0 = Static IP 3Mbps/640Kbps, business class connection with ISP; stable
eth1 = Static IP 10Mbps/2Mbps, PPPoE connection; faster but less stable
-- [eth2 = (relic from the past--no longer exists)]
eth3 = internal LAN
eth4 = Static IP 10Mbps/2Mbps, second PPPoE connection
eth5 = [unused/empty port]
eth6 = [unused/empty port]

I have set up shorewall to share the load among the three internet connections, which each have their own gateways, by using the 'balance' option in the providers file. In practice, here is what happens:

eth0 -- receives sporadic traffic, mostly due to incoming http requests
eth1 -- averages a few Kbps in/out
eth4 -- averages a Mbps or more, outgoing; incoming fluctuates widely

It seems that in spite of the 'balance', the buck always stops at the last route in the list. I'm sure I have not set things up perfectly, and that someone will be able to help me--though I have spent days and weeks trying to improve the situation through research online. I have read and re-read the Multi-ISP documentation for shorewall, but I feel about the same as I did in math class as a student--sometimes I just need to see an example before the light will dawn!

I've tried playing with these variables:

--using 'track' as an option for one or all of the named interfaces in providers file
--using marks and tcrules to shape the traffic to particular interfaces
--adjusting the high_route_marks = Yes or No, and changing the mark numbers accordingly

But these have not seemed to change anything in the way the firewall functions. I have somehow not hit upon the magic combination of things to have it all working as desired.

I am confused, from what I understand, on one point of theory--namely this:

1) The load is supposed to be balanced on a per-connection basis such that each client computer will have its traffic directed through a single interface.
2) The traffic can be directed to a particular interface based upon its type (e.g. icmp, http, p2p).

It seems that one could not have it both ways. ??

Shorewall's dump is attached, and relevant lines from the rest of the setup are attached with it.

Perhaps I should mention that I recently connected our PPPoE lines through external routers, since the ISP keeps dropping the connection at random times, and this was disruptive to the server--through no fault of shorewall. The pppd would simply add a new ppp number to the list of interfaces, and of course this would not be matched in the providers list nor the interfaces. However, we seem to be having some problems with the new routers--and while I think the setup for shorewall is correct (for this), I'm open to suggestions.

And, in case you wonder why we want to share the load among multiple internet lines--basically, our ISP has been unable to offer us any faster connection, and they also do not offer bonded lines. This seems our only viable solution. They tell us, even though they have built the fiber optic lines right into our building now, that they do not currently have the infrastructure to give us a better speed, unless we are willing to purchase 10 business class lines all at once, at about $1000/month per line. That's just not feasible for us.

Blessings!

Erik.

status_and_setup.tar.gz
Description: GNU Zip compressed data
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
