Hinrich Fraemcke wrote:
> Hi all
>
> I just implemented a squid proxy running *shorewall* as firewall and
> load balancer under f9.
>
> Kernel: 2.6.25-14.fc9.i686
>
> The setup runs fine except that *shorewall* doesn't seem to utilize the
> two ISP connections and favours one of them

Shorewall itself has nothing to do with ISP selection. Once 'shorewall start' completes, there is no Shorewall code running in your system at all.

> and I have the feeling that
> the balancing is not working properly:
>
> If I just disconnect the defaultrouted ISP the internet connectivity for
> the proxy still persists via the default route.
> If I disconnect the other 'non-defaultroute' ISP I have to restart the
> network service and *shorewall* before the proxy has connectivity again.

I couldn't follow that at all. If you are using balancing, both ISPs have a part of the default route. But the Multi-ISP documentation clearly states that there is no failover capability in what Shorewall configures and if a connection fails, 'shorewall restart' is required (assuming that both connections are marked as 'optional').

> The *shorewall* documentation states that the kernel is caching the
> routes and will use the same ISP again and again.

That is necessary -- you can't have a single connection ping-ponging packets between the two ISPs!

> Setting the Kernel Option CONFIG_IP_ROUTE_MULTIPATH_CACHED=n is supposed
> to solve this problem.

It *was* supposed to solve that problem but it didn't work -- it prevented balancing from working at all. It is even mentioned in the Shorewall Multi-ISP doc.

> So I went to build a new Kernel with this option but can't find it. The
> only one coming close is: CONFIG_IP_ROUTE_MULTIPATH which is set to yes
> by default.
>
> *My question:*
>
> 1) Am I barking up the wrong tree in trying to build a new Kernel?

Almost certainly.

> a) if no: can I just add the Option CONFIG_IP_ROUTE_MULTIPATH_CACHED=n
> into the .config file before building the new kernel?

CONFIG_IP_ROUTE_MULTIPATH_CACHED has been de-implemented because it was broken. Forget about it!

> b) is the problem more likely based on the *shorewall* configuration?

Hard to say. Multi-ISP works differently for connections originating on the firewall itself, which is what occurs when you run a Proxy on the firewall. See http://www.shorewall.net/MultiISP.html#Local.

> *here my ifconfig:*

Please see http://www.shorewall.net/support.htm#Guidelines -- we need to see the output of 'shorewall dump' in order to be able to help you further.
