On Fri, 2009-01-09 at 10:32 -0600, John McMonagle wrote:
> Have a firewall with 2 isps, openvpn, ipsec and ospf in use.
> The ospf is primarily for the openvpn tunnels.
> I'm phasing out ipsec because of traffic shaping issues.
>
> Been rereading http://www.shorewall.net/MultiISP.html and realize I
> probably have a couple things not right.
>
> in Table 200 are a few hacks to fix a couple problems.
> ip route list table 200
> # iax routing mentioned next.
> 192.168.11.0/24 via 192.168.2.254 dev eth0 # Makes outgoing packets
> via ipsec use local net ip instead of isp1
> 192.168.10.0/24 via 192.168.2.254 dev eth0 # Makes outgoing packets
> via ipsec use local net ip instead of isp1
>

Example 2 on the MultiIsp page shows that the routes would be in the main table and "routing rules" are used to force the lookup to use the main table.

You have a route to both 192.168.10.x and 192.168.11.x using eth1 in the main table but no via gateway and no IP address assigned to eth1 in those ranges. Those routes are then being copied to that provider's table. Shouldn't those routes be in the main table, or is there something with zebra that I'm missing?

> The primary thing that is getting my attention is iax traffic will not
> pass from 192.168.3.1 to 192.168.1.15

Yea, the traffic from 192.168.3.1 would have a route in the main table while the route to 192.168.1.0/24 via 172.17.2.2 is in table 200.

> All icmp ssh etc works OK. Really strange.
> The rule "192.168.1.0/24 via 172.17.2.2 dev tun1" makes it work but
> besides not being correct I want to add redundant openvpn tunnels and
> the static route must go.
>

That is not a routing rule, it is a static route; try "ip rule ls" to see a routing rule.

> This is shorewall version 4.2.1. I recently changed from 4.0 to fix some
> traffic shaping issues and it did not have this problem.
>
> Is there any way to test if packets are marked?

"shorewall show mangle", but I don't see you using the tcrules file, so I'm unsure of what you mean by "marked".

> My guess is that somehow these packets are being marked and going to
> table ISP2.
>

I'll guess that the packets are being dropped as there is no route for the traffic.

> Any suggestions?
>

Move the static routes to the main table from table 200, replacing these:

192.168.11.0/24 dev eth1 scope link
192.168.10.0/24 dev eth1 scope link

Use the route_rules to have the lookup point to the main table:

- 192.168.1.0/24 main 1000
- 192.168.1.0/24 main 1000
- 192.168.1.0/24 main 1000

> My guess is I should change shorewall.conf to USE_DEFAULT_RT=Yes
>
> and providers
> ISP1 1 256 - eth1 $gw1
> track,balance=1
> ISP2 2 512 - eth2 $gw2
> track,balance=2
>

Shouldn't have to, you have both ISPs on different nics.
Jerry

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
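To see why parking the tunnel route in table 200 leaves it unreachable and why moving it to main plus a route_rules entry fixes the lookup, here is a small model of Linux policy routing. This is an added example, not code from the thread or from Shorewall. It models the kernel's rule walk: rules from `ip rule ls` are tried in ascending priority, each matching rule names a table, and the first table holding a route for the destination (longest prefix) wins, while a table with no matching route falls through to the next rule. The networks 192.168.x.0/24, the gateway 172.17.2.2, tun1 and the table names ISP1/ISP2 come from the thread; everything else is assumed: 192.168.3.0/24 sits on eth0, 10.1.1.1 and 10.2.2.1 stand in for $gw1 and $gw2, a single "default" table stands in for the balanced default route, and the rule priorities are constructed with the fwmark rules placed ahead of the main lookup, which is the case in which a `to 192.168.1.0/24 lookup main` entry at priority 1000 matters. Actual priorities installed by Shorewall may differ; `ip rule ls` on the box is authoritative.

```python
"""Policy-routing lookup model: an added example, not code from the thread or
from Shorewall. Linux walks routing rules ('ip rule ls') in ascending priority;
each rule whose selector matches names a table; the first table holding a
route for the destination (longest prefix) wins, and a table with no match
falls through to the next rule. Rule priorities, the 'default' table and the
gateway addresses below are constructed; the 192.168.x networks, 172.17.2.2,
tun1 and the table names come from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[IPv4Address] = None

    def __str__(self) -> str:
        gw = f" via {self.via}" if self.via is not None else ""
        return f"{self.prefix}{gw} dev {self.dev}"


@dataclass
class Rule:
    priority: int
    table: str
    to: Optional[IPv4Network] = None   # 'to' selector; None matches any destination
    fwmark: Optional[int] = None       # packet-mark selector; None matches any mark


@dataclass
class Config:
    rules: List[Rule]
    tables: Dict[str, List[Route]]


def match_in_table(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table, or None if the table has no route."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def resolve(cfg: Config, dst: str, fwmark: int = 0):
    """Return (table, route) the kernel would pick for dst, or (None, None)."""
    addr = ip_address(dst)
    for rule in sorted(cfg.rules, key=lambda r: r.priority):
        if rule.to is not None and addr not in rule.to:
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        route = match_in_table(cfg.tables.get(rule.table, []), addr)
        if route is not None:
            return rule.table, str(route)
    return None, None


def orphaned_routes(cfg: Config, dst: str) -> List[str]:
    """Tables that hold a route for dst but that no rule ever consults for it:
    the thread's table 200 problem in miniature."""
    addr = ip_address(dst)
    consulted = {r.table for r in cfg.rules if r.to is None or addr in r.to}
    return sorted(t for t, routes in cfg.tables.items()
                  if t not in consulted and match_in_table(routes, addr) is not None)


def thread_config() -> Config:
    """Approximation of the setup quoted in the thread. Constructed: 192.168.3.0/24 on
    eth0, gateways 10.1.1.1/10.2.2.1 standing in for $gw1/$gw2, and fwmark rules placed
    ahead of the main lookup (the case in which a route_rules entry is needed)."""
    main = [
        Route(ip_network("192.168.2.0/24"), "eth0"),
        Route(ip_network("192.168.3.0/24"), "eth0"),
        Route(ip_network("192.168.10.0/24"), "eth1"),   # scope link, no via
        Route(ip_network("192.168.11.0/24"), "eth1"),
    ]
    table_200 = [   # the 'hacks' from 'ip route list table 200' plus the tunnel route
        Route(ip_network("192.168.11.0/24"), "eth0", ip_address("192.168.2.254")),
        Route(ip_network("192.168.10.0/24"), "eth0", ip_address("192.168.2.254")),
        Route(ip_network("192.168.1.0/24"), "tun1", ip_address("172.17.2.2")),
    ]
    isp1 = [Route(ip_network("0.0.0.0/0"), "eth1", ip_address("10.1.1.1"))]
    isp2 = [Route(ip_network("0.0.0.0/0"), "eth2", ip_address("10.2.2.1"))]
    rules = [
        Rule(10000, "ISP1", fwmark=1),
        Rule(10001, "ISP2", fwmark=2),
        Rule(32766, "main"),
        Rule(32767, "default"),   # stand-in for the balanced default route
    ]
    return Config(rules, {"main": main, "200": table_200, "ISP1": isp1,
                          "ISP2": isp2, "default": list(isp1)})


def fixed_config() -> Config:
    """Jerry's suggestion applied: table 200's routes replace the eth1 scope-link
    routes in main, and route_rules gets '- 192.168.1.0/24 main 1000'."""
    cfg = thread_config()
    moved = cfg.tables.pop("200")
    replaced = {r.prefix for r in moved}
    cfg.tables["main"] = [r for r in cfg.tables["main"] if r.prefix not in replaced] + moved
    cfg.rules.append(Rule(1000, "main", to=ip_network("192.168.1.0/24")))
    return cfg


if __name__ == "__main__":
    for label, cfg in (("before", thread_config()), ("after", fixed_config())):
        for mark in (0, 2):
            print(label, "fwmark", mark, "->", resolve(cfg, "192.168.1.15", fwmark=mark))
        print(label, "orphaned tables for 192.168.1.15:", orphaned_routes(cfg, "192.168.1.15"))
```

Under these assumptions the "before" lookup for 192.168.1.15 never reaches table 200 (no rule selects it), so an unmarked packet falls to the default route and a packet marked 2 goes out ISP2, which is the symptom John describes; `orphaned_routes` flags table 200 as holding a route nothing can reach. After the change, both the unmarked and the marked packet resolve in main to the tun1 route, while Internet-bound traffic marked 2 still leaves via ISP2 because the 1000 rule only matches `to 192.168.1.0/24`.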
