I'm sorry for the late reply, but I was dealing with other tasks. Thanks for the suggestions; this one worked for me:
http://www.shorewall.net/MultiISP.html#Local. But now I have another situation. OpenVPN is connecting and working; the packets come IN and OUT on the same eth0 interface. With Shorewall started, the TC is blocking the traffic from the DMZ servers to the Road Warrior client. I'll explain better. I have a DMZ called "dweb", and two ISP providers, both in the "net" zone. I also have some tcrules to mark and regulate some traffic. When my Road Warrior connects to the OpenVPN server on the firewall and starts a ping to a dweb server through the eth3 interface, the packets reach the server but the ICMP replies are caught somewhere in TC on the way back. I can't understand why. If I comment out the "1:P eth3 0.0.0.0/0 all -" rule in tcrules and restart Shorewall, the Road Warriors can reach the "dweb" server as wanted. Thanks for any suggestion.

Here are the configuration files:

providers:

############################################################################################
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS         COPY
EU256   1       1       main        eth1        62.94.175.33    track,balance   eth2,eth3,eth4,eth5
EU512   2       2       main        eth0        83.211.196.65   track,balance   eth2,eth3,eth4,eth5
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

tcdevice:

###############################################################################
#INTERFACE  IN-BANDWIDTH    OUT-BANDWIDTH
eth1        2000kbit        2000kbit
eth0        2000kbit        2000kbit
#eth1       1000mbit        1000mbit
eth3        1000mbit        1000mbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcrules:

###############################################################################
#MARK   SOURCE                  DEST                PROTO   DEST        SOURCE  USER    TEST    LENGTH  TOS
#                                                           PORT(S)     PORT(S)
1:P     eth2                    0.0.0.0/0           all     -
1:P     eth3                    0.0.0.0/0           all     -
# 3:F   eth1                    192.168.2.203/24    tcp     22
# FTP per SMS
2:P     eth3:192.168.2.203      0.0.0.0/0           tcp     20,21
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

tcclasses:

###############################################################################
#INTERFACE  MARK    RATE        CEIL        PRIORITY    OPTIONS
#
eth3        1       500kbit     full        1           default
eth3        3       500kbit     1500kbit    2           # Ftp per SMS
eth0        2       200kbit     1500kbit    1           default
#
eth1        4       500kbit     1500kbit    1           default
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Tom Eastep wrote:
> Daniele Davolio wrote:
>
>> Hi,
>> I sent the "shorewall dump" as attachment but Admins rejected it because
>> it's ~95Kb.
>>
>
> You can always forward it to [email protected].
>
>
>> Anyway, I'm wondering if I can Tag UDP packet from the Firewall to drive
>> them through always the same interface, and how :)
>>
>
> Possibly you should read about OpenVPN on a multi-ISP firewall at
> http://www.shorewall.net/MultiISP.html#Local. Also, the subject of
> marking packets that originate on the firewall has been recently
> expanded at both http://www.shorewall.net/traffic_shaping.htm#tcrules
> and at http://www.shorewall.net/manpages/shorewall-tcrules.html,
>
> -Tom
>

--
==============================================================
Daniele Davolio
Master Training S.r.l. - Information Technology Department
Registered office: via Timolini, N.18 Correggio (RE) - Italy
Operating office: via Sani N.15 (Int.6) 42100 REGGIO EMILIA (RE)
Tel +39 0522 268059 - +39 0522 1846007
Fax +39 0522 331673
E-Mail [email protected]
E-Mail [email protected]
==============================================================
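A small configuration check, added here as an example and not part of the thread or of Shorewall itself: it parses the providers and tcrules tables posted above (embedded as constructed copies) and reports every mark value that is used both as a provider routing MARK and as a tcrules classification MARK. It assumes the default shorewall.conf layout in which both kinds of mark share the same fwmark field (the layout HIGH_ROUTE_MARKS exists to change), so a shared value such as the "1" on eth3 is worth noticing when debugging routing of reply traffic.

```python
import re

# Constructed copies of the two tables from the post above, trimmed to the
# columns the check needs.  Comment lines (including the LAST LINE marker)
# are ignored by the parser.
PROVIDERS = """\
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
EU256   1       1     main       eth1       62.94.175.33   track,balance  eth2,eth3,eth4,eth5
EU512   2       2     main       eth0       83.211.196.65  track,balance  eth2,eth3,eth4,eth5
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

TCRULES = """\
#MARK   SOURCE               DEST              PROTO  DEST PORT(S)
1:P     eth2                 0.0.0.0/0         all    -
1:P     eth3                 0.0.0.0/0         all    -
# 3:F   eth1                 192.168.2.203/24  tcp    22
2:P     eth3:192.168.2.203   0.0.0.0/0         tcp    20,21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

def entries(table):
    """Yield the whitespace-split fields of every non-comment, non-empty line."""
    for line in table.splitlines():
        line = line.split('#', 1)[0].strip()   # drop trailing and full-line comments
        if line:
            yield line.split()

def provider_marks(table):
    """Map provider NAME -> routing MARK (third column of the providers file)."""
    return {f[0]: int(f[2], 0) for f in entries(table)}

def tcrule_marks(table):
    """Map each tcrules MARK value -> [(SOURCE, PROTO), ...] it is applied to.
    The MARK column may carry a chain suffix, e.g. 1:P (PREROUTING) or 1:F (FORWARD)."""
    marks = {}
    for f in entries(table):
        value = int(re.match(r'[0-9a-fx]+', f[0], re.I).group(0), 0)
        marks.setdefault(value, []).append((f[1], f[3]))
    return marks

def mark_collisions(providers, tcrules):
    """Return {mark: (provider NAME, [tcrules entries])} for every mark value that
    is both a provider routing mark and a tcrules classification mark."""
    by_mark = {m: name for name, m in provider_marks(providers).items()}
    return {m: (by_mark[m], rules)
            for m, rules in tcrule_marks(tcrules).items() if m in by_mark}

if __name__ == '__main__':
    for mark, (prov, rules) in sorted(mark_collisions(PROVIDERS, TCRULES).items()):
        print(f"mark {mark}: routing mark of provider {prov} is also set by tcrules {rules}")
```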
