Also, if you're looking for resiliency and fault tolerance, this isn't going to do it for you either.  That, you'll have no choice but to implement yourself (i.e. dynamically swapping default routes and whatnot).  Importantly, the load balancing function of Shorewall works fine until one of the links goes down.  When it does, everyone who was using that link will be cut off.  This isn't because of Shorewall, it's because of how Linux routing works.

This is a not-so-trivial problem to solve regardless of how it seems.  I for one haven't found an elegant solution (using Linux!) for the circuit load-balancing/failover problem in a dual-ISP scenario.  Perhaps if someone is aware of one they can offer some links/insight?

Cheers.

Diego Rivera wrote:
My suggestion echoes Laurent Caron's suggestion: there are scripts in /etc/ppp/ip-{up|down}.d that are executed when the PPTP link goes down, so you could brand the interface(s) as optional and execute shorewall restarts there.  Similarly, there are scripts that can be executed whenever an ethernet interface goes up or down (in CentOS they're in /etc/sysconfig/network-scripts/if{up|down}.d, not sure where they would be in Debian) - so those can also be used to do all of this manual intervention you mention.

Using those, and some clever link state detection using ethtool, ip, or other network-related utilities you should be able to write some simple scripts that take care of the dynamic up/down states of the links.  If there is DHCP involved in either of those, you should also look into your DHCP client's hook scripts feature and use that as well.

The tools are there, you'll just have to invest some time into figuring things out.

Cheers.

Roberto C. Sánchez wrote:
Josh,

Unfortunately, since you do not really provide relevant details about
your setup, my suggestions below are only guesses.

On Sun, Sep 20, 2009 at 02:13:01AM -0700, JoSH Lehan wrote:
> 1) If the router is rebooted while either the cable or the DSL is down,
> Shorewall won't come up.  It requires *both* interfaces to be fully
> active before Shorewall will start.  If either is down, my firewall is
> DOA, requiring manual intervention.
>
> I was hoping to set up a dual WAN setup for redundancy and safety, and
> unfortunately instead, this makes it *more* brittle.

Have you tried specifying the interfaces as optional?  That should fix
all the problems you have described having.

> I'm running Shorewall 4.2.10 on Debian.  Is it worth upgrading to 4.4?

I think that it is.  I have a Lenny repository that has those packages:

http://people.connexer.com/~roberto/debian/

> What Shorewall output should I provide here, that might assist in asking
> for help?

The output of 'shorewall dump' at various stages (e.g., started with
both providers and interfaces up and available, after one or the other
interface has gone down, etc.).

Regards,

-Roberto

------------------------------------------------------------------------------ Come build with us! The BlackBerry® Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9-12, 2009. Register now! http://p.sf.net/sfu/devconf

_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Diego Rivera
Director / System Operations
Roundbox Global : enterprise : technology : genius
------------------------------------------------------------------------------------------------------------------
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
email: [email protected] | www.rbxglobal.com
------------------------------------------------------------------------------------------------------------------

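As an added example (not code from this thread or from the Shorewall project), here is a POSIX sh hook along the lines Diego and Roberto describe: it reads each WAN link's state, records the combined state, and runs `shorewall restart` only when that state actually changes, so the re-evaluation of the `optional` interfaces happens once per real transition rather than on every DHCP renewal or pppd redial. The interface names eth1 and ppp0, the state-file path, and reading link state from sysfs operstate instead of ethtool are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Install as e.g. /etc/ppp/ip-down.d/50-wan-state (and ip-up.d, and the
# distribution's if{up,down}.d directory) with both WAN interfaces marked
# "optional" in /etc/shorewall/interfaces.  Assumed (not from the thread):
# interface names eth1 and ppp0, the state-file path, and reading link
# state from sysfs operstate instead of ethtool.

WAN_IFACES="${WAN_IFACES:-eth1 ppp0}"
STATE_FILE="${STATE_FILE:-/var/run/wan-link-state}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
SHOREWALL="${SHOREWALL:-shorewall}"

# link_up IFACE: succeed if the kernel reports the link as usable.
# A missing interface (ppp0 after pppd exits) counts as down; ppp devices
# report "unknown" rather than "up", so both values are accepted.
link_up() {
    state=$(cat "$SYSFS_NET/$1/operstate" 2>/dev/null) || return 1
    [ "$state" = "up" ] || [ "$state" = "unknown" ]
}

# wan_state: one token per WAN interface, e.g. "eth1=up ppp0=down".
wan_state() {
    out=""
    for i in $WAN_IFACES; do
        if link_up "$i"; then out="$out $i=up"; else out="$out $i=down"; fi
    done
    echo "${out# }"
}

# reconcile: restart Shorewall only when the combined WAN state differs
# from the last recorded one, so repeated hook runs (DHCP renewals, pppd
# redials) do not trigger needless restarts.  Returns 0 if a restart was
# issued, 1 if nothing changed.
reconcile() {
    now=$(wan_state)
    last=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$now" = "$last" ] && return 1
    echo "$now" > "$STATE_FILE"
    logger -t wan-state "WAN links now: $now; restarting Shorewall" 2>/dev/null || true
    "$SHOREWALL" restart
}

# Only act when invoked from a hook directory; sourcing the file elsewhere
# just defines the functions.  Hook scripts run as root, so keep this file
# root-owned and not group/world-writable.
case "$0" in
    */ip-up.d/*|*/ip-down.d/*|*/ifup.d/*|*/ifdown.d/*) reconcile ;;
esac
```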