On Wed, Nov 30, 2011 at 10:47 AM, Tom Eastep <[email protected]> wrote:

>
> On Nov 29, 2011, at 7:32 PM, Lee Brown wrote:
>
> I currently have a multi-ISP config and it's working great.  Host is a
> CentOS5.4 machine. Shorewall 4.4.19.1
>
> I've been asked to add a new ISP which has a 1GB download limit during
> certain hours.  When the cap is hit my users want to switch traffic to
> another, shared ISP.
>
> I was planning on just issuing some iptables commands to tag the traffic
> for ISP#1 during the on time and ISP#2 during the off time, the same way an
> entry in tcrules would.
>
> The question is really how does connection tracking enter this mix and how
> can it be avoided?
>
>
> What exactly is your concern with connection tracking? Can't you simply
> disable the interface to ISP#1 when the limit is reached?
>

The problem I find with that is once I bring the interface back up, traffic
continues to ISP#2 when it should switch back to ISP#1.  I don't really
know, but I suspect connection tracking is causing that to happen.

One thing I am unclear on is if a packet that arrives as part of a
connection still goes through the same routing as the original packet, or
if that is short-circuited, having been already established by the first
packet.  Or, does a connection simply skip all the rules (unless in the
ESTABLISHED section)?

There are 3 subnets on the same VLAN interface, if that's relevant.
Bringing eth1.9:0 down leaves it in the UP state, but removes the IP
address from it.

19: eth1.9@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb
    link/ether 00:12:3f:25:39:e9 brd ff:ff:ff:ff:ff:ff
    inet 10.3.11.64/24 brd 10.3.11.255 scope global eth1.9
    inet 10.3.10.254/24 brd 10.3.10.255 scope global eth1.9:1
    inet 24.52.191.244/29 brd 24.52.191.247 scope global eth1.9:0


>
> -Tom
>
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure
> contains a definitive record of customers, application performance,
> security threats, fraudulent activity, and more. Splunk takes this
> data and makes sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-novd2d
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>