On Mon, 2012-01-09 at 20:51 -0800, Tom Eastep wrote:
> On Jan 9, 2012, at 7:51 PM, Nick wrote:
>
>> I can reproduce the error by setting the gateways to the same address.
>
> Which is a configuration that will never work. Neither Shorewall nor the
> Linux IP stack will handle that.

I should quantify that. Balancing using a multi-hop default route will
not work in that case. Over the past couple of weeks, I have been
working on an alternative for balancing that does not involve multi-hop
routes. It rather uses the 'Statistic Match' feature in
iptables/Netfilter that allows a rule to match randomly with a specified
probability. I have been running it here at shorewall.net for the last
few days and it seems to work well. It will be available in the next
4.5.0 Beta and will provide relief to users with two WAN Ethernet
interfaces that happen to have the same default gateway.
Here is my providers file:

#NAME     NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS         COPY
ComcastB  1       -     -          eth1       70.90.191.126  loose,balance
ComcastC  2       -     -          eth0       detect         loose,fallback

I have PROVIDER_OFFSET=16 and PROVIDER_BITS=2 which means that the
'provider mask' is 0x30000, ComcastB's mark is 0x10000 and ComcastC's
mark is 0x20000. I also have TRACK_PROVIDERS=Yes.
Here are the relevant entries in my tcrules file:
...
0X10000/0x30000 eth2 - ; test=0/0x30000, probability=0.66666667
0x20000/0x30000 eth2 - ; test=0/0x30000
0X10000/0x30000 fw - ; test=0/0x30000, probability=0.66666667
0x20000/0x30000 fw - ; test=0/0x30000
The first two distribute connections from the local LAN (eth2) between
the two providers with a 2:1 advantage to ComcastB. The second two
perform the same distribution for connections originating on the
firewall itself (Note: $FW = 'fw' in my configuration). I include
0/0x30000 in the TEST column because earlier rules may have already
marked the packet based on other criteria.
I hope to be able to make this easier to configure before 4.5.0 final;
we'll see.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
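
An added example, not part of the original message and not Shorewall's own code: a Python simulation of the ordered rule cascade described above, where each rule only applies when the provider bits are still zero (test=0/0x30000). It also generalizes beyond the two-provider case by computing the per-rule probability for any list of weights; all function names are hypothetical, and it models rule traversal only, not Netfilter itself.

```python
import random

def provider_marks(offset, bits, count):
    """Derive the provider mask and per-provider marks from
    PROVIDER_OFFSET and PROVIDER_BITS (provider numbers 1..count)."""
    if count >= (1 << bits):
        raise ValueError("PROVIDER_BITS too small for %d providers" % count)
    mask = ((1 << bits) - 1) << offset
    return mask, [n << offset for n in range(1, count + 1)]

def cascade_probabilities(weights):
    """Probability to put on each rule, in order, so the overall shares
    match the weights. Rule i is reached only by connections that no
    earlier rule marked, so it needs weight_i / (weights from i onward).
    The last rule always comes out as 1.0, i.e. no probability at all."""
    probs, remaining = [], sum(weights)
    for w in weights:
        probs.append(w / remaining)
        remaining -= w
    return probs

def mark_connection(mark, mask, rules, rng):
    """Walk the rules in order. A rule fires only if the provider bits
    are still clear and the random draw falls under its probability."""
    for value, prob in rules:
        if (mark & mask) == 0 and rng.random() < prob:
            mark = (mark & ~mask) | value
    return mark

def simulate(weights, offset=16, bits=2, connections=30000, seed=1):
    """Count how many new (unmarked) connections each provider receives."""
    mask, marks = provider_marks(offset, bits, len(weights))
    rules = list(zip(marks, cascade_probabilities(weights)))
    rng = random.Random(seed)  # fixed seed: constructed, repeatable input
    counts = {m: 0 for m in marks}
    for _ in range(connections):
        counts[mark_connection(0, mask, rules, rng)] += 1
    return counts

if __name__ == "__main__":
    mask, marks = provider_marks(16, 2, 2)
    print("mask=%#x marks=%s" % (mask, [hex(m) for m in marks]))
    print("probabilities for 2:1:", cascade_probabilities([2, 1]))
    for mark, n in simulate([2, 1]).items():
        print("%#x: %d connections" % (mark, n))
```

For three equally weighted providers the same calculation gives rule probabilities of 1/3, 1/2 and 1, not 1/3 on every rule.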
