"If you used 'balance' for tun0 and 'fallback' for eth0, that wouldn't happen. Note that you must also set 'routefilter=0' on both interfaces in /etc/shorewall/interfaces, if you chose to take that approach."
#providers
#NAME       NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
loc         1       1     -          eth0       192.168.0.1  track,fallback=1
iPredator   2       2     -          tun0       -            track,balance=2

#interfaces
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth0       detect     dhcp,tcpflags,nosmurfs,routefilter=0,logmartians,required
vpn    tun0       detect     optional,routefilter=0

I completed the above steps, which caused some odd behavior:

1) When already connected to OpenVPN, the VPN functioned as expected
2) When disconnecting from the VPN, traffic was routed through eth0 through my default connection (seemingly ignoring all the work with providers / tcrules / etc)
3) When reconnecting to the OpenVPN my traffic continued through my default connection, ignoring the VPN entirely!
4) Disconnecting from the VPN, applying the firewall and reconnecting now allows no traffic to exit my firewall at all!
5) Disconnecting from the VPN when in state (4), will allow traffic, but then only through my default connection.

Reverting to previous, semi-working configuration.

On 1/3/13, Tom Eastep <[email protected]> wrote:
> On 01/03/2013 11:21 AM, f q wrote:
>> I did find something while inspecting the routing table, I believe:
>>
>> Before connecting to Open VPN:
>>
>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.38 metric 1
>> 10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1 metric 1
>> default via 192.168.0.1 dev eth0
>>
>> After connecting, before applying firewall:
>>
>> 93.182.186.129 via 192.168.0.1 dev eth0
>> 93.182.186.128/25 dev tun0 proto kernel scope link src 93.182.186.162
>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.38 metric 1
>> 10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1 metric 1
>> 0.0.0.0/1 via 93.182.186.254 dev tun0
>> 128.0.0.0/1 via 93.182.186.254 dev tun0
>> default via 192.168.0.1 dev eth0
>>
>> After connecting, after applying firewall:
>>
>> 93.182.186.129 via 192.168.0.1 dev eth0
>> 93.182.186.128/25 dev tun0 proto kernel scope link src 93.182.186.162
>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.38 metric 1
>> 10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1 metric 1
>> 0.0.0.0/1 via 93.182.186.254 dev tun0
>> 128.0.0.0/1 via 93.182.186.254 dev tun0
>> default
>>     nexthop via 192.168.0.1 dev eth0 weight 1
>>     nexthop dev tun0 weight 2
>>
>> After disconnecting OpenVPN:
>>
>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.38 metric 1
>> 10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1 metric 1
>>
>> Disconnecting from openVPN appears to clobber my routing table! I
>> don't even have a default gateway configured after it gets done.
>
> That's a consequence of your using 'balance' for both providers. When
> OpenVPN stops, tun0 disappears which causes the balanced route to be
> removed.
>
> If you used 'balance' for tun0 and 'fallback' for eth0, that wouldn't
> happen. Note that you must also set 'routefilter=0' on both interfaces
> in /etc/shorewall/interfaces, if you chose to take that approach.
>
> Also, when you are running multi-ISP, you must use 'shorewall show
> routing' to see the whole routing picture.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
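
Added example, not part of the original thread: a small checker that reads 'ip route' output for one routing table and flags the two states shown in the quoted dumps, a multipath default with a next hop on an interface that can vanish, and no default route at all. The function names and the volatile_dev parameter are assumptions of this example; the sample tables are copied (one abridged) from the dumps above.

```python
# Added example: classify the default route in one 'ip route' table dump.
BEFORE_VPN = """\
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.38 metric 1
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1 metric 1
default via 192.168.0.1 dev eth0
"""
AFTER_FIREWALL = """\
0.0.0.0/1 via 93.182.186.254 dev tun0
128.0.0.0/1 via 93.182.186.254 dev tun0
default
    nexthop via 192.168.0.1 dev eth0 weight 1
    nexthop dev tun0 weight 2
"""  # abridged: connected routes omitted
AFTER_DISCONNECT = """\
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.38 metric 1
10.0.0.0/8 dev eth1 proto kernel scope link src 10.0.0.1 metric 1
"""

def _hop(tokens):
    """Extract (gateway, device) from one route or nexthop line."""
    gw = tokens[tokens.index("via") + 1] if "via" in tokens else None
    dev = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
    return (gw, dev)

def parse_default(route_text):
    """Return the (gateway, device) next hops of the default route, [] if none."""
    hops, in_default = [], False
    for raw in route_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "default":
            in_default = True
            if "dev" in tokens:          # single-path form on one line
                hops.append(_hop(tokens))
        elif in_default and tokens[0] == "nexthop":
            hops.append(_hop(tokens))    # multipath form, one hop per line
        else:
            in_default = False
    return hops

def assess(route_text, volatile_dev="tun0"):
    """Name the failure mode, or 'ok' if the default does not hinge on volatile_dev."""
    hops = parse_default(route_text)
    if not hops:
        return "no-default-route"
    if len(hops) > 1 and any(dev == volatile_dev for _, dev in hops):
        return "balanced-default-depends-on-" + volatile_dev
    return "ok"
```

As the reply notes, the main table is not the whole picture under multi-ISP, so run the check on each table listed by 'shorewall show routing' rather than on the main table alone.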
