I'm just setting up multi-ISP and I just want to check if I have things right. I'm using Shorewall 4.5.5.3 on Debian Wheezy.
I have two internal networks (192.168.1.0/24 and 192.168.7.0/24), a connection via ethernet and another via dsl.

In my providers file I've put:
> isp1 1 1 - ethext a.b.c.1 track,balance
> isp2 2 2 - ppp10 - track,balance

In interfaces:
> ext ethext detect tcpflags,nosmurfs,dhcp
> int ethint detect tcpflags,routeback,nosmurfs,dhcp
> wifi ethwifi detect tcpflags,nosmurfs,dhcp
> fttc ethfttc detect tcpflags,nosmurfs
> dsl ppp10 detect tcpflags,nosmurfs,optional,wait=15
(The PPPoE for the DSL runs over the ethfttc interface)

And in masq I have(*):
> ethext:!a.b.c.9 192.168.1.0/24 a.b.c.4
> ppp10 192.168.1.0/24 w.x.y.2
> ethext:!a.b.c.9 192.168.7.0/24 a.b.c.3
> ppp10 192.168.7.0/24 w.x.y.1

The intention is that all the internal network traffic should go via the DSL line (except that destined for the a.b.c.n subnet), so is it just a matter of adding rtrules:
> 192.168.1.0/24 - isp2 1000
> 192.168.7.0/24 - isp2 1000

And do I need to include a line
> - a.b.c.0/n isp1 1000
or does that follow automatically since a.b.c.0 is a locally attached subnet?

Eventually I'll need to look at failover, but for now I just need "most" of the traffic to go out via isp2. If how I've read the docs is correct, I don't actually need to bother with packet marks, I can just do this with rtrules?

Supplementary question. If I then need to start adding lists of external addresses that have to be reached via isp1 (because they are, for example, customer equipment that only permits remote access from the a.b.c.0 subnet). Is this best done via rtrules or tcrules?

* The reason for masq-ing everything to the a.b.c.0 subnet except for one device is due to a recalcitrant hardware firewall that spits its dummy out and drops packets otherwise.