On 9/4/2015 5:49 AM, Vieri Di Paola wrote:
> Hi,
>
> I'm trying to understand how to correctly configure load balancing
> and policy-based routing within shorewall.
>
> I have the typical local (lan) and internet (wan) zones.
>
> I also have 2 "providers" (not ISPs, just remote private networks) as
> defined here:
>
> CAIB 1 1 - $IF_CAIB $ADDR_GW_CAIB loose,track
> IBS 2 2 - $IF_IBS $ADDR_GW_IBS loose,track
>
> My "main" routing table contains rules such as:
>
> 10.215.224.0/20 via $ADDR_GW_CAIB dev $IF_CAIB
>
> I also defined this in "rtrules":
>
> 10.215.247.194 10.215.236.221 IBS 300
>
> So if I do a traceroute from 10.215.247.194 to 10.215.236.221 then
> the packets are going out $IF_IBS as expected. Any other source to
> that destination goes out $IF_CAIB.
>
> However, now I'd like to do something else. I'd like to load balance
> outgoing traffic from source IP 10.215.247.194 ONLY to both CAIB and
> IBS providers. In other words, destination IP 10.215.236.221 is
> accessible via both providers CAIB and IBS, with connection tracking
> on the destination router.
>
> How can I configure shorewall to load-balance connections from
> 10.215.247.194 to 10.215.236.221 via CAIB and IBS providers?
>
> My first guess would be to remove the above "rtrules" entry and add
> the following to the "providers" file:
>
> CAIB 1 1 - $IF_CAIB $ADDR_GW_CAIB loose,track,balance
> IBS 2 2 - $IF_IBS $ADDR_GW_IBS loose,track,balance
>
> However, this should load balance all connections, not JUST
> connections with source IP 10.215.247.194, right?
Correct.
> Again, is it possible to load-balance from only one source IP address?
>
> Also, how can I correctly configure the routing tables? Given the
> above example, should I remove 10.215.224.0/20 from the "main"
> routing table
Yes.
> and add the following to "routes"?
>
> CAIB 10.215.224.0/20 $ADDR_GW_CAIB $IF_CAIB
> IBS 10.215.224.0/20 $ADDR_GW_IB $IF_IBS
>
Those aren't necessary -- you have default routes through the providers.
Add this in /etc/shorewall/mangle:
INLINE(MARK(1)):P 10.215.247.194 10.215.236.221 ; \
-m statistic --mode random --probability 0.50
MARK(2):P 10.215.247.194 10.215.236.221 { test=0/0xff }
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
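
The two mangle rules in the reply form a cascade: the first marks for provider 1 with probability 0.50, and the second marks everything still unmarked (test=0/0xff) for provider 2. The Python sketch below is an added example, not part of the original message or of Shorewall; it simulates that cascade and generalizes it to more providers or unequal weights. The function names are hypothetical, and it assumes one rule traversal per new connection.

```python
import random
from collections import Counter

MASK = 0xFF  # provider-mark mask, as in the test=0/0xff match in the reply

def cascade_probabilities(weights):
    """Per-rule probability so that the overall share matches the weights.

    Rule i is only reached by connections the earlier rules left unmarked,
    so its probability is weight_i / (sum of weights not yet consumed).
    The last rule always gets 1.0: an unconditional catch-all, like MARK(2).
    """
    remaining = float(sum(weights))
    probs = []
    for w in weights:
        probs.append(w / remaining)
        remaining -= w
    return probs

def mark_packet(probs, rng, mark=0):
    """Walk the rules in order for one connection and return its final mark."""
    for provider, p in enumerate(probs, start=1):
        if mark & MASK:        # test=0/0xff fails: already marked, rule skipped
            continue
        if rng.random() < p:   # -m statistic --mode random --probability p
            mark = provider
    return mark

def simulate(weights, connections=100_000, seed=1):
    """Fraction of simulated connections that end up on each provider mark."""
    rng = random.Random(seed)  # fixed seed: constructed, repeatable sample
    probs = cascade_probabilities(weights)
    counts = Counter(mark_packet(probs, rng) for _ in range(connections))
    return {prov: counts[prov] / connections for prov in sorted(counts)}

if __name__ == "__main__":
    print(cascade_probabilities([1, 1]))     # the two-provider case in the reply
    print(simulate([1, 1]))
    print(cascade_probabilities([1, 1, 1]))  # three equal providers
    print(simulate([1, 1, 1]))
```

With three equal providers the per-rule probabilities are 1/3, 0.5 and 1.0, not 1/3 each, because each later rule only sees what the earlier ones left unmarked.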
