On 9/8/2015 6:05 AM, Vieri Di Paola wrote:
> Hi,
>
> My goal is to have 2 NICs associated to 2 providers for specific private IP
> address ranges (eg. all traffic to/from 10.215.224.0/20 should go through
> these two providers).
> Another NIC allows access to Internet and that should be the default route.
> The other NIC of course is connected to the local network.
>
> At the moment I don't want to load-balance outgoing connections. I understand
> that I can force outbound connections with rtrules:
>
> 10.215.247.194 10.215.236.221 IBS 11000
> - 10.215.224.0/20 CAIB 11001
>
> So connections from "lan" src 10.215.247.194 to destination 10.215.236.221
> will imperatively go via IBS provider.
> All other connections to 10.215.224.0/20 will go through CAIB provider.
>
> Now, suppose "providers" contains the following:
>
> CAIB 1 1 - $IF_CAIB $ADDR_GW_CAIB loose,track
> IBS 2 2 - $IF_IBS $ADDR_GW_IBS loose,track
>
> and the remote router behind IBS and CAIB decides to send a packet from
> 10.215.236.221 to 10.215.247.194 via the CAIB provider (new connection) then
> where will shorewall reply?
> If the "track" option is specified in "providers" then the packet will be
> MARKed with 1 in this case and I guess that it should go back out the CAIB
> provider DESPITE the rtrule shown above, right?
>
> However, "shorewall show routing" displays among other things:
>
> Routing Rules
>
> 0: from all lookup local
> 1: from all fwmark 0x200/0x200 lookup Tproxy
> 220: from all lookup 220
> 999: from all lookup main
> 10000: from all fwmark 0x1/0xff lookup CAIB
> 10001: from all fwmark 0x2/0xff lookup IBS
> 11000: from 10.215.247.194 to 10.215.236.221 lookup IBS
> 11001: from all to 10.215.224.0/20 lookup CAIB
> 32765: from all lookup balance
> 32767: from all lookup default
>
> Furthermore, table "default" is empty and table "main" has:
> default via 172.16.0.2 dev enp4s1
>
> Note: 172.16.0.2 is my internet gateway.
>
> Trying to initiate from 10.215.247.194 to 10.215.236.221 does not go out the
> IBS provider, probably because we're reaching the "main" table and the
> default route to 172.16.0.2.
> Likewise, any incoming CAIB connections will hit the default internet gateway
> in "main" before looking up CAIB table.
>
> Would moving "default via 172.16.0.2 dev enp4s1 metric 4" from "main" to
> "default" make sense?
> If so, how can I do that?
When you use providers, it is assumed that:

a) Each provider either has an uplink to the internet or its default gateway
   is running a proxy. In the latter case, only connections to be proxied are
   sent via the provider.

b) *All* interfaces that have a default route are defined in the providers
   file.

You can nevertheless do what you want by adding a provider for interface
enp4s1. Make it the 'primary' provider (if your version of Shorewall doesn't
support the 'primary' option, use 'balance'). Then use the mangle rules that I
suggested to balance traffic to the private network.

One caveat: Prior to 4.6.13, there is a bug that prevents you from being able
to specify a chain designator (:P) in an INLINE rule. You can work around that
by setting INLINE_MATCHES=Yes in shorewall.conf or by omitting the designator
and setting MARK_IN_FORWARD_CHAIN=No in shorewall.conf.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
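A small model of the policy-routing lookup discussed in this thread, added here as an example (it is neither poster's code and not Shorewall code): it replays the rule priorities from the "shorewall show routing" output above, first with the internet default route still in "main", then with enp4s1 added as a 'balance' provider so that its default route lives in the "balance" table instead. The CAIB and IBS gateway strings are placeholders, and rules 0/1/220 are omitted because they hold nothing that matches forwarded LAN traffic.

```python
import ipaddress
# Constructed model of Linux policy routing: rules are tried in priority
# order, a matching rule sends the lookup to its table, and a table miss
# falls through to the next rule (this is what lets 999/main win).

def rule_matches(rule, src, dst, fwmark):
    if "src" in rule and src not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and dst not in ipaddress.ip_network(rule["dst"]):
        return False
    mark, mask = rule.get("fwmark", (0, 0))  # no fwmark selector: match all
    return (fwmark & mask) == mark

def lookup_table(table, dst):
    """Longest-prefix match inside one table; None on a miss."""
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def route(rules, tables, src, dst, fwmark=0):
    """Return (table, nexthop) the packet would leave with, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["prio"]):
        if rule_matches(rule, src, dst, fwmark):
            hop = lookup_table(tables.get(rule["table"], []), dst)
            if hop is not None:
                return rule["table"], hop
    return None

# Priorities copied from the "shorewall show routing" output in the post.
RULES = [
    {"prio": 999, "table": "main"},
    {"prio": 10000, "table": "CAIB", "fwmark": (0x1, 0xff)},
    {"prio": 10001, "table": "IBS", "fwmark": (0x2, 0xff)},
    {"prio": 11000, "table": "IBS", "src": "10.215.247.194/32",
     "dst": "10.215.236.221/32"},
    {"prio": 11001, "table": "CAIB", "dst": "10.215.224.0/20"},
    {"prio": 32765, "table": "balance"},
    {"prio": 32767, "table": "default"},
]
# Before: the internet default route still sits in "main" (the post's setup).
TABLES_BEFORE = {"main": [("0.0.0.0/0", "172.16.0.2 dev enp4s1")],
                 "CAIB": [("0.0.0.0/0", "GW_CAIB")],   # placeholder gateway
                 "IBS": [("0.0.0.0/0", "GW_IBS")]}     # placeholder gateway
# After: enp4s1 is a 'balance' provider, so its default route moves out of main.
TABLES_AFTER = dict(TABLES_BEFORE, main=[],
                    balance=[("0.0.0.0/0", "172.16.0.2 dev enp4s1")])
```

With the default route in "main", every packet is resolved at priority 999 and the rtrules at 11000/11001 are never consulted; once it moves, the 11000 rule sends the LAN host to IBS, a reply already marked 1 by 'track' still leaves via CAIB because 10000 precedes 11000, and internet traffic falls through to "balance".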
------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
