> ----- Original Message -----
> From: Tom Eastep <[email protected]>
> 
> 
> You can nevertheless do what you want by adding a provider for interface
> enp4s1. Make it the 'primary' provider (if your version of Shorewall
> doesn't support the 'primary' option, use 'balance'). Then use the
> mangle rules that I suggested to balance traffic to the private network.



I've added the "internet" primary provider as suggested:

WAN     1       1       -       $IF_WAN         $ADDR_GW_WAN    loose,track,primary
CAIB    2       2       -       $IF_CAIB        $ADDR_GW_CAIB   loose,track
IBS     3       3       -       $IF_IBS         $ADDR_GW_IBS    loose,track

Note: I'm supposing CAIB and IBS do not require "fallback" or "balance". I also 
tried adding "fallback" to both and saw how $ADDR_GW_CAIB and $ADDR_GW_IBS were 
added to "table default" but it did not change the outcome of my test (see 
below).

I then defined NOTHING in "routes" and "rtrules" and as you suggested I only 
set up marking in "mangle":

MARK(2):P       10.215.144.0/22 10.215.224.0/20         all
MARK(2):P       10.215.248.0/24 10.215.224.0/20         all
MARK(3):P       10.215.247.194  10.215.236.221          all

Traffic to WAN seems to work but connections to CAIB or IBS fail 
(10.215.224.0/20).

E.g., a ping from 10.215.144.48 ("lan" zone) to 10.215.237.237 ("caib" zone) fails 
and a traceroute shows that it reaches the shorewall firewall but is not routed 
out the CAIB provider.

I'm attaching the shorewall dump.

According to it, the default gateway to the internet is in "table balance" and not 
in "main" anymore (good). Also, according to the routing rules and "mangle", 
packets sent from 10.215.144.48 to 10.215.237.237 should be marked "2" and 
should route out via "10001: from all fwmark 0x2/0xff lookup CAIB" (right?). 
However, traceroute from 10.215.144.48 does not indicate access to 
$ADDR_GW_CAIB.

What's wrong or what am I missing?

Thanks,

Vieri

Attachment: dump1.gz
Description: application/gzip
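
An added example, not part of the original message and not Shorewall code: a small model of how Linux policy routing picks a table for a marked packet, for checking a reading such as the "10001: from all fwmark 0x2/0xff lookup CAIB" rule quoted above against real `ip rule show` and `ip route show table ...` output. Every rule other than 10001, all priorities, and the per-table prefixes are constructed sample data; only "from all" selectors and plain prefix routes are modelled.

```python
import ipaddress
import re

# Constructed sample in `ip rule show` format. Only the 10001 line is quoted
# in the post; the other rules and their priorities are assumptions.
RULES = """\
0:\tfrom all lookup local
999:\tfrom all lookup main
10000:\tfrom all fwmark 0x1/0xff lookup WAN
10001:\tfrom all fwmark 0x2/0xff lookup CAIB
10002:\tfrom all fwmark 0x3/0xff lookup IBS
32765:\tfrom all lookup balance
"""

# Constructed per-table prefixes (stand-ins for `ip route show table X`).
TABLES = {
    "local": [], "main": ["10.215.144.0/22"],
    "WAN": ["0.0.0.0/0"], "CAIB": ["0.0.0.0/0"], "IBS": ["0.0.0.0/0"],
    "balance": ["0.0.0.0/0"],
}

RULE_RE = re.compile(
    r"^(\d+):\s+from all(?: fwmark (0x[0-9a-f]+)(?:/(0x[0-9a-f]+))?)? lookup (\S+)$")

def parse_rules(text):
    """Return (priority, mark, mask, table) tuples sorted by priority."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # selectors other than 'from all' are out of scope here
        prio, mark, mask, table = m.groups()
        mark = int(mark, 16) if mark else None
        mask = int(mask, 16) if mask else 0xFFFFFFFF
        rules.append((int(prio), mark, mask, table))
    return sorted(rules, key=lambda r: r[0])

def resolve(dst, fwmark, rules_text=RULES, tables=TABLES):
    """Walk the rules in priority order; return the first table with a route to dst."""
    addr = ipaddress.ip_address(dst)
    for _prio, mark, mask, table in parse_rules(rules_text):
        if mark is not None and (fwmark ^ mark) & mask:
            continue  # fwmark selector does not match this packet
        if any(addr in ipaddress.ip_network(p) for p in tables.get(table, [])):
            return table
    return None  # no consulted table had a route to dst
```

A rule that sits at a lower priority number than the fwmark rules and whose table already has a route to the destination wins before the mark is ever consulted, which is why the rule order and the contents of each table both need to be read together.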

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
