On 09/14/2015 09:25 AM, Vieri Di Paola wrote:
>> The traffic is being routed back out of enp5s3 as a result of this route
>> in the main table:
>>
>> 10.215.0.0/16 dev enp5s3 proto kernel scope link src 10.215.144.91
> 
> 
> enp5s3 is the NIC to the "lan" zone. Hosts in this zone must be within these 
> IP ranges:
> 
> 10.215.144.0/22
> 10.215.246.0/23
> 10.215.248.0/24
> 
> All other networks (eg. 10.215.245.0/24 or 10.215.149.0/24) are to be found 
> via other interfaces (CAIB and IBS providers). 
> 
> To simplify maintenance all "lan" clients have the same shorewall server as 
> default gateway (one IP addr.) and their netmask is an extensive /16.
> So the Shorewall server's LAN IP address was set to 10.215.144.91/16. 
> 
> Simple example:
> "lan" client with IP addr. 10.215.144.48 and netmask /16 has default gateway 
> 10.215.144.91 (shorewall). Same for "lan" client with IP addr. 10.215.246.26.
> Routing to remote 10.215.x.x is decided on Shorewall system at 10.215.144.91.
> 
> This is why you're seeing that traffic is routed back out of enp5s3 (ie. the 
> "lan" nic).
> 
> So what is the best approach in a situation like this?
> 
> Should I leave the "lan" clients as they are (/16 with default gw 
> 10.215.144.91) and set up the shorewall system with the following?
> lan nic IP addr: 10.215.144.91/22
> lan nic routes: 
> 10.215.246.0/23 dev enp5s3  proto kernel  scope link  src 10.215.144.91
> 10.215.248.0/24 dev enp5s3  proto kernel  scope link  src 10.215.144.91
> 
> Sorry for asking but I'd like to know what others usually do in these cases.
> 

Here's what we can do:

a)  Make both CAIB and IBS 'fallback' providers. That will generate a
multi-path route in the 'default' table.

b)  Add a rule with priority 998 that routes traffic that you want
balanced between the two via the default table.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
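
The route lookup discussed in this thread, as an added example that is not part of the original messages: a simplified longest-prefix match over the main table only, comparing the current /16 connected route with the /22 plus two explicit routes proposed in the question. The function names and the two sample hosts in 10.215.245.0/24 and 10.215.149.0/24 are constructed for illustration; a result of `None` means the main table has no match and the kernel continues to the later routing rules.

```python
import ipaddress

# Main-table route quoted in the thread (LAN NIC configured as 10.215.144.91/16).
CURRENT_MAIN = [("10.215.0.0/16", "enp5s3")]

# Layout proposed in the question: NIC as /22 plus two explicit LAN routes.
PROPOSED_MAIN = [
    ("10.215.144.0/22", "enp5s3"),
    ("10.215.246.0/23", "enp5s3"),
    ("10.215.248.0/24", "enp5s3"),
]

# Two LAN clients named in the thread, then two constructed hosts inside
# the networks the thread says are reached via other interfaces.
SAMPLE_DESTINATIONS = [
    "10.215.144.48",
    "10.215.246.26",
    "10.215.245.7",   # constructed
    "10.215.149.7",   # constructed
]


def lookup(table, dst):
    """Return the device of the longest matching prefix, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def compare(dst):
    """Return (device with current table, device with proposed table)."""
    return lookup(CURRENT_MAIN, dst), lookup(PROPOSED_MAIN, dst)


if __name__ == "__main__":
    for dst in SAMPLE_DESTINATIONS:
        current, proposed = compare(dst)
        print(f"{dst:15} current={current} proposed={proposed}")
```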
