> From: Tom Eastep <[email protected]>

> You seem to have TC_EXPERT=Yes, however -- you probably want to change
> it to No.


I never changed that option and it has always been off:

# grep EXPERT /etc/shorewall/shorewall.conf
TC_EXPERT=No

I did use "loose" though in "providers" but took it out now. I guess that's the 
reason you suggested disabling TC_EXPERT.

Now the first "mangle" method for load balancing seems to work just fine.

I was using ICMP traceroute and I had to delete conntrack entries as you 
suggested:

# conntrack -D -s 10.215.144.48 -d 10.215.236.221 -p icmp

>> 2) using "rtrules" with high priority and "default" table ("mangle" file 
>> empty):
>> 
>> rtrules config file contains:
>> 
>> 10.215.144.48,10.215.247.194            10.215.244.250          default         11001
>> 
>> Table default:
>> 
>> 172.28.17.110 dev enp5s0 scope link
>> 172.20.11.49 dev enp5s1 scope link
>> default via 172.28.17.110 dev enp5s0 src 172.28.17.105 metric 3
>> default via 172.20.11.49 dev enp5s1 src 172.20.11.62 metric 2
>
> Looks like you simply specified 'fallback' rather than 'fallback=1'. You
> need the latter to get balancing.

Right. Changed to fallback=1.

However, the second "rtrules" method for load balancing still seems to be 
failing.

rtrules file contains:

10.215.144.48           10.215.236.221          default         11001

"ip rule list" starts with:

0:      from all lookup local
1:      from all fwmark 0x200/0x200 lookup Tproxy
220:    from all lookup 220
999:    from all lookup main
10000:  from all fwmark 0x1/0xff lookup WAN
10001:  from all fwmark 0x2/0xff lookup CAIB
10002:  from all fwmark 0x3/0xff lookup IBS
11000:  from 10.215.247.194 to 10.215.236.221 lookup IBS
11001:  from 10.215.144.48 to 10.215.236.221 lookup default

("mangle" config file is empty)

Table default:

default nexthop via 172.20.11.49 dev enp5s1 weight 1 nexthop via 172.28.17.110 dev enp5s0 weight 1

Running ICMP traceroute from 10.215.144.48 to 10.215.236.221 and purging the 
conntrack entry between tests shows that the CAIB route is always used.

I'm attaching a shorewall dump and trace messages.

Vieri

Attachment: dump_rtrules_default.gz
Description: application/gzip

Attachment: iptrace_rtrules_default.gz
Description: application/gzip
