Hi, I have 4 Internet providers and I would like all outgoing connections (from LAN to WAN) to be load-balanced on only 2 of the links (ISP1 and ISP2). The other 2 links are for special cases (some policy-based outgoing connections only and some inbound access).
I have this in my providers file:

    ISP1  1  1  -  $IF_ISP1  $IF_ISP1_GW  track,balance=3,persistent
    ISP2  2  2  -  $IF_ISP2  $IF_ISP2_GW  track,balance=2,persistent
    ISP3  3  3  -  $IF_ISP3  $IF_ISP3_GW  track,balance=1,persistent
    ISP4  4  4  -  $IF_ISP4  $IF_ISP4_GW  track,balance=1,persistent

In order to achieve my goal I add this in the mangle file:

    MARK(1-2):P  0.0.0.0/0
    # exception (force use of ISP3):
    MARK(3):P    10.215.144.7/32    0.0.0.0/0  tcp  25
    # exception (force use of ISP4):
    MARK(4):P    10.215.147.110/32  0.0.0.0/0  all
    # etc...

I've done this because on one hand I need to keep ISP3 and ISP4 in the providers file and on the other, I don't think it's possible to set balance=0.

This setup seems to work as I hoped, except for the fact that MARK(1-2) behaves as if I had balance=1 for both ISP1 and ISP2 (whereas I would prefer to have statistically more outgoing connections through ISP1 than ISP2).

Is there a better way to do this?

Another issue I would like to solve or mitigate has to do with client hosts that access HTTP-authenticated web sites through a load-balancing gateway such as in the above example. A simple example is when a LAN host logs into a forum via HTTP while going out ISP1. Subsequent connections may go out ISP2. If that happens the user often experiences trouble such as forced user log-off, invalid sessions, etc. I usually resort to the mangle file and add exceptions such as

    MARK(1):P  0.0.0.0/0  $FORUM_IP  tcp  80,443

However, is there another way to do this? If a LAN host SRC initiates a connection to DST and it just so happens it went out ISP1, can subsequent connections from SRC to DST (on any port) be automatically forced out through ISP1 for at least 8 hours?

Vieri

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
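The two behaviours asked about above (weighted link selection honouring the 3:2 balance values, and pinning every later SRC->DST connection to whichever link the first one used for a fixed window) can be modelled as a small decision table. The following Python is an added illustration written for this page, not code from the poster or from Shorewall; it models the routing decision only and does not reproduce Shorewall's mark/connmark mechanics. The provider weights and the static exceptions mirror the values in the post; the source and destination addresses in the simulation are constructed.

```python
import random
import time

# Constructed weights mirroring the balance= values in the poster's providers
# file for the two links that should carry general outbound traffic.
PROVIDER_WEIGHTS = {"ISP1": 3, "ISP2": 2}
AFFINITY_TTL = 8 * 3600  # seconds a SRC->DST pairing stays pinned to one link


class StickyBalancer:
    """Illustrative model (not Shorewall's implementation) of weighted link
    selection with per-(src, dst) affinity and static policy exceptions."""

    def __init__(self, weights, ttl, rng=None, clock=time.time):
        self.weights = dict(weights)
        self.ttl = ttl
        self.rng = rng if rng is not None else random.Random()
        self.clock = clock
        # Static exceptions, like the MARK(n):P lines in the mangle file:
        # (src, dst or None, dport or None) -> provider name
        self.static = {}
        # Affinity table: (src, dst) -> (provider, expiry timestamp)
        self.affinity = {}

    def add_static(self, src, provider, dst=None, dport=None):
        """Force traffic matching src (and optionally dst/dport) to a provider."""
        self.static[(src, dst, dport)] = provider

    def _static_match(self, src, dst, dport):
        # Most specific key first, then progressively broader ones.
        for key in ((src, dst, dport), (src, None, dport),
                    (src, dst, None), (src, None, None)):
            if key in self.static:
                return self.static[key]
        return None

    def _weighted_pick(self):
        # Weighted random choice: with weights 3:2, ISP1 is chosen 60% of the
        # time for brand-new SRC->DST pairs, ISP2 40%.
        names = list(self.weights)
        return self.rng.choices(names,
                                weights=[self.weights[n] for n in names],
                                k=1)[0]

    def route(self, src, dst, dport=None):
        """Return the provider a new connection from src to dst should use."""
        forced = self._static_match(src, dst, dport)
        if forced is not None:
            return forced
        now = self.clock()
        entry = self.affinity.get((src, dst))
        if entry is not None and entry[1] > now:
            return entry[0]  # still pinned to the link the first flow took
        provider = self._weighted_pick()
        self.affinity[(src, dst)] = (provider, now + self.ttl)
        return provider

    def purge_expired(self):
        """Drop affinity entries older than the TTL; returns how many were removed."""
        now = self.clock()
        stale = [k for k, (_, exp) in self.affinity.items() if exp <= now]
        for k in stale:
            del self.affinity[k]
        return len(stale)


def simulate_new_flows(n, seed=0):
    """Count which link n distinct (constructed) SRC->DST pairs land on."""
    bal = StickyBalancer(PROVIDER_WEIGHTS, AFFINITY_TTL,
                         rng=random.Random(seed), clock=lambda: 0.0)
    counts = {name: 0 for name in PROVIDER_WEIGHTS}
    for i in range(n):
        src = f"10.0.0.{i % 250}"        # constructed LAN host
        dst = f"203.0.113.{i // 250}"    # constructed remote host
        counts[bal.route(src, dst)] += 1
    return counts


if __name__ == "__main__":
    print("new-flow distribution:", simulate_new_flows(1000))
```

The simulation shows the difference between the poster's observed 1:1 split and the intended 3:2 weighting: counting only first-seen pairs, roughly 600 of 1000 go to ISP1. The affinity table answers the second question in model form: once a pair is recorded, `route()` returns the same provider for any port until the entry expires, while the static exceptions (the ISP3 and ISP4 lines) take precedence over both weighting and affinity.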
