> On 20 Jul 2017, at 12:04, Simon Hobson <li...@thehobsons.co.uk> wrote:
>
> andreil1 <andre...@starlett.lv> wrote:
>
>> I have this setup of shorewall with 2 ISPs, and need to auto-switch the
>> connection if the main (LTC1) provider fails, and then revert back if it
>> becomes alive again.
>>
>> *** shorewall.conf ***
>> USE_DEFAULT_RT=Yes
>>
>> *** providers ***
>> LTC1 1 0x1 - eth0 gw1.xx.xx.xx track,balance=1 -
>> BTC2 2 0x2 - eth1 gw2.yy.yy.yy track -
>>
>> *** interfaces ***
>> net eth0 tcpflags,nosmurfs,rpfilter,sourceroute=0
>> net eth1 tcpflags,nosmurfs,rpfilter,sourceroute=0
>> loc eth2 tcpflags,nosmurfs,rpfilter
>> dmz eth3 routeback
>>
>> *********************************
>>
>> Script which runs via cron every 30 seconds.
>> Which commands need to be run within this script?
>>
>> Thanks in advance for any suggestion(s)!
>>
>>
>> HOSTS="gw1.xx.xx.xx"
>> COUNT=2
>>
>> for myHost in $HOSTS
>> do
>>     # number of echo replies received; empty output (ping failed outright) counts as 0
>>     count=$(ping -c "$COUNT" "$myHost" | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
>>     if [ "${count:-0}" -eq 0 ]; then
>>         # 100% failed
>>         # ?? what commands should be run to switch providers?
>>         shorewall disable LTC1 # is this enough ? any command to explicitly enable BTC1 ? shorewall restart required ?
>
> Yes that's enough. BTC1 will already be enabled (unless you've disabled it).
> However you'll probably want to keep some memory of the current state so you
> don't keep disabling it repeatedly - it won't cause any harm, but you'll get
> an error each time saying it's already disabled.
shorewall disable LTC1 <— Doesn’t work:

ERROR: LTC1 is not an optional provider interface: Firewall state not changed
/usr/share/shorewall/lib.common: line 93: 28414 Terminated $SHOREWALL_SHELL $script $options $@

Should I mark both providers (main LTC1 and failover backup BTC2) as optional?

>
>>     else
>>         # how to determine which provider is active ?
>
> Ping the gateway again. I *THINK* you can still ping the gateway if the
> provider is disabled, but for a host past there, I think some explicit
> routing rule needs to be added so you can still send your test traffic.
> AIUI, all Shorewall does when you mark a provider as disabled is to remove
> the routing table entries that send traffic via it.
> As above, you probably want to keep some status so you don't keep re-enabling
> it when it's already enabled.
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
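A worked version of the cron check the thread converges on, added here as an example and not code from either poster: it pings the LTC1 gateway, remembers the last known state in a file so that `shorewall disable` / `shorewall enable` run only on a state transition (the "memory of the current state" Simon suggests, which also avoids the already-disabled errors), and logs each switch. It assumes LTC1 carries the `optional` option in /etc/shorewall/providers, which the error message above says `shorewall disable` requires; the gateway address is the thread's placeholder and the state-file path is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread's posters): cron-driven failover check for
# the two-provider setup above. Assumes LTC1 is marked 'optional' in
# /etc/shorewall/providers; gateway address and state-file path are placeholders.
MAIN_PROVIDER="LTC1"
MAIN_GATEWAY="gw1.xx.xx.xx"                             # placeholder from the thread
STATE_FILE="/var/run/failover-${MAIN_PROVIDER}.state"   # assumed location
PING_COUNT=2

# Probe the gateway: succeed (exit 0) if at least one echo reply came back.
gateway_up() {
    received=$(ping -c "$PING_COUNT" -W 2 "$1" 2>/dev/null \
        | awk -F',' '/received/ { print $2 }' | awk '{ print $1 }')
    [ "${received:-0}" -gt 0 ]
}

# Pure decision step: given the remembered state and the probe result (up|down),
# print the shorewall action to run: disable, enable or none. Acting only on a
# transition keeps the script from disabling an already-disabled provider.
decide_action() {
    previous="$1"; current="$2"
    if [ "$previous" = "$current" ]; then
        echo none
    elif [ "$current" = "down" ]; then
        echo disable
    else
        echo enable
    fi
}

# Last known state; a missing file means the provider is still enabled (boot state).
read_state() {
    if [ -r "$STATE_FILE" ]; then cat "$STATE_FILE"; else echo up; fi
}

main() {
    if gateway_up "$MAIN_GATEWAY"; then now=up; else now=down; fi
    action=$(decide_action "$(read_state)" "$now")
    if [ "$action" != none ]; then
        logger -t failover "$MAIN_PROVIDER gateway is $now: shorewall $action $MAIN_PROVIDER"
        # Record the new state only if shorewall accepted the command.
        shorewall "$action" "$MAIN_PROVIDER" && echo "$now" > "$STATE_FILE"
    fi
}

# Run the check only where shorewall is installed, so the functions above can
# also be sourced and exercised on their own.
if command -v shorewall >/dev/null 2>&1; then main; fi
```

BTC2 needs no command of its own: as Simon notes, it stays enabled throughout, and Shorewall only removes the LTC1 routing entries while that provider is disabled.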