Apologies if this turns out to be an FAQ, but I'm having trouble getting to grips with things.

I've got a Raspberry Pi (little ARM box) here running Debian "Jessie" with the as-supplied Shorewall 4.6. As well as eth0 (192.168.1.5) as the "internal" side of the router, it's using VLANs on eth1 to provide 2x upstream interfaces (172.27.200.5 and 172.27.201.5) plus some more reserved for DMZ systems (90.155.84.x).

The upstream systems are configured with 4G wireless (carrier-grade NAT) and L2TP endpoints. Incoming traffic on the L2TP can see the DMZ. Custom iptables and tc stuff on these systems ensures that traffic originating on a routable address (90.155.84.x) goes out over the tunnel, but anything on an RFC-1918 address goes over carrier-grade NAT on the 4G. Setting this up was "fun", but these aren't causing me significant problems.

At our ISP, the L2TP tunnels are bonded on a Firebrick router. I think it's reasonable to assume that they know what they're doing, since they design and manufacture the things :-)

How do I tell Shorewall on the Raspberry Pi to do this:

* Anything originating at an internal RFC-1918 address is to be routed over one or the other 172.27.x.x paths, hence over 4G with carrier-grade NAT. Am I correct that this falls into the "multiple provider" basket?

* Anything originating at a DMZ routable address is to be split proportionally onto both tunnels, i.e. a 50:50 bandwidth split.

* Incoming traffic over both tunnels is to be merged for the DMZ (SMTP etc.).

I believe that our ISP monitors the performance of the tunnels and balances traffic accordingly. I expect I'll have to do something similar for this end at some point, but that's the least of my problems right now.

I've read the FAQ, support guide, etc., but I think that what I need is an initial kick in the right direction: I have a few years' experience with iptables etc. but am new to Shorewall.

I'm subscribed, CC not necessary.

--
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
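The three requirements above are what Shorewall calls a multi-ISP setup: two providers, balanced with equal weight, with connection tracking so that a session arriving over one tunnel is answered over the same one. The following is an added sketch, not the poster's configuration and not from the Shorewall project; the VLAN sub-interface names eth1.200/eth1.201/eth1.300, the upstream gateway addresses 172.27.200.1/172.27.201.1, the /24 on the DMZ prefix and USE_DEFAULT_RT=No in shorewall.conf are all assumptions.

```text
# /etc/shorewall/zones   (zone names are assumed)
#ZONE   TYPE
fw      firewall
loc     ipv4
dmz     ipv4
net     ipv4

# /etc/shorewall/interfaces
# Do NOT set routefilter on the two provider interfaces: with two default
# routes the reverse-path check would drop replies that arrive on the other VLAN.
#ZONE   INTERFACE   OPTIONS
loc     eth0        tcpflags,nosmurfs
dmz     eth1.300    tcpflags,nosmurfs       # assumed DMZ VLAN
net     eth1.200    tcpflags,nosmurfs       # upstream box A (172.27.200.0/24)
net     eth1.201    tcpflags,nosmurfs       # upstream box B (172.27.201.0/24)

# /etc/shorewall/providers
# track     : new connections are marked with the provider they came in on,
#             so inbound SMTP etc. over tunnel A is answered back via A.
# balance=1 : equal-weight multipath default route, i.e. the 50:50 split for
#             DMZ traffic. RFC-1918 sources follow the same route and are
#             NATed onto 4G by the upstream boxes, as described in the post.
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS           COPY
up200   1       0x1   main       eth1.200   172.27.200.1   track,balance=1   -
up201   2       0x2   main       eth1.201   172.27.201.1   track,balance=1   -

# /etc/shorewall/policy   (the minimum implied by the description above)
#SOURCE  DEST  POLICY   LOG
loc      net   ACCEPT
dmz      net   ACCEPT
net      all   DROP     info
all      all   REJECT   info

# /etc/shorewall/rules
#ACTION        SOURCE  DEST
SMTP(ACCEPT)   net     dmz:90.155.84.0/24    # /24 on the poster's 90.155.84.x is assumed
```

After `shorewall check`, `shorewall show routing` should list the two provider tables plus a multipath default route; the balance option needs multipath routing support in the kernel, so a missing CONFIG_IP_ROUTE_MULTIPATH shows up as a failure at start rather than as uneven traffic.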
