Hi Eric,
I didn't look at your dump; however, it sounds like you are having the same
problem that I had. The specific solution to being able to ping out on a
disabled link is in an email from Tom on this list on June 20:

ME: "> - if a provider is flaky it needs to be disabled, otherwise it remains
> the chosen route for users and they don't get any Internet.
> - Meaningful testing of the status of a path requires the interface to be
> enabled. For example, pings over an interface that is up, but for which
> the provider is marked "down" in Shorewall alternately succeed or report
> "Operation not permitted".

TOM: Use 'persistent' in /etc/shorewall/providers."

Hope that helps! It worked for me in terms of being able to ping via a
disabled provider.

I had other problems with disabling (but not shutting down) a USB stick,
which I can't remember clearly at the moment, so I reverted to "ifdown
usb0". And I haven't got to the place that I trust FOOLSM enough to put it
in production; partly because in our context, a ping test isn't enough to
determine link status. In some cases, pings are fine even to a distant
site, but web traffic is slow.

I stopped investing time in this and resigned myself to assessing and
controlling providers manually. I think SWPING / FOOLSM really are only
smart enough to deal with first world situations, mostly last-mile
failures. Third world network failures are amazingly diverse! Thankfully,
our main provider has made dramatic infrastructure improvements in the past
few weeks and for now, they are fast and reliable versus variable and
unreliable. That makes manual monitoring easier ;)

Best regards, Norm

On Sat, Oct 21, 2017 at 4:19 PM, 3ric Johanson <[email protected]>
wrote:

> Hi there,
>
> I've been using the multi-isp functions in shorewall for years, and
> recently updated my version of shorewall and the failover scripts I've been
> using have stopped working (swping).  I've also tried to make FOOLSM work
> without any success.   I've modified my old version of swping to use the
> firewall disable/enable methods vs. updating the status files. It's
> attached.  But neither my hacked version of swping nor FOOLSM seems to work.
>
> Here seems to be my problem:  Either can correctly detect a down internet
> connection, but once it calls ${VARDIR}/firewall disable ${DEVICE} then
> no more packets can be sent out via that internet connection so the script
> can't successfully determine when the link is back.
>
>
> # ping -I wlan0 8.8.8.8
> PING 8.8.8.8 (8.8.8.8) from 192.168.128.11 wlan0: 56(84) bytes of data.
> 64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=92.1 ms
> 64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=62.1 ms
> ^C
> --- 8.8.8.8 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1000ms
> rtt min/avg/max/mdev = 62.106/77.106/92.106/15.000 ms
> # /var/lib/shorewall/firewall disable wlan0
> # ping -I wlan0 8.8.8.8
> PING 8.8.8.8 (8.8.8.8) from 192.168.128.11 wlan0: 56(84) bytes of data.
> From 192.168.128.11 icmp_seq=1 Destination Host Unreachable
> From 192.168.128.11 icmp_seq=2 Destination Host Unreachable
> From 192.168.128.11 icmp_seq=3 Destination Host Unreachable
> ^C
> --- 8.8.8.8 ping statistics ---
> 5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4016ms
> pipe 3
> #
>
> It is possible this is because one of the links is a USB wifi dongle, and
> that's breaking something. It's also possible something else in my configs
> is breaking something?
>
> I don't see any blocked messages in my logs.
>
> Internet connections: wlan0 & eth3.  I've attached shorewall dump and the
> swping config I'm using.
>
> Any ideas?
>
> Thanks in advance,
> -3ric Johanson
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
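One way to structure a swping-style monitor on top of the 'persistent' advice quoted above, as an added example that is not part of this thread and is not swping or FOOLSM code: it probes with both ping and a timed HTTP fetch bound to the interface (the gap Norm describes with ping-only tests) and calls `firewall disable`/`enable` only after several consecutive results. The function names, thresholds and the URL argument are assumptions.

```shell
#!/bin/sh
# Added example (not swping or FOOLSM). Assumes the provider for the monitored
# interface has 'persistent' in /etc/shorewall/providers, so probes bound to
# it still work while the provider is disabled.
FIREWALL=${FIREWALL:-/var/lib/shorewall/firewall}  # path used in the thread
FAIL_LIMIT=${FAIL_LIMIT:-3}      # assumed: bad probes in a row before disable
PASS_LIMIT=${PASS_LIMIT:-5}      # assumed: good probes in a row before enable
MAX_HTTP_MS=${MAX_HTTP_MS:-4000} # assumed: slower fetches count as bad

# http_verdict SECONDS -> ok|bad (curl reports e.g. 0.812)
http_verdict() {
    awk -v t="$1" -v max="$MAX_HTTP_MS" \
        'BEGIN { if (t * 1000 <= max) print "ok"; else print "bad" }'
}

# probe DEV PING_TARGET URL -> ok|bad; ping and a timed fetch, both bound to DEV
probe() {
    ping -I "$1" -c 3 -W 2 "$2" >/dev/null 2>&1 || { echo bad; return 0; }
    t=$(curl --interface "$1" -s -o /dev/null --max-time 15 \
        -w '%{time_total}' "$3") || { echo bad; return 0; }
    http_verdict "$t"
}

# step STATE RUN RESULT -> "NEWSTATE NEWRUN ACTION"
# RUN counts consecutive results that contradict STATE; the state flips only
# when RUN reaches the limit, so one lost ping does not bounce the provider.
step() {
    state=$1 run=$2 action=none
    if [ "$state" = up ]; then want=bad limit=$FAIL_LIMIT flip=down cmd=disable
    else want=ok limit=$PASS_LIMIT flip=up cmd=enable
    fi
    if [ "$3" = "$want" ]; then run=$((run + 1)); else run=0; fi
    if [ "$run" -ge "$limit" ]; then state=$flip run=0 action=$cmd; fi
    echo "$state $run $action"
}

# monitor DEV PING_TARGET URL: loop forever, calling firewall enable/disable
monitor() {
    dev=$1 target=$2 url=$3 st=up n=0
    while :; do
        set -- $(step "$st" "$n" "$(probe "$dev" "$target" "$url")")
        st=$1 n=$2
        [ "$3" = none ] || "$FIREWALL" "$3" "$dev"
        sleep 10
    done
}

if [ "${1:-}" = monitor ]; then shift; monitor "$@"; fi
```

Run it as `sh script.sh monitor wlan0 8.8.8.8 <url>`; with no arguments it only defines the functions.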