Re: [Shorewall-users] high packet loss when using multi-provider on shorewall6

Sun, 04 Mar 2018 16:03:07 -0800 

Hello,

this is my first post to this list, and I hope I can reply to an already
existing thread.

I think I'm facing the same problem as this user reported:
> From: Brian J. Murrell <brian@in...> - 2017-11-29 17:33:24
> I have a shorewall6/shorewall6-lite installation where the router has
multiple IPv6 connections to the Internet.
> [...] I see major packet loss on the eth0.2 provider:

My shorewall6 version is 5.0.4 (on Ubuntu 16.04 LTS). The providers file:
#############################################################################################################
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY
                     OPTIONS                         COPY
mkn     1       -       -               eth0            2001:xxxx:xxx::1
                    track,primary
htp     2       -       -               eth1
fe80::464e:6dff:fe15:789a               track,fallback

I x'ed out our businesses public IPv6. "htp" is not a typo of "http", but
the name of our secondary provider. As their addresses are dynamic, I use
the link local address as gateway. When our primary provider 'mkn' should
go down, fallback on 'htp' will be done. I use a script to detect the link,
and can initiate a failover. This setup works fine.
The gateway is a Cisco router/DSL modem of the provider #1 in our
premisses, where I have no acces on.

However I'm facing massive packet losses (>50%, only on IPv6) on provider
#1 using this setup. If I leave out the providers file, there are no
losses, same as Brian reported above. To test the connection I usually do a
"ping6 google.com" or so. After a "shorewall6 restart" ping6s initially go
through, but then stops (after about 10 to 40 pings). When I do a "ping6
gateway-address" from another terminal, the pings to google will continue
to go through.

So I built this as workaround: I send continuous pings (by a cronjob)
against the router, then there are next to no losses. To me this looks very
similar to the problem described here:
https://forums.gentoo.org/viewtopic-t-855990-start-0.html

I tried to open shorewall6 for all ipv6-icmp traffic to and from the
router, but it didn't do much of a difference, as ipv6-icmp was allowed
anyway.

Would appreciate any help ...
Cheers
Udo







-- 
Udo Schacht-Wiegand
cantamen support team
-- 
cantamen :: Am Hohen Ufer 3A :: 30159 Hannover :: GERMANY
Phone: +49-511-270424-20 :: Fax: +49-511-5902-6264
http://www.cantamen.de

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to