On Sun, Sep 09, 2018 at 08:30:36PM +0100, Ben Webber wrote:
> I have a connection to the internet (talktalk) and an openvpn connection to a 
> provider that uses redirect-gateway def1 to add entries to the main routing 
> table
[...]

> Currently I have USE_DEFAULT_RT=No set in shorewall.conf. I then have an 
> entry in providers as follows (where the external IP of my internet 
> connection has been replaced with my.external.ip):
> 
> TT      2       2       main            enp5s5f1        my.external.ip   track   wlp5s6,wlp5s6_0,enp5s5f0,virbr1,tun1,tun3
> 
> My openvpn connection uses tun4 as an interface. In mangle, I have several 
> entries to tell certain traffic to go via the ISP, here is an example of one 
> of the entries:
> 
> MARK(2):P       192.168.4.11    0.0.0.0/0

> This configuration works fairly well, but I would like to be able to set 
> USE_DEFAULT_RT=Yes in shorewall.conf, however so far, no matter what I do I 
> can't seem to get the configuration right for this to work in the way I want.

What doesn't work about it?

I think you'll want to disable openvpn's "def1" stuff:
http://shorewall.org/MultiISP.html#USE_DEFAULT_RT
|  5. You should disable all default route management outside of Shorewall.
|     If a default route is inadvertently added to the main table while
|     Shorewall is started, then all policy routing will stop working except
|     for those routing rules in the priority range 1-998.

Note also:
| 2. The balance option is assumed for all interfaces that do not have the
|    loose option. When you want both balance and loose, both must be
|    specified.

Further:

shorewall.net/manpages/shorewall-interfaces.html
| There are certain cases where routefilter cannot be used on an interface:
| ·   If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is
|     listed in shorewall-providers(5).

Justin
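
A check for the condition the quoted MultiISP note warns about, as an added example that is not part of the original message: it scans a main-table listing for catch-all routes, including the 0.0.0.0/1 and 128.0.0.0/1 pair that OpenVPN's redirect-gateway def1 installs. The function names and the sample route listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags routes in the main table that
# cover the whole IPv4 space: a plain default route, or the two /1 halves
# that OpenVPN's "redirect-gateway def1" installs.

# Reads `ip -4 route show table main` style output on stdin and prints
# only the lines whose destination is a catch-all prefix.
find_catchall_routes() {
    awk '$1 == "default" || $1 == "0.0.0.0/0" ||
         $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1"'
}

# Constructed sample: a main table with def1 active on tun4.
# Interface names follow the thread; all addresses are made up.
SAMPLE_MAIN='0.0.0.0/1 via 10.8.0.1 dev tun4
128.0.0.0/1 via 10.8.0.1 dev tun4
10.8.0.0/24 dev tun4 proto kernel scope link src 10.8.0.6
192.168.4.0/24 dev enp5s5f0 proto kernel scope link src 192.168.4.1
198.51.100.0/24 dev enp5s5f1 proto kernel scope link src 198.51.100.7'

# $1: route listing text. Returns 0 if clean, 1 if catch-all routes exist.
check_main_table() {
    bad=$(printf '%s\n' "$1" | find_catchall_routes)
    if [ -n "$bad" ]; then
        printf 'catch-all routes in main table:\n%s\n' "$bad"
        return 1
    fi
    printf 'main table has no catch-all routes\n'
    return 0
}

# Run against the constructed sample (expected to report the two /1 routes).
check_main_table "$SAMPLE_MAIN" || true

# On a live system, after shorewall and openvpn have both started:
#   check_main_table "$(ip -4 route show table main)"
```

A non-zero return on the live table means something outside Shorewall is still managing default routes in main.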

