Dear Tom,
I have been using Shorewall on all company routers, thanks for the great work!
Recently installed GPRS routers as a backup to cable connections and after an
epic fight (like a pig with a pumpkin!) resorted to asking for help here.
The installation where I make initial testing is: Fedora 26
4.11.9-300.fc26.x86_64 & Shorewall 5.1.10.2-1, GPRS router HUAWEI B310s for
ISP2, cable ISP1 with DHCP.
Below is my ISP 1&2 structure. My plan is:
(a) to route all traffic through the main ISP1 when it is available. No load
balancing.
(b) if ISP1 goes down, all traffic is routed through the backup ISP2.
(c) when ISP1 comes back up, all traffic is routed again through ISP1 even though
ISP2 is still up.
What I get successfully is a) and b), but c) does not happen. Is it possible
to achieve this functionality, and where am I making mistakes?
I have installed foolsm as described in Multi-ISP shorewall tutorial. Other
settings:
interfaces contains:
net enp3s0 detect routeback,optional,dhcp,wait=20
net enp1s0 detect routeback,optional,dhcp,wait=20
masq contains:
enp3s0 0.0.0.0/0 WAN1
enp1s0 0.0.0.0/0 192.168.42.254
providers contains:
N3 1 1 - enp3s0 WAN1 track,primary -
A1 2 2 - enp1s0 192.168.42.1 track -
shorewall.conf contains:
USE_DEFAULT_RT=Yes
TRACK_PROVIDERS=Yes
BALANCE_PROVIDERS=No
In ifcfg files for enp1s0&enp3s0 DEFROUTE=no
lib.private contains the following ISP1&2 description:
name=N3
eventscript=/usr/libexec/foolsm/shorewall_script
checkip=GW1
sourceip=WAN1
device=enp3s0
ttl=20
name=A1
eventscript=/usr/libexec/foolsm/shorewall_script
checkip=192.168.42.1 # checkip=WAN2 – ???
sourceip=192.168.42.254
device=enp1s0
ttl=20
The output of systemctl status shorewall and foolsm log look normal.
Checking ISP1&2 routing tables shows:
ip route ls table N3 (when connected):
default via GW1 dev enp3s0 src WAN1
GW1 dev enp3s0 scope link src WAN1
ip route ls table A1 (when connected):
default via 192.168.42.1 dev enp1s0 src 192.168.42.254
192.168.42.1 dev enp1s0 scope link src 192.168.42.254
ip route ls table 253 – empty
Now I fiddle with the cables to the LAN cards of the FW disconnecting and
connecting them in turn and check routing table 254:
1. N3 up, A1 up restart FW CPU OK, traffic goes through ISP1 main as
expected
ip route ls table 254:
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1
2. N3 up --> down, A1 up OK, traffic goes through ISP2 as expected
ip route ls table 254:
default via 192.168.42.1 dev enp1s0 proto static metric 100
3. N3 down --> up, A1 up BAD, traffic goes through ISP2 but ISP1 is
expected
ip route ls table 254:
default via 192.168.42.1 dev enp1s0 proto static metric 100
default via GW1 dev enp3s0 proto static metric 101
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1
4. nothing changed (N3 up, A1 up), restart shorewall OK, traffic goes
through ISP1
ip route ls table 254:
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1
5. . . . . after 1-2 minutes BAD, traffic goes through ISP2 but ISP1 is
expected
ip route ls table 254:
default via 192.168.42.1 dev enp1s0 proto static metric 100
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1
6. . . . disconnect A1:
ip route ls table 254 OK, traffic goes through ISP1 main as expected
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1
It looks to me that things mess up in 3., as the priority of the default routes
is wrong; ideally there should be no default route through ISP2.
I am not sure what IP should be in lib.private for ISP2: checkip=192.168.42.1
(LAN IP of the GPRS router) or checkip=WAN2 (WAN IP of the GPRS router; it has
no GW IP).
I will supply any additional info if needed. Thanks for your advice!
Best regards!
Andrei
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
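As an added check (not from Andrei's mail and not Shorewall or foolsm code), a small parser for the `ip route ls table 254` dumps quoted above that flags the failed-failback state: the backup interface still owning the best default route while the primary interface's kernel connected route is back. The interface names enp3s0/enp1s0 and the GW1/WAN1 placeholders are taken from the mail; the sample dumps are constructed from its cases 1, 2, 3 and 5.

```python
def parse_routes(output):
    """Parse `ip route ls` lines into dicts: dst plus any via/dev/metric/src fields."""
    routes = []
    for line in output.splitlines():
        tok = line.split()
        if not tok:
            continue
        route = {"dst": tok[0]}
        for key in ("via", "dev", "metric", "src"):
            if key in tok:
                route[key] = tok[tok.index(key) + 1]
        route["metric"] = int(route.get("metric", 0))  # no metric printed means 0
        routes.append(route)
    return routes

def active_default(output):
    """Device of the lowest-metric default route in the table, or None."""
    defaults = sorted((r for r in parse_routes(output) if r["dst"] == "default"),
                      key=lambda r: r["metric"])
    return defaults[0].get("dev") if defaults else None

def link_up(output, dev):
    """True if a non-default (kernel connected/link) route on dev is present."""
    return any(r["dst"] != "default" and r.get("dev") == dev
               for r in parse_routes(output))

def classify_main_table(output, primary, backup):
    """'primary', 'backup', 'no-default', or 'stale-backup-default' when the
    backup still owns the best default route although the primary link is back."""
    best = active_default(output)
    if best is None:
        return "no-default"
    if best == primary:
        return "primary"
    if best == backup and link_up(output, primary):
        return "stale-backup-default"
    return "backup"

# Constructed samples mirroring cases 1, 2, 3 and 5 from the mail (placeholders kept).
CASE1 = """GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1"""
CASE2 = "default via 192.168.42.1 dev enp1s0 proto static metric 100"
CASE3 = """default via 192.168.42.1 dev enp1s0 proto static metric 100
default via GW1 dev enp3s0 proto static metric 101
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1"""
CASE5 = """default via 192.168.42.1 dev enp1s0 proto static metric 100
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1"""
```

Feed the output of `ip route ls table 254` to `classify_main_table(dump, "enp3s0", "enp1s0")`; cases 3 and 5 come back as `stale-backup-default`, which is the condition to alert on after a primary-link restore.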