On 4/14/19 1:30 PM, Andrey Andreev wrote:
> Dear Tom,
> I have been using Shorewall on all company routers, thanks for the great
> work!
> Recently installed GPRS routers as a backup to cable connections and
> after an epic fight (like a pig with a pumpkin!) resorted to asking for
> help here.
>
> The installation where I make initial testing is: Fedora 26
> 4.11.9-300.fc26.x86_64 & Shorewall 5.1.10.2-1, GPRS router HUAWEI
> B310s for ISP2, cable ISP1 with DHCP.
>
> Below is my ISP 1&2 structure. My plan is:
> (a) to route all traffic through the main ISP1 when it is available. No
> load balancing.
> (b) if ISP1 goes down, all traffic is routed through the backup ISP2.
> (c) when ISP1 goes up, all traffic is routed again through ISP1 though
> ISP2 is still up.
>
> What I get successfully is a) and b), but c) does not happen. Is it
> possible to achieve this functionality, where do I make mistakes?
>
> [image]
>
> I have installed foolsm as described in Multi-ISP shorewall tutorial.
> Other settings:
> *interfaces* contains:
> net enp3s0 detect routeback,optional,dhcp,wait=20
> net enp1s0 detect routeback,optional,dhcp,wait=20
>
> *masq* contains:
> enp3s0 0.0.0.0/0 WAN1
> enp1s0 0.0.0.0/0 192.168.42.254
>
> *providers* contains:
> N3 1 1 - enp3s0 WAN1 track,primary -
> A1 2 2 - enp1s0 192.168.42.1 track -
>
> *shorewall.conf* contains:
> USE_DEFAULT_RT=Yes
> TRACK PROVIDERS=Yes
> BALLANCE_PROVIDERS=No
>
> In ifcfg files for enp1s0&enp3s0 DEFROUTE=no
>
> *lib.private* contains the following ISP1&2 description:
> name=N3
> eventscript=/usr/libexec/foolsm/shorewall_script
> checkip=GW1
> sourceip=WAN1
> device=enp3s0
> ttl=20
>
> name=A1
> eventscript=/usr/libexec/foolsm/shorewall_script
> checkip=192.168.42.1 # checkip=WAN2 – ???
> sourceip=192.168.42.254
> device=enp1s0
> ttl=20
>
> The output of systemctl status shorewall and foolsm log look normal.
>
> Checking ISP1&2 routing tables shows:
> *ip route ls table N3 (when connected):*
> default via GW1 dev enp3s0 src WAN1
> GW1 dev enp3s0 scope link src WAN1
> *ip route ls table A1 (when connected):*
> default via 192.168.42.1 dev enp1s0 src 192.168.42.254
> 192.168.42.1 dev enp1s0 scope link src 192.168.42.254
> *ip route ls table 253* – empty
>
> Now I fiddle with the cables to the LAN cards of the FW disconnecting
> and connecting them in turn and check routing table 254:
> *1. N3 up, A1 up restart FW CPU OK, traffic goes through ISP1 main
> as expected*
> *ip route ls table 254:*
> GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
> GW1 dev enp3s0 scope link src WAN1
>
> *2. N3 up --> down, A1 up OK, traffic goes through ISP2 as
> expected*
> *ip route ls table 254:*
> default via 192.168.42.1 dev enp1s0 proto static metric 100
>
> *3. N3 down --> up, A1 up BAD, traffic goes through ISP2 but ISP1
> is expected*
> *ip route ls table 254:*
> default via 192.168.42.1 dev enp1s0 proto static metric 100
> default via GW1 dev enp3s0 proto static metric 101
> GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
> GW1 dev enp3s0 scope link src WAN1
>
> *4. nothing changed (N3 up, A1 up), restart shorewall OK, traffic
> goes through ISP1*
> *ip route ls table 254:*
> GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
> GW1 dev enp3s0 scope link src WAN1
>
> *5. . . . . after 1-2 minutes BAD, traffic goes through ISP2 but
> ISP1 is expected*
> *ip route ls table 254:*
> default via 192.168.42.1 dev enp1s0 proto static metric 100
> GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
> GW1 dev enp3s0 scope link src WAN1
>
> *6. . . . disconnect A1:*
> *ip route ls table 254 OK, traffic goes through ISP1 main as expected*
> GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
> GW1 dev enp3s0 scope link src WAN1
>
> It looks to me that things mess up in 3. as the priority of the default
> routes is wrong; ideally there should be no default route through ISP2.
> I am not sure what IP should be in lib.private for ISP2:
> checkip=192.168.42.1 (LAN IP of the GPRS router) or checkip=WAN2
> (WAN IP of the GPRS router. It has no GW IP).
>
> I will supply any additional info if needed. Thanks for your advice!
How are you simulating interface failure and restoration? Are you downing
and upping the devices?

The reason that I ask is that FooLSM's default configuration uses
'shorewall disable' and 'shorewall enable' to react to an interface going
down and up respectively. Those operations should *never* add default
routes to the main routing table.

-Tom
--
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org  \    understand
\_______________________________________________
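Added example, not part of the thread or of Shorewall/FooLSM: a small POSIX sh audit of `ip route ls table 254` output that flags the condition Tom describes (default routes present in the main table) and reports which default route wins by metric, which is why steps 3 and 5 above still forward via enp1s0. The sample tables are copied from the report (GW1 and WAN1 are the poster's own placeholders); the function names are my own.

```shell
#!/bin/sh
# Constructed samples of 'ip route ls table 254' from the report (GW1/WAN1 are the poster's placeholders).
STEP1_TABLE='GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1'

STEP3_TABLE='default via 192.168.42.1 dev enp1s0 proto static metric 100
default via GW1 dev enp3s0 proto static metric 101
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1 metric 100
GW1 dev enp3s0 scope link src WAN1'

# count_default_routes TABLE_TEXT: number of 'default' entries in the table.
count_default_routes() {
  printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n + 0 }'
}
# winning_default_dev TABLE_TEXT: device of the lowest-metric default route
# (a route shown without a metric counts as metric 0), or "none" if there is none.
winning_default_dev() {
  printf '%s\n' "$1" | awk '
    $1 == "default" {
      dev = ""; metric = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "dev")    dev = $(i + 1)
        if ($i == "metric") metric = $(i + 1) + 0
      }
      if (best == "" || metric < best_metric) { best = dev; best_metric = metric }
    }
    END { print (best == "" ? "none" : best) }'
}
# audit_main_table PRIMARY_IF TABLE_TEXT: returns 0 when the main table holds no
# default route (the state Tom describes as correct) and 1 otherwise, reporting
# which device actually wins so the observed forwarding path can be explained.
audit_main_table() {
  primary=$1
  n=$(count_default_routes "$2")
  if [ "$n" -eq 0 ]; then
    printf 'OK: no default route in table 254; provider tables decide the path\n'
    return 0
  fi
  dev=$(winning_default_dev "$2")
  if [ "$dev" = "$primary" ]; then
    printf 'BAD: %s default route(s) in table 254, lowest metric via %s (primary)\n' "$n" "$dev"
  else
    printf 'BAD: %s default route(s) in table 254, lowest metric via %s, not %s\n' "$n" "$dev" "$primary"
  fi
  return 1
}

# Live use would be: audit_main_table enp3s0 "$(ip route ls table 254)"
audit_main_table enp3s0 "$STEP1_TABLE" || true
audit_main_table enp3s0 "$STEP3_TABLE" || true
```

Running it after each FooLSM event (or from a cron job) gives a quick record of when and by which device the main table picked up a default route.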
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users