Thanks Tuomo. The interfaces of course require a gateway since they are not point-to-point.
Today I disabled foolsm so I am sure those scripts are not doing anything. I cannot guess what other system component could be reacting to a change in interface status and creating a default route in table main, unless there is some misconfiguration in shorewall, but I don't see any evidence of that. I have off.d and routable.d scripts in networkd-dispatcher, which end with shorewall reload. So as far as I am aware, any changes to interfaces would be caught by those scripts and shorewall reload will be run after the interface changes state.

Today I noted on the firewall running shorewall that (1) periodically a default route for the flaky interface, which I believe was actually totally down all day, would appear in table main; (2) as a result the firewall could not ping out (unless specifying another interface) and no-one else on the network had outside access either; (3) shorewall reload removes the offending default route and then everything works again.

This afternoon (after all-day complaints from users "no internet") I created a cron job to run:

    [[ `ip route show table main | grep default` ]] && {
        echo "`date`: Default route found in table main, running shorewall reload" >> /var/log/elim-default-route-main.log
        shorewall reload
    }

This logs messages every minute for maybe 20 minutes and then stops for a while and then restarts. The networkd-dispatcher script is not logging anything at all against the offending interfaces.

I wish I could tell you in detail what changed in the shorewall config but I can't; at this point I really need some pointers on what could be causing the behavior and what to do for further diagnosis.
Best,
Norman

On Mon, Jul 26, 2021 at 11:23 AM Tuomo Soini <t...@foobar.fi> wrote:
> On Sat, 24 Jul 2021 13:38:17 +0100
> Norman and Audrey Henderson <norm.aud...@gmail.com> wrote:
>
> > However if vlan5 goes down briefly or if I simulate that by: ifconfig
> > vlan5 down; sleep 2; ifconfig vlan5 up - then a default route to the
> > gateway of vlan5 gets added to table main. The preference for vlan7
> > (being after the main table) is then not applied.
> >
> > shorewall reload fixes it.
> >
> > Any ideas of why this would be occurring? Or, is there a way to
> > trigger shorewall reload whenever a link changes state?
>
> This is a normal problem if you have a gateway configured for the interface.
> And with multi-isp you are always required to reload shorewall after
> operations to interface.
>
> --
> Tuomo Soini <t...@foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
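The cron workaround in the post above greps for the word "default" anywhere in the main table and always reloads. A slightly more careful version of the same check, written here as an added example (not code from the thread or from the Shorewall project), matches only a real `default` route line, can be restricted to the flaky interface so a legitimate default route is left alone, and keeps the detection in a function that can be exercised against constructed `ip route` output without touching the live routing table. The log path and the `ip route show table main` output format are assumed; `vlan5`, `vlan7` and the 10.0.x.0/24 and 192.0.2.1 addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: detect a stray default route in table main and reload
# shorewall only when one is present. Not part of the original post.

# Assumed log path (same name as the cron job in the thread).
LOG=/var/log/elim-default-route-main.log

# default_route_in TABLE_TEXT [IFACE]
# Exit 0 if TABLE_TEXT (the output of "ip route show table main") contains a
# route line starting with "default"; with IFACE given, only a default route
# whose "dev" is that interface counts. Exit 1 otherwise.
default_route_in() {
    if [ -n "$2" ]; then
        printf '%s\n' "$1" | grep -qE "^default .* dev $2( |\$)"
    else
        printf '%s\n' "$1" | grep -qE '^default '
    fi
}

# Constructed sample of the main table when the flaky interface's gateway
# has leaked in (sample text, not captured from a real system).
SAMPLE_LEAKED='default via 192.0.2.1 dev vlan5
10.0.5.0/24 dev vlan5 proto kernel scope link src 10.0.5.2
10.0.7.0/24 dev vlan7 proto kernel scope link src 10.0.7.2'

# Constructed sample of a healthy main table (no default route; the
# per-provider default routes live in their own tables under multi-ISP).
SAMPLE_CLEAN='10.0.5.0/24 dev vlan5 proto kernel scope link src 10.0.5.2
10.0.7.0/24 dev vlan7 proto kernel scope link src 10.0.7.2'

# fix_main_table [IFACE]
# Read the live main table; if a (matching) default route is present, log a
# timestamped line and run "shorewall reload". Returns shorewall's status,
# or 0 when nothing needed doing.
fix_main_table() {
    table=$(ip route show table main)
    if default_route_in "$table" "$1"; then
        printf '%s: default route found in table main (dev %s), running shorewall reload\n' \
            "$(date)" "${1:-any}" >> "$LOG"
        shorewall reload
    fi
}

# Only act on the real routing table when invoked as: sh this-script.sh --run [IFACE]
# (e.g. "* * * * * /usr/local/sbin/this-script.sh --run vlan5" from cron).
if [ "${1:-}" = "--run" ]; then
    fix_main_table "$2"
fi
```

Running the script with no arguments only defines the functions and samples, which is what makes the detection logic testable on a workstation; in cron it is called with `--run vlan5` so that only a default route via the flaky interface triggers a reload.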