Add new example to the Multi-ISP doc including the output of 'shorewall show routing'

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9245 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-01-05 23:40:56 +00:00
parent 88c2361323
commit 150ca2c2f6
3 changed files with 168 additions and 0 deletions


@ -1255,4 +1255,172 @@ wlan0 192.168.0.0/24</programlisting><note>
</note></para>
</section>
</section>
<section>
<title>A Complete Working Example</title>
<para>This section describes the network at shorewall.net early in 2009.
The configuration is as follows:</para>
<itemizedlist>
<listitem>
<para>Two providers:</para>
<itemizedlist>
<listitem>
<para>Avvanta -- A slow (1.5mb/384kb) DSL service with 5 static IP
addresses.</para>
</listitem>
<listitem>
<para>Comcast -- A fast (20mb/10mb) Cable circuit with a single
<emphasis>dynamic</emphasis> address.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>A local network consisting of wired and wireless client systems.
A Linksys WRT300N wireless router is used as an access point for the
wireless hosts; the WAN port on the router is unused as is the builtin
DHCP server. The firewall runs a DHCP server.</para>
</listitem>
<listitem>
<para>A DMZ hosting a single server (lists.shorewall.net aka
www1.shorewall.net, ftp1.shorewall.net,etc.)</para>
</listitem>
</itemizedlist>
<para>The network is pictured in the following diagram:</para>
<graphic align="center" fileref="images/Network2009.png" />
<para>Because of the speed of the cable provider, all traffic uses that
provider unless there is a specific need for the traffic to use the DSL
line. As a consequence, I have disabled all route filtering on the
firewall and do not use the <emphasis role="bold">balance</emphasis>
option in <filename>/etc/shorewall/providers</filename>.</para>
<para><filename>/etc/sysctl.conf</filename>:</para>
<programlisting>net.ipv4.conf.all.rp_filter = 0</programlisting>
<para><filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Avvanta 1 0x100 main eth0 206.124.146.254 track,loose eth2,eth4,tun*
Comcast 2 0x200 mai eth3 detect track eth2,eth4,tun*
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para>The <emphasis role="bold">loose</emphasis> option on Avvanta results
in fewer routing rules. The first two routing rules below insure that all
traffic from Avvanta-assigned IP addresses is sent via the Avvanta
provider. Note that because the Comcast line has a dynamic IP address, I
am not able to use USE_DEFAULT_RT=Yes in
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
<para><filename>/etc/shorewall/route_rules</filename>:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY
206.124.146.176/30 - Avvanta 26000
206.124.146.180 - Avvanta 26000
- 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para>The <filename>/etc/shorewall/route_rules </filename>entries provide
all of the provider selection necessary so my
<filename>/etc/shorewall/tcrules</filename> file is used exclusively for
traffic shaping of the Avvanta line.</para>
<para>Here is the output of <command>shorewall show
routing</command>:</para>
<programlisting>Routing Rules
0: from all lookup local
10000: from all fwmark 0x100 lookup Avvanta
10001: from all fwmark 0x200 lookup Comcast
20256: from 71.227.156.229 lookup Comcast
26000: from 206.124.146.176/30 lookup Avvanta
26000: from 206.124.146.180 lookup Avvanta
26000: from all to 216.168.3.44 lookup Avvanta
32766: from all lookup main
32767: from all lookup default
Table Avvanta:
206.124.146.254 dev eth0 scope link src 206.124.146.176
206.124.146.177 dev eth4 scope link
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
169.254.0.0/16 dev eth0 scope link
default via 206.124.146.254 dev eth0 src 206.124.146.176
Table Comcast:
206.124.146.177 dev eth4 scope link
71.227.156.1 dev eth3 scope link src 71.227.156.229
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229
default via 71.227.156.1 dev eth3 src 71.227.156.229
Table default:
Table local:
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.254
broadcast 206.124.146.255 dev eth0 proto kernel scope link src 206.124.146.176
local 206.124.146.179 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.178 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.176 dev eth0 proto kernel scope host src 206.124.146.176
local 206.124.146.176 dev eth4 proto kernel scope host src 206.124.146.176
broadcast 71.227.157.255 dev eth3 proto kernel scope link src 71.227.156.229
broadcast 71.227.156.0 dev eth3 proto kernel scope link src 71.227.156.229
local 172.20.1.254 dev eth2 proto kernel scope host src 172.20.1.254
local 127.0.0.2 dev lo proto kernel scope host src 127.0.0.1
broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.254
local 71.227.156.229 dev eth3 proto kernel scope host src 71.227.156.229
broadcast 206.124.146.0 dev eth0 proto kernel scope link src 206.124.146.176
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 206.124.146.180 dev eth0 proto kernel scope host src 206.124.146.176
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
206.124.146.177 dev eth4 scope link
172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 71.227.156.1 dev eth3 </programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc eth2 detect dhcp,routeback
dmz eth4 detect
net eth0 detect dhcp,blacklist,tcpflags,optional
net eth3 detect dhcp,blacklist,tcpflags,optional
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq</filename>:</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
COMMENT Masquerade Local Network
eth3 0.0.0.0/0
eth0 !206.124.146.0/24 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
</programlisting>
<para>All traffic leaving eth3 must use the dynamic IP address assigned to
that interface as the SOURCE address. All traffic leaving eth0 that does
not have an address falling within the Avvanta subnet (206.124.146.0/24)
must have its SOURCE address changed to 206.124.146.179.</para>
</section>
</article>
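Review bot: in the new /etc/shorewall/providers listing, the Comcast line's DUPLICATE column reads `mai` while the Avvanta line (and the explanatory text) uses `main`; as written the Comcast table would not be copied from the main table, so the example should read `Comcast 2 0x200 main eth3 detect track eth2,eth4,tun*`. Two smaller points in the same hunk: "The first two routing rules below insure that all traffic" should be "ensure", and since the example sets `net.ipv4.conf.all.rp_filter = 0` and states that all route filtering is disabled, the paragraph would help readers more if it said plainly that turning off reverse-path filtering is what lets replies arrive on either provider's interface, and that the kernel's source-address anti-spoofing check is given up in exchange, so source-address sanity has to come from the Shorewall rules and the interface options shown later in the example.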

BIN
docs/images/Network2009.dia Normal file


BIN
docs/images/Network2009.png Normal file
