diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 8ec2927d2..8b72d4997 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1255,4 +1255,172 @@ wlan0 192.168.0.0/24
+
+
+ A Complete Working Example
+
+ This section describes the network at shorewall.net early in 2009.
+ The configuration is as follows:
+
+
+
+ Two providers:
+
+
+
+ Avvanta -- A slow (1.5mb/384kb) DSL service with 5 static IP
+ addresses.
+
+
+
+ Comcast -- A fast (20mb/10mb) Cable circuit with a single
+ dynamic address.
+
+
+
+
+
+ A local network consisting of wired and wireless client systems.
+ A Linksys WRT300N wireless router is used as an access point for the
+ wireless hosts; the WAN port on the router is unused as is the builtin
+ DHCP server. The firewall runs a DHCP server.
+
+
+
+ A DMZ hosting a single server (lists.shorewall.net aka
+ www1.shorewall.net, ftp1.shorewall.net,etc.)
+
+
+
+ The network is pictured in the following diagram:
+
+
+
+ Because of the speed of the cable provider, all traffic uses that
+ provider unless there is a specific need for the traffic to use the DSL
+ line. As a consequence, I have disabled all route filtering on the
+ firewall and do not use the balance
+ option in /etc/shorewall/providers.
+
+ /etc/sysctl.conf:
+
+ net.ipv4.conf.all.rp_filter = 0
+
+ /etc/shorewall/providers:
+
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+Avvanta 1 0x100 main eth0 206.124.146.254 track,loose eth2,eth4,tun*
+Comcast 2 0x200 mai eth3 detect track eth2,eth4,tun*
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+ The loose option on Avvanta results
+ in fewer routing rules. The first two routing rules below insure that all
+ traffic from Avvanta-assigned IP addresses is sent via the Avvanta
+ provider. Note that because the Comcast line has a dynamic IP address, I
+ am not able to use USE_DEFAULT_RT=Yes in
+ /etc/shorewall/shorewall.conf.
+
+ /etc/shorewall/route_rules:
+
+ #SOURCE DEST PROVIDER PRIORITY
+206.124.146.176/30 - Avvanta 26000
+206.124.146.180 - Avvanta 26000
+- 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+ The /etc/shorewall/route_rules entries provide
+ all of the provider selection necessary so my
+ /etc/shorewall/tcrules file is used exclusively for
+ traffic shaping of the Avvanta line.
+
+ Here is the output of shorewall show
+ routing:
+
+ Routing Rules
+
+0: from all lookup local
+10000: from all fwmark 0x100 lookup Avvanta
+10001: from all fwmark 0x200 lookup Comcast
+20256: from 71.227.156.229 lookup Comcast
+26000: from 206.124.146.176/30 lookup Avvanta
+26000: from 206.124.146.180 lookup Avvanta
+26000: from all to 216.168.3.44 lookup Avvanta
+32766: from all lookup main
+32767: from all lookup default
+
+Table Avvanta:
+
+206.124.146.254 dev eth0 scope link src 206.124.146.176
+206.124.146.177 dev eth4 scope link
+172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
+206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
+169.254.0.0/16 dev eth0 scope link
+default via 206.124.146.254 dev eth0 src 206.124.146.176
+
+Table Comcast:
+
+206.124.146.177 dev eth4 scope link
+71.227.156.1 dev eth3 scope link src 71.227.156.229
+172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
+71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229
+default via 71.227.156.1 dev eth3 src 71.227.156.229
+
+Table default:
+
+Table local:
+
+broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
+broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.254
+broadcast 206.124.146.255 dev eth0 proto kernel scope link src 206.124.146.176
+local 206.124.146.179 dev eth0 proto kernel scope host src 206.124.146.176
+local 206.124.146.178 dev eth0 proto kernel scope host src 206.124.146.176
+local 206.124.146.176 dev eth0 proto kernel scope host src 206.124.146.176
+local 206.124.146.176 dev eth4 proto kernel scope host src 206.124.146.176
+broadcast 71.227.157.255 dev eth3 proto kernel scope link src 71.227.156.229
+broadcast 71.227.156.0 dev eth3 proto kernel scope link src 71.227.156.229
+local 172.20.1.254 dev eth2 proto kernel scope host src 172.20.1.254
+local 127.0.0.2 dev lo proto kernel scope host src 127.0.0.1
+broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.254
+local 71.227.156.229 dev eth3 proto kernel scope host src 71.227.156.229
+broadcast 206.124.146.0 dev eth0 proto kernel scope link src 206.124.146.176
+broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
+local 206.124.146.180 dev eth0 proto kernel scope host src 206.124.146.176
+local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
+local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
+
+Table main:
+
+206.124.146.177 dev eth4 scope link
+172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254
+206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176
+71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229
+169.254.0.0/16 dev eth0 scope link
+127.0.0.0/8 dev lo scope link
+default via 71.227.156.1 dev eth3
+
+ /etc/shorewall/interfaces:
+
+ #ZONE INTERFACE BROADCAST OPTIONS
+loc eth2 detect dhcp,routeback
+dmz eth4 detect
+net eth0 detect dhcp,blacklist,tcpflags,optional
+net eth3 detect dhcp,blacklist,tcpflags,optional
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+
+ /etc/shorewall/masq:
+
+ #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
+
+COMMENT Masquerade Local Network
+eth3 0.0.0.0/0
+eth0 !206.124.146.0/24 206.124.146.179
+
+#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
+
+
+ All traffic leaving eth3 must use the dynamic IP address assigned to
+ that interface as the SOURCE address. All traffic leaving eth0 that does
+ not have an address falling within the Avvanta subnet (206.124.146.0/24)
+ must have its SOURCE address changed to 206.124.146.179.
+
diff --git a/docs/images/Network2009.dia b/docs/images/Network2009.dia
new file mode 100644
index 000000000..34894b055
Binary files /dev/null and b/docs/images/Network2009.dia differ
diff --git a/docs/images/Network2009.png b/docs/images/Network2009.png
new file mode 100644
index 000000000..ccabab6c6
Binary files /dev/null and b/docs/images/Network2009.png differ