diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 8ec2927d2..8b72d4997 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1255,4 +1255,172 @@ wlan0 192.168.0.0/24 + +
+ A Complete Working Example + + This section describes the network at shorewall.net early in 2009. + The configuration is as follows: + + + + Two providers: + + + + Avvanta -- A slow (1.5mb/384kb) DSL service with 5 static IP + addresses. + + + + Comcast -- A fast (20mb/10mb) Cable circuit with a single + dynamic address. + + + + + + A local network consisting of wired and wireless client systems. + A Linksys WRT300N wireless router is used as an access point for the + wireless hosts; the WAN port on the router is unused as is the builtin + DHCP server. The firewall runs a DHCP server. + + + + A DMZ hosting a single server (lists.shorewall.net aka + www1.shorewall.net, ftp1.shorewall.net,etc.) + + + + The network is pictured in the following diagram: + + + + Because of the speed of the cable provider, all traffic uses that + provider unless there is a specific need for the traffic to use the DSL + line. As a consequence, I have disabled all route filtering on the + firewall and do not use the balance + option in /etc/shorewall/providers. + + /etc/sysctl.conf: + + net.ipv4.conf.all.rp_filter = 0 + + /etc/shorewall/providers: + + #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +Avvanta 1 0x100 main eth0 206.124.146.254 track,loose eth2,eth4,tun* +Comcast 2 0x200 mai eth3 detect track eth2,eth4,tun* +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + + The loose option on Avvanta results + in fewer routing rules. The first two routing rules below insure that all + traffic from Avvanta-assigned IP addresses is sent via the Avvanta + provider. Note that because the Comcast line has a dynamic IP address, I + am not able to use USE_DEFAULT_RT=Yes in + /etc/shorewall/shorewall.conf. 
+ + /etc/shorewall/route_rules: + + #SOURCE DEST PROVIDER PRIORITY +206.124.146.176/30 - Avvanta 26000 +206.124.146.180 - Avvanta 26000 +- 216.168.3.44 Avvanta 26000 # Avvanta NNTP Server -- verifies source IP address +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + + The /etc/shorewall/route_rules entries provide + all of the provider selection necessary so my + /etc/shorewall/tcrules file is used exclusively for + traffic shaping of the Avvanta line. + + Here is the output of shorewall show + routing: + + Routing Rules + +0: from all lookup local +10000: from all fwmark 0x100 lookup Avvanta +10001: from all fwmark 0x200 lookup Comcast +20256: from 71.227.156.229 lookup Comcast +26000: from 206.124.146.176/30 lookup Avvanta +26000: from 206.124.146.180 lookup Avvanta +26000: from all to 216.168.3.44 lookup Avvanta +32766: from all lookup main +32767: from all lookup default + +Table Avvanta: + +206.124.146.254 dev eth0 scope link src 206.124.146.176 +206.124.146.177 dev eth4 scope link +172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254 +206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176 +169.254.0.0/16 dev eth0 scope link +default via 206.124.146.254 dev eth0 src 206.124.146.176 + +Table Comcast: + +206.124.146.177 dev eth4 scope link +71.227.156.1 dev eth3 scope link src 71.227.156.229 +172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254 +71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229 +default via 71.227.156.1 dev eth3 src 71.227.156.229 + +Table default: + +Table local: + +broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1 +broadcast 172.20.1.0 dev eth2 proto kernel scope link src 172.20.1.254 +broadcast 206.124.146.255 dev eth0 proto kernel scope link src 206.124.146.176 +local 206.124.146.179 dev eth0 proto kernel scope host src 206.124.146.176 +local 206.124.146.178 dev eth0 proto kernel scope host src 206.124.146.176 +local 206.124.146.176 dev eth0 proto 
kernel scope host src 206.124.146.176 +local 206.124.146.176 dev eth4 proto kernel scope host src 206.124.146.176 +broadcast 71.227.157.255 dev eth3 proto kernel scope link src 71.227.156.229 +broadcast 71.227.156.0 dev eth3 proto kernel scope link src 71.227.156.229 +local 172.20.1.254 dev eth2 proto kernel scope host src 172.20.1.254 +local 127.0.0.2 dev lo proto kernel scope host src 127.0.0.1 +broadcast 172.20.1.255 dev eth2 proto kernel scope link src 172.20.1.254 +local 71.227.156.229 dev eth3 proto kernel scope host src 71.227.156.229 +broadcast 206.124.146.0 dev eth0 proto kernel scope link src 206.124.146.176 +broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1 +local 206.124.146.180 dev eth0 proto kernel scope host src 206.124.146.176 +local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1 +local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1 + +Table main: + +206.124.146.177 dev eth4 scope link +172.20.1.0/24 dev eth2 proto kernel scope link src 172.20.1.254 +206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.176 +71.227.156.0/23 dev eth3 proto kernel scope link src 71.227.156.229 +169.254.0.0/16 dev eth0 scope link +127.0.0.0/8 dev lo scope link +default via 71.227.156.1 dev eth3 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +loc eth2 detect dhcp,routeback +dmz eth4 detect +net eth0 detect dhcp,blacklist,tcpflags,optional +net eth3 detect dhcp,blacklist,tcpflags,optional +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + + /etc/shorewall/masq: + + #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC + +COMMENT Masquerade Local Network +eth3 0.0.0.0/0 +eth0 !206.124.146.0/24 206.124.146.179 + +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + + + All traffic leaving eth3 must use the dynamic IP address assigned to + that interface as the SOURCE address. 
All traffic leaving eth0 that does + not have an address falling within the Avvanta subnet (206.124.146.0/24) + must have its SOURCE address changed to 206.124.146.179. +
diff --git a/docs/images/Network2009.dia b/docs/images/Network2009.dia
new file mode 100644
index 000000000..34894b055
Binary files /dev/null and b/docs/images/Network2009.dia differ
diff --git a/docs/images/Network2009.png b/docs/images/Network2009.png
new file mode 100644
index 000000000..ccabab6c6
Binary files /dev/null and b/docs/images/Network2009.png differ