mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-08 22:58:50 +01:00
Move Multi-ISP/routefilter information to FAQ
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4511 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
848a48e462
commit
f33287f1b4
38
docs/FAQ.xml
@ -1620,6 +1620,44 @@ iptables: Invalid argument
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Multiple ISPs</title>
|
||||
|
||||
<section id="faq57">
|
||||
<title>(FAQ 57) I configured two ISPs in Shorewall but when I try to use
|
||||
the second one, it doesn't work.</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> The Multi-ISP
|
||||
Documentation strongly recommends that you use the 'balance' option on
|
||||
all providers even if you want to manually specify which ISP to use. If
|
||||
you don't do that so that your main routing table only has one default
|
||||
route, then you must disable route filtering. Do not specify the
|
||||
'routefilter' option on the other interface(s) in
|
||||
<filename>/etc/shorewall/interfaces</filename> and disable any
|
||||
<emphasis>IP Address Spoofing</emphasis> protection that your
|
||||
distribution supplies.</para>
|
||||
</section>
|
||||
|
||||
<section id="faq58">
|
||||
<title>(FAQ 58) But if I specify 'balance' then won't Shorewall balance
|
||||
the traffic between the interfaces? I don't want that!</title>
|
||||
|
||||
<para><emphasis role="bold">Answer</emphasis>: Suppose that you want all
|
||||
traffic to go out through ISP1 (mark 1) unless you specify otherwise;
|
||||
your internal interface is <filename class="devicefile">eth0</filename>.
|
||||
Then simply add these two rules as the first marking rules in your
|
||||
<filename>/etc/shorewall/tcrules</filename> file:</para>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST
|
||||
1 eth0
|
||||
1 $FW
|
||||
<other MARK rules></programlisting>
|
||||
|
||||
<para>Now any traffic that isn't marked by one of your other MARK rules
|
||||
will have mark = 1 and will be sent via ISP1.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>About Shorewall</title>
|
||||
|
||||
|
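Review bot: The FAQ 57 answer tells the reader to leave off 'routefilter' and to "disable any IP Address Spoofing protection that your distribution supplies" without saying what is given up or how far the instruction reaches. Suggest naming the anti-spoofing check that is lost, limiting the instruction to the provider interfaces concerned, and presenting the 'balance' option first so that disabling the filter reads as the fallback. "the other interface(s)" also has no antecedent: other than which interface? Separately, in the FAQ 58 listing, <other MARK rules> appears with literal angle brackets inside <programlisting>; if the file really reads that way it should be escaped as &lt;other MARK rules&gt;. The two answers also punctuate the label differently ("Answer:</emphasis>" versus "Answer</emphasis>:").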
@ -336,36 +336,9 @@
|
||||
specify 'balance' even if you don't need it. You can still
|
||||
use entries in <filename>/etc/shorewall/tcrules</filename>
|
||||
to force traffic to one provider or another.<note>
|
||||
<para>There will be those of you who will say "Those
|
||||
idiots at shorewall.net don't understand. I don't want
|
||||
my traffic balanced so I'm not going to set the
|
||||
'balance' option!" If you are one of those users, then
|
||||
if you can't get your second interface to work, check
|
||||
the mailing list archives -- there have been others
|
||||
before you who also thought that we were fools.</para>
|
||||
</note><note>
|
||||
<para>"Oh Tom -- I don't understand how to use
|
||||
<filename>/etc/shorewall/tcrules</filename> to avoid
|
||||
balancing if I set 'balance' on my interfaces".</para>
|
||||
|
||||
<para>I know -- that is only slightly less complex
|
||||
than brain surgery but let me try to
|
||||
explain:<itemizedlist>
|
||||
<listitem>
|
||||
<para>Your first tcrule should mark all traffic so
|
||||
that it will go out through the "default"
|
||||
provider.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Your remaining rules should be the "exception"
|
||||
rules that mark traffic to go out the other
|
||||
providers.</para>
|
||||
</listitem>
|
||||
</itemizedlist></para>
|
||||
|
||||
<para>I hope that you are not overwelmed by these
|
||||
intricate instructions.</para>
|
||||
<para>If you don't heed this advice then be prepared
|
||||
to read <ulink url="FAQ.htm#faq57">FAQ 57</ulink> and
|
||||
<ulink url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
|
||||
</note></para>
|
||||
</important>
|
||||
|
||||
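Review bot: The pointer paragraph near the end of this hunk, "If you don't heed this advice then be prepared to read FAQ 57 and FAQ 58", does not tell the reader what skipping 'balance' costs. Suggest saying at this point that without 'balance' route filtering and anti-spoofing protection have to be disabled (FAQ 57), and that FAQ 58 shows the tcrules entries that keep traffic on one provider, so the trade-off is visible where the decision is made and not only after following the link.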
@ -377,7 +350,7 @@
|
||||
reported that this change has corrected similar
|
||||
problems.</para>
|
||||
|
||||
<para>The SUSE 10.0 kernel is subject to this problem, and
|
||||
<para>The SuSE 10.0 kernel is subject to this problem, and
|
||||
<ulink
|
||||
url="https://bugzilla.novell.com/show_bug.cgi?id=190908">
|
||||
a kernel oops may result in this circumstance.</ulink>
|
||||
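Review bot: The SUSE/SuSE spelling change in the "10.0 kernel" paragraph is unrelated to the move named in the commit message; suggest dropping it from this commit or settling on one spelling across the document in a separate change. The link text "a kernel oops may result in this circumstance." also pulls the sentence's final period and a leading line break inside <ulink>; the punctuation would sit better outside the element.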
@ -807,4 +780,4 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
|
||||
</section>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|