diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 7d6c81be1..3495d77b2 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1022,113 +1022,214 @@ gateway:~ #Note that because we used a priority of 1000, the
Example:
- Providers Blarg (1) and Avvanta (2) are both connected to eth0. The
- firewall's IP address with Blarg is
- 206.124.146.176/24 (gateway 206.124.146.254) and the IP address from
- Avvanta is 130.252.144.8/24 (gateway
- 130.252.144.254). We have a second IP address (206.124.146.177) from
- Blarg.
+ This is our home network circa fall 2008. We have two internet
+ providers:
- /etc/shorewall/providers:#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY
-Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ...
-Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ...
- If the same address is used for both
+
+
+ Comcast -- Cable modem with one dynamic IP address.
+
+
+
+ Avvanta -- ADSL with 5 static IP addresses.
+
+
+
+ Because the old Compaq Presario that I use for a firewall only has
+ three PCI slots and no onboard Ethernet, it doesn't have enough Ethernet
+ controllers to support both providers. So I use a Linksys WRT300n pre-N
+ router as a gateway to that system.
+
+ On my personal laptop (ursa), I have 9 virtual machines running
+ various Linux distributions. It is the Shorewall configuration
+ on ursa that I will describe here.
+
+ Below is a diagram of our network:
+
+ The local wired network in my office is connected to both
+ gateways. The Comcast gateway has local IP address 172.20.1.1 while the
+ Avvanta gateway has local IP address 172.20.1.1. Ursa's eth0 interface
+ has a single IP address (172.20.1.130).
+
+ This configuration uses USE_DEFAULT_RT=Yes in
+ shorewall.conf (see below).
+
+ Here is the providers file:#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+comcast 1 1 - eth0:172.20.1.130 172.20.1.1 track,loose,balance,optional
+avvanta 2 2 - eth0:172.20.1.130 172.20.1.254 track,optional,loose
+
+ Several things to note:
+
+
+
+ 172.20.1.130 is specified as the eth0 IP address for both
+ providers.
+
+
+
+ Both providers have the loose
+ option. This prevents Shorewall from automatically generating
+ routing rules based on the source IP address.
+
+
+
+ Only comcast has the
+ balance option. With
+ USE_DEFAULT_RT=yes, that means that comcast will be the default provider. While
+ balance is the default, with
+ USE_DEFAULT_RT=Yes, it must be specified explicitly when loose is also specified.
+
+
+
+ Here is the route_rules file:#SOURCE DEST PROVIDER PRIORITY
+- 206.124.146.176/31 avvanta 1000
+- 206.124.146.178/31 avvanta 1000
+- 206.124.146.180/32 avvanta 1000
+
+ Those rules direct traffic to the five static Avvanta IP addresses
+ through the avvanta provider.
+
+ Here is the tcrules file (MARK_IN_FORWARD_CHAIN=No in
+ shorewall.conf):#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER
+# PORT(S)
+2 $FW 206.124.146.176/31
+2 $FW 0.0.0.0/0 tcp 21
+2 $FW 0.0.0.0/0 tcp - - - - - - - ftp
+2 $FW 0.0.0.0/0 tcp 119
+
+ These rules:
+
+
+
+ Mark traffic from 206.124.146.176 and 206.124.146.177 to be
+ associated with avvanta.
+
+
+
+ Use avvanta for FTP.
+
+
+
+ Use avvanta for NTTP
+
+
+
+ The remaining files are for a rather standard two-interface config
+ with a bridge as the local interface.
+
+ zones:#ZONE IPSEC OPTIONS IN OUT
+# ONLY OPTIONS OPTIONS
+fw firewall
+lan ipv4
+net ipv4
+kvm ipv4policy:net net NONE
+lan lan NONE
+fw net ACCEPT
+fw lan ACCEPT
+fw kvm ACCEPT
+kvm all ACCEPT
+lan fw ACCEPT
+net lan NONE
+lan net NONE
+net all DROP info
+all all REJECT info
+
+ interfaces:#ZONE INTERFACE BROADCAST OPTIONS GATEWAY
+#
+net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore
+net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional
+lan tun0 detect optional #OpenVPN
+kvm br0 detect routeback #Virtual Machines
+ wlan0 is the wireless adapter in the notebook. Used when I'm
+ not in the office.
- /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS
-eth0(Blarg) 130.252.144.8 206.124.146.176
-eth0(Avvanta) 206.124.146.176 130.252.144.8
-eth0(Blarg) eth1 206.124.146.176
-eth0(Avvanta) eth1 130.252.144.8
- /etc/shorewall/route_rules:
-
- #SOURCE DEST PROVIDER PRIORITY
-- 206.124.146.0/24 Blarg 1000
-- 130.252.144.0/24 Avvanta 1000
-206.124.146.177 - Blarg 26000
-
- /etc/shorewall/tcrules:#MARK/CLASSIFY SOURCE DEST PROTO
-1:P eth0:206.124.146.0/24 0.0.0.0/0
-2:P eth0:130.252.144.8/24 0.0.0.0/0
+ masq:#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
+tun0 192.168.0.0/24
+eth0 192.168.0.0/24
+wlan0 192.168.0.0/24
-
-
- ROUTE_BALANCE (Experimental)
+
+ USE_DEFAULT_RT
- Beginning with Shorewall 4.2.0 Beta3, Shorewall-perl has supported a
- ROUTE_BALANCE option in shorewall.conf (5).
+ Beginning with Shorewall 4.2.0 Beta3, Shorewall-perl has supported
+ a USE_DEFAULT_RT option in shorewall.conf (5).
- ROUTE_BALANCE=Yes is marked as Experimental currently. This means
- that it is a 'use at your own risk' feature; if you encounter problems,
- the Shorewall support staff may not be able to provide you with a quick
- solution.
+ One of the drawbacks of the Mulit-ISP support as described in the
+ preceding section is that changes to the main table made by applications
+ are not added to the individual provider tables. This makes route rules
+ such as described in one of the examples
+ above necessary.
- One of the drawbacks of the Mulit-ISP support as described in the
- preceding section is that changes to the main table made by applications
- are not added to the individual provider tables. This makes route rules
- such as described in one of the examples
- above necessary.
+ USE_DEFAULT_RT=Yes works around that problem by passing packets
+ through the main table first rather than last. This has a number of
+ implications:
- ROUTE_BALANCE=Yes works around that problem by passing packets
- through the main table first rather than last. This has a number of
- implications:
+
+
+ Both the DUPLICATE and the COPY columns in the providers file
+ must remain empty or contain "-". The individual provider routing
+ tables generated when USE_DEFAULT_RT=Yes contain only a host route
+ to the gateway and a default route via the gateway.
+
-
-
- Both the DUPLICATE and the COPY columns in the providers file
- must remain empty or contain "-". The individual provider routing
- tables generated when ROUTE_BALANCE=Yes contain only a host route to
- the gateway and a default route via the gateway.
-
+
+ The balance option is assumed
+ for all interfaces that do not have the loose option. When you want both balance and loose, both must be specified.
+
-
- The balance option is assumed for all interfaces that do not
- have the loose option.
-
+
+ The default route generated by Shorewall is added to the
+ default routing table (253) rather than to the
+ main routing table (254).
+
-
- The default route generated by Shorewall is added to the
- default routing table (253) rather than to the
- main routing table (254).
-
+
+ Packets are sent through the main routing table by a routing
+ rule with priority 999. In ), the priority range 1-998 may be used
+ for inserting rules that bypass the main table.
+
-
- Packets are sent through the main routing table by a routing
- rule with priority 999. In ), the priority range 1-998 may be used for
- inserting rules that bypass the main table.
-
+
+ All provider gateways must be specified explicitly in the
+ GATEWAY column. 'detect' may not be specified. Note that for ppp
+ interfaces, the GATEWAY may remain unspecified ("-").
+
-
- All provider gateways must be specified explicitly in the
- GATEWAY column. 'detect' may not be specified. Note that for ppp
- interfaces, the GATEWAY may remain unspecified ("-").
-
+
+ You should disable all default route management outside of
+ Shorewall. If a default route is inadvertently added to the main
+ table while Shorewall is started, then all policy routing will stop
+ working except for those routing rules in the priority range
+ 1-998.
+
+
-
- You should disable all default route management outside of
- Shorewall. If a default route is inadvertently added to the main table
- while Shorewall is started, then all policy routing will stop working
- except for those routing rules in the priority range 1-998.
-
-
+ Although 'balance' is automatically assumed when
+ USE_DEFAULT_RT=Yes, you can easily cause all traffic to use one provider
+ except when you explicitly direct it to use the other provider via
+ shorewall-route_rules
+ (5) or shorewall-tcrules
+ (5).
- Although 'balance' is automatically assumed when ROUTE_BALANCE=Yes,
- you can easily cause all traffic to use one provider except when you
- explicitly direct it to use the other provider via shorewall-route_rules
- (5) or shorewall-tcrules
- (5).
+ Example (send all traffic through the 'shorewall' provider unless
+ otherwise directed).
- Example (send all traffic through the 'shorewall' provider unless
- otherwise directed).
-
- /etc/shorewall/providers:#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+ /etc/shorewall/providers:#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
linksys 1 1 - wlan0 172.20.1.1 track,balance=1,optional
shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional/etc/shorewall/rules:#SOURCE DEST PROVIDER PRIORITY
- - shorewall 11999
+
\ No newline at end of file
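Review bot: the new prose after "Below is a diagram of our network" gives both gateways the same address ("The Comcast gateway has local IP address 172.20.1.1 while the Avvanta gateway has local IP address 172.20.1.1"), but the providers listing that follows has avvanta's GATEWAY as 172.20.1.254, so the second occurrence should read 172.20.1.254. Smaller points in the same hunk: the tcrules description says the first rule marks traffic "from 206.124.146.176 and 206.124.146.177", yet the rule is "2 $FW 206.124.146.176/31", which puts $FW in SOURCE and the /31 in DEST, so the sentence should say "to", matching the route_rules paragraph that already says "traffic to the five static Avvanta IP addresses"; "Use avvanta for NTTP" should be NNTP (tcp 119) and is missing the period the other list items have; "USE_DEFAULT_RT=yes" in the balance note is lowercase while every other mention is USE_DEFAULT_RT=Yes; "Mulit-ISP" and the dangling "In ), the priority range 1-998" are carried over unchanged from the removed text and could be fixed while this section is being rewritten. Finally, at the end of the hunk the only entry of the closing example's second listing ("- - shorewall 11999") is deleted and replaced with a blank line, leaving that listing empty although the example text still says traffic goes through the 'shorewall' provider "unless otherwise directed"; either restore the rule or drop the now-empty listing, and note that the listing is labelled /etc/shorewall/rules even though its columns (SOURCE DEST PROVIDER PRIORITY) are route_rules columns.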