From 25ccc0ba1298da44c78a693bb34ae750c3e3ecad Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 6 Sep 2008 19:33:59 +0000 Subject: [PATCH] Add working example of two providers on one interface git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8695 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/MultiISP.xml | 277 +++++++++++++++++++++++++++++++--------------- 1 file changed, 189 insertions(+), 88 deletions(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 7d6c81be1..3495d77b2 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml 
@@ -1022,113 +1022,214 @@ gateway:~ #Note that because we used a priority of 1000, the Example: - Providers Blarg (1) and Avvanta (2) are both connected to eth0. The - firewall's IP address with Blarg is - 206.124.146.176/24 (gateway 206.124.146.254) and the IP address from - Avvanta is 130.252.144.8/24 (gateway - 130.252.144.254). We have a second IP address (206.124.146.177) from - Blarg. + This is our home network circa fall 2008. We have two internet + providers: - /etc/shorewall/providers:#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY -Blarg 1 1 main eth0:206.124.146.176 206.124.146.254 ... -Avvanta 2 2 main eth0:130.252.144.8 130.252.144.254 ... - If the same address is used for both + + + Comcast -- Cable modem with one dynamic IP address. + + + + Avvanta -- ADSL with 5 static IP addresses. + + + + Because the old Compaq Presario that I use for a firewall only has + three PCI slots and no onboard Ethernet, it doesn't have enough Ethernet + controllers to support both providers. So I use a Linksys WRT300n pre-N + router as a gateway to that system. + + On my personal laptop (ursa), I have 9 virtual machines running + various Linux distributions. It is the Shorewall configuration + on ursa that I will describe here. + + Below is a diagram of our network: + + The local wired network in my office is connected to both + gateways. The Comcast gateway has local IP address 172.20.1.1 while the + Avvanta gateway has local IP address 172.20.1.1. Ursa's eth0 interface + has a single IP address (172.20.1.130). + + This configuration uses USE_DEFAULT_RT=Yes in + shorewall.conf (see below). + + Here is the providers file:#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY +comcast 1 1 - eth0:172.20.1.130 172.20.1.1 track,loose,balance,optional +avvanta 2 2 - eth0:172.20.1.130 172.20.1.254 track,optional,loose + + Several things to note: + + + + 172.20.1.130 is specified as the eth0 IP address for both + providers. + + + + Both providers have the loose + option. 
This prevents Shorewall from automatically generating + routing rules based on the source IP address. + + + + Only comcast has the + balance option. With + USE_DEFAULT_RT=yes, that means that comcast will be the default provider. While + balance is the default, with + USE_DEFAULT_RT=Yes, it must be specified explicitly when loose is also specified. + + + + Here is the route_rules file:#SOURCE DEST PROVIDER PRIORITY +- 206.124.146.176/31 avvanta 1000 +- 206.124.146.178/31 avvanta 1000 +- 206.124.146.180/32 avvanta 1000 + + Those rules direct traffic to the five static Avvanta IP addresses + through the avvanta provider. + + Here is the tcrules file (MARK_IN_FORWARD_CHAIN=No in + shorewall.conf):#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST LENGTH TOS CONNBYTES HELPER +# PORT(S) +2 $FW 206.124.146.176/31 +2 $FW 0.0.0.0/0 tcp 21 +2 $FW 0.0.0.0/0 tcp - - - - - - - ftp +2 $FW 0.0.0.0/0 tcp 119 + + These rules: + + + + Mark traffic from 206.124.146.176 and 206.124.146.177 to be + associated with avvanta. + + + + Use avvanta for FTP. + + + + Use avvanta for NTTP + + + + The remaining files are for a rather standard two-interface config + with a bridge as the local interface. + + zones:#ZONE IPSEC OPTIONS IN OUT +# ONLY OPTIONS OPTIONS +fw firewall +lan ipv4 +net ipv4 +kvm ipv4policy:net net NONE +lan lan NONE +fw net ACCEPT +fw lan ACCEPT +fw kvm ACCEPT +kvm all ACCEPT +lan fw ACCEPT +net lan NONE +lan net NONE +net all DROP info +all all REJECT info + + interfaces:#ZONE INTERFACE BROADCAST OPTIONS GATEWAY +# +net eth0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional,arp_ignore +net wlan0 detect dhcp,tcpflags,routefilter,blacklist,logmartians,optional +lan tun0 detect optional #OpenVPN +kvm br0 detect routeback #Virtual Machines + wlan0 is the wireless adapter in the notebook. Used when I'm + not in the office. 
- /etc/shorewall/masq:#INTERFACE SOURCE ADDRESS -eth0(Blarg) 130.252.144.8 206.124.146.176 -eth0(Avvanta) 206.124.146.176 130.252.144.8 -eth0(Blarg) eth1 206.124.146.176 -eth0(Avvanta) eth1 130.252.144.8 - /etc/shorewall/route_rules: - - #SOURCE DEST PROVIDER PRIORITY -- 206.124.146.0/24 Blarg 1000 -- 130.252.144.0/24 Avvanta 1000 -206.124.146.177 - Blarg 26000 - - /etc/shorewall/tcrules:#MARK/CLASSIFY SOURCE DEST PROTO -1:P eth0:206.124.146.0/24 0.0.0.0/0 -2:P eth0:130.252.144.8/24 0.0.0.0/0 + masq:#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +tun0 192.168.0.0/24 +eth0 192.168.0.0/24 +wlan0 192.168.0.0/24 - -
- ROUTE_BALANCE (Experimental) +
+ USE_DEFAULT_RT - Beginning with Shorewall 4.2.0 Beta3, Shorewall-perl has supported a - ROUTE_BALANCE option in shorewall.conf (5). + Beginning with Shorewall 4.2.0 Beta3, Shorewall-perl has supported + a USE_DEFAULT_RT option in shorewall.conf (5). - ROUTE_BALANCE=Yes is marked as Experimental currently. This means - that it is a 'use at your own risk' feature; if you encounter problems, - the Shorewall support staff may not be able to provide you with a quick - solution. + One of the drawbacks of the Mulit-ISP support as described in the + preceding section is that changes to the main table made by applications + are not added to the individual provider tables. This makes route rules + such as described in one of the examples + above necessary. - One of the drawbacks of the Mulit-ISP support as described in the - preceding section is that changes to the main table made by applications - are not added to the individual provider tables. This makes route rules - such as described in one of the examples - above necessary. + USE_DEFAULT_RT=Yes works around that problem by passing packets + through the main table first rather than last. This has a number of + implications: - ROUTE_BALANCE=Yes works around that problem by passing packets - through the main table first rather than last. This has a number of - implications: + + + Both the DUPLICATE and the COPY columns in the providers file + must remain empty or contain "-". The individual provider routing + tables generated when USE_DEFAULT_RT=Yes contain only a host route + to the gateway and a default route via the gateway. + - - - Both the DUPLICATE and the COPY columns in the providers file - must remain empty or contain "-". The individual provider routing - tables generated when ROUTE_BALANCE=Yes contain only a host route to - the gateway and a default route via the gateway. - + + The balance option is assumed + for all interfaces that do not have the loose option. 
When you want both balance and loose, both must be specified. + - - The balance option is assumed for all interfaces that do not - have the loose option. - + + The default route generated by Shorewall is added to the + default routing table (253) rather than to the + main routing table (254). + - - The default route generated by Shorewall is added to the - default routing table (253) rather than to the - main routing table (254). - + + Packets are sent through the main routing table by a routing + rule with priority 999. In ), the priority range 1-998 may be used + for inserting rules that bypass the main table. + - - Packets are sent through the main routing table by a routing - rule with priority 999. In ), the priority range 1-998 may be used for - inserting rules that bypass the main table. - + + All provider gateways must be specified explicitly in the + GATEWAY column. 'detect' may not be specified. Note that for ppp + interfaces, the GATEWAY may remain unspecified ("-"). + - - All provider gateways must be specified explicitly in the - GATEWAY column. 'detect' may not be specified. Note that for ppp - interfaces, the GATEWAY may remain unspecified ("-"). - + + You should disable all default route management outside of + Shorewall. If a default route is inadvertently added to the main + table while Shorewall is started, then all policy routing will stop + working except for those routing rules in the priority range + 1-998. + + - - You should disable all default route management outside of - Shorewall. If a default route is inadvertently added to the main table - while Shorewall is started, then all policy routing will stop working - except for those routing rules in the priority range 1-998. - - + Although 'balance' is automatically assumed when + USE_DEFAULT_RT=Yes, you can easily cause all traffic to use one provider + except when you explicitly direct it to use the other provider via + shorewall-route_rules + (5) or shorewall-tcrules + (5). 
- Although 'balance' is automatically assumed when ROUTE_BALANCE=Yes, - you can easily cause all traffic to use one provider except when you - explicitly direct it to use the other provider via shorewall-route_rules - (5) or shorewall-tcrules - (5). + Example (send all traffic through the 'shorewall' provider unless + otherwise directed). - Example (send all traffic through the 'shorewall' provider unless - otherwise directed). - - /etc/shorewall/providers:#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS + /etc/shorewall/providers:#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS linksys 1 1 - wlan0 172.20.1.1 track,balance=1,optional shorewall 2 2 - eth0 192.168.1.254 track,balance=2,optional/etc/shorewall/rules:#SOURCE DEST PROVIDER PRIORITY - - shorewall 11999 +
\ No newline at end of file
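Review bot: The gateway addresses in the added prose and the added providers file disagree: the paragraph says "The Comcast gateway has local IP address 172.20.1.1 while the Avvanta gateway has local IP address 172.20.1.1", but the providers entries read `comcast 1 1 - eth0:172.20.1.130 172.20.1.1 ...` and `avvanta 2 2 - eth0:172.20.1.130 172.20.1.254 ...`, so the Avvanta gateway in the prose should be 172.20.1.254 (two providers sharing one gateway address would also defeat the whole example). Two smaller points in the same region: the tcrules entry `2 $FW 206.124.146.176/31` has the addresses in the DEST column, yet the bullet describing it says "Mark traffic from 206.124.146.176 and 206.124.146.177", so either the rule or the description should say "to"; and "Use avvanta for NTTP" should read NNTP, matching the `tcp 119` rule. Also worth cleaning up while touching this section: the surviving context still says "Mulit-ISP" and contains the truncated sentence "In ), the priority range 1-998 may be used ...", and the closing example labels its route_rules listing as "/etc/shorewall/rules", which is a different file.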