Move Multi-ISP/routefilter information to FAQ

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4511 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-09-04 14:45:19 +00:00
parent 848a48e462
commit f33287f1b4
2 changed files with 43 additions and 32 deletions


@ -1620,6 +1620,44 @@ iptables: Invalid argument
</section> </section>
</section> </section>
<section>
<title>Multiple ISPs</title>
<section id="faq57">
<title>(FAQ 57) I configured two ISPs in Shorewall but when I try to use
the second one, it doesn't work.</title>
<para><emphasis role="bold">Answer:</emphasis> The Multi-ISP
Documentation strongly recommends that you use the 'balance' option on
all providers even if you want to manually specify which ISP to use. If
you don't do that so that your main routing table only has one default
route, then you must disable route filtering. Do not specify the
'routefilter' option on the other interface(s) in
<filename>/etc/shorewall/interfaces</filename> and disable any
<emphasis>IP Address Spoofing</emphasis> protection that your
distribution supplies.</para>
</section>
<section id="faq58">
<title>(FAQ 58) But if I specify 'balance' then won't Shorewall balance
the traffic between the interfaces? I don't want that!</title>
<para><emphasis role="bold">Answer</emphasis>: Suppose that you want all
traffic to go out through ISP1 (mark 1) unless you specify otherwise;
your internal interface is <filename class="devicefile">eth0</filename>.
Then simply add these two rules as the first marking rules in your
<filename>/etc/shorewall/tcrules</filename> file:</para>
<programlisting>#MARK SOURCE DEST
1 eth0
1 $FW
&lt;other MARK rules&gt;</programlisting>
<para>Now any traffic that isn't marked by one of your other MARK rules
will have mark = 1 and will be sent via ISP1.</para>
</section>
</section>
<section> <section>
<title>About Shorewall</title> <title>About Shorewall</title>
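Review bot: In the FAQ 57 answer, the sentence "Do not specify the 'routefilter' option on the other interface(s) ... and disable any IP Address Spoofing protection that your distribution supplies" tells the reader to switch off an anti-spoofing control without saying what is lost or how far the change should reach. Suggest naming the interfaces meant by "the other interface(s)" (the provider interfaces, if that is the intent), stating that packets with spoofed source addresses will no longer be dropped on them, and saying plainly that setting 'balance' avoids the need to disable route filtering, which the preceding sentence only implies. Minor: "If you don't do that so that your main routing table only has one default route" is hard to parse, and the colon sits inside the bold emphasis in FAQ 57 but outside it in FAQ 58.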


@ -336,36 +336,9 @@
specify 'balance' even if you don't need it. You can still specify 'balance' even if you don't need it. You can still
use entries in <filename>/etc/shorewall/tcrules</filename> use entries in <filename>/etc/shorewall/tcrules</filename>
to force traffic to one provider or another.<note> to force traffic to one provider or another.<note>
<para>There will be those of you who will say "Those <para>If you don't heed this advice then be prepared
idiots at shorewall.net don't understand. I don't want to read <ulink url="FAQ.htm#faq57">FAQ 57</ulink> and
my traffic balanced so I'm not going to set the <ulink url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
'balance' option!" If you are one of those users, then
if you can't get your second interface to work, check
the mailing list archives -- there have been others
before you who also thought that we were fools.</para>
</note><note>
<para>"Oh Tom -- I don't understand how to use
<filename>/etc/shorewall/tcrules</filename> to avoid
balancing if I set 'balance' on my interfaces".</para>
<para>I know -- that is only slightly less complex
than brain surgery but let me try to
explain:<itemizedlist>
<listitem>
<para>Your first tcrule should mark all traffic so
that it will go out through the "default"
provider.</para>
</listitem>
<listitem>
<para>Your remaining rules should be the "exception"
rules that mark traffic to go out the other
providers.</para>
</listitem>
</itemizedlist></para>
<para>I hope that you are not overwelmed by these
intricate instructions.</para>
</note></para> </note></para>
</important> </important>
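Review bot: The replacement note "If you don't heed this advice then be prepared to read FAQ 57 and FAQ 58" keeps the scolding tone of the text it removes and does not tell the reader what the two FAQs contain. Suggest wording it as a pointer, for example that FAQ 57 covers what must change when 'balance' is not set and FAQ 58 shows the tcrules entries that send all traffic through one provider. The removed list also stated the general rule (the first tcrule marks everything for the default provider, the remaining rules are the exceptions); FAQ 58 shows it only through one example, so consider carrying that sentence over.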
@ -377,7 +350,7 @@
reported that this change has corrected similar reported that this change has corrected similar
problems.</para> problems.</para>
<para>The SUSE 10.0 kernel is subject to this problem, and <para>The SuSE 10.0 kernel is subject to this problem, and
<ulink <ulink
url="https://bugzilla.novell.com/show_bug.cgi?id=190908"> url="https://bugzilla.novell.com/show_bug.cgi?id=190908">
a kernel oops may result in this circumstance.</ulink> a kernel oops may result in this circumstance.</ulink>
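Review bot: The "SUSE 10.0" to "SuSE 10.0" change in this hunk is unrelated to moving the Multi-ISP/routefilter text to the FAQ and is not mentioned in the commit message. Suggest dropping it from this commit or committing it separately, after checking which spelling the rest of the document uses.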
@ -807,4 +780,4 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
</section> </section>
</section> </section>
</section> </section>
</article> </article>