[Shorewall-users] Multi-ISP, mangle, rtrules

Tom Eastep

2016-06-08 17:57:52 UTC

Post by Holger Schramm
Hi there,
i am struggeling with the setup of mangle and rtrules.
- provider 1: mark 256
- provider 2: mark 512
- ip based routing via rtrules works
- port/app based routing via marking does not work
i connect to an ip via ssh and port 47238
i get a connection but it is stalled and unusable.
it feels like the backroute is not working, or packages are lost
mangle superseeds rtrules
mark 256
route via provider 1
route via provider given in rtrules
I have added a shorewall dump to this mail and appreciate your help.

You need to disable rp_filter route filtering; I suspect that your
system log is full of martian messages. Set ROUTE_FILTER=No in
shorewall.conf and be sure that *routefilter* isn't specified on your
provider interfaces. Also check /etc/sysctl.conf to be sure that it
isn't enabling rp_filter (net.ipv4.conf.all.rp_filter=1). If you want
route filtering on those interfaces, use the *rpfilter* option instead.

One word of caution -- you have a large number of rtrules with priority
< 10000. If the hosts in those rules connect to your network via an
interface other than the one specified in the rule, the connection will
not work because the replies will go out of the rule-specified interface
rather than the interface that accepted the connection.

-Tom

--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________