Marcelo Bello
2016-09-26 02:27:09 UTC
Hello Tom,
I have 2 ISPs for redundancy, one is pppoe based and is the "main" link.
When this pppoe connection goes down (usually on ppp0 interface), I have
an 'ip-down' script that will run "shorewall disable main" and when the
pppoe connection goes up the 'ip-up' runs "shorewall enable main". This is
an ubuntu server 16.04.1 box with shorewall 5.0.4.
The good thing with pppoe in that interface is that pppoe protocol has
its own timers so if the link actually goes down it automatically brings
the ppp+ interface down which I use to trigger the ip-up/ip-down scripts.
*The bug:* when I run 'shorewall disable main' after the ppp0 interface
is down, shorewall will print the message "Device "ppp0" does not exist."
and fail to set the firewall so that all connections go through the backup
link. A workaround is to run
"shorewall restart" instead whenever 'main' goes down and then only
"shorewall enable main" when it is back up.
Hence, I think "shorewall disable <provider>" should not rely on the
provider interface to be up to work.
*Contents of providers file:*
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE    GATEWAY  OPTIONS            COPY
backup  1       255   -          eth1         detect   track,balance=1    -
main    3       254   -          $VIVO_IFACE  -        track,balance=100  -
Best regards,
Marcelo
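As an added illustration of the workaround described in this post (this is not Marcelo's script, and the hook layout, the /sbin/shorewall path and the SHOREWALL/PROVIDER variables are assumptions): a pppd hook that tries "shorewall disable main" when ppp0 goes down and falls back to "shorewall restart" if the disable fails because the device is already gone.

```shell
#!/bin/sh
# Added example, not part of the original post. pppd runs its ip-down/ip-up
# hooks with the interface name as $1 and exports PPP_IFACE to them.
# SHOREWALL and PROVIDER are assumed names; override them to test with a stub.
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"
PROVIDER="${PROVIDER:-main}"   # provider NAME from the providers file

log() { logger -t ppp-shorewall "$*" 2>/dev/null || echo "ppp-shorewall: $*" >&2; }

# ip-down: the ppp interface is already gone here, so "shorewall disable"
# can fail with 'Device "ppp0" does not exist.' and leave routing untouched.
# Fall back to a full restart so traffic is forced over the backup provider.
provider_down() {
    iface="$1"
    if "$SHOREWALL" disable "$PROVIDER"; then
        log "disabled provider $PROVIDER ($iface is down)"
        return 0
    fi
    log "disable $PROVIDER failed ($iface already removed); restarting shorewall"
    "$SHOREWALL" restart
}

# ip-up: the interface exists again, so a plain enable is sufficient.
provider_up() {
    iface="$1"
    "$SHOREWALL" enable "$PROVIDER" && log "enabled provider $PROVIDER on $iface"
}

# Dispatch only when invoked by pppd; install the same file as
# /etc/ppp/ip-down.d/shorewall and /etc/ppp/ip-up.d/shorewall (assumed paths).
if [ -n "${PPP_IFACE:-}" ]; then
    case "$0" in
        */ip-down.d/*) provider_down "$1" ;;
        */ip-up.d/*)   provider_up "$1" ;;
    esac
fi
```

Check /var/log/syslog for the ppp-shorewall tag after a link flap to confirm which path was taken.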