Discussion:
[Shorewall-users] Q: 2 Links (providers) Behaviour
andreil1
2017-05-12 08:27:41 UTC
Hi,

I have 2 links and this config:

LTC1 1 0x1 - eth0 gw1.xx.xx.xx track,balance=1 -
BTC2 2 0x2 - eth1 gw2.yy.yy.yy track -

net eth0 tcpflags,nosmurfs,rpfilter,sourceroute=0
net eth1 tcpflags,nosmurfs,rpfilter,sourceroute=0
loc eth2 tcpflags,nosmurfs,rpfilter
dmz eth3 routeback

Activity indicator shows that traffic goes through eth0 provider LTC1.
Disconnecting cable (provider LTC1) simply stops traffic.
BTC2 seems to be silent - no traffic.

What is wrong with my config?
Basically I need either failover (BTC2 as backup) or load balancing.
In other words, failure of any provider should not result in stopped traffic.

Thanks in advance.
Andrei
Simon Hobson
2017-05-12 09:55:38 UTC
Post by andreil1
> LTC1 1 0x1 - eth0 gw1.xx.xx.xx track,balance=1 -
> BTC2 2 0x2 - eth1 gw2.yy.yy.yy track -
> net eth0 tcpflags,nosmurfs,rpfilter,sourceroute=0
> net eth1 tcpflags,nosmurfs,rpfilter,sourceroute=0
> loc eth2 tcpflags,nosmurfs,rpfilter
> dmz eth3 routeback
> Activity indicator shows that traffic goes through eth0 provider LTC1.
> Disconnecting cable (provider LTC1) simply stops traffic.
> BTC2 seems to be silent - no traffic.
> What is wrong with my config?
> Basically I need either failover (BTC2 as backup) or load balancing.
> In other words, failure of any provider should not result in stopped traffic.
You need some form of state monitor that will "shorewall disable LTC1" if that connection is down. With PPP connections (xDSL) it's easy* because there are glue scripts called by pppd when links come up/go down. With ethernet, you are probably best using a link state monitor daemon that will ping a particular address and provide the link up/down events needed. IME, just monitoring for the ethernet link state isn't going to be very useful - local ISP router still up, internet connection behind it down.

* Well mostly. We had a case at work a few weeks back when a fixed IP got assigned to another customer of the ISP. Our client lost connectivity as the router could see the PPP link was up, it's just that the ISP wasn't routing traffic back to them!
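The monitor Simon describes, written out as an added example (it is not code from the thread, from Shorewall, or from any link-monitor daemon): each provider is probed by pinging a reachability target out of that provider's interface, and only a change of state triggers "shorewall disable" or "shorewall enable" for the provider named in the providers file. The probe address 203.0.113.1 is a constructed placeholder, the state directory and the cron-driven run are assumptions, and DRY_RUN=1 prints the shorewall command instead of running it. Probing a real address beyond the ISP router, rather than watching carrier on eth0/eth1, is what catches the "router up, internet behind it down" case from the reply.

```shell
#!/bin/sh
# provider-monitor.sh - added example of a ping-based link state monitor
# for two Shorewall providers (LTC1 on eth0, BTC2 on eth1).
# Assumptions (not from the original post): state is kept in STATE_DIR,
# PROBE_ADDR is a host that answers ping beyond both ISP routers, and
# "shorewall enable|disable <provider>" takes the provider out of or back
# into the routing tables.

STATE_DIR="${STATE_DIR:-/var/run/provider-monitor}"
PROBE_ADDR="${PROBE_ADDR:-203.0.113.1}"   # constructed placeholder address
DRY_RUN="${DRY_RUN:-0}"

# Pure decision function: given the recorded state (up/down) and the probe
# result (0 = reachable, non-zero = unreachable), print the action to take.
# Only a state transition produces an action, so a provider that stays down
# is not "disabled" again on every run.
decide_action() {
    state="$1"; probe_rc="$2"
    if [ "$probe_rc" -eq 0 ]; then
        if [ "$state" = "down" ]; then echo enable; else echo none; fi
    else
        if [ "$state" = "up" ]; then echo disable; else echo none; fi
    fi
}

# Probe one provider: 3 pings, 2 s timeout each, bound to the interface.
# $1 = interface. Returns ping's exit status.
probe_provider() {
    ping -I "$1" -c 3 -W 2 "$PROBE_ADDR" >/dev/null 2>&1
}

# Apply an action to a provider. $1 = provider name, $2 = enable|disable|none.
apply_action() {
    case "$2" in
        enable|disable)
            if [ "$DRY_RUN" = "1" ]; then
                echo "would run: shorewall $2 $1"
            else
                shorewall "$2" "$1"
            fi ;;
    esac
}

# Check one provider and record its new state. $1 = provider, $2 = interface.
# A provider with no state file is assumed up (Shorewall enables it at start).
check_provider() {
    mkdir -p "$STATE_DIR"
    state_file="$STATE_DIR/$1.state"
    state=$(cat "$state_file" 2>/dev/null || echo up)
    if probe_provider "$2"; then rc=0; else rc=1; fi
    action=$(decide_action "$state" "$rc")
    apply_action "$1" "$action"
    case "$action" in
        enable)  echo up   > "$state_file" ;;
        disable) echo down > "$state_file" ;;
    esac
}

main() {
    check_provider LTC1 eth0
    check_provider BTC2 eth1
}

# Run the checks only when executed as a script (e.g. from cron every minute),
# not when the file is sourced for its functions.
case "$0" in
    */provider-monitor.sh|provider-monitor.sh) main ;;
esac
```

With track,balance=1 on LTC1 only, disabling LTC1 removes its routes and leaves BTC2 as the only path; when the probe succeeds again the monitor re-enables LTC1. Shorewall's multi-ISP documentation describes the same enable/disable pattern driven by the lsm daemon, which is the packaged alternative to a script like this one.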