shorewall-users January 2012 archive

Re: [Shorewall-users] Shorewall gateway - routing issue with dual wan (looking to report possible bug ?)

From: Tom Eastep <teastep_at_nospam>
Date: Tue Jan 10 2012 - 15:51:01 GMT
To: Shorewall Users <>

On Mon, 2012-01-09 at 20:51 -0800, Tom Eastep wrote:
> > On Jan 9, 2012, at 7:51 PM, Nick wrote:
> >> I can reproduce the error by setting the gateways to the same address.
> >
> > Which is a configuration that will never work. Neither Shorewall nor the Linux IP stack will handle that.

I should quantify that. Balancing using a multi-hop default route will
not work in that case. Over the past couple of weeks, I have been
working on an alternative for balancing that does not involve multi-hop
routes. It rather uses the 'Statistic Match' feature in
iptables/Netfilter that allows a rule to match randomly with a specified
probability. I have been running it here at for the last
few days and it seems to work well. It will be available in the next
4.5.0 Beta and will provide relief to users with two WAN Ethernet
interfaces that happen to have the same default gateway.

Here is my providers file:

ComcastB 1 - - eth1 loose,balance
ComcastC 2 - - eth0 detect loose,fallback

I have PROVIDER_OFFSET=16 and PROVIDER_BITS=2 which means that the
'provider mask' is 0x30000, ComcastB's mark is 0x10000 and ComcastC's
mark is 0x20000. I also have TRACK_PROVIDERS=Yes.

Here are the relevant entries in my tcrules file:

0X10000/0x30000 eth2 - ; test=0/0x30000, probability=0.66666667
0x20000/0x30000 eth2 - ; test=0/0x30000
0X10000/0x30000 fw - ; test=0/0x30000, probability=0.66666667
0x20000/0x30000 fw - ; test=0/0x30000

The first two distribute connections from the local LAN (eth2) between
the two providers with a 2:1 advantage to ComcastB. The second two
perform the same distribution for connections originating on the
firewall itself (Note: $FW = 'fw' in my configuration). I include
0/0x30000 in the TEST column because earlier rules may have already
marked the packet based on other criteria.
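As an added illustration (not part of Tom's post or of Shorewall itself), the script below generalizes the two-rule scheme to any number of weighted providers: because each rule only sees packets that earlier rules left unmarked (test=0/mask), rule i must fire with probability w_i divided by the weights of the remaining providers, which for weights 2:1 gives the 0.66666667 above. Provider names, numbers and weights are constructed for the example.

```python
from fractions import Fraction

# Constructed to match the post: PROVIDER_OFFSET=16, PROVIDER_BITS=2 -> mask 0x30000.
PROVIDER_OFFSET = 16
PROVIDER_BITS = 2
PROVIDER_MASK = ((1 << PROVIDER_BITS) - 1) << PROVIDER_OFFSET  # 0x30000


def rule_probabilities(weights):
    """Match probability for each statistic-match rule in order.

    Rule i only sees packets not yet marked by rules before it, so it must
    match with probability w_i / (w_i + w_{i+1} + ... + w_n).  The last rule
    therefore always gets probability 1 and needs no 'probability=' option.
    """
    probs, remaining = [], sum(weights)
    for w in weights:
        probs.append(Fraction(w, remaining))
        remaining -= w
    return probs


def effective_share(weights):
    """Fraction of connections each provider ends up with: the chance that
    every earlier rule missed, times this rule's own probability."""
    shares, missed_so_far = [], Fraction(1)
    for p in rule_probabilities(weights):
        shares.append(missed_so_far * p)
        missed_so_far *= 1 - p
    return shares  # equals w_i / sum(weights) for every provider


def tcrules_lines(providers, source):
    """Render tcrules entries in the form used in the post:
    MARK/MASK SOURCE - ; test=0/MASK[, probability=p]
    providers: list of (name, provider_number, weight); mark = number << offset."""
    lines = []
    weights = [w for _, _, w in providers]
    for (_, number, _), p in zip(providers, rule_probabilities(weights)):
        mark = number << PROVIDER_OFFSET
        opts = f"test=0/{PROVIDER_MASK:#x}"
        if p != 1:
            opts += f", probability={float(p):.8f}"
        lines.append(f"{mark:#x}/{PROVIDER_MASK:#x} {source} - ; {opts}")
    return lines


if __name__ == "__main__":
    # Constructed providers: ComcastB (number 1) gets twice the share of ComcastC (number 2).
    providers = [("ComcastB", 1, 2), ("ComcastC", 2, 1)]
    for src in ("eth2", "fw"):
        print("\n".join(tcrules_lines(providers, src)))
```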

I hope to be able to make this easier to configure before 4.5.0 final;
we'll see.

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car


Shorewall-users mailing list