When one has multiple upstream IPv6 (can happen with IPv4 also if you
happen to have routable IPv4 space in your LAN from your ISP rather
than NATting on a single address -- but this is probably pretty rare)
connections, there doesn't seem to be any mechanism in place in
Shorewall to ensure that packets from the LAN with a source IP address
in ISP A's address space are actually directed out of the ISP A
interface.

I am actually seeing on my Shorewall machine where my LAN host chooses
to use a source address given to it on ISP A's network yet Shorewall is
sending that packet out on ISP B's interface.

It seems to me that there ought to be route rules (ip -6 rule add from
...) forcing packets to the ISPs for which their source address has
been chosen.

Maybe there is already an option to enforce this buried somewhere.

Cheers,
b.
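
The source-address rules asked about above, as an added example that is not part of the original post and is not Shorewall's own code or configuration: a dry-run generator for plain iproute2 commands. The provider names, table numbers, interfaces, gateways and prefixes are constructed (2001:db8::/32 is the documentation range).

```shell
#!/bin/sh
# Added example: emit source-based policy routing commands for two IPv6
# uplinks. Every value in PROVIDERS is constructed for illustration.

# One provider per line: name table-id interface gateway delegated-prefix
PROVIDERS='ispA 100 eth0 fe80::1 2001:db8:a::/48
ispB 200 eth1 fe80::2 2001:db8:b::/48'

# Print the commands for every provider; nothing is applied.
# Review the output, then pipe it to "sh -x" as root to apply it.
gen_source_routing() {
    printf '%s\n' "$PROVIDERS" | while read -r name table ifc gw prefix; do
        [ -n "$name" ] || continue
        # Traffic *to* a delegated prefix stays on the main table, so
        # LAN-to-LAN packets are not pushed out to the ISP by the rule below.
        echo "ip -6 rule add to $prefix lookup main priority $((500 + $table))"
        # Per-provider table holding only that provider's default route.
        echo "ip -6 route replace default via $gw dev $ifc table $table"
        # Anything sourced from the provider's prefix uses that table.
        echo "ip -6 rule add from $prefix lookup $table priority $((1000 + $table))"
    done
}

# Return the interface a given source prefix is pinned to (empty if none).
egress_for_prefix() {
    printf '%s\n' "$PROVIDERS" | awk -v p="$1" '$5 == p { print $3 }'
}

# Dry run: show what would be installed.
gen_source_routing
```

After applying, `ip -6 rule show` and `ip -6 route get <destination> from <source address> iif <LAN interface>` confirm which uplink a given source address will leave by.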
