-----Original Message-----
From: Tom Eastep
Sent: Saturday, May 4, 2019 7:44 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Switching between multi-ISP
On 5/4/19 7:52 AM, Andrey Andreev wrote:
> In the last weeks we had a lot of holidays and I did some more testing.
> The default route in table 254 showed up because on some adapters DEFROUTE=yes. I
> still cannot set DEFROUTE=no on the ISP A1 adapter connecting to the GPRS router with
> a static IP. With DEFROUTE=no it does not accept a GW (in the NetworkManager GUI) and
> there is no internet connection. Below is the ifcfg-enp1s0 file which NM
> creates for legacy as far as I understood:
>
> HWADDR=50:3E:AA:04:A5:80
> MACADDR=50:3E:AA:04:A5:80
> TYPE=Ethernet
> PROXY_METHOD=none
> BROWSER_ONLY=no
> BOOTPROTO=none
> IPADDR=192.168.42.253
> PREFIX=24
> GATEWAY=192.168.42.1
> DEFROUTE=yes
> IPV4_FAILURE_FATAL=no
> IPV4_DNS_PRIORITY=100
> IPV6INIT=no
> NAME=enp1s0
> UUID=56586d38-7ac7-4f21-ba06-21879d410363
> DEVICE=enp1s0
> ONBOOT=yes
>
> The adapter to ISP N3 has dhcp settings (static IP address over DHCP), it
> gets GW from ISP:
>
> HWADDR=84:16:F9:06:D9:F9
> MACADDR=84:16:F9:06:D9:F9
> TYPE=Ethernet
> PROXY_METHOD=none
> BROWSER_ONLY=no
> BOOTPROTO=dhcp
> DNS1=8.8.8.8
> DNS2=8.8.4.4
> DNS3=10.10.10.10
> DEFROUTE=no
> PEERDNS=no
> IPV4_FAILURE_FATAL=no
> IPV6INIT=no
> NAME=enp3s0
> UUID=ded60b05-53c5-457d-adc5-58b54481ca67
> ONBOOT=yes
>
> Some lines advised in http://www.shorewall.org/MultiISP.html in "DHCP with
> USE_DEFAULT_RT" section are missing in my config:
> PERSISTENT_DHCLIENT=yes
> PEERDNS=no
> PEERNTP=no
> DHCLIENTARGS="-nc"
> If not created from within the NM GUI, these records are deleted when connection
> parameters are edited; how can I insert them in NM?
No idea -- I've never used NM on a firewall.
>
> Could it be that NM messes up the routing? I noticed that NM adds a default route
> when the A1 NIC goes up-->down-->up and a manual shorewall restart is needed to
> clean it.
Yes -- that sounds like what is happening.
>
> I did one more test: stopped NM and tried to start the old simple
> network.service, but it fails with "Failed to start LSB: Bring up/down
> networking" which I could not solve.
> systemd-networkd starts OK but the routing records do not change at all when an ISP
> is up/down. I guess the NICs' state is not monitored dynamically.
>
Then, I would use systemd-networkd for network configuration, rather
than NM. You want FooLSM alone to be monitoring the link state.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Thanks for the advice! I followed it and switched to systemd-networkd. NM is
stopped & disabled.
But the issue with the default route being pushed into table 254 by the connection
with a static IP still persists. Here is the new network connection setup:
# /etc/systemd/network/10_enp3s0.network
[Match]
Name=enp3s0
[Network]
Description=enp3s0 - ISP #1
DHCP=ipv4
DNS=8.8.8.8
DNS=8.8.4.4
[DHCP]
#UseRoutes=false
RouteMetric=50
# /etc/systemd/network/20_enp1s0.network
[Match]
Name=enp1s0
[Network]
Description=enp1s0 - ISP #2
Address=192.168.42.253/24
DNS=8.8.8.8
DNS=8.8.4.4
[Route]
Gateway=192.168.42.1
Metric=200
In this state, after a network restart or cable plug-out/plug-in, 2 default routes are
created in table 254:
default via GW1 dev enp3s0 proto dhcp src WAN1 metric 50
default via 192.168.42.1 ..... metric 200
Manual shorewall restart is required to clean them.
Uncommenting #UseRoutes=false stops the creation of the first default route by the
dhcp connection.
But there is no way to stop the default route from the static IP connection if a GW is
defined. If the GW is omitted, no default route is created but there is no internet
access through this connection either.
Similar was the situation with NM: DEFROUTE=no and GW exclude each other.
How to solve this puzzle?
[Link] RequiredForOnline=no could make networkd insensitive to carrier loss,
but restoring default routes on boot and networkd restart will still take
place, I guess.
One observation with the above systemd-networkd configuration: metric values
arrange the 2 default connections the way I need and yield some failover
behaviour on cable disconnect:
- when ISP1&2 are up (carrier available) the internet goes through ISP1 ruled
by metric=50,
- when ISP1 is down (cable disconnected) the first default route disappears and
net goes automatically through ISP2,
- when the ISP1 cable is reconnected the internet access is restored through ISP1 by
a newly created default route.
That would be enough if "connection UP" = "cable plugged in" and vice versa,
but that is not the case and here foolsm + shorewall should come in.
I am starting to ask myself if pulling cables or issuing ifdown/ifup commands is the
right thing to do to simulate no internet access. Carrier loss makes the
network aware of the event and it takes some action. Is there a graceful way to
interactively cut off just the ping response?
Andrei
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
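As an added example (not Tom's or Andrei's configuration and not taken from the thread), the same two networkd files with the gateways moved out of table 254: `Table=` in `[Route]` installs the static gateway into a separate routing table, and `RouteTable=` in `[DHCP]` does the same for the DHCP-learned routes, so a link flap no longer re-creates a default route in main. The table numbers 101 and 102 are constructed values, it is an assumption that they fit alongside the provider tables Shorewall builds, and both options must exist in the host's systemd (check `man systemd.network`).

```ini
# /etc/systemd/network/10_enp3s0.network  (ISP #1, DHCP) - constructed example
[Match]
Name=enp3s0

[Network]
Description=enp3s0 - ISP #1
DHCP=ipv4
DNS=8.8.8.8
DNS=8.8.4.4

[DHCP]
# Keep the routes the DHCP server hands out, but install them in table 101
# instead of main (254). 101 is a constructed table number.
UseRoutes=true
RouteTable=101
RouteMetric=50
# Equivalent of PEERDNS=no / PEERNTP=no from the ifcfg file.
UseDNS=false
UseNTP=false

# /etc/systemd/network/20_enp1s0.network  (ISP #2, static) - constructed example
[Match]
Name=enp1s0

[Network]
Description=enp1s0 - ISP #2
Address=192.168.42.253/24
DNS=8.8.8.8
DNS=8.8.4.4

[Route]
# The gateway stays configured (no Destination= means a default route), but the
# route goes into table 102, so table 254 gets no default route on link up/down.
# 102 is a constructed table number.
Gateway=192.168.42.1
Table=102
Metric=200
```

After `systemctl restart systemd-networkd`, `ip route show table main` should list no `default via` entry, while `ip route show table 101` and `ip route show table 102` hold the two gateways for Shorewall's provider rules to select.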