-----Original Message-----
From: Tom Eastep
Sent: Monday, May 6, 2019 12:31 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Switching between multi-ISP
On 5/5/19 2:27 PM, Andrey Andreev wrote:
>> Then don't specify GW in the network config, and define it in
>> /etc/shorewall/providers instead.
> ISP #2 with static IP has already its GW listed in /etc/shorewall/providers:
>
> #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY      OPTIONS       COPY
> N3    1      1    -         enp3s0    GW1          track,primary -
> A1    2      2    -         enp1s0    192.168.42.1 track         -
Then simply take it out of the systemd network config for that interface.
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
Did it for A1 static IP connection:
[Route]
#Gateway=192.168.42.1
Metric=200
Here is the result when testing connection failure by temporarily clogging foolsm
ping monitoring with:
iptables -I OUTPUT 1 -d GW1 -p icmp --icmp-type echo-request -j DROP
networkd active, NM stopped.
N3 dhcp (static IP WAN1 by dhcp), UseRoutes=false, GW not set (received by
dhcp)
A1 static IP 192.168.42.253, no GW set
1. N3 up, A1 up. net OK through N3
ip route ls table 254
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1
GW1 dev enp3s0 scope link src WAN1
192.168.42.1 dev enp1s0 scope link src 192.168.42.253
2a. N3 --> down (cable disconnected), A1 up. net NO,
ip route ls table 254
192.168.42.0/24 dev enp1s0 proto kernel scope link src 192.168.42.253
192.168.42.1 dev enp1s0 scope link src 192.168.42.253
2b. N3 --> down (ping to GW1 dropped), A1 up. net NO,
ip route ls table 254
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1
GW1 dev enp3s0 scope link src WAN1
192.168.42.0/24 dev enp1s0 proto kernel scope link src 192.168.42.253
192.168.42.1 dev enp1s0 scope link src 192.168.42.253
3. networkd restart, shorewall restart (takes a long time) --> net OK through A1
(temporarily dropped ping to GW1 is restored)
Maybe shorewall restart came too early, status shows: Adding Providers...
WARNING: Interface enp3s0 is not usable -- Provider N3 (1) not Started
WARNING: No Default route added (all 'balance' providers are down)
ip route ls table 254
default via 192.168.42.1 dev enp1s0 proto static metric 200
192.168.42.0/24 dev enp1s0 proto kernel scope link src 192.168.42.253
192.168.42.1 dev enp1s0 scope link src 192.168.42.253
second shorewall restart (takes a short time) --> net OK through N3
ip route ls table 254
GW1.0/22 dev enp3s0 proto kernel scope link src WAN1
GW1 dev enp3s0 scope link src WAN1
192.168.42.0/24 dev enp1s0 proto kernel scope link src 192.168.42.253
192.168.42.1 dev enp1s0 scope link src 192.168.42.253
At this point I give it up. Today the Pope was in our city, should have asked
him for a blessing - the only chance to start automatic fail safe switching of
multi ISP on my Fedora configuration . . .
I notice that the content of table 254 depends on how internet access is lost
(cable disconnected or ping dropped), still one default route appears at some
point for ISP2 configured with static IP.
I asked Huawei support if the GPRS router-access point can be configured to
supply GW by DHCP. If they answer at all and if there is such an option, I will
test again with both ISP configured with DHCP.
For now I will allow default routes for both ISP so that table 254 begins with:
default via GW1 dev enp1s0 proto static metric 50
default via 192.168.42.1 dev enp1s0 proto static metric 200
and internet access is through the main ISP. If internet is lost, a smart hand
pulls out ISP1 cable and its default route is cleared from table 254 - net
comes from ISP2. After some time cable can be reconnected to check if the
blackout is over - the default route for ISP1 is created again.
Maybe Debian networking scripts perform as foolsm&shorewall expect them to
work and rule switching is performed correctly. Friends of mine are using it on
Debian with no problem.
Andrei
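
Added example, not part of the original messages: a shell helper that lists the default routes found in `ip route ls table 254` output and picks the one with the lowest metric, which shows at a glance which of the states reported above leave a network-config default route in the main table. The function names are hypothetical; the sample listings are copied from the message, where GW1 and WAN1 are the poster's placeholders.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Reads `ip route ls table 254`
# output on stdin, so it can be tested offline against saved listings.

# Print "metric gateway dev" for every default route, lowest metric first.
default_routes() {
    awk '$1 == "default" {
        gw = "-"; dev = "-"; metric = 0      # no metric shown means metric 0
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            else if ($i == "dev") dev = $(i + 1)
            else if ($i == "metric") metric = $(i + 1)
        }
        print metric, gw, dev
    }' | sort -n
}

# Print the default route the kernel would pick in this table, or "none".
active_default() {
    best=$(default_routes | head -n 1)
    if [ -n "$best" ]; then echo "$best"; else echo "none"; fi
}

# Listings copied from the message above (GW1/WAN1 are the poster's placeholders).
STATE1='GW1.0/22 dev enp3s0 proto kernel scope link src WAN1
GW1 dev enp3s0 scope link src WAN1
192.168.42.1 dev enp1s0 scope link src 192.168.42.253'

STATE3='default via 192.168.42.1 dev enp1s0 proto static metric 200
192.168.42.0/24 dev enp1s0 proto kernel scope link src 192.168.42.253
192.168.42.1 dev enp1s0 scope link src 192.168.42.253'

BOTH='default via GW1 dev enp1s0 proto static metric 50
default via 192.168.42.1 dev enp1s0 proto static metric 200'

for name in STATE1 STATE3 BOTH; do
    eval "listing=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$listing" | active_default)"
done
```

On a live system the same check is `ip route ls table 254 | active_default`.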