Hi all, I have a Shorewall firewall with CentOS7 and shorewall-5.2.0.4, connected to two ISPs. For locally generated traffic, even if I mark all the firewall traffic with one ISP mark, the traffic gets randomly or round-robin routed through one ISP or the other. This leads to some difficulties: for example, with VPNs, I have to lock them on a source address, but when a provider goes down, I have to modify the VPN configs, where I would like only to change the mark value and refresh the rules. Is there something I should do to make the MARK...$FW line in mangle work?

Thanks in advance. My setup is like this:

Shorewall.conf:

    USE_DEFAULT_RT=Yes
    TC_BITS=8
    PROVIDER_BITS=8
    PROVIDER_OFFSET=8
    MASK_BITS=8

Params:

    MARKGBED=0x100
    MARKFWAD=0x200
    # I change these variables via foolsm when a provider goes down
    MARKGBE=$MARKGBED
    MARKFWA=$MARKFWAD
    GBE_IF=enp1s0
    FWGBE=217.5.2.30
    GWGBE=217.5.2.25
    FWA_IF=enp2s0
    FWFWA=93.4.1.62
    GWFWA=93.4.1.49

Interfaces:

    net $GBE_IF tcpflags,nosmurfs,logmartians,sourceroute=0,optional
    net $FWA_IF tcpflags,nosmurfs,logmartians,sourceroute=0,optional
    loc $LOC_IF tcpflags,nosmurfs,routefilter,logmartians,optional

Providers:

    GBE 1 $MARKGBED - $GBE_IF $GWGBE track,balance=1 -
    FWA 2 $MARKFWAD - $FWA_IF $GWFWA track,balance=1 -

Mangle:

    MARK($MARKGBE):P 0.0.0.0/0 0.0.0.0/0
    MARK($MARKGBE) $FW 0.0.0.0/0

The test: run

    for host in 8.8.8.8 8.8.4.4 4.2.2.1 4.2.2.2 4.2.2.3 4.2.2.4 4.2.2.6; do ping -c2 $host & done

Then

    # conntrack -L|grep icmp
    conntrack v1.4.4 (conntrack-tools): 11 flow entries have been shown.
    icmp 1 25 src=217.5.2.30 dst=4.2.2.6 type=8 code=0 id=13766 src=4.2.2.6 dst=217.5.2.30 type=0 code=0 id=13766 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp 1 24 src=93.4.1.62 dst=8.8.4.4 type=8 code=0 id=13761 src=8.8.4.4 dst=93.4.1.62 type=0 code=0 id=13761 mark=512 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp 1 25 src=217.5.2.30 dst=4.2.2.4 type=8 code=0 id=13765 src=4.2.2.4 dst=217.5.2.30 type=0 code=0 id=13765 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp 1 24 src=93.4.1.62 dst=8.8.8.8 type=8 code=0 id=13760 src=8.8.8.8 dst=93.4.1.62 type=0 code=0 id=13760 mark=512 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp 1 25 src=217.5.2.30 dst=4.2.2.1 type=8 code=0 id=13762 src=4.2.2.1 dst=217.5.2.30 type=0 code=0 id=13762 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp 1 25 src=93.4.1.62 dst=4.2.2.2 type=8 code=0 id=13763 src=4.2.2.2 dst=93.4.1.62 type=0 code=0 id=13763 mark=512 secctx=system_u:object_r:unlabeled_t:s0 use=1
    icmp 1 25 src=217.5.2.30 dst=4.2.2.3 type=8 code=0 id=13764 src=4.2.2.3 dst=217.5.2.30 type=0 code=0 id=13764 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1

Traffic gets balanced between both providers. Tcpdump confirms this.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
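The check the poster ran by eye, as an added example (not from the post or from Shorewall): parse `conntrack -L` output, map each flow's mark to a provider using the marks from the Params file, and report whether every locally generated flow really carries the one mark the $FW mangle rule should set. The provider mask 0xff00 is an assumption derived from PROVIDER_OFFSET=8 / MASK_BITS=8; the sample is the post's own seven ICMP entries, embedded here as constructed input.

```python
import re
from collections import Counter

# Provider marks from the post's Params file (MARKGBED=0x100, MARKFWAD=0x200).
PROVIDER_MARKS = {0x100: "GBE", 0x200: "FWA"}
# Assumed: with PROVIDER_OFFSET=8 and MASK_BITS=8 the provider id lives in bits 8-15.
PROVIDER_MASK = 0xFF00

# Constructed sample: the seven ICMP entries from the post's `conntrack -L | grep icmp`.
SAMPLE = """\
icmp 1 25 src=217.5.2.30 dst=4.2.2.6 type=8 code=0 id=13766 src=4.2.2.6 dst=217.5.2.30 type=0 code=0 id=13766 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp 1 24 src=93.4.1.62 dst=8.8.4.4 type=8 code=0 id=13761 src=8.8.4.4 dst=93.4.1.62 type=0 code=0 id=13761 mark=512 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp 1 25 src=217.5.2.30 dst=4.2.2.4 type=8 code=0 id=13765 src=4.2.2.4 dst=217.5.2.30 type=0 code=0 id=13765 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp 1 24 src=93.4.1.62 dst=8.8.8.8 type=8 code=0 id=13760 src=8.8.8.8 dst=93.4.1.62 type=0 code=0 id=13760 mark=512 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp 1 25 src=217.5.2.30 dst=4.2.2.1 type=8 code=0 id=13762 src=4.2.2.1 dst=217.5.2.30 type=0 code=0 id=13762 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp 1 25 src=93.4.1.62 dst=4.2.2.2 type=8 code=0 id=13763 src=4.2.2.2 dst=93.4.1.62 type=0 code=0 id=13763 mark=512 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp 1 25 src=217.5.2.30 dst=4.2.2.3 type=8 code=0 id=13764 src=4.2.2.3 dst=217.5.2.30 type=0 code=0 id=13764 mark=256 secctx=system_u:object_r:unlabeled_t:s0 use=1
"""


def parse_flow(line):
    """Return (proto, orig_src, orig_dst, mark) for one conntrack -L line, or None.
    The first src=/dst= pair is the original direction, the second the reply."""
    parts = line.split()
    srcs = re.findall(r"\bsrc=(\S+)", line)
    dsts = re.findall(r"\bdst=(\S+)", line)
    marks = re.findall(r"\bmark=(\d+)", line)
    if len(parts) < 3 or len(srcs) < 2 or len(dsts) < 2:
        return None  # header line or truncated entry
    return parts[0], srcs[0], dsts[0], int(marks[0]) if marks else 0


def provider_usage(text):
    """Count flows per provider, keyed by the provider bits of the conntrack mark."""
    counts = Counter()
    for flow in filter(None, map(parse_flow, text.splitlines())):
        pid = flow[3] & PROVIDER_MASK
        counts[PROVIDER_MARKS.get(pid, f"unknown(0x{pid:x})")] += 1
    return counts


def pinned_to(text, expected_mark):
    """True only when every flow carries expected_mark, i.e. the $FW MARK rule took effect."""
    return list(provider_usage(text)) == [PROVIDER_MARKS[expected_mark]]
```

For the post's output `provider_usage` reports both providers and `pinned_to(SAMPLE, 0x100)` is False, which is exactly the balancing the poster observed; after a working fix only "GBE" should remain.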