Firewall-base: add support for multi-wan
Add support for multi-wan configuration.
A virtually unlimited number of red interface should be allowed.
- weighted balanced mode: each new connection can use a random configured red interface
- active backup: all traffic is routed through the master interface, backup connections will be used only in case of master failure
createlinks, shorewall templates: add support for multi-wan, add oriDst prop for portforwards. Refs #2332
nethserver-shorewall-wan-update: disable interface if event is no 'up'. Refs #2332
createlinks, actions: add provider static routes to static-routes-save event. Refs #2332
Network configuration: support provider-static routes. Refs #2332
Handle special static routes for providers.
#3 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
- % Done changed from 30 to 60
Commited test implementation.
See Gateway Design.
#8 Updated by Giacomo Sanchietti over 5 years ago
- Assignee deleted (
For each configured provider, the system (LSM) will send ping to a configured IP (
When a provider status changes, the system will signal a
shorewall enable <interface>when a red interface is usable
shorewall disable <interface>then a red interface is not usable
When an interface is disabled, all associated routes will be deleted. If
checkip belongs to an external network, the system will not be able to check the link status because there will no route to the external host. With current implementation when an interface is disabled, there is no way to re-enabled it.
#9 Updated by Giacomo Sanchietti over 5 years ago
The solution is to add static routes for checkip inside the main table.
For example, if checkip is 18.104.22.168:
ip ro add 22.214.171.124/32 via 126.96.36.199Some considerations:
- static rules must be added in
firewall-adjustevent and after boot (maybe we can use http://shorewall.net/shorewall_extension_scripts.htm)
- a checkip can't be reused between providers
- when a red interface goes down, the host specified as checkip is no more reachable, so do not use system DNS as checkip
- probably the best checkip is the hop just next the gateway
To find the next hop use:
ping -c 1 -I eth2 -t 2 188.8.131.52 | grep 'Time to live' | cut -d' ' -f2
#10 Updated by Giacomo Sanchietti over 5 years ago
Added static routes support. Routes will be generate in
A static route is a record of type
static inside the
Each record has following properties:
- key: network address
- Mask: network mask
- Router: gateway for the network
- Description: a custom description (optional)
184.108.40.206=static Description=My route Mask=255.255.255.255 Router=220.127.116.11
Added also special static routes providers. These routes are auto-calculated by the system and
can't be edited by the user.
Static routes for providers are records of type
provider-static inside the
Valid properties are the same of
#15 Updated by Giacomo Sanchietti over 5 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
- nethserver-squid-1.1.1-3.0git37fbdd7c.ns6.noarch.rpm (già su testing)
#18 Updated by Filippo Carletti over 5 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
I have verified both configuration modes: balance and backup.
routing is ok, traffic goes to both providers in balance and to highest weight link in active-backup
link failure disables failed link, traffic switches to working link
connection is re-enabled after link recovery
manually disabling a link (shorewall disable ethX) works as expected
check ip auto discovery gets the right ip in all tested cases
online help is correct
Not tested: 3 or more wan
I'd file a new issue about dhcp wan and failed link detection.