This topic contains 12 replies, has 0 voices, and was last updated by 
-
Posts
-
Thanks to Fulvio for creating a wonderful product, with a truly altruistic vision. Thanks to all the technical experts assisting in these forums, so selflessly. Highly appreciate the same.
Now, I need your help in solving this unique issue of mine.
I have setup 3 PPPOE modems on my Zeroshell box, to take advantage of the Automatic Restart feature in the Netbalancer, in case of connection failures. Two of them are Limited Bandwidth, Fast Connections ( ppp2 and ppp3 ) and the other, a slow, unlimited one ( ppp1 ).
Now, my query is, How do I prevent failover of connections taking place between the interfaces, through any rule ? I have configured Netbalancer Rules for pinning the connections to specific interfaces (which work fine, when all are active), but unable to prevent their failover from happening,
in case of telephone exchange faults, in any of them. I am okay with the loss of connectivity that may occur, if failover is prevented by any means. Thanks.Some more details : The lan interface is ETH00 and the pppoe modems are on ETH01, 02 and 03 respectively. The Netbalancer mode chosen is Failover.
Hi there,
it is not very clear what you want to do. With the netbalancer in failover only mode you achieve to have one active connection and the others as standby waiting for their turn to become active in the place of the first, when it goes down.
Sorry, if I have not made myself clear. I want to block certain ip addresses which must not use these limited fast interfaces. I tried setting firewall rules in the FORWARD chain as follows, but no success. These interfaces are allowing any website calls to go through, instead of blocking them, when they become active in failover mode.
How do I block them ? What chain should I use ? NAT is enabled on these ppp interfaces.
Chain: FORWARD Default Policy ACCEPTFORWARD Rules
Seq Input Output Description Log Active
1 ETH00 ppp2 REJECT all opt — in ETH00 out ppp2 0.0.0.0/0 !-> reject-with icmp-port-unreachable no
2 ETH00 ppp3 REJECT all opt — in ETH00 out ppp3 0.0.0.0/0 !-> reject-with icmp-port-unreachable no
Here is a genuine ip address of our remote application server. Thank you for any assistance.
If you are using proxy the sites will be opened, cause traffic will be originated from the ZS itself and not from the hosts, so it needs to be blocked on the OUTPUT chain as well.
If you are not using proxy, please show us the output of the command:
iptables -L -v
iptables -t nat -L -vYes, I am using http proxy to check for viruses, on the slower interface (ppp1), but not added the other faster interfaces so far.
Also, I have now added these new firewall rules ( hope they are correct )
OUTPUT Rules
Seq Input Output Description Log Active
1 * ppp2 REJECT all opt — in * out ppp2 0.0.0.0/0 !-> reject-with icmp-port-unreachable yes
2 * ppp3 REJECT all opt — in * out ppp3 0.0.0.0/0 !-> reject-with icmp-port-unreachable yesI have currently brought these fast interfaces down as a precautionary measure.
Will activate them by evening today ( GMT 12:30 PM ) and check and revert, if they block appropriately.
As my knowledge of firewall is limited, please guide me on this further, with examples.
Like, for example, if these rules need to be added as well, in pre or post boot or under firewall chain script as well, for getting priority over others.I want to make it absolutely sure that all website calls, except for my application server’s ip, are blocked on these interfaces, even under failover mode as well.
I am trying to use the Netbalancer only to restart my failed pppoe connections and not for load balancing or failover purposes. Hope I have made myself clear.
As I said before it will help us troubleshoot if you post the output of the iptables commands I mentioned above.
Thank you ppalias, as your suggestion of http proxy interfering with my firewall rules, helped me out.
As I required http proxy to be running for atleast one connection, I just shifted these modems to another vmware based zeroshell setup, where proxy was DOWN and all my Firewall Rules were followed to the letter. Thank you very much. Also, many thanks to Fulvio for making it so easy to configure, anything in Zeroshell.
Also, can you suggest with your experience, whether :
1. A workaround is possible to stop the Netbalancer from hopping to the next available interface, if it senses that the current interface has gone down ? ( I see this message in its logs : Default Route has been changed: nexthop via )
2. This workaround can also be called a “StandAlone” mode as it just follows our dictates in the “netbalancer balancing rules” and does not initiate balancing or failover in this case. Helpful for group of modems with varying cost usage plans and not suitable for use of all. Hope this can be considered as a feature in a new release. And yes, in this case, the “failover checking” just becomes “failure checking” for restarting the modems, individually, should their connections go down !
The point of net balancer is to change gateway if the current gateway goes down. From what you say I think you should disable net balancer.
But Sir, the most wanted feature of “Restarting pppoe and 3g connections” lies in the Netbalancer section, and so it cannot be disabled totally. Also, pinning specific connections to specific interfaces, is carried out very nicely by the balancing rules, whether they are in active or in spare mode, regardless of their weightage given !
So, my only request is for the possiblity of a “StandAlone” mode too, apart from the other two modes available currently.
That is a better explanation of what you want to do.
Remove the fast connections from the load balancer. Keep the “restart pppoe and 3g” feature, assign the traffic you want on the fast interfaces and you should be ok, at least with this workaround.
Yes, I tried that earlier. Unless, I add the interface in the “Gateway List” of the “Net Balancer”, the interface does not show up in the “Target Gateway” of the “Balancing Rules” section !
Another thing I can think of is to separate the 3 connections into 2 ZS routers. First router will have the LAN, the slow connection and a point to point link with the other router. The second router will have the 2 fast links and the point to point link with the first router. You apply the filters you want on the second router to prevent abuse of your fast lines and traffic mostly goes out from the slow link.
Thanks, I have done the same now and it works ! Although, it requires two machines now instead of just one, to manage the same. Could there be some possibility that I could consolidate the same, into one machine ?
Maybe if your donation convinced Fulvio to implement it or enough users request the same thing.
You must be logged in to reply to this topic.