Good afternoon,

Just recently I've installed a second link in my Debian 4.0 border firewall.
Now, I have the following design:


eth1 ------------------ ISP1 Router ---------------- Internet
FW
eth2 ------------------ ISP2 Router ---------------- Internet

Both links are operational. Here's how I configured this:

ip route add <ISP1_network> dev eth1 src <eth1_IP> table 1
ip route add <ISP2_network> dev eth2 src <eth2_IP> table 2
# Here I've created the local routes for communication between the interfaces and the routers

ip route add default via <ISP1_Router_IP> table 1
ip route add default via <ISP2_Router_IP> table 2
# Here I've created the default routes for both routing tables

ip rule add from <eth1_IP> table 1
ip rule add from <eth2_IP> table 2
# Here I've created a set of rules so everything goes through its correct routing table

ip route add default scope global nexthop via 189.57.40.25 dev eth1 weight 1 nexthop via 200.99.5.33 dev eth2 weight 1
# Here I've created a global default route so both paths are used equally

And that's it. I've also created some rules for marked packets, but since that's a very specific need, and it works, I don't see why to put it here.

This config actually works pretty well, but with two problems.

1. Using tcpdump on both eth1 and eth2, I sometimes (actually, more frequently than I'd prefer) get some connections trying to go out through eth1 using eth2's IP and going through eth2 using eth1's IP. I thought my rules were correct, but it seems I'm wrong.

2. Did some tests (shutting down one of the routers, stuff like that) to check the failsafe. When I do that, all connections become veeeery slow, and mostly stop working. I've noticed some connections still going out through the link I've just dropped. One solution was killing the multipath route and just setting a default one through the other ISP. Although I believe I can try and turn it into an automatic process, I'd prefer to try something more dynamic. Any suggestions?

Thanks everyone for the attention.
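The "automatic process" mentioned under problem 2, written out as an added example (this is not code from the original post or from the poster's firewall). It keeps the per-ISP tables 1 and 2 exactly as configured above and only rewrites the multipath default in the main table: each ISP router is pinged out of its own interface, and when the set of reachable gateways changes, the default route is replaced with either the equal-weight multipath route or a plain default via the surviving ISP, followed by a route cache flush so flows already cached on the dead gateway (the 2.6.18 kernel in Debian 4.0 caches routes per destination; the flush is harmless on later kernels) stop using it. The gateway addresses and interface names are taken from the multipath route in the post; the probe method (two pings with a one-second timeout), the state file path and the ten-second loop interval are assumptions for the example.

```shell
#!/bin/sh
# Added example: dynamic failover for a two-ISP multipath default route.
# Gateways and interfaces come from the post's multipath route; everything
# else (probe method, state file, interval) is an assumption of this example.
GW1=189.57.40.25; DEV1=eth1
GW2=200.99.5.33;  DEV2=eth2
STATE_FILE=${STATE_FILE:-/var/run/isp-failover.state}

# gateway_up GATEWAY DEV: succeeds if the router answers two pings sent out
# of its own interface. -I binds the probe to the device, so the multipath
# default route cannot steer it out of the other ISP link.
gateway_up() {
    ping -c 2 -W 1 -I "$2" "$1" >/dev/null 2>&1
}

# default_route_args UP1 UP2: prints the arguments for
# "ip route replace default ..." given the link states (1 = usable, 0 = down).
# Both up: the original equal-weight multipath route. One up: a plain default
# via the survivor. Both down: prints nothing, and the caller leaves the
# current route alone rather than removing the last path out.
default_route_args() {
    case "$1$2" in
        11) echo "scope global nexthop via $GW1 dev $DEV1 weight 1 nexthop via $GW2 dev $DEV2 weight 1" ;;
        10) echo "via $GW1 dev $DEV1" ;;
        01) echo "via $GW2 dev $DEV2" ;;
        *)  echo "" ;;
    esac
}

# apply_default_route UP1 UP2: installs the route for the given link states.
# Tables 1 and 2 (source-based routing to each ISP) are never touched.
apply_default_route() {
    args=$(default_route_args "$1" "$2")
    [ -n "$args" ] || return 0
    # shellcheck disable=SC2086  # $args is deliberately word-split
    ip route replace default $args || return 1
    # Drop cached routes so connections already pinned to the dead gateway
    # are re-resolved against the new default.
    ip route flush cache
}

# failover_once: probe both gateways and reconfigure only when the state changed.
failover_once() {
    up1=0; up2=0
    gateway_up "$GW1" "$DEV1" && up1=1
    gateway_up "$GW2" "$DEV2" && up2=1
    state="$up1$up2"
    last=$(cat "$STATE_FILE" 2>/dev/null)
    if [ "$state" != "$last" ]; then
        apply_default_route "$up1" "$up2" && printf '%s\n' "$state" > "$STATE_FILE"
    fi
}

# Run as root: "once" from cron, or "loop" as a daemon that checks every 10 s.
case "${1:-}" in
    once) failover_once ;;
    loop) while :; do failover_once; sleep 10; done ;;
esac
```

Two things to check before relying on this on a real firewall: the probe only proves the ISP router answers ICMP, not that the link beyond it carries traffic, so a target further upstream (pinged through a host route in table 1 or 2) is a better health signal; and because the script restores the multipath route as soon as a link returns, a flapping link will flush the route cache repeatedly, which is worth damping with a hold-down before declaring a link up again.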