Good afternoon,

Just recently I've installed a second link in my Debian 4.0 border firewall.
Now, I have the following design:


eth1 ------------------ ISP1 Router ---------------- Internet
FW
eth2 ------------------ ISP2 Router ---------------- Internet

Both links are operational. Here's how I configured this:

ip route add <ISP1_network> dev eth1 src <eth1_IP> table 1
ip route add <ISP2_network> dev eth2 src <eth2_IP> table 2
# Here I've created the local route for communication between interfaces and routers

ip route add default via <ISP1_Router_IP> table 1
ip route add default via <ISP2_Router_IP> table 2
# Here I've created the default routes for both routing tables

ip rule add from <eth1_IP> table 1
ip rule add from <eth2_IP> table 2
# Here I've created a set of rules so everything goes through its correct routing table

ip route add default scope global nexthop via 189.57.40.25 dev eth1 weight 1 nexthop via 200.99.5.33 dev eth2 weight 1
# Here I've created a default global route so both paths are used equally

And that's it. I've also created some rules for marked packets, but since that's a very specific need, and it works, I don't see a reason to put it here.

This config actually works pretty well, but with two problems.

1. Using tcpdump on both eth1 and eth2, I sometimes (actually, more frequently than I'd prefer) get some connections trying to go out through eth1 using eth2's IP and going through eth2 using eth1's IP. I thought my rules to be correct, but it seems I'm wrong.

2. Did some tests (shutting down one of the routers, stuff like that) to check the failsafe. When I do that, all connections become veeeery slow, and mostly stop working. I've noticed some connections still going out through the link I've just dropped. One solution was killing the multipath route and just setting a default one through the other ISP. Although I believe I can try and turn it into an automatic process, I'd prefer to try something more dynamic. Any suggestions?

Thanks everyone for the attention.
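A monitor that automates the manual fallback described in problem 2, as an added example that is not part of the original post: it pings each ISP router through its own interface and rewrites the main-table default route (equal-weight multipath while both routers answer, a plain default via the survivor otherwise), using the router IPs and interfaces from the post; the probe interval and the `gwmon` syslog tag are my own choices.

```shell
#!/bin/sh
# Gateway monitor for the two-ISP multipath setup above (added example, not the
# poster's script). Router IPs/interfaces come from the post. DRY_RUN=1 prints
# the route commands instead of running them; MONITOR=1 starts the loop.
GW1=189.57.40.25; DEV1=eth1
GW2=200.99.5.33;  DEV2=eth2

# probe_gw GATEWAY DEV -> "up"/"down". Pings the router through its own
# interface so the probe does not depend on the multipath route being sane.
probe_gw() {
    if ping -c 2 -W 2 -I "$2" "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# build_default_route STATE1 STATE2 -> the ip route command for that state:
# both up = equal-weight multipath, one up = plain default via the survivor,
# both down = nothing (leave the current route rather than blackhole traffic).
build_default_route() {
    case "$1,$2" in
        up,up)   echo "ip route replace default scope global nexthop via $GW1 dev $DEV1 weight 1 nexthop via $GW2 dev $DEV2 weight 1" ;;
        up,down) echo "ip route replace default via $GW1 dev $DEV1" ;;
        down,up) echo "ip route replace default via $GW2 dev $DEV2" ;;
        *)       echo "" ;;
    esac
}

# apply_route STATE1 STATE2: install the route and flush the route cache, so
# established flows stop following cached nexthops on the dead link (on a
# 2.6.18-era kernel that cache is a likely reason traffic keeps leaving it).
apply_route() {
    cmd=$(build_default_route "$1" "$2")
    [ -n "$cmd" ] || return 0
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd && ip route flush cache; fi
}

# monitor_loop: re-probe every 10 s and only touch the routes when state changes.
monitor_loop() {
    last=""
    while :; do
        state="$(probe_gw "$GW1" "$DEV1") $(probe_gw "$GW2" "$DEV2")"
        if [ "$state" != "$last" ]; then
            logger -t gwmon "ISP state changed: $state"
            apply_route $state
            last=$state
        fi
        sleep 10
    done
}

if [ "${MONITOR:-0}" = 1 ]; then monitor_loop; fi
```

Run it as root with MONITOR=1 from an init script; the ip rules and per-table routes from the post stay untouched, only the main-table default route is rewritten.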