T1 and DSL through one firewall

Posted on 2003-03-31
Medium Priority
Last Modified: 2011-10-07
I am going to be setting up a new network for our business. We are going to have a fractal T1 (768) and a DSL line. I want to run all of my servers on the T1 line and the internal users will use the DSL. I am looking for a firewall to use and need some good advice on getting a firewall that can have two WAN interfaces and one internal interface.

I would be using NAT to assign IP address to all of the computers in the network.

Right now I have the following servers on the T1:
Windows 2k server, IIS 5
Windows 2k server, SQL 2000
Windows 2k, Domain Controller/Internal DNS server
Windows 2k, Exchange 2000

I would assign all of the server an IP address that would go through the T1 line and all of the other computers will use DHCP and run off of the DSL.

I read a little on the Cisco PIX firewalls and they can run multiple interfaces. Is this all I need? Are there are other firewalls that can forward packets based on the internal IP address through a specified WAN interface?

Would I have all of the computer point to my DNS server (which runs on the T1) and then send their network traffic through the DSL?

Any help would be greatly appreciated.
Question by:danman226
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2

Expert Comment

ID: 8243835
You can also do this with the iptables built-in to the Linux 2.4 kernel.  I have two broadband connections at home and use a single firewall to split the outbound traffic (HTTP over one and everything else over the other).  Runs on old PC with 10mpbs ISA cards and works great.  One ISP gives a static IP, the other gives DHCP and that works fine.  Also allows for incoming traffic over either connection or can be filtered to only allow incoming traffic over one of the two.

If this sounds like something you'd be interested in, let me know and I can post the type of rules you'd need for a setup like this.
LVL 79

Expert Comment

ID: 8245309
The PIX won't work the way you want. You cannot have two WAN interfaces on a PIX because you can only have one default gateway. In your case, if you want to split the oubound traffic, one simple solution would be two PIX's. One used by all the normal traffic outbound through the dsl, and one used by the servers.

The Linux solution may work, though I don't know any businesses that can afford a T1 that use Linux as their gateway router/firewall.

There are other solutions such as Fatpipes' Warp device that can help:

Author Comment

ID: 8246841
I would like some more info on the Linux solution. I have an extra server that I could run it off of. I am assuming I would need three ethernet cards. Am I correct?

To lrmoore: The fat pipe looks good, but probally way to expensive. Thank for the info.
The Ideal Solution for Multi-Display Applications

Check out ATEN’s VS1912 12-Port DP Video Wall Media Player at InfoComm 2017. Kerri describes how easy it is to design creative video walls in asymmetric layouts and schedule detailed playlists ahead of time with its advanced scheduling feature.

LVL 79

Expert Comment

ID: 8249697
These products may be less expensive than the fatpipes (which cost around $7k):


Accepted Solution

TheAmigo earned 500 total points
ID: 8251032
If you'd like a GUI to configure rules, you can check out Firewall Builder:

It generates a shell script that will put your rules in place.  I haven't used it since v0.99 so I'm not sure if it can handle your rather complex setup now or not.

Here's a shell script that should be pretty close to working for you.  This assumes only one IP is assigned by each ISP (one for DSL and one for T1).  If you've got multiple IPs from the T1, then some changes would need to be made.  This script has the following basic features:
 - Outbound packets default to going over the DSL
 - Outbound packets from any of the servers goes over the T1
 - Incoming packets on the T1 are forwarded to the appropriate server

I've added a couple samples of different types of rules that you could use in various situations:
 - allowing an internal machine to run MRTG for traffic monitoring (requires SNMP be installed)
 - allowing ssh in from a specific external host

You'd also asked if you'd need 3 NICs and the answer is "normally".  It *can* be done with 2 (that's how my setup is).  I've got two ISPs and each of their connections runs in to adjacent ports on a 4-port hub.  Of the two remaining ports, one connects to the external interface of my firewall and the other goes to an IDS.  For your situation though, I'd recommend 3 NICs as it's a more straight-forward way to go.

#Change IPs and network numbers here
# eth0 = internal interface
# eth1 = DSL
# eth2 = T1
T1IP =


#If you're using either FTP or IRC, include this line
modprobe ip_conntrack || exit 1

#If using FTP, include these two
modprobe ip_conntrack_ftp || exit 1
modprobe ip_nat_ftp || exit 1

#If using IRC, include these two
modprobe ip_conntrack_irc || exit 1
modprobe ip_nat_irc || exit 1

# suspend routing while rules are applied... don't let anything through while rules are being changed.
echo "0" > /proc/sys/net/ipv4/ip_forward

# drop packets that arrive on an interface they shouldn't
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
# bug in iptables will drop returned packets when mixing MASQ and SNAT
# may be fixed in newer version, present in 1.2.5
echo "0" > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter

#Set some more basic options
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#Set default filter policy to drop packets by default
iptables -P OUTPUT  DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP

cat /proc/net/ip_tables_names | while read table; do
  iptables -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        iptables -t $table -F $chain
  iptables -t $table -X

#clear old IPs
ip addr flush dev lo scope link
ip addr flush dev eth0 scope link
ip addr flush dev eth1 scope link
ip addr flush dev eth2 scope link

#Clear old route
ip route delete default table t1traffic

# Setup custom routing table:
ip rule delete priority 10
ip rule add priority 10 fwmark 1 lookup t1traffic
route add -net $T1NET netmask $T1NETMASK dev eth2
ip route add default via $T1ROUTER dev eth2 src $T1IP table t1traffic

#Allow connections that were already in place to continue.
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound traffic will default to the DSL, but exceptions can be made here
#This rule sends all traffic from machines on $SERVERNET out the T1
iptables -t mangle -A PREROUTING -s $SERVERNET/$SERVERNETBITS -i eth0 -j MARK --set-mark 0x1

# Create new NAT chain for the T1 traffic
iptables -t nat -N t1outbound
iptables -t nat -A t1outbound -o eth2 -j SNAT --to-source $T1IP
# Send packets that are marked in the above section to the new chain
iptables -t nat -A POSTROUTING -m mark --mark 0x1 -j t1outbound

# Outbound everything else through DSL
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Inbound stuff via T1 is NAT'd to $SERVERNET
#these rules need to be customized depending on if IPs are allocated from the T1's ISP.
iptables -t nat -A PREROUTING -i eth2 -p udp -d $T1IP --dport 53  -j DNAT --to-destination $DNSSERVER
iptables -t nat -A PREROUTING -i eth2 -p tcp -d $T1IP --dport 80  -j DNAT --to-destination $WEBSERVER
iptables -t nat -A PREROUTING -i eth2 -p tcp -d $T1IP --dport 443 -j DNAT --to-destination $WEBSERVER
# Allow ssh in from one external host
iptables -t nat -A PREROUTING -i eth2 -p tcp -s $MYHOMEIP -d $T1IP --d-port 22 -j DNAT --to-destination $SSHSERVER

# Reject incoming ident requests to avoid login delays
#iptables -A INPUT -p tcp -d $T1IP --d-port 113 -j REJECT

# Allow internal server to run MRTG:
iptables -A INPUT -t filter -i eth0 -s $MRTGSERVER -p udp --dport 161 -j ACCEPT

# Allow traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from trusted internal interface.
iptables -A INPUT   -i eth0 -p tcp --dport 22  -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

#Re-enable packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

Author Comment

ID: 8255804
Thanks a lot. This will be a good base to get started on.

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question