Solved

Selective routing via 2 providers both with NAT

Posted on 2004-09-28
Last Modified: 2010-04-20
Hello,

We have a Debian router/firewall which currently does masq via iptables over a leased line, and we want to add an ADSL line for non-priority traffic like occasional surfing etc.

The interfaces are defined as follows:

217.x.x.0/28 dev eth0  proto kernel  scope link  src 217.x.x.2
192.168.0.0/22 dev eth1  proto kernel  scope link  src 192.168.0.1
82.x.x.72/29 dev eth3  proto kernel  scope link  src 82.x.x.74

With 217.x.x.1 as the gateway on eth0 and
with 82.x.x.73 as the gateway on eth1

The leased line on 217 has already been working properly for some time now, but the ADSL was connected last week and now I am having difficulties getting traffic from certain internal hosts to route out over it.

In iptables both eth0 & eth3 are set to do POSTROUTING masq.

ip route (apart from the above 3 networks) shows a default route:

default via 217.x.x.1 dev eth0

I have added two tables to the iproute2 config, named leased and adsl.

~# ip route show table adsl
82.x.x.72/29 dev eth3  scope link
192.168.0.0/22 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 82.x.x.73 dev eth3

~# ip route show table leased
217.x.x.0/28 dev eth0  scope link
192.168.0.0/22 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 217.x.x.1 dev eth0

I added the two rules, based on the "from" address, to the ip rules:

~# ip rule
0:      from all lookup local
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default


For testing I wanted all traffic to still go over the leased line, but traffic from IP 192.168.1.247 to go over the ADSL.

I tried both:

~# ip rule
0:      from all lookup local
32763:  from 192.168.1.247 lookup adsl
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

and

~# ip rule
0:      from all lookup local
32763:  from 192.168.1.247 lookup adsl map-to 82.x.x.74
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

From external locations I can ssh in to the box via both the leased line (217.x.x.2) and the ADSL (82.x.x.74), and furthermore we have put a separate box on the ADSL connection with the 82.x.x.74 IP just to make sure the ADSL connection works outgoing too.

So the main question: what am I doing wrong / what should I change to be able to have NAT working on both interfaces in a way that I can choose via ip rule (or some other ruling system, maybe fwmark?) the outgoing interface.

Kind regards,

Tjardick
Question by:Tjardick
Author Comment

by:Tjardick
ID: 12179033
Found the solution in such a way that using source NAT works, but MASQ doesn't.

Now just to find a way to allow DNAT (port maps) to work on both lines instead of only the one that the ip rule is set to route out over.

Regards,

Tjardick
Expert Comment

by:peteysa
ID: 12182377
Tjardick,

From a quick reading of your situation I first thought of policy routing. Policy routing in Cisco devices allows you to define a traffic policy so that, say, internal traffic for outbound HTTP gets its default gateway set to the ADSL connection.

Hope this is able to assist you.

Cheers!

Dan
Author Comment

by:Tjardick
ID: 12187913
Dan,

Thanks for your suggestion, but the problem is more that I want to map a port on both lines (port 25 on both) but want it to route back over the connection it came in on.

I guess the only solution so far is to run the mail server on 2 ports, one mapped from the leased line and the other from the ADSL; then I can use an fwmark in iptables to mark traffic and set the routing filter accordingly.

I'll close this question as it looks like I have figured it all out myself :-)

regards,

Tjardick
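The following is an added worked example, not the poster's own configuration or anything posted in this thread. It puts the pieces the thread ends up with (one routing table per uplink, a "from" rule for the LAN host that should use ADSL, SNAT with an explicit address per uplink, and fwmark-based routing for traffic that must go back out the line it came in on) into one script built around the interfaces, tables and addresses from the question. It goes one step beyond the poster's two-port idea: instead of running the mail server on two ports, new inbound connections are marked by ingress interface and the mark is saved on the conntrack entry (CONNMARK), so a single DNAT of port 25 on both public addresses is answered through the correct uplink. The masked octets (217.x.x.2 etc.) are kept as they appear on the page, and MAIL_HOST, the fwmark values and the rp_filter setting are assumptions that must be adjusted before use. The script prints the commands by default and only applies them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not the original poster's configuration): two uplinks with
# per-interface SNAT, a source-based rule for selected LAN hosts, and
# CONNMARK/fwmark routing so that connections accepted on either public
# address (port 25 here) are answered through the uplink they arrived on.
# Interfaces, table names and addresses follow the question; the masked
# octets, MAIL_HOST and the mark values are placeholders / assumptions.
# Dry-run by default: prints the commands. DRY_RUN=0 applies them (as root).

LAN_IF=eth1;    LAN_NET=192.168.0.0/22
LEASED_IF=eth0; LEASED_IP=217.x.x.2; LEASED_GW=217.x.x.1
ADSL_IF=eth3;   ADSL_IP=82.x.x.74;   ADSL_GW=82.x.x.73
LEASED_TBL=leased; ADSL_TBL=adsl   # table names from /etc/iproute2/rt_tables
MARK_LEASED=1; MARK_ADSL=2         # fwmark values (assumption)
ADSL_HOSTS="192.168.1.247"         # LAN hosts whose outbound traffic uses ADSL
MAIL_HOST=192.168.1.25             # internal mail server (assumed address)

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_routes() {
  # One table per uplink, each holding the LAN and its own default route.
  run ip route flush table "$LEASED_TBL"
  run ip route add "$LAN_NET" dev "$LAN_IF" table "$LEASED_TBL"
  run ip route add default via "$LEASED_GW" dev "$LEASED_IF" table "$LEASED_TBL"
  run ip route flush table "$ADSL_TBL"
  run ip route add "$LAN_NET" dev "$LAN_IF" table "$ADSL_TBL"
  run ip route add default via "$ADSL_GW" dev "$ADSL_IF" table "$ADSL_TBL"
}

setup_rules() {
  # Lowest priority number is consulted first: marked (reply) traffic, then
  # the router's own traffic by source address, then the LAN hosts steered
  # to ADSL; everything else falls through to the main table's default route.
  run ip rule add fwmark "$MARK_LEASED" lookup "$LEASED_TBL" priority 100
  run ip rule add fwmark "$MARK_ADSL"   lookup "$ADSL_TBL"   priority 101
  run ip rule add from "$LEASED_IP" lookup "$LEASED_TBL" priority 200
  run ip rule add from "$ADSL_IP"   lookup "$ADSL_TBL"   priority 201
  for h in $ADSL_HOSTS; do
    run ip rule add from "$h" lookup "$ADSL_TBL" priority 300
  done
  run ip route flush cache
  # Strict reverse-path filtering drops packets arriving on the uplink that
  # the main table would not use to reach their source; loose mode (2)
  # avoids that. Kernels that only know 0/1 need 0 here.
  run sysctl -q -w "net.ipv4.conf.$LEASED_IF.rp_filter=2"
  run sysctl -q -w "net.ipv4.conf.$ADSL_IF.rp_filter=2"
}

setup_marks() {
  # Restore the connection mark on every packet first; a packet that already
  # carries a mark belongs to a known connection and needs nothing more.
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  # New connections from the Internet are marked by ingress uplink and the
  # mark is stored on the conntrack entry, so the mail server's replies
  # (entering on the LAN side) pick up the mark and the matching table.
  run iptables -t mangle -A PREROUTING -i "$LEASED_IF" -m conntrack --ctstate NEW -j MARK --set-mark "$MARK_LEASED"
  run iptables -t mangle -A PREROUTING -i "$ADSL_IF"   -m conntrack --ctstate NEW -j MARK --set-mark "$MARK_ADSL"
  run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
}

setup_nat() {
  # Explicit SNAT per uplink (the poster reported SNAT working where
  # MASQUERADE did not); each address must be the one its table routes from.
  run iptables -t nat -A POSTROUTING -o "$LEASED_IF" -j SNAT --to-source "$LEASED_IP"
  run iptables -t nat -A POSTROUTING -o "$ADSL_IF"   -j SNAT --to-source "$ADSL_IP"
  # Port 25 forwarded on both public addresses to the same internal host.
  run iptables -t nat -A PREROUTING -i "$LEASED_IF" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_HOST"
  run iptables -t nat -A PREROUTING -i "$ADSL_IF"   -p tcp --dport 25 -j DNAT --to-destination "$MAIL_HOST"
  run iptables -A FORWARD -p tcp -d "$MAIL_HOST" --dport 25 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
  setup_routes
  setup_rules
  setup_marks
  setup_nat
}

apply_all
```

Run it unchanged to review the command list before applying anything. After applying, `ip rule` should list the two fwmark entries ahead of the "from" entries, and `ip route get <external address> from 192.168.1.247 iif eth1` should resolve via eth3 while the same query from another LAN address resolves via eth0. The ordering of the rules matters: the fwmark rules must come before the "from 192.168.1.247" rule, otherwise a marked reply from that host would be sent out the wrong line.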
Accepted Solution

by:
CetusMOD earned 0 total points
ID: 16238485
PAQed with points refunded (500)

CetusMOD
Community Support Moderator