Selective routing via 2 providers both with NAT

Posted on 2004-09-28
Last Modified: 2010-04-20

We have a Debian router/firewall which currently does masq via iptables over a leased line, and we want to add an ADSL line for non-priority traffic like occasional surfing etc.

The interfaces are defined as follows:

217.x.x.0/28 dev eth0  proto kernel  scope link  src 217.x.x.2
dev eth1  proto kernel  scope link  src
82.x.x.72/29 dev eth3  proto kernel  scope link  src 82.x.x.74

With 217.x.x.1 as the gateway on eth0 and
with 82.x.x.73 as the gateway on eth1

The leased line on 217 has already been working properly for some time now, but the ADSL was connected last week and now I am having difficulties getting traffic from certain internal hosts to route out over it.

In iptables both eth0 & eth3 are set to do POSTROUTING masq.

ip route (apart from the above 3 networks) shows a default route:

default via 217.x.x.1 dev eth0

I have added two tables to the iproute2 config, named leased and adsl.

~# ip route show table adsl
82.x.x.72/29 dev eth3  scope link
dev eth1  scope link
dev lo  scope link
default via 82.x.x.73 dev eth3

~# ip route show table leased
217.x.x.0/28 dev eth0  scope link
dev eth1  scope link
dev lo  scope link
default via 217.x.x.1 dev eth0

I added the 2 rules, based on the from (source) address, to the ip rules:

~# ip rule
0:      from all lookup local
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

For testing I wanted all traffic to still go over the leased line, but traffic from ip to go over the ADSL.

I tried both:

~# ip rule
0:      from all lookup local
32763:  from lookup adsl
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default


~# ip rule
0:      from all lookup local
32763:  from lookup adsl map-to 82.x.x.74
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

From external locations I can ssh in to the box via both the leased line (217.x.x.2) and the ADSL (82.x.x.74), and furthermore we have put a separate box on the ADSL connection with the 82.x.x.74 IP just to make sure the ADSL connection works outgoing too.

So the main question is: what am I doing wrong / what should I change to be able to have NAT working on both interfaces in a way that I can choose the outgoing interface via ip rule (or some other ruling system, maybe fwmark?).

Kind regards,

Question by: Tjardick

Author Comment

ID: 12179033
Found the solution in such a way that using source NAT works, but MASQ doesn't.

Now just to find a way to allow DNAT (port maps) to work on both lines instead of only the one for which the ip route rule is set to go over.



Expert Comment

ID: 12182377

From a quick reading of your situation I first thought of policy routing. Policy routing in Cisco devices allows you to define a traffic policy so that, say, internal traffic for outbound HTTP gets its default gateway set to the ADSL connection.

Hope this is able to assist you.



Author Comment

ID: 12187913

Thanks for your suggestion, but the problem is more that I want to map a port on both lines, both port 25, but want it to route back over the connection it came in on.

I guess the only solution so far is to run the mail server on 2 ports, one mapped from the leased line, the other from the ADSL; then I can use an fwmark in iptables to mark traffic and set the routing filter accordingly.

I'll close down this question as it looks like i have figured it out all myself :-)
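Putting the two parts of this thread together (selective egress for chosen LAN hosts over the ADSL line, and port 25 forwarded from both public addresses with replies leaving on the line they arrived on), here is an added example script; it is not the poster's configuration. It uses RFC 5737 documentation addresses (198.51.100.x for the leased line, 203.0.113.x for the ADSL line) in place of the masked 217.x.x.x / 82.x.x.x values, and the LAN range 192.168.1.0/24, the hosts 192.168.1.50/.51, the mail server 192.168.1.10 and the mark value 2 are assumptions. It keeps the interface names and the table names leased and adsl from the question (the tables must exist in /etc/iproute2/rt_tables) and uses CONNMARK rather than a second mail port to carry the "which line did this come in on" decision. Without APPLY=1 it only prints the commands.

```shell
#!/bin/sh
# Two-uplink policy routing with NAT on a Linux router (added example, not the
# poster's own configuration). RFC 5737 documentation addresses stand in for the
# masked 217.x.x.x (leased) and 82.x.x.x (ADSL) values; LAN range, ADSL hosts,
# mail server and mark value are assumptions. Without APPLY=1 the script only
# prints the commands it would run.

LAN_IF=eth1;    LAN_NET=192.168.1.0/24
LEASED_IF=eth0; LEASED_NET=198.51.100.0/28; LEASED_IP=198.51.100.2; LEASED_GW=198.51.100.1
ADSL_IF=eth3;   ADSL_NET=203.0.113.72/29;   ADSL_IP=203.0.113.74;   ADSL_GW=203.0.113.73
ADSL_HOSTS="192.168.1.50 192.168.1.51"   # LAN hosts whose traffic should leave via ADSL
MAIL_SRV=192.168.1.10                    # internal mail server reached on port 25 via both lines
MARK_ADSL=2                              # connmark for connections that arrived on the ADSL line

gen_rules() {
    # "leased" and "adsl" are the table names added to /etc/iproute2/rt_tables
    cat <<EOF
ip route flush table leased
ip route flush table adsl
# each table needs the directly connected networks as well as its own default
ip route add $LEASED_NET dev $LEASED_IF src $LEASED_IP table leased
ip route add $LAN_NET dev $LAN_IF table leased
ip route add default via $LEASED_GW dev $LEASED_IF table leased
ip route add $ADSL_NET dev $ADSL_IF src $ADSL_IP table adsl
ip route add $LAN_NET dev $LAN_IF table adsl
ip route add default via $ADSL_GW dev $ADSL_IF table adsl
# traffic sourced from the router's own public addresses stays on its own line
ip rule add from $LEASED_IP lookup leased prio 100
ip rule add from $ADSL_IP lookup adsl prio 101
# a connection that came in on the ADSL interface is marked once; the mark is
# restored on every later packet of that connection (replies included), and
# marked packets are routed through table adsl whatever their source address
iptables -t mangle -A PREROUTING -i $ADSL_IF -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK_ADSL
iptables -t mangle -A PREROUTING -i $LAN_IF -j CONNMARK --restore-mark
ip rule add fwmark $MARK_ADSL lookup adsl prio 150
EOF
    # forwarded packets are routed BEFORE SNAT rewrites their source, so the
    # selector must match the private LAN address, not the router's public one
    for h in $ADSL_HOSTS; do
        echo "ip rule add from $h lookup adsl prio 200"
    done
    cat <<EOF
# one SNAT rule per uplink; the route decision already picked the interface
iptables -t nat -A POSTROUTING -s $LAN_NET -o $LEASED_IF -j SNAT --to-source $LEASED_IP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $ADSL_IF -j SNAT --to-source $ADSL_IP
# port 25 forwarded from both public addresses to the same mail server port;
# replies carry the connmark set above and leave on the line they arrived on
iptables -t nat -A PREROUTING -i $LEASED_IF -d $LEASED_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL_SRV
iptables -t nat -A PREROUTING -i $ADSL_IF -d $ADSL_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL_SRV
ip route flush cache
EOF
}

# number of "ip rule add" lines in the generated set (sanity check)
count_rules() {
    gen_rules | grep -c '^ip rule add'
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | sh -e          # run as root on the router
else
    gen_rules
fi
```

The detail that matters for both questions in the thread is the order of operations in the kernel: a forwarded packet is routed while it still carries the LAN host's private source address, and SNAT only rewrites that address afterwards in POSTROUTING, so a rule keyed on the router's public ADSL address never matches forwarded traffic. Replies to a DNATed port 25 connection likewise still carry the mail server's private address at routing time, which is why the connection mark, not the address, has to carry the "came in on ADSL" decision.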



Accepted Solution

CetusMOD earned 0 total points
ID: 16238485
PAQed with points refunded (500)

Community Support Moderator
