Tjardick asked:
Selective routing via 2 providers both with NAT

Hello,

We have a Debian router/firewall which currently does masq via iptables over a leased line, and we want to add an ADSL line for non-priority traffic like occasional surfing, etc.

The interfaces are defined as follows:

217.x.x.0/28 dev eth0  proto kernel  scope link  src 217.x.x.2
192.168.0.0/22 dev eth1  proto kernel  scope link  src 192.168.0.1
82.x.x.72/29 dev eth3  proto kernel  scope link  src 82.x.x.74

With 217.x.x.1 as the gateway on eth0 and
with 82.x.x.73 as the gateway on eth1

The leased line on 217 has already been working properly for some time now, but the ADSL was connected last week and now I am having difficulties getting traffic from certain internal hosts to route out over it.

In iptables both eth0 & eth3 are set to do POSTROUTING masq.

ip route (apart from the above 3 networks) shows a default route:

default via 217.x.x.1 dev eth0

I have added two tables to the iproute2 config, named leased and adsl.

~# ip route show table adsl
82.x.x.72/29 dev eth3  scope link
192.168.0.0/22 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 82.x.x.73 dev eth3

~# ip route show table leased
217.x.x.0/28 dev eth0  scope link
192.168.0.0/22 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 217.x.x.1 dev eth0

I added the 2 rules based on the 'from' address to the ip rules:

~# ip rule
0:      from all lookup local
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default


For testing I wanted all traffic to still go over the leased line, but traffic from IP 192.168.1.247 to go over the ADSL.

I tried both:

~# ip rule
0:      from all lookup local
32763:  from 192.168.1.247 lookup adsl
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

and

~# ip rule
0:      from all lookup local
32763:  from 192.168.1.247 lookup adsl map-to 82.x.x.74
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

From external locations I can ssh in to the box via both the leased line (217.x.x.2) and the ADSL (82.x.x.74), and furthermore we have put a separate box on the ADSL connection with the 82.x.x.74 IP just to make sure the ADSL connection works outgoing too.

So the main question: what am I doing wrong / what should I change to be able to have NAT working on both interfaces in a way that I can choose, via ip rule (or some other ruling system, maybe fwmark?), the outgoing interface?

Kind regards,

Tjardick
Tjardick (ASKER):
Found the solution in such a way that using source NAT works, but MASQ doesn't.

Now just to find a way to allow DNAT (port maps) to work on both lines instead of only the one for which the ip route rule is set to go over.

Regards,

Tjardick
Tjardick,

From a quick reading of your situation I first thought of policy routing. Policy routing in Cisco devices allows you to define a traffic policy, for, say, internal traffic for outbound HTTP, that gets its default gateway set to the ADSL connection.

Hope this is able to assist you.

Cheers!

Dan
Dan,

Thanks for your suggestion, but the problem is more that I want to map a port on both lines, both port 25, but want it to route back over the connection it came in on.

I guess the only solution so far is to run the mail server on 2 ports, one which is mapped from the leased line, the other from the ADSL; then I can use an fwmark in iptables to mark traffic and then set routing filters accordingly.

I'll close down this question as it looks like I have figured it all out myself :-)

regards,

Tjardick
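Added example (not the asker's configuration, nor anything posted in the thread): the shell script below puts the pieces discussed above in one place. It builds the two routing tables, adds source-based and fwmark-based ip rules, applies explicit per-uplink SNAT (what the asker reported as working where MASQUERADE did not), DNATs port 25 on both public addresses to a single internal mail host, and uses CONNMARK so that replies to a connection that arrived on one uplink are routed back out that same uplink. That last part addresses the open problem in the final post without running the mail server on two ports: the mail host's reply packets enter on eth1 with a private source, so the 'from 82.x.x.74' rule never matches them, but a mark restored from conntrack does. Interface names, the table ids 100/200, the marks 0x1/0x2, the mail host 192.168.0.25, and the RFC 5737 addresses standing in for the masked 217.x.x.0/28 and 82.x.x.72/29 ranges are all assumptions. With DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Dual-uplink policy routing with per-link SNAT, DNAT on both public
# addresses, and connection marking so replies leave the way they came in.
# Added example for this thread; not the asker's configuration.
# Public addresses are RFC 5737 documentation ranges standing in for the
# masked 217.x.x.0/28 and 82.x.x.72/29 in the question (assumptions).
set -eu

LAN_IF=eth1;    LAN_NET=192.168.0.0/22
LEASED_IF=eth0; LEASED_IP=203.0.113.2;  LEASED_NET=203.0.113.0/28;  LEASED_GW=203.0.113.1
ADSL_IF=eth3;   ADSL_IP=198.51.100.74;  ADSL_NET=198.51.100.72/29;  ADSL_GW=198.51.100.73
MAIL_HOST=192.168.0.25       # assumed internal mail server behind both port-25 DNATs
ADSL_CLIENT=192.168.1.247    # LAN host from the question that should go out via ADSL

# Numeric table ids (map 'leased'/'adsl' to them in /etc/iproute2/rt_tables) and fwmarks.
T_LEASED=100; T_ADSL=200
M_LEASED=0x1; M_ADSL=0x2

# run: execute a command, or just print it when DRY_RUN=1 so the plan can be reviewed.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

sysctls() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # Strict reverse-path filtering would drop packets arriving on the ADSL link,
    # because 'main' says their source is reachable via the leased default.
    run sysctl -q -w "net.ipv4.conf.$LEASED_IF.rp_filter=2"
    run sysctl -q -w "net.ipv4.conf.$ADSL_IF.rp_filter=2"
}

routing_tables() {
    # Each table carries the connected networks it needs plus its own default.
    run ip route replace "$LEASED_NET" dev "$LEASED_IF" table "$T_LEASED"
    run ip route replace "$LAN_NET"    dev "$LAN_IF"    table "$T_LEASED"
    run ip route replace default via "$LEASED_GW" dev "$LEASED_IF" table "$T_LEASED"
    run ip route replace "$ADSL_NET"   dev "$ADSL_IF"   table "$T_ADSL"
    run ip route replace "$LAN_NET"    dev "$LAN_IF"    table "$T_ADSL"
    run ip route replace default via "$ADSL_GW" dev "$ADSL_IF" table "$T_ADSL"
}

policy_rules() {
    # Traffic sourced from a public address (local daemons such as sshd) uses that link.
    run ip rule add from "$LEASED_IP" lookup "$T_LEASED" priority 100
    run ip rule add from "$ADSL_IP"   lookup "$T_ADSL"   priority 101
    # Marked packets: these must sit above 'from all lookup main' (priority 32766).
    run ip rule add fwmark "$M_LEASED" lookup "$T_LEASED" priority 200
    run ip rule add fwmark "$M_ADSL"   lookup "$T_ADSL"   priority 201
    run ip route flush cache
}

mark_rules() {
    # Forwarded traffic is routed after mangle PREROUTING, so marks set here pick the uplink.
    # 1. Put the connection's saved mark back on every packet, replies from the LAN included.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. New inbound connections remember the uplink they arrived on; the mail server's
    #    replies then hit the fwmark rule for that link instead of the main default.
    run iptables -t mangle -A PREROUTING -i "$LEASED_IF" -m conntrack --ctstate NEW -j MARK --set-mark "$M_LEASED"
    run iptables -t mangle -A PREROUTING -i "$ADSL_IF"   -m conntrack --ctstate NEW -j MARK --set-mark "$M_ADSL"
    # 3. New connections from the chosen LAN host go out via ADSL; unmarked LAN traffic
    #    falls through to 'main' and the leased default.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$ADSL_CLIENT" -m conntrack --ctstate NEW -j MARK --set-mark "$M_ADSL"
    # 4. Persist the packet mark on the connection so later packets in both directions inherit it.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

nat_rules() {
    # Explicit per-uplink SNAT (what the asker reported as working in place of MASQUERADE).
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$LEASED_IF" -j SNAT --to-source "$LEASED_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ADSL_IF"   -j SNAT --to-source "$ADSL_IP"
    # Port 25 on both public addresses lands on one internal mail host, same port.
    run iptables -t nat -A PREROUTING -i "$LEASED_IF" -d "$LEASED_IP" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_HOST"
    run iptables -t nat -A PREROUTING -i "$ADSL_IF"   -d "$ADSL_IP"   -p tcp --dport 25 -j DNAT --to-destination "$MAIL_HOST"
}

configure_dual_wan() {
    sysctls
    routing_tables
    policy_rules
    mark_rules
    nat_rules
}

# Usage: DRY_RUN=1 sh dual-wan.sh apply   (review the plan)   /   sh dual-wan.sh apply   (as root)
if [ "${1:-}" = apply ]; then configure_dual_wan; fi
```

Two caveats: rp_filter=2 (loose mode) exists from kernel 2.6.31 on; on older kernels set it to 0 on the two uplinks instead, otherwise inbound ADSL packets are silently dropped before any rule is consulted. And the order of the mangle rules matters: restore-mark first, the NEW-connection marks next, save-mark last, so that an established connection's mark is never overwritten and a freshly marked one is stored for its replies.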
ASKER CERTIFIED SOLUTION
CetusMOD
(This solution is only available to members of Experts Exchange.)