Selective routing via 2 providers both with NAT

Posted on 2004-09-28
Last Modified: 2010-04-20

We have a Debian router/firewall which currently does masquerading via iptables over a leased line, and we want to add an ADSL line for non-priority traffic like occasional surfing etc.

The interfaces are defined as follows:

217.x.x.0/28 dev eth0  proto kernel  scope link  src 217.x.x.2
dev eth1  proto kernel  scope link  src
82.x.x.72/29 dev eth3  proto kernel  scope link  src 82.x.x.74

with 217.x.x.1 as the gateway on eth0 and
with 82.x.x.73 as the gateway on eth1.

The leased line on 217 has already been working properly for some time now, but the ADSL was connected last week and now I am having difficulties getting traffic from certain internal hosts to route out over it.

In iptables both eth0 and eth3 are set to do POSTROUTING masquerading.

ip route (apart from the above 3 networks) shows a default route:

default via 217.x.x.1 dev eth0

I have added two tables to the iproute2 config, named leased and adsl.

~# ip route show table adsl
82.x.x.72/29 dev eth3  scope link
dev eth1  scope link
dev lo  scope link
default via 82.x.x.73 dev eth3

~# ip route show table leased
217.x.x.0/28 dev eth0  scope link
dev eth1  scope link
dev lo  scope link
default via 217.x.x.1 dev eth0

I added the two rules, based on the source ("from"), to the ip rule list:

~# ip rule
0:      from all lookup local
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

For testing I wanted all traffic to still go over the leased line, but traffic from ip to go over the ADSL.

I tried both:

~# ip rule
0:      from all lookup local
32763:  from lookup adsl
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default


~# ip rule
0:      from all lookup local
32763:  from lookup adsl map-to 82.x.x.74
32764:  from 217.x.x.2 lookup leased
32765:  from 82.x.x.74 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

From external locations I can SSH in to the box via both the leased line (217.x.x.2) and the ADSL (82.x.x.74), and furthermore we have put a separate box on the ADSL connection with the 82.x.x.74 IP just to make sure the ADSL connection works outgoing too.

So the main question: what am I doing wrong / what should I change to be able to have NAT working on both interfaces in a way that I can choose the outgoing interface via ip rule (or some other ruling system, maybe fwmark)?

Kind regards,

Question by:Tjardick
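The setup the question describes, as an added example that is not part of the original post: two provider tables each holding the connected networks, the LAN and its own default gateway, source-based rules, and explicit SNAT per outgoing interface. The public addresses are the post's placeholders (replace the x octets); the LAN (192.168.1.0/24 on eth1) and the host steered over the ADSL line (192.168.1.50) are assumptions, since the post does not give them. The point the post's own rules miss is that a forwarded packet from a LAN host still carries its private source address when the rules are evaluated, so "from 82.x.x.74" never matches it; a rule keyed on the LAN address (or an fwmark) is what selects the adsl table.

```shell
#!/bin/sh
# Added example, not from the original post: policy routing over two
# providers with per-interface source NAT. Public addresses are the post's
# placeholders; LAN_NET, LAN_IF and ADSL_HOST are assumptions.
# Run as root, or with DRYRUN=1 to print the commands instead of executing them.

LEASED_IF=eth0; LEASED_IP=217.x.x.2; LEASED_GW=217.x.x.1; LEASED_NET=217.x.x.0/28
ADSL_IF=eth3;   ADSL_IP=82.x.x.74;   ADSL_GW=82.x.x.73;   ADSL_NET=82.x.x.72/29
LAN_IF=eth1;    LAN_NET=192.168.1.0/24      # assumption: internal LAN
ADSL_HOST=192.168.1.50                      # assumption: LAN host to send out via ADSL
T_LEASED=leased; T_ADSL=adsl                # table names from /etc/iproute2/rt_tables

run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

configure() {
    # 1. Each provider table needs the directly connected nets, the LAN and
    #    its own default gateway. A lookup in 'adsl' for a LAN-bound reply
    #    must still find the LAN, or the reply is unroutable.
    for t in $T_LEASED $T_ADSL; do
        run ip route flush table $t
        run ip route add $LEASED_NET dev $LEASED_IF src $LEASED_IP table $t
        run ip route add $ADSL_NET   dev $ADSL_IF   src $ADSL_IP   table $t
        run ip route add $LAN_NET    dev $LAN_IF table $t
    done
    run ip route add default via $LEASED_GW dev $LEASED_IF table $T_LEASED
    run ip route add default via $ADSL_GW   dev $ADSL_IF   table $T_ADSL

    # 2. Rules. The 'from <provider IP>' rules only match packets the router
    #    itself sends with that source (replies to inbound SSH, for example);
    #    a forwarded LAN packet still has its private source here, so the
    #    host that should use the ADSL line needs its own rule.
    run ip rule add from $LEASED_IP lookup $T_LEASED pref 100
    run ip rule add from $ADSL_IP   lookup $T_ADSL   pref 101
    run ip rule add from $ADSL_HOST lookup $T_ADSL   pref 200
    run ip route flush cache

    # 3. NAT after routing: explicit SNAT per outgoing interface, so the
    #    source becomes the address that belongs to the line actually used.
    run iptables -t nat -A POSTROUTING -o $LEASED_IF -j SNAT --to-source $LEASED_IP
    run iptables -t nat -A POSTROUTING -o $ADSL_IF   -j SNAT --to-source $ADSL_IP
}
```

Check the result with `ip rule show` and `ip route show table adsl`, then watch `tcpdump -ni eth3` while the steered host browses: its packets should leave eth3 with source 82.x.x.74 and nothing from it should appear on eth0.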

Author Comment

ID: 12179033
Found the solution, in such a way that using source NAT works, but MASQ doesn't.

Now just to find a way to allow DNAT (port maps) to work on both lines instead of only the one over which the ip route rule sends the traffic.



Expert Comment

ID: 12182377

From a quick reading of your situation I first thought of policy routing. Policy routing in Cisco devices allows you to define a traffic policy, for example so that internal outbound HTTP traffic gets its default gateway set to the ADSL connection.

Hope this is able to assist you.



Author Comment

ID: 12187913

Thanks for your suggestion, but the problem is more that I want to map a port on both lines (port 25 on both) but want it to route back over the connection it came in on.

I guess the only solution so far is to run the mail server on two ports, one mapped from the leased line and the other from the ADSL; then I can use an fwmark in iptables to mark the traffic and set the routing rules accordingly.

I'll close this question as it looks like I have figured it out myself :-)


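The return-path problem in the last comment, as an added example that is not the poster's two-port solution: port 25 is forwarded on both public addresses to one internal mail server, and each reply goes back out the line its connection arrived on. Instead of a second server port, the ingress line is recorded on the conntrack entry (CONNMARK) and restored onto the reply packets before routing, where an fwmark rule picks the table. This needs iptables with CONNMARK support (patch-o-matic on the 2.4 kernels of the post's era, mainline in later 2.6 kernels). It assumes the tables leased and adsl already exist with each line's default gateway as in the post's `ip route show table` output plus a route to the LAN, that the LAN is on eth1, and that the mail server is 192.168.1.25 (an assumption; the post does not give it).

```shell
#!/bin/sh
# Added example, not from the original post: one internal mail server reachable
# on port 25 via both lines, with replies routed back over the ingress line
# using conntrack marks. Public addresses are the post's placeholders; LAN_IF
# and MAIL are assumptions. Run as root, or with DRYRUN=1 to print the commands.

LEASED_IF=eth0; LEASED_IP=217.x.x.2
ADSL_IF=eth3;   ADSL_IP=82.x.x.74
LAN_IF=eth1                  # assumption: internal LAN interface
MAIL=192.168.1.25            # assumption: internal mail server
MARK_LEASED=1; MARK_ADSL=2   # one mark value per line

run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

configure_dnat() {
    # 1. mangle PREROUTING runs before the routing decision. First copy the
    #    mark stored on the connection (if any) onto the packet; packets of an
    #    already-marked connection are done. Otherwise mark by ingress line and
    #    store the mark on the connection, so the mail server's replies, which
    #    arrive on $LAN_IF with source $MAIL (reverse NAT happens only after
    #    routing), get the same mark.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i $LEASED_IF -j MARK --set-mark $MARK_LEASED
    run iptables -t mangle -A PREROUTING -i $ADSL_IF   -j MARK --set-mark $MARK_ADSL
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

    # 2. Route by mark ahead of any 'from' rule. A reply from the mail server
    #    is routed while its source is still $MAIL, so 'from 82.x.x.74' can
    #    never select the adsl table for it; the mark can.
    run ip rule add fwmark $MARK_LEASED lookup leased pref 50
    run ip rule add fwmark $MARK_ADSL   lookup adsl   pref 51
    run ip route flush cache

    # 3. The same external port on both addresses maps to the one internal port.
    run iptables -t nat -A PREROUTING -i $LEASED_IF -p tcp -d $LEASED_IP --dport 25 -j DNAT --to-destination $MAIL:25
    run iptables -t nat -A PREROUTING -i $ADSL_IF   -p tcp -d $ADSL_IP   --dport 25 -j DNAT --to-destination $MAIL:25

    # 4. Admit the forwarded connections if the FORWARD policy is DROP.
    run iptables -A FORWARD -i $LEASED_IF -o $LAN_IF -p tcp -d $MAIL --dport 25 -j ACCEPT
    run iptables -A FORWARD -i $ADSL_IF   -o $LAN_IF -p tcp -d $MAIL --dport 25 -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}
```

To verify, open a TCP connection to port 25 on 82.x.x.74 from outside and watch `tcpdump -ni eth3 port 25`: the SYN/ACK must leave eth3 with source 82.x.x.74. `cat /proc/net/ip_conntrack` (or `conntrack -L` on newer systems) shows the connection with mark=2. The marks only cover forwarded traffic; services running on the router itself are still routed by the `from <provider IP>` rules, since their replies already carry the right source address.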

Accepted Solution

CetusMOD earned 0 total points
ID: 16238485
PAQed with points refunded (500)

Community Support Moderator
