How do I use Linux as a multihomed router/firewall?

I have a situation where I have two independent ADSL connections from the same supplier.  Each connection has a different IP address and there is a block of IP addresses that are routed over both connections.  For example assume:

83.1.1.2 is the 1st ADSL connection with a gateway of 83.1.1.1
82.1.1.2 is the 2nd ADSL connection with a gateway of 82.1.1.1
81.1.1.0 mask 255.255.255.240 is a routed block
10.1.1.0 mask 255.255.255.0 is used for the internal network.

I want to achieve:
1)  traffic from the Internet to the 81.1.1.0 address block will be received over either ADSL connection and routed on (firewalled).
2)  traffic from the 81.1.1.0 address block to the Internet will be routed out over either of the two ADSL lines, ideally load balanced.
3)  traffic from any of the 10.1.1.0 to the Internet will be passed to the Internet using NAT (and the replies sent to the correct place, obviously) over either of the two ADSL lines, ideally load balanced.
4)  everything will continue to work if one of the ADSL lines fails

If load balancing isn't easy/possible/practical my next preference would be to use one connection (primarily) for the 10 network & the other for the 81 network.  The 81 network does not have to actually exist - it would be done using NAT mappings if that's easier.

What I had in mind was something like:
eth0 connected to the first ADSL line
eth1 connected to the second ADSL line
eth2 connected to the internal network, which will use this as a gateway.

then either:
     eth3 connected to the 81.1.1.0 network, which will use this as a gateway
or  eth2 multi-homed to the 81.1.1.0 network, which will use this as a gateway.
or  NAT translation for inbound services from the 81.1.1.0 block to the 10.1.1.1 block

Will this work? I know I'll have to set up iptables to provide the firewall & NAT (though I don't know how to do that yet), but what else will I need to do?  If there are two default routes to the Internet (from within the machine) – i.e.

0.0.0.0 mask 0.0.0.0 interface eth0 gateway 83.1.1.1
and
0.0.0.0 mask 0.0.0.0 interface eth1 gateway 82.1.1.1

will this cause a problem?

I plan to use CentOS 4 (AKA RHEL 4).

Are there any other things to watch out for?
Asked by: DrBeaker

2 Solutions

Gabriel Orozco (Solution Architect) commented:
You need iproute2.

check this:  http://mailman.ds9a.nl/pipermail/lartc/2001q1/000615.html

but even that example follows this howto:

http://www.lartc.org/howto/lartc.rpdb.multiple-links.html


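The LARTC "multiple links" recipe the two links above describe, written out for the addresses in the question. This is an added example, not code from the thread or from the LARTC howto: the uplink netmasks (/24), the routing table numbers (1 and 2) and the forwarding policy are my own assumptions, and the addresses on eth2 (10.1.1.0/24 and 81.1.1.0/28) are assumed to be configured already. With DRY_RUN=1 (the default) every command is printed instead of executed, so the plan can be reviewed before it is applied on the router.

```shell
#!/bin/sh
# Added example (not from the original thread): the LARTC "multiple links"
# setup for the two ADSL uplinks in the question. Addresses and interfaces are
# the question's; the uplink netmasks (/24), routing table numbers (1 and 2)
# and the FORWARD policy are my own assumptions. Needs a kernel built with
# CONFIG_IP_ROUTE_MULTIPATH for the weighted default route.

DRY_RUN="${DRY_RUN:-1}"          # 1 = print commands, 0 = run them (as root)

IF1=eth0; IP1=83.1.1.2; GW1=83.1.1.1; LINK1=83.1.1.0/24; TABLE1=1
IF2=eth1; IP2=82.1.1.2; GW2=82.1.1.1; LINK2=82.1.1.0/24; TABLE2=2
LAN_IF=eth2; LAN_NET=10.1.1.0/24
ROUTED_NET=81.1.1.0/28           # 255.255.255.240

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per uplink, each with its link route and its own default
# gateway, plus a rule that selects that table for packets sourced from the
# uplink's address. This is what makes a reply leave by the link it arrived on
# instead of following the main-table default (the asymmetric-routing problem
# the LARTC howto describes).
uplink_table() {   # args: iface address gateway link-net table
    run ip route add "$4" dev "$1" src "$2" table "$5"
    run ip route add default via "$3" dev "$1" table "$5"
    run ip rule add from "$2" table "$5"
}

# Main table: a single weighted multipath default route (lhboi's command).
# Balancing is per route-cache entry (per destination), not per packet.
multipath_default() {
    run ip route add default scope global \
        nexthop via "$GW1" dev "$IF1" weight 1 \
        nexthop via "$GW2" dev "$IF2" weight 1
}

# Point 3 of the question: the 10.1.1.0/24 LAN is source-NATed to the address
# of whichever uplink the route picked, so replies come back on that link and
# the "from <address>" rule above sends the LAN's later packets out of it too.
# The routed 81.1.1.0/28 block is forwarded without translation.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$IF1" -j SNAT --to-source "$IP1"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$IF2" -j SNAT --to-source "$IP2"
}

# Minimal forwarding policy: established traffic both ways, new outbound flows
# from the LAN and the routed block, everything else dropped. Inbound services
# on 81.1.1.0/28 need their own per-port ACCEPT rules added here.
forward_policy() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for up in "$IF1" "$IF2"; do
        run iptables -A FORWARD -s "$LAN_NET" -o "$up" -j ACCEPT
        run iptables -A FORWARD -s "$ROUTED_NET" -o "$up" -j ACCEPT
    done
    run sysctl -w net.ipv4.ip_forward=1
}

apply_all() {
    uplink_table "$IF1" "$IP1" "$GW1" "$LINK1" "$TABLE1"
    uplink_table "$IF2" "$IP2" "$GW2" "$LINK2" "$TABLE2"
    multipath_default
    nat_rules
    forward_policy
}

apply_all
```

Run it once as-is to read the generated commands, then with `DRY_RUN=0` as root to apply them. The per-uplink `ip rule add from` lines are the part most often missed: without them, a reply to a packet that arrived on 82.1.1.2 may be sent out eth0 with an 82.x source, which the ISP is likely to drop.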
lhboi commented:
Because you write the interface names as eth0 and eth1, I assume that you have two routers on two ADSL lines. The situation is slightly different if you have two PPPoE connections from your Linux machine through two ADSL modems.

Q1)  traffic from the Internet to the 81.1.1.0 address block will be received over either ADSL connection and routed on (firewalled).
A: This depends on your service provider. Your service provider must set the route to the 81.1.1.0 address block to go through both of your ADSL addresses.

Q2)  traffic from the 81.1.1.0 address block to the Internet will be routed out over either of the two ADSL lines, ideally load balanced.
If there are two default routes to the Internet (from within the machine) – i.e.
0.0.0.0 mask 0.0.0.0 interface eth0 gateway 83.1.1.1
and
0.0.0.0 mask 0.0.0.0 interface eth1 gateway 82.1.1.1
will this cause a problem?
You can have one default route over many interfaces. The command is:
   ip route add default nexthop via 83.1.1.1 dev eth0 weight 1  nexthop via 82.1.1.1 dev eth1 weight 1
See the man page of the ip command for more.

3)  traffic from any of the 10.1.1.0 to the Internet will be passed to the Internet using NAT (and the replies sent to the correct place, obviously) over either of the two ADSL lines, ideally load balanced.
If the source address is NATted to one in the 81.1.1.0 block, there is nothing special here.

4)  everything will continue to work if one of the ADSL lines fails
You must write some script to monitor the two routers to see if either of them fails. When a failure happens, run another script to change the default route (use only one nexthop).

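One way to do the monitoring lhboi describes for point 4, as an added example that is not part of the thread: a small script that probes each ADSL gateway, keeps the weighted multipath default while both answer, and collapses the default route to a single next hop when one stops answering. Addresses and interfaces are the question's; the probe method (one ICMP echo per gateway, sent out the uplink interface), the state-file path and the poll interval are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): failover monitor for the two
# ADSL gateways in the question. Probe method, state file and interval are
# assumptions; DRY_RUN=1 (default) prints the route change instead of applying it.

GW1=83.1.1.1; IF1=eth0
GW2=82.1.1.1; IF2=eth1
INTERVAL="${INTERVAL:-10}"
STATE_FILE="${STATE_FILE:-/var/run/adsl-failover.state}"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One echo request, forced out the uplink interface so the path under test is
# that link and not the other one. Exit status 0 means the gateway answered.
# Pinging only the gateway detects a dead local loop, not an ISP-side outage;
# a host route to a probe address beyond the gateway would catch both.
probe_gateway() { ping -c 1 -W 2 -I "$2" "$1" >/dev/null 2>&1; }

link_state() { if probe_gateway "$1" "$2"; then echo up; else echo down; fi; }

# Pure decision function: $1/$2 are "up" or "down" for link 1 and link 2.
# Prints the route command to apply; prints nothing when both are down, so the
# existing route is left alone instead of being replaced with something useless.
route_for_state() {
    case "$1/$2" in
        up/up)     echo "ip route replace default scope global nexthop via $GW1 dev $IF1 weight 1 nexthop via $GW2 dev $IF2 weight 1" ;;
        up/down)   echo "ip route replace default via $GW1 dev $IF1" ;;
        down/up)   echo "ip route replace default via $GW2 dev $IF2" ;;
        down/down) : ;;
        *) echo "route_for_state: bad state '$1/$2'" >&2; return 2 ;;
    esac
}

# Re-programs the default route only when the up/down state has changed since
# the last pass, so a healthy pair of links is not rewritten every interval
# (each rewrite also flushes the route cache and its load-balancing choices).
monitor_once() {
    s1=$(link_state "$GW1" "$IF1")
    s2=$(link_state "$GW2" "$IF2")
    new="$s1/$s2"
    old=$(cat "$STATE_FILE" 2>/dev/null || echo none)
    if [ "$new" != "$old" ]; then
        cmd=$(route_for_state "$s1" "$s2")
        if [ -n "$cmd" ]; then run $cmd; fi   # unquoted on purpose: split into argv
        echo "$new" > "$STATE_FILE"
        logger -t adsl-failover "links now $new" 2>/dev/null || true
    fi
}

case "${1:-}" in
    once) monitor_once ;;
    loop) while :; do monitor_once; sleep "$INTERVAL"; done ;;
esac
```

Start it with `DRY_RUN=0 ./adsl-failover.sh loop` from an init script (or run `once` from cron); `ip route replace` is used rather than `del`/`add` so the switch is a single atomic change and the script can be re-run safely.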