Routing port 80 over dual WAN

Posted on 2006-04-11
Last Modified: 2012-05-05
My setup is I have a 6mb/s DSL and a 3mb/s bonded T1. I would like to be able to route outbound web traffic and downloads over the DSL and keep the T1 open for games (LAN center). Since we are just starting up we don't have the money for an expensive solution from Cisco, but I was hoping for something maybe Linux based (free hopefully) and easy to manage (good GUI). We have a dedicated box right now running Smoothwall Express 2, so reusing that box and adding functionality would be the ideal solution.

Thank you in advance,
Question by:StammesOpfer
    LVL 18

    Accepted Solution

    This is a dual gateway network. Indeed high-end hardware is necessary for the hot setup, but...

    You could run IPCop or another easy-to-set-up Linux system (anything with the Squid caching proxy) to proxy all web traffic on port 80 and ensure that it goes out and comes in via the DSL.  All other protocols will go out through your 3meg by virtue of having the gateway of all PCs point to the 3meg router.

    Nothing to manage.  Proxying is ideal for web/download.
    LVL 1

    Author Comment

    Thanks, that makes sense. I was thinking too close-mindedly; that will serve my purposes very well. I was planning on a proxy anyway but hadn't thought of that.
    LVL 27

    Expert Comment

    You need policy based routing. It's available on modern Linux and FreeBSD kernels for free. I'll tell you about the Linux implementation.

    I'm not sure about an existing GUI for managing policy based routing; at least you may do it in the Command Line Interface.
    I suppose that behind your router you have a LAN with private addresses (suppose
    Your router has 3 interfaces, call them ifLAN, ifT1, ifDSL (ok, they are probably eth0, eth1, eth2 in Linux). Your ifT1 default gateway has gwT1 and your ifDSL default gateway has gwDSL ips (suppose and respectively). Your ifLAN has gwLAN IP (suppose

    Suppose we need to route TCP traffic to port 80 to gwDSL and UDP traffic to port 9999 to gwT1; all other traffic will be routed to gwDSL.
    There is a very good book for policy based routing in Linux (available either on amazon or online):

    Read these chapters before my explanations: (6.3 Tag Routing with TOS and fwmark (nfmark)) (8.3 NetFilter NAT)

    Also this doc will help you in understanding 'tables' in Linux netfilter (-t switch of iptables command):

    Here is a very simple example:

    This type of routing is rather complex and you need to understand Linux NetFilter firewall functionality (man iptables).

    Also note that my example needs to be adjusted and tested (it can probably be tested on SmoothWall Express 2, because it's Linux 2.4.x based and has all the required kernel modules).

    # You need to mark packets arriving from the ifLAN interface (eth0)
    # Fill these in with the LAN prefix and gateway addresses described above
    # (the actual values were left out of the post):
    LAN_NET=    # the private LAN prefix behind ifLAN, in CIDR form
    GW_T1=      # gwT1, the T1 gateway address
    GW_DSL=     # gwDSL, the DSL gateway address

    # We will modify the 'mangle' table (it is processed before NAT)
    iptables -t mangle -A PREROUTING -s $LAN_NET -d 0/0 -p tcp --in-interface eth0 --dport 80 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -s $LAN_NET -d 0/0 -p udp --in-interface eth0 --dport 9999 -j MARK --set-mark 2
    # Any other packets will not be marked

    # Marked packets can be routed with different routing tables (and so to different interfaces)
    # We need two additional routing tables: for WEB traffic and for GAME traffic (append these lines only once)
    echo 201     web.out >> /etc/iproute2/rt_tables
    echo 202     game.out >> /etc/iproute2/rt_tables

    ip rule add fwmark 1 table web.out
    ip rule add fwmark 2 table game.out

    # Now route packets in table web.out to gwDSL and device ifDSL (port 80 goes over the DSL, as intended above)
    ip route add default via $GW_DSL dev eth2 table web.out
    # Do the same with game traffic, which goes to gwT1 and device ifT1
    ip route add default via $GW_T1 dev eth1 table game.out
    # Any other traffic will go through the default routing table

    # Enable new routing tables
    ip route flush cache

    # That's not all... We need to do NAT (masquerade) in POSTROUTING so outgoing packets will have the
    # outgoing interface's address as source IP address
    # read here:

    # NAT to T1
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    # NAT to DSL
    iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

    # That's all
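The same setup as a dry-run-capable script, added here as an editorial example and not code from the thread. It follows the expert's plan for the single-box case (TCP port 80 marked 1 and routed via the DSL, UDP 9999 marked 2 and routed via the T1, everything else through the main table) and assumes the interface names eth0/eth1/eth2 from the comment; the LAN prefix and both gateway addresses are placeholders drawn from the RFC 5737 documentation ranges and must be replaced. With DRY_RUN=1 (the default) it only prints the commands it would run; `sh pbr.sh --apply` executes them as root. It adds two things the post does not cover: the rt_tables entries are appended only if missing, so re-running the script does not duplicate them, and because replies on the second uplink arrive on an interface the main table would not use for that source, strict reverse-path filtering is switched off on the two WAN interfaces and replaced with explicit anti-spoofing rules that drop LAN-sourced packets arriving from either WAN.

```shell
#!/bin/sh
# Added example, not from the original thread: dual-WAN policy routing on a
# Linux box with three interfaces, following the expert's plan above.
# Addresses below are placeholders (RFC 5737 documentation ranges): replace them.
set -u

LAN_IF=${LAN_IF:-eth0}                    # ifLAN
T1_IF=${T1_IF:-eth1}                      # ifT1
DSL_IF=${DSL_IF:-eth2}                    # ifDSL
LAN_NET=${LAN_NET:-192.168.0.0/24}        # placeholder: private LAN behind ifLAN
GW_T1=${GW_T1:-198.51.100.1}              # placeholder: gwT1
GW_DSL=${GW_DSL:-203.0.113.1}             # placeholder: gwDSL
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-1}                     # 1 = print commands only, 0 = execute (root)

# Print a command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register a named routing table exactly once: rt_tables must not accumulate
# a duplicate line every time the script is re-run.
ensure_rt_table() {   # $1 = table id, $2 = table name
  if grep -qs "^$1[[:space:]][[:space:]]*$2\$" "$RT_TABLES"; then
    return 0
  fi
  if [ "$DRY_RUN" = 1 ]; then
    printf 'echo "%s %s" >> %s\n' "$1" "$2" "$RT_TABLES"
  else
    printf '%s\t%s\n' "$1" "$2" >> "$RT_TABLES"
  fi
}

apply_policy_routing() {
  # 1. Classify LAN traffic in the mangle table before routing: fwmark 1 = web,
  #    fwmark 2 = game. Unmarked packets keep using the main table.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p udp --dport 9999 -j MARK --set-mark 2

  # 2. One routing table per class, selected by the mark.
  ensure_rt_table 201 web.out
  ensure_rt_table 202 game.out
  run ip rule add fwmark 1 table web.out
  run ip rule add fwmark 2 table game.out

  # 3. Web leaves via the DSL gateway, game traffic via the T1 gateway.
  run ip route add default via "$GW_DSL" dev "$DSL_IF" table web.out
  run ip route add default via "$GW_T1" dev "$T1_IF" table game.out
  run ip route flush cache

  # 4. Source NAT on each uplink so replies return on the link the flow left by.
  run iptables -t nat -A POSTROUTING -o "$T1_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j MASQUERADE

  # 5. Strict reverse-path filtering drops replies that arrive on the uplink the
  #    main table would not use for that source. Turn it off on the two WAN
  #    interfaces and keep anti-spoofing explicit instead: nothing claiming a
  #    LAN source address may arrive from either WAN.
  run sysctl -w "net.ipv4.conf.$T1_IF.rp_filter=0"
  run sysctl -w "net.ipv4.conf.$DSL_IF.rp_filter=0"
  for wan in "$T1_IF" "$DSL_IF"; do
    run iptables -A INPUT   -i "$wan" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$wan" -s "$LAN_NET" -j DROP
  done
}

# Number of commands the plan produces (always in dry-run mode); a quick sanity check.
plan_line_count() {
  ( DRY_RUN=1; apply_policy_routing ) | wc -l | tr -d ' '
}

case "${1:-}" in
  --apply) DRY_RUN=0 ;;
esac
apply_policy_routing
```

Run it once without arguments and read the printed plan before applying; `ip rule show` and `ip route show table web.out` afterwards confirm the marks are being honoured, and a `tcpdump -i eth2 port 80` on the DSL interface is the quickest way to see that browser traffic really left that way.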

