
  • Status: Solved
  • Priority: Medium
  • Security: Public

Routing port 80 over dual WAN

My setup: I have a 6mb/s DSL and a 3mb/s bonded T1. I would like to be able to route outbound web traffic and downloads over the DSL and keep the T1 open for games (LAN center). Since we are just starting up, we don't have the money for an expensive solution from Cisco, but I was hoping for something maybe Linux based (free, hopefully) and easy to manage (good GUI). We have a dedicated box right now running Smoothwall Express 2, so reusing that box and adding functionality would be the ideal solution.

Thank you in advance,
1 Solution
This is a dual gateway network. Indeed high end hardware is necessary for the hot setup, but...

You could run IPCop or another easy-to-set-up Linux system (anything with the Squid caching proxy) and proxy all web traffic on port 80 to ensure that it is going out and in via the DSL.  All other protocols will go out through your 3meg by virtue of having the gateway of all PCs point to the 3meg router.

Nothing to manage.  Proxying is ideal for web/download.
StammesOpferAuthor Commented:
Thanks, that makes sense. I was thinking too closed-mindedly. That will serve my purposes very well. I was planning on a proxy anyway but hadn't thought of that.
You need policy based routing. It's available on modern Linux and FreeBSD kernels for free. I'll tell you about the Linux implementation.

I'm not sure about an existing GUI for managing policy based routing, but at least you can do it in the command line interface.
I suppose that behind your router you have a LAN with private addresses (suppose
Your router has 3 interfaces, call them ifLAN, ifT1, ifDSL (ok, they are probably eth0, eth1, eth2 in Linux). Your ifT1 default gateway has gwT1 and your ifDSL default gateway has gwDSL ips (suppose and respectively). Your ifLAN has gwLAN IP (suppose

Suppose we need to route TCP traffic to port 80 to gwDSL and UDP traffic to port 9999 to gwT1; all other traffic will be routed to gwDSL.
There is a very good book on policy based routing in Linux (available either on Amazon or online): http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html

Read these chapters before my explanations:
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH06.web.html (6.3 Tag Routing with TOS and fwmark (nfmark))
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH08.web.html (8.3 NetFilter NAT)

Also this doc will help you in understanding 'tables' in Linux netfilter (-t switch of iptables command):

Here is a very simple example: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

This type of routing is rather complex and you need to understand Linux NetFilter firewall functionality (man iptables).

Also note that my example needs to be adjusted and tested (it can probably be tested on SmoothWall Express 2, because it's Linux 2.4.x based and it has all required kernel modules).

# Placeholders: set these to your own LAN subnet and the gwT1 / gwDSL addresses
LAN_NET="<LAN subnet>"
GW_T1="<gwT1 IP>"
GW_DSL="<gwDSL IP>"

# You need to mark incoming packets from the ifLAN interface.
# We will modify the 'mangle' table (it is processed before NAT)
iptables -t mangle -A PREROUTING -s "$LAN_NET" -d 0/0 -p tcp --in-interface eth0 --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s "$LAN_NET" -d 0/0 -p udp --in-interface eth0 --dport 9999 -j MARK --set-mark 2
# Any other packets will not be marked

# We may route marked packets with different routing tables (and so to different interfaces)
# We need two additional routing tables: for WEB traffic and for GAME traffic (append these lines only once)
echo "201     web.out" >> /etc/iproute2/rt_tables
echo "202     game.out" >> /etc/iproute2/rt_tables

# "ip rule" selects on the mark with "fwmark" (no "from" keyword in front of it)
ip rule add fwmark 1 table web.out
ip rule add fwmark 2 table game.out

# Now route packets in table web.out to gwDSL and device ifDSL
ip route add default via "$GW_DSL" dev eth2 table web.out
# Do the same with Game traffic: gwT1 and device ifT1
ip route add default via "$GW_T1" dev eth1 table game.out
# Any other traffic will go through the default routing table

# Enable new routing tables
ip route flush cache

# That's not all... We need to do NAT (masquerade) in POSTROUTING so outgoing packets will have the
# outgoing interface address as source IP address
# read here: http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html

# NAT to T1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# NAT to DSL
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# That's all
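
A way to check a setup like the one above after applying it (an added example, not part of the original answer): the script takes the text printed by `iptables-save -t mangle`, `ip rule show` and `ip route show table all` and reports, for each fwmark, the routing table and egress device it reaches. A mark with no rule, or whose table has no default route, falls through to the main table, which is the failure flagged here. The sample output, its addresses and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample output (documentation addresses, not values from the thread).
MANGLE='-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i eth0 -p udp -m udp --dport 9999 -j MARK --set-xmark 0x2/0xffffffff'
RULES='0: from all lookup local
32764: from all fwmark 0x2 lookup game.out
32765: from all fwmark 0x1 lookup web.out
32766: from all lookup main'
# game.out deliberately has no default route, so mark 0x2 falls through to main.
ROUTES='default via 198.51.100.1 dev eth2
default via 198.51.100.1 dev eth2 table web.out'

# marks_set: print each distinct mark value set by a MARK target.
marks_set() {
    printf '%s\n' "$1" |
        sed -n 's/.*--set-x\{0,1\}mark \(0x[0-9a-fA-F]*\).*/\1/p' | sort -u
}

# table_for_mark MARK RULES: table that "ip rule" selects for MARK (empty if none).
table_for_mark() {
    printf '%s\n' "$2" | awk -v m="$1" '{
        for (i = 1; i < NF; i++) if ($i == "fwmark" && ($(i+1) "") == m)
            for (j = i; j < NF; j++) if ($j == "lookup") { print $(j+1); exit }
    }'
}

# dev_for_table TABLE ROUTES: egress device of TABLE default route (empty if none).
dev_for_table() {
    printf '%s\n' "$2" | awk -v t="$1" '$1 == "default" {
        d = ""; tb = ""
        for (i = 1; i < NF; i++) { if ($i == "dev") d = $(i+1); if ($i == "table") tb = $(i+1) }
        if (tb == t) { print d; exit }
    }'
}

# audit MANGLE RULES ROUTES: one line per mark; returns 1 if any mark is unrouted.
audit() {
    rc=0
    for m in $(marks_set "$1"); do
        t=$(table_for_mark "$m" "$2")
        if [ -z "$t" ]; then echo "$m: no ip rule"; rc=1; continue; fi
        d=$(dev_for_table "$t" "$3")
        if [ -z "$d" ]; then echo "$m: table $t has no default route"; rc=1; continue; fi
        echo "$m -> $t -> $d"
    done
    return $rc
}

audit "$MANGLE" "$RULES" "$ROUTES" || echo "policy routing is incomplete"
```

On a live router, pass the real command output instead of the sample variables, for example `audit "$(iptables-save -t mangle)" "$(ip rule show)" "$(ip route show table all)"`.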

