StammesOpfer


Routing port 80 over dual WAN

My setup is I have a 6mb/s DSL and a 3mb/s bonded T1. I would like to be able to route outbound web traffic and downloads over the DSL and keep the T1 open for games (LAN center). Since we are just starting up we don't have the money for an expensive solution from Cisco, but I was hoping for something maybe Linux based (free hopefully) and easy to manage (good GUI). We have a dedicated box right now running Smoothwall Express 2, so reusing that box and adding functionality would be the ideal solution.

Thank you in advance,
Ryan
ASKER CERTIFIED SOLUTION
carl_legere
StammesOpfer

ASKER

Thanks, that makes sense. I was thinking too close-mindedly; that will serve my purposes very well. I was planning on a proxy anyway but hadn't thought of that.
Arty K
You need policy based routing. It's available on modern Linux and FreeBSD kernels for free. I'll tell you about the Linux implementation.

I'm not sure about an existing GUI for managing policy based routing; at least you may do it in the Command Line Interface.
I suppose that behind your router you have a LAN with private addresses (suppose 192.168.0.0/24).
Your router has 3 interfaces, call them ifLAN, ifT1, ifDSL (ok, they are probably eth0, eth1, eth2 in Linux). Your ifT1 default gateway has gwT1 and your ifDSL default gateway has gwDSL ips (suppose 1.1.1.1 and 2.2.2.2 respectively). Your ifLAN has gwLAN IP (suppose 192.168.0.254).

Suppose we need to route TCP traffic to port 80 to gwDSL and UDP traffic to port 9999 to gwT1; all other traffic will be routed to gwDSL.
There is a very good book for policy based routing in Linux (available either on amazon or online): http://www.policyrouting.org/PolicyRoutingBook/ONLINE/TOC.html

Read these chapters before my explanations:
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH03.web.html
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH06.web.html (6.3 Tag Routing with TOS and fwmark (nfmark))
http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH08.web.html (8.3 NetFilter NAT)

Also this doc will help you in understanding 'tables' in Linux netfilter (-t switch of iptables command):
http://www.netfilter.org/documentation/HOWTO//netfilter-hacking-HOWTO-3.html#ss3.2

Here is a very simple example: http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

This type of routing is rather complex and you need to understand Linux NetFilter firewall functionality (man iptables).

Also note that my example needs to be adjusted and tested (it can probably be tested on Smoothwall Express 2, because it's Linux 2.4.x based and has all the required kernel modules).

# You need to mark incoming packets from the ifLAN interface.
# We will modify the 'mangle' table (it is processed before NAT).
iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -d 0/0 -p tcp --in-interface eth0 --dport 80 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -s 192.168.0.0/24 -d 0/0 -p udp --in-interface eth0 --dport 9999 -j MARK --set-mark 2
# Any other packets will not be marked.

# We may route marked packets with different routing tables (and so to different interfaces).
# We need two additional routing tables: for WEB traffic and for GAME traffic (append these lines only once).
echo 201     web.out >> /etc/iproute2/rt_tables
echo 202     game.out >> /etc/iproute2/rt_tables

ip rule add from 192.168.0.0/24 fwmark 1 table web.out
ip rule add from 192.168.0.0/24 fwmark 2 table game.out

# Now route packets in table web.out to gwDSL via device ifDSL (web traffic over the DSL).
ip route add default via 2.2.2.2 dev eth2 table web.out
# Do the same with game traffic: to gwT1 via device ifT1 (games over the T1).
ip route add default via 1.1.1.1 dev eth1 table game.out
# Any other traffic will go through the default routing table (whose default route should point at gwDSL).

# Enable the new routing tables
ip route flush cache

# That's not all... We need to do NAT (masquerade) in POSTROUTING so outgoing packets will have the
# outgoing interface's address as their source IP address.
# read here: http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html

# NAT to T1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# NAT to DSL
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

# That's all
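The same fwmark setup as a re-runnable script, added here as an example (it is not Arty K's own code). The interface names, gateways and LAN prefix are the assumptions from the thread (eth0 = LAN, eth1 = T1 at 1.1.1.1, eth2 = DSL at 2.2.2.2); the DRY_RUN switch and the two lookup functions are mine, so you can check which path a flow will take before touching a live box.

```shell
# Added example, not the poster's script. Assumes eth0=LAN, eth1=T1, eth2=DSL.
LAN_NET=192.168.0.0/24
IF_LAN=eth0
IF_T1=eth1;  GW_T1=1.1.1.1
IF_DSL=eth2; GW_DSL=2.2.2.2
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only, 0 = execute (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Mirrors the mangle rules: which fwmark a LAN flow receives.
mark_for_flow() {   # $1 = protocol, $2 = destination port
    case "$1/$2" in
        tcp/80)   echo 1 ;;   # web  -> table web.out  -> DSL
        udp/9999) echo 2 ;;   # game -> table game.out -> T1
        *)        echo 0 ;;   # unmarked -> main table's default route
    esac
}

# Mirrors the ip rule / ip route entries: where a mark is sent.
gateway_for_mark() {
    case "$1" in
        1) echo "$GW_DSL dev $IF_DSL table web.out" ;;
        2) echo "$GW_T1 dev $IF_T1 table game.out" ;;
        *) echo "$GW_DSL dev $IF_DSL table main" ;;
    esac
}

# Register a routing table only once, so the script is safe to re-run at boot.
add_table() {   # $1 = table id, $2 = table name
    grep -q "[[:space:]]$2\$" "$RT_TABLES" 2>/dev/null || printf '%s\t%s\n' "$1" "$2" >> "$RT_TABLES"
}

apply_policy() {
    run iptables -t mangle -A PREROUTING -i "$IF_LAN" -s "$LAN_NET" -p tcp --dport 80   -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$IF_LAN" -s "$LAN_NET" -p udp --dport 9999 -j MARK --set-mark 2
    run ip rule add from "$LAN_NET" fwmark 1 table web.out
    run ip rule add from "$LAN_NET" fwmark 2 table game.out
    run ip route add default via "$GW_DSL" dev "$IF_DSL" table web.out
    run ip route add default via "$GW_T1"  dev "$IF_T1"  table game.out
    run ip route replace default via "$GW_DSL" dev "$IF_DSL"   # main table: everything else
    run ip route flush cache
    # Source NAT on each WAN link so replies come back on the link they left by.
    run iptables -t nat -A POSTROUTING -o "$IF_T1"  -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$IF_DSL" -j MASQUERADE
}
```

Run it once with DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 (after `add_table 201 web.out; add_table 202 game.out`) to apply them.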