Asked by estrelow (Chile)
Allowing incoming connections from two ISPs

I have a linux box which I use as a router.
I am in the middle of the process of migrating ISP.

I want to be able, at some point in time, to provide services on two connections coming from the two ISPs at the same time.

The Linux box has four factory-provided NICs:
eth0: to the LAN 192.168.0.0/16
eth1: to the old ISP y.y.y.184/29
eth2: to the new ISP x.x.x.208/29

I already tested the OUTGOING traffic and we can navigate the internet from the LAN to the OUTSIDE, either load-balancing, shaping or spare-connection.

The problem comes from the INCOMING traffic. Connections from the outside consuming our services can't be open on the two ISPs at the same time.

The services are:
DNS
web
a cumbersome and mission-critical ETL interface going on SQL Server from an outside B2B application over which I don't have full control
The SQL service for instance is provided by the LAN host 192.168.1.111

Incoming y.y.y.185 nats to 192.168.1.111
Incoming x.x.x.211 nats to 192.168.1.111

My normal router tool is fwbuilder, which generates mostly an iptables script.

The problem is that I can either turn on/off the y.y.y.185 connections and the x.x.x.211 by changing the box's default gateway. If the two default gateways are up, apparently one masks the other.

So I can either ping from the outside:
ping y.y.y.185 - good
ping x.x.x.211 - bad

or:
ping y.y.y.185 - bad
ping x.x.x.211 - good

I know I can go with a full DNS solution, by changing the A record for sql.mydoma.in from y.y.y.185 to x.x.x.211. The problem is I don't have control of the outside end of the ETL, and I don't trust the ones that are in control. So, I want to have the option of allowing both connections at a time.
I'm about to drop it and go with the DNS solution.

This kind of scenario is supposed to be handled by a wise iproute2 configuration, but I'm not that iproute2-wise.

There are other questions on several forums, but most relate to OUTGOING connections.

So far I have done this:
TABLE_MOVISTAR=101
TABLE_FULLCOM=102

IF_MOVISTAR=eth2
IF_FULLCOM=eth1

GW_MOVISTAR=x.x.x.209
GW_FULLCOM=y.y.y.186

# Main table: flush it and rebuild the connected routes,
# with Movistar as the default gateway for the firewall itself
ip route flush all

# Routes from the firewall
ip route add 127.0.0.0/8 dev lo
ip route add 192.168.0.0/16 dev eth0
ip route add x.x.x.208/29 dev $IF_MOVISTAR
ip route add y.y.y.184/29 dev $IF_FULLCOM
ip route add default via $GW_MOVISTAR

# Route via Movistar (table 101: default gateway on eth2)
ip route flush all table $TABLE_MOVISTAR
ip route add 127.0.0.0/8 dev lo table $TABLE_MOVISTAR
ip route add 192.168.0.0/16 dev eth0 table $TABLE_MOVISTAR
ip route add x.x.x.208/29 dev $IF_MOVISTAR table $TABLE_MOVISTAR
ip route add default via $GW_MOVISTAR dev $IF_MOVISTAR table $TABLE_MOVISTAR

# Route via Fullcom (table 102: default gateway on eth1)
ip route flush all table $TABLE_FULLCOM
ip route add 127.0.0.0/8 dev lo table $TABLE_FULLCOM
ip route add 192.168.0.0/16 dev eth0 table $TABLE_FULLCOM
ip route add y.y.y.184/29 dev $IF_FULLCOM table $TABLE_FULLCOM
ip route add default via $GW_FULLCOM dev $IF_FULLCOM table $TABLE_FULLCOM

# Rules: packets entering on an ISP interface use that ISP's table,
# LAN-originated traffic goes out via Movistar, everything else falls
# through to local, main and default in the usual order
ip rule flush
ip rule add iif $IF_FULLCOM table $TABLE_FULLCOM priority 1
ip rule add iif $IF_MOVISTAR table $TABLE_MOVISTAR priority 2
ip rule add from 192.168.0.0/16 table $TABLE_MOVISTAR priority 3
ip rule add from all lookup local priority 0
ip rule add from all lookup main priority 100
ip rule add from all lookup default priority 101

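The part the script above is missing is the return path: a reply from 192.168.1.111 enters the router on eth0, so an iif rule keyed on eth1 or eth2 never matches it and the main table's single default gateway wins. The added example below (not code from the original post) keeps the per-ISP tables but selects them with a conntrack connection mark set when the connection first arrives on an ISP interface; it reuses the post's names and placeholder addresses, prints the commands by default and only executes them with APPLY=1.

```sh
#!/bin/sh
# Added example, not code from the original post: policy routing for DNATed
# inbound connections on two ISPs, so each reply leaves by the ISP it arrived on.
# The post's iif rules never see the replies, which come from the LAN host on
# eth0; here a connection mark kept by conntrack selects the routing table.
# Dry run by default (prints the commands); run with APPLY=1 to execute them.
APPLY="${APPLY:-0}"
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

# Values from the post; x.x.x / y.y.y are the post's own placeholders.
TABLE_MOVISTAR=101; IF_MOVISTAR=eth2; GW_MOVISTAR=x.x.x.209; MARK_MOVISTAR=1
TABLE_FULLCOM=102;  IF_FULLCOM=eth1;  GW_FULLCOM=y.y.y.186;  MARK_FULLCOM=2
LAN_IF=eth0; LAN_NET=192.168.0.0/16

# One routing table per ISP, each with its own default gateway.
setup_tables() {
  for t in "$TABLE_MOVISTAR $IF_MOVISTAR $GW_MOVISTAR x.x.x.208/29" \
           "$TABLE_FULLCOM $IF_FULLCOM $GW_FULLCOM y.y.y.184/29"; do
    set -- $t   # $1=table $2=interface $3=gateway $4=ISP subnet
    run ip route flush table "$1"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$1"
    run ip route add "$4" dev "$2" table "$1"
    run ip route add default via "$3" dev "$2" table "$1"
  done
}

# Mark each NEW connection by the ISP interface it arrived on, store the mark
# in conntrack, and restore it onto the LAN host's replies (and onto replies the
# router itself sends, e.g. DNS on the box) so the fwmark rules below match.
# The DNAT of y.y.y.185 / x.x.x.211 to the SQL host stays in the fwbuilder script.
setup_marks() {
  run iptables -t mangle -A PREROUTING -i "$IF_MOVISTAR" -m conntrack --ctstate NEW \
      -j MARK --set-mark "$MARK_MOVISTAR"
  run iptables -t mangle -A PREROUTING -i "$IF_FULLCOM" -m conntrack --ctstate NEW \
      -j MARK --set-mark "$MARK_FULLCOM"
  run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  # Strict reverse-path filtering drops packets on the ISP that is not the main
  # table's default route; loose mode (2) keeps the check without that effect.
  run sysctl -w "net.ipv4.conf.$IF_FULLCOM.rp_filter=2" "net.ipv4.conf.$IF_MOVISTAR.rp_filter=2"
}

# Marked packets use their ISP's table ahead of the LAN-outbound rule.
setup_rules() {
  run ip rule add fwmark "$MARK_MOVISTAR" table "$TABLE_MOVISTAR" priority 1
  run ip rule add fwmark "$MARK_FULLCOM" table "$TABLE_FULLCOM" priority 2
  run ip rule add from "$LAN_NET" table "$TABLE_MOVISTAR" priority 3
}
setup_tables; setup_marks; setup_rules
```

Verify with `conntrack -L` (mark=1 or mark=2 on the inbound SQL connections) and `ip route get` with `mark 2` from the LAN host address, which should return the Fullcom gateway.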

ASKER CERTIFIED SOLUTION
Aaron Tomosky
estrelow (ASKER)

aarontomosky, I'm already moving to the DNS solution. I moved the DNS site to another node to avoid getting cornered with no DNS.
I'm not pushing too much on the ttl, though, since I don't trust the other end of the integration system and they may not have a well tuned DNS node.

I'll wait till tomorrow to get an iproute2 kind of answer. If not I'm giving the points to you, since you got the problem right.

Regards.