Hi,
I've got a local network with several workstations attached through a
firewall to the internet by two types of connections: one is called
ADSL, which is cheaper but has lower bandwidth; the other, called T3, is
faster but more expensive.
I want to enable each workstation on the localnet to choose its
connection by setting its default gateway to one of the firewall's IPs
on eth0: 192.168.10.8 for ADSL and 192.168.10.9 for T3. Additionally, each
workstation, regardless of its gateway IP, should be able to access the DMZ.
The topology of the net would be something like this:
                         INTERNET
        =======================================
               |                        |
               |                        |
             DynIP                 212.x.x.195
        /------------\           /---------------\
        | DSL-ROUTER |           |   T3-ROUTER   |
        \------------/           \---------------/
         192.168.11.1               62.x.x.89
        192.168.11.0/24            62.x.x.88/29
               |                        |
               |                        |
         192.168.11.8               62.x.x.90
        192.168.11.0/24            62.x.x.88/29
             eth3                eth1 w/ ProxyARP
                  /---------------\
                  |   FIREWALL    |
                  \---------------/
         eth0:1          eth0            eth2 w/ ProxyARP
       192.168.10.8   192.168.10.9           62.x.x.90
            192.168.10.0/24                62.x.x.88/29
               |                                 \
               |                                  \
        ===========================              eth0
                 LOCALNET                      62.x.x.93
                                              62.x.x.88/29
                                               /-----\
                                               | DMZ |
                                               \-----/
My problem is how to route the packets from the localnet to either ADSL
or T3, depending on whether they were received by the IP 192.168.10.8 or
192.168.10.9.
I tried to mark the packets in the POSTROUTING chain of iptables and
send them to different routing tables, but iptables can't handle aliased
interfaces like eth0:1 as source devices.
The next step was to set up routing depending on incoming interfaces, but
there was no effect on the actual routing.
My current configurations are:
# ip rule ls
0: from all lookup local
32765: from all iif eth0:1 lookup ADSL
32766: from all lookup main
32767: from all lookup default
# ip route show
62.x.x.89 dev eth1 scope link
62.x.x.88/29 dev eth2 scope link
192.168.11.0/24 dev eth3 proto kernel scope link src 192.168.11.8
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.9
default via 62.x.x.89 dev eth1
# ip route show table ADSL
62.153.117.88/29 dev eth2 scope link
default via 192.168.11.92 dev eth3
Does anyone have ideas for solving the problem?
Thanks,
oli
oli,
Nice ASCII map. (Your mailer didn't line break it, and it's clear.)
: My problem is how to route the packets from the localnet to either
: ADSL or T3, depending on whether they were received by the IP
: 192.168.10.8 or 192.168.10.9. I tried to mark the packets in the
: POSTROUTING chain of iptables and send them to different routing
: tables, but iptables can't handle aliased interfaces like eth0:1 as
: source devices.
The problem is that the gateway information (client's chosen destination
IP address) is lost the moment the packet is encapsulated by the client
and transmitted onto the ethernet.
Packet arrives on your firewall looking something like this:
Frame source: client MAC
Frame dest: firewall eth0 MAC
IP source: client IP
IP dest: real destination IP
The addresses 192.168.10.8 and 192.168.10.9 are logical IP addresses which
share the same MAC, so you can't even select on the destination MAC
address, because you can't assign two hardware addresses to the same
interface simultaneously.
If I had to allow the client to select its default gateway, I'd be
inclined to add another interface. But since I'm a control freak and
BOFH, I'd simply use "ip rule" on the firewall to determine which client
IP (or outbound service) gets to use bandwidth on my two connections.
I have some documentation available on
http://plorf.net/linux-ip/html/adv-multi-internet.htm
which may be helpful to you in selecting different outbound routes based
on source IP or destination port.
If anybody else has a clever solution about how to accomplish his original
goal, I'd be interested in hearing the idea.
-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
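The following is an added example and not code from either post or from the linked documentation. It shows Martin's suggestion applied to oli's firewall: one routing table per uplink, selected by source IP or by destination port (fwmark) rather than by the gateway the client picked, with the DMZ reachable from both tables. Interface names and addresses are taken from the diagram; the masked 62.x.x.* values have to be replaced before the script is applied. The ADSL_HOSTS and ADSL_PORTS policy, the fwmark value, the table numbers and the dry-run mechanism are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: policy routing on the firewall in
# oli's diagram, following Martin's suggestion to pick the outbound link by
# source IP or destination port instead of by the client's chosen gateway.
# Addresses come from the diagram; the masked 62.x.x.* values must be
# replaced before applying. ADSL_HOSTS, ADSL_PORTS, the fwmark value and the
# table numbers are assumptions for illustration.
# Default is a dry run that prints the commands; "sh multiwan.sh apply"
# executes them (as root).

DRY_RUN="${DRY_RUN:-1}"

LAN_NET=192.168.10.0/24
DSL_NET=192.168.11.0/24
DMZ_NET=62.x.x.88/29
DSL_GW=192.168.11.1          # DSL router, behind eth3
T3_GW=62.x.x.89              # T3 router, behind eth1
ADSL_HOSTS="192.168.10.20 192.168.10.21"   # assumed: hosts pinned to the cheap link
ADSL_PORTS="80 443"                         # assumed: bulk web traffic goes cheap too
MARK_ADSL=1                                 # assumed fwmark value
TABLE_ADSL=100                              # assumed table ids (or names from
TABLE_T3=200                                # /etc/iproute2/rt_tables)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One table per uplink. Each carries the connected LAN, DMZ and uplink routes
# plus its own default, so a lookup that lands in either table resolves the
# DMZ and the LAN by itself (oli's requirement) and never falls through to main.
plan_tables() {
    run ip route add "$LAN_NET" dev eth0 table "$TABLE_ADSL"
    run ip route add "$DMZ_NET" dev eth2 table "$TABLE_ADSL"
    run ip route add "$DSL_NET" dev eth3 table "$TABLE_ADSL"
    run ip route add default via "$DSL_GW" dev eth3 table "$TABLE_ADSL"

    run ip route add "$LAN_NET" dev eth0 table "$TABLE_T3"
    run ip route add "$DMZ_NET" dev eth2 table "$TABLE_T3"
    run ip route add "$T3_GW" dev eth1 table "$TABLE_T3"
    run ip route add default via "$T3_GW" dev eth1 table "$TABLE_T3"
}

# Rules are consulted in ascending pref order, before "main".
# "iif eth0:1" can never match: an alias is only a second address on eth0,
# not a device the kernel sees a packet arrive on.
plan_rules() {
    for h in $ADSL_HOSTS; do
        run ip rule add from "$h" lookup "$TABLE_ADSL" pref 1000
    done
    # Port-based selection: the mark must be set in PREROUTING, i.e. before
    # the routing decision; marking in POSTROUTING is too late to change it.
    for p in $ADSL_PORTS; do
        run iptables -t mangle -A PREROUTING -i eth0 -s "$LAN_NET" \
            -p tcp --dport "$p" -j MARK --set-mark "$MARK_ADSL"
    done
    run ip rule add fwmark "$MARK_ADSL" lookup "$TABLE_ADSL" pref 1010
    # Everything else from the LAN takes the T3 link.
    run ip rule add from "$LAN_NET" lookup "$TABLE_T3" pref 1020
    run ip route flush cache
}

# Number of rule selectors that steer traffic into the ADSL table.
count_adsl_rules() {
    plan_rules | grep -c "lookup $TABLE_ADSL"
}

if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
plan_tables
plan_rules
```

NAT for the private LAN on each uplink (SNAT/MASQUERADE on eth3 and eth1) and any rp_filter adjustments are left out here and have to be configured separately. If the clients really must keep choosing the link by gateway address, Martin's other option applies: give the firewall a second physical interface with its own MAC for the ADSL gateway address, and then an `ip rule ... iif <that interface>` selector does work, because the packets arrive on a real device.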