Eduardo Bejar
2006-Feb-11 19:19 UTC
Route all LAN traffic through eth2 and keep web/mail traffic on eth0
Hi,

I have the following config:

1 PC with 3 NICs, that shares internet connection to LAN.
eth0 uses a public IP ($public_ip_1)
eth1 uses a private IP ($private_ip)
eth2 uses a public IP ($public_ip_2)

I have a webserver and a mailserver accessible by $public_ip_1 (eth0).
I have a LAN with all terminals using private IPs, and $private_ip (eth1) as gateway.
$public_ip_1 and $public_ip_2 are from the same network segment (two consecutive IPs).
eth0 and eth2 should use the same external IP as gateway (only 1 provider, so this is not a load balancing/multiple providers case).
eth0 and eth2 are connected to the same switch.

How can I route all LAN traffic via eth2 and keep web/mail traffic on eth0? And with this, make the LAN traffic use eth2's IP to connect to the Internet and the PC traffic use eth0?

I tested masquerading through eth2 with

    iptables -t nat -A POSTROUTING -s $private_ip_net/255.255.255.0 -o eth2 -j MASQUERADE

But LAN could not access the Internet, although the PC could.

Someone told me something about ip rules, which I tested but it seems that they did not work, as both eth0 and eth2 should use the same gateway.

Please send me any comments/help regarding this issue,

Thanks!

Edo
Edmundo Carmona
2006-Feb-11 23:33 UTC
Re: Route all LAN traffic through eth2 and keep web/mail traffic on eth0
Well, you can certainly force packets coming from the LAN to use one given interface. You have to use what's called "Policy Routing".

You have to create a new routing table in /etc/iproute2/rt_tables (use any text editor). Then you have to populate that routing table with the routing configuration you want to use for those packets you want to treat specially.... say:

    # "via", not "gw"; the table's default route must leave through eth2
    ip route add default via $gw_ip dev eth2 table newtable

All you have to do now is force the packets from the LAN to use that routing table instead of the default one... it could be:

    ip rule add pref 32000 from $lan_network table newtable

That should force the LAN traffic to go out through eth2. Maybe I could have made a mistake in my commands, but the ideas are around that. Read about policy routing.

However, I see you are connected twice in the same subnet... that is a major problem, in my experience. Be careful with that...

Good luck!

On 2/11/06, Eduardo Bejar <wonka@linkabu.net> wrote:
> [...]
Nataniel Klug
2006-Feb-12 19:37 UTC
Re: Route all LAN traffic through eth2 and keep web/mail traffic on eth0
Eduardo,

The idea is very simple. You must create two routing tables, one for each outside world interface (read the LARTC howto on how to make it). Then all traffic coming from eth1 that wants to go to the internet must go to interface eth2, so let's mark it:

    iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1

Now we must send these marked packets to the routing table that has the default gateway on interface eth2:

    ip rule add prio 200 fwmark 1 table route-eth2

This is only an example. Read the LARTC howto, then, if you still have any doubt, come back here.

Att,

Nataniel Klug
Gerente
Cyber Nett

----- Original Message -----
From: "Eduardo Bejar" <wonka@linkabu.net>
To: <lartc@mailman.ds9a.nl>
Sent: Saturday, February 11, 2006 4:19 PM
Subject: [LARTC] Route all LAN traffic through eth2 and keep web/mail traffic on eth0

> [...]
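The two replies above describe the same procedure with different selectors: Edmundo's rule matches on the LAN source network, Nataniel's marks packets by ingress interface and matches on the fwmark. The script below is an added example that ties both together for the three-NIC box in the question; it is not code from the thread or from the LARTC howto. The LAN network, gateway address and the table name/number (192.168.1.0/24, 203.0.113.1, "lanroute"/100) are constructed placeholders for the $private_ip_net, gateway and table the posters left unnamed. It also shows why the original MASQUERADE rule alone did nothing: with only the main table in play, forwarded LAN traffic leaves via eth0, so a NAT rule matching "-o eth2" never sees a packet. The policy rule must pick eth2 first; the NAT rule then applies. The last function addresses Edmundo's warning about two NICs on one subnet by making the kernel answer ARP only on the interface that would route to the requester.

```shell
#!/bin/sh
# Added example (not from the thread). Policy routing so that LAN traffic
# leaves through eth2 while the box's own web/mail traffic keeps using eth0.
# All addresses below are constructed placeholders; adjust before use.
# DRY_RUN=1 (default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth1}"                 # interface holding $private_ip
LAN_EGRESS_IF="${LAN_EGRESS_IF:-eth2}"   # public interface the LAN should use
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # placeholder for $private_ip_net/255.255.255.0
GW_IP="${GW_IP:-203.0.113.1}"            # placeholder for the provider's gateway
TABLE_ID=100                             # placeholder table number
TABLE_NAME=lanroute                      # placeholder table name

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Register the extra routing table (idempotent when run for real).
ensure_rt_table() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> /etc/iproute2/rt_tables\n' "$TABLE_ID" "$TABLE_NAME"
    elif ! grep -q "[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables; then
        echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
    fi
}

# 2. Give the new table its own default route out of the LAN egress interface.
#    The table is referenced by number, so this works even if rt_tables was not edited.
add_table_route() {
    run ip route replace default via "$GW_IP" dev "$LAN_EGRESS_IF" table "$TABLE_ID"
}

# 3a. Source-based selector (Edmundo's approach). pref 32000 sorts before the
#     main table rule at 32766, so LAN sources are routed by the new table;
#     the box's own traffic from $public_ip_1 still uses main and leaves via eth0.
add_source_rule() {
    run ip rule add pref 32000 from "$LAN_NET" table "$TABLE_ID"
}

# 3b. fwmark selector (Nataniel's approach): mark on ingress interface, route by mark.
add_fwmark_rule() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j MARK --set-mark 1
    run ip rule add prio 200 fwmark 1 table "$TABLE_ID"
}

# 4. NAT. Only now does "-o eth2" match, because the routing decision above
#    actually selects eth2 for LAN packets.
add_nat() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$LAN_EGRESS_IF" -j MASQUERADE
}

# 5. eth0 and eth2 sit on the same switch and subnet: answer ARP for an address
#    only on the interface the kernel would route to the requester, and announce
#    with the address that belongs to the sending interface. Without this the
#    switch may learn $public_ip_2 behind eth0's MAC and return traffic lands
#    on the wrong NIC.
harden_arp() {
    run sysctl -w net.ipv4.conf.all.arp_filter=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
}

apply_all() {
    ensure_rt_table
    add_table_route
    add_source_rule        # or add_fwmark_rule; one selector is enough
    add_nat
    harden_arp
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Preview with `DRY_RUN=1 sh policy_route.sh apply`, then run it as root with `DRY_RUN=0` once the placeholders are replaced. The source-based rule is the simpler choice here because the LAN is a single private network; the fwmark variant is what you would reach for when the selection depends on something the routing key cannot see, such as a port or an ingress interface. Check the result with `ip rule show` and `ip route show table 100`.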