On Tue, Apr 17, 2001 at 07:11:51PM -0400, Jonathan Glass wrote:
> We are changing providers, and have a 30-day period of simultaneous access
> to both ISP's T1 Circuits. I thought it would be a waste to be paying for
> 3Mbps, and only using 1.544, so I recommended we do this.
>
> We have 15 LANs behind our single masquerading firewall
> (192.168.0.0/24 - 192.168.15.0/24). I have a backbone switch linking all of
> these LANs (3Com Corebuilder 3500) over 100 Mbps switched fiber.
>
> I have the corebuilder set to a default route of 192.168.254.1, which is my
> Linux firewall.
>
> The Linux firewall has 16 static routes defined to our private networks,
> pointing back to the corebuilder (192.168.254.2), and a default route
> pointing to our current ISP's T1 (111.111.111.111). It also has the IP
> addresses for each of our servers configured as aliases, and port forwards
> only the traffic I allow to the correct internal IP address. Works like a
> charm, even with 800 machines using 1 IP for masquerading...
>
> I tried adding an alias (eth1:7) for our new ISP's network (ISP router
> 222.222.222.222, our firewall 222.222.222.223). They can ping each other,
> but the firewall cannot respond to pings from beyond the router. Monitoring
> the packet flow, it tries to respond to all packets via the 111.111.111.111
> route with the 222.222.222.223 IP source address, which of course is
> filtered out. If I change the default route to 222.222.222.222, everything
> works fine, but then it cannot respond to the other circuit.
>
> Looking at this, I believe that the best solution is to use the multipath
> statement in the "ip route" command. The only concerns I have are that all
> outgoing student traffic MUST be masqueraded with the 111.111.111.111 IP
> address until May 5 (I think I can solve this using ipchains commands), and
> the ip route command for multipath seemed to require distinct device
> definitions (eth0, eth1, etc). Will it work with an aliased interface
> (eth1:7), or can I bypass the "dev" option completely?
>
Yes, use "via ip" instead of "dev" :)
You should not be using the ifconfig type IP aliasing if you're going to use
the ip command. There are subtle issues with this, as 2.0.xx kernels
couldn't assign two IPs to a single interface, so they made virtual
interfaces. 2.2.xx doesn't need that.
> Thanks for any help.
>
> Jonathan
>
> PS. When I get this solved, would you like me to post it to the LARTC list
> serve?
I'd like you to send every message after this to the list. I'm on the list,
and I'll be monitoring it, but there are people with more experience than
myself there.
> ----- Original Message -----
> From: "Mike Fedyk" <mfedyk@matchmail.com>
> To: <JGlass@WesleyanCollege.edu>
> Sent: Monday, April 16, 2001 6:41 PM
> Subject: Re: Advanced Routing Question
>
>
> > On Mon, Apr 16, 2001 at 11:31:33AM -0400, JGlass@WesleyanCollege.edu wrote:
> > > I saw your post at the Advanced routing archives site, and have a
> > > question... Using the same scenario found at
> > > http://mailman.ds9a.nl/pipermail/lartc/2000q4/000156.html, would it be
> > > possible to use ONE network card to connect to TWO T1 links? Any thoughts,
> > > or am I wasting my time?
> > >
> > Yes, it's possible.
> >
> > Two T1s to the same or different ISP? Same IP range or MASQed as one IP
> > provided by two differing ISPs? Masq adds another level of complexity, but
> > it's quite workable. You're not wasting time....
> >
> > Mike
>
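What Mike describes, as an added example that is not part of the thread: the eth1:7 alias is replaced by a second address added with "ip addr" on the same interface, and the multipath default route picks its nexthops by "via" rather than "dev". It also goes beyond what the thread states by adding two policy-routing tables so that replies sourced from each public address leave through that address's own ISP, which is the failure Jonathan saw on the 222.222.222.223 side. The /24 prefixes, the firewall's address on the first T1 (111.111.111.112) and the table numbers 1 and 2 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses 111.111.111.111,
# 222.222.222.222 and 222.222.222.223 come from the mail; the /24 prefixes,
# 111.111.111.112 (firewall on the first T1) and tables 1/2 are constructed.
# Dry-run by default (prints the commands). DRY_RUN=0 applies them, which
# needs root and a 2.2+ kernel with iproute2.
ISP1_GW=111.111.111.111
ISP1_ADDR=111.111.111.112   # constructed placeholder
ISP2_GW=222.222.222.222
ISP2_ADDR=222.222.222.223
DEV=eth1

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

configure_dual_isp() {
    # Both public addresses on one physical interface; no ifconfig eth1:7.
    run ip addr add "$ISP1_ADDR/24" dev "$DEV"
    run ip addr add "$ISP2_ADDR/24" dev "$DEV"

    # Multipath default route: nexthops are chosen by gateway ("via"),
    # so no per-circuit "dev" is needed.
    run ip route replace default \
        nexthop via "$ISP1_GW" weight 1 \
        nexthop via "$ISP2_GW" weight 1

    # Beyond the thread: source-based rules so a reply carrying the
    # 222.222.222.223 source address is not sent out via 111.111.111.111,
    # where the upstream filter drops it. Numeric tables avoid rt_tables.
    run ip route replace default via "$ISP1_GW" table 1
    run ip route replace default via "$ISP2_GW" table 2
    run ip rule add from "$ISP1_ADDR" table 1
    run ip rule add from "$ISP2_ADDR" table 2
    run ip route flush cache
}

configure_dual_isp
```

Forcing all student traffic to masquerade as 111.111.111.111 is a separate ipchains matter, as the mail says, and is not covered here.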