Hamish Whittal
2005-May-11 06:00 UTC
Multiple Internet links - routing traffic to the correct one.
Hi all,

I have the following configuration:

[ASCII network diagram, flattened by extraction. Its labels show: the Local network 192.168.1.x on eth0 (router address .254) and the Local Network 172.16.1.x on eth3 (router address .254), both attached to the Linux router; eth1 (stat) on the diginet link to Provider 1; eth2 (dyn) and ppp0 on the adsl link to the Telecomms ADSL; both providers reach the Internet.]

In words:
Two local LANs (172.16.1.x) and (192.168.1.x). They service different parts of the organisation. The point is, the client does not want traffic from the 172.16.1.x network going over the ADSL link, otherwise the cap will be reached in hours (literally). The Router is also the mail server, so mail is delivered to the eth1 interface via a static IP address (eth1 in the diagram) - it is a 196.xx.xx.xx address.
The ADSL is not a static address - 165.146.yy.yy.
The LAN interface from the 192.168.1.x network on the router is 192.168.1.254. The LAN interface on the other network is 172.16.1.254.
The 10.x.x.x network is an IP I have assigned to the eth2 interface to ensure that I can still talk to my adsl router, but the ppp0 link is a pppoe connection to the telecomms provider.

So, with some assistance, I have set up the following:

Table main:
    165.146.128.1 dev ppp0 proto kernel scope link src 165.146.yy.yy
    196.xx.xx.xx/nn dev eth1 proto kernel scope link src 196.xx.xx.xx
    10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.254
    192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
    default via 196.xx.xx.xx dev eth1
(the default route here is going out through the diginet link - 196.xx.xx.xx in this table)

table adsl:
    10.0.0.0/24 dev eth2 scope link
    192.168.1.0/24 dev eth0 scope link
    127.0.0.0/8 dev lo scope link
    default via 165.146.yy.yy dev ppp0

the rules:
    0:     from all lookup local
    90:    from all to 192.168.1.0/24 lookup main
    100:   from 192.168.1.0/24 lookup adsl
    32766: from all lookup main
    32767: from all lookup default

    ip route add default via 165.146.yy.yy dev ppp0 table adsl

Now here it croaks. When I add this route, the continuous ping to a host on the internet from a machine on the Local Network (192) stops, which tells me it cannot get out via the ADSL link. In order to check whether the ADSL was working, I tried swapping the routes around so that the default traffic uses the ADSL link, and this worked - so it's not a problem with the physical ADSL link to the Internet.

I have tested the following:
1) From a PC on the 192 net, I can ping the Telecomms ADSL gateway on the remote side (in my case, this is 165.146.128.1), but not further.
2) From the Linux router, I can ping to the 165.146.128.1 and beyond.
3) I know the firewall rules are not blocking traffic since I am logging any traffic that is blocked by the firewall and nothing is showing up in the logs.

My NAT firewall rules are as follows:

    -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
    -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j SNAT --to-source 196.xx.xx.xx

So, what's so hard about that! And yet, the minute I add a default route to the adsl table, things go pear shaped. Take that out, and the people on the LAN (192 net) can talk to everything on the Internet.

So, what am I doing wrong here? I hope this is sufficient information to assist me in my routing woes.
Any help.....yadda yadda.
Cheers
H
Alexander Samad
2005-May-12 06:12 UTC
Re: Multiple Internet links - routing traffic to the correct one.
On Wed, May 11, 2005 at 08:00:30AM +0200, Hamish Whittal wrote:
> Hi all,
> I have the following configuration:
>
> [ASCII network diagram quoted from the first message; flattened by extraction, see the placeholder there.]
>
> In words:
> Two local LANs (172.16.1.x) and (192.168.1.x). They service different
> parts of the organisation. The point is, the client does not want
> traffic from the 172.16.1.x network going over the ADSL link otherwise
> the cap will be reached in hours (literally). The Router is also the mail
> server, so mail is delivered to the eth1 interface via a static IP
> address (eth1 in the diagram) - it is a 196.xx.xx.xx address.
> The ADSL is not a static address - 165.146.yy.yy.
> The LAN interface from the 192.168.1.x network on the router is
> 192.168.1.254. The LAN interface on the other network is 172.16.1.254.
> The 10.x.x.x network is an IP I have assigned to the eth2 interface to
> ensure that I can still talk to my adsl router, but the ppp0 link is a
> pppoe connection to the telecomms provider.
>
> So, with some assistance, I have set up the following:
> Table main:
> 165.146.128.1 dev ppp0 proto kernel scope link src 165.146.yy.yy
> 196.xx.xx.xx/nn dev eth1 proto kernel scope link src 196.xx.xx.xx
> 10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.254
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
> default via 196.xx.xx.xx dev eth1
> (the default route here is going out through the diginet link -
> 196.xx.xx.xx in this table)
>
> table adsl:
> 10.0.0.0/24 dev eth2 scope link
> 192.168.1.0/24 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> default via 165.146.yy.yy dev ppp0
>
> the rules:
> 0: from all lookup local
> 90: from all to 192.168.1.0/24 lookup main
> 100: from 192.168.1.0/24 lookup adsl
> 32766: from all lookup main
> 32767: from all lookup default

You need to have another rule

    100: from {adsladdress}/32 lookup adsl

because your packets are getting MASQ'd and then rehitting the routing table, which says route out the default link, which is actually the digi link. Most ISPs don't allow asym routing of packets (ie will not allow you to send a packet with a source address not in their address space); it will probably still have the 172 address on it (not sure).

You should be able to confirm this by tcpdump'ing on eth1.

> ip route add default via 165.146.yy.yy dev ppp0 table adsl
> Now here it croaks. When I add this route, the continuous ping to a host
> on the internet from a machine on the Local Network (192) stops, which
> tells me it cannot get out via the ADSL link. In order to check whether
> the ADSL was working, I tried swapping the routes around so that the
> default traffic uses the ADSL link, and this worked - so it's not a
> problem with the physical ADSL link to the Internet.
>
> I have tested the following:
> 1) From a PC on the 192 net, I can ping the Telecomms ADSL gateway on the
> remote side (in my case, this is 165.146.128.1), but not further.
> 2) From the Linux router, I can ping to the 165.146.128.1 and beyond.
> 3) I know the firewall rules are not blocking traffic since I am logging
> any traffic that is blocked by the firewall and nothing is showing up in
> the logs.
>
> My NAT firewall rules are as follows:
>
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j SNAT --to-source
> 196.xx.xx.xx
>
> So, what's so hard about that! And yet, the minute I add a default route
> to the adsl table, things go pear shaped. Take that out, and the people
> on the LAN (192 net) can talk to everything on the Internet.
>
> So, what am I doing wrong here? I hope this is sufficient information to
> assist me in my routing woes.
> Any help.....yadda yadda.
> Cheers
> H

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
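Both messages turn on the order in which `ip rule` entries are consulted: a packet is matched against the rules by priority, the first table that holds a route for the destination decides, and a table with no matching route falls through to the next rule. The simulator below is an added example, not code from either poster; it loads the tables and rules exactly as Hamish listed them and lets you ask which table and interface a given (source, destination) pair would take, with and without the extra `from <adsl-address>/32 lookup adsl` rule Alexander suggests. Because the thread masks the provider addresses (196.xx.xx.xx, 165.146.yy.yy), the example substitutes constructed stand-ins from the RFC 5737 documentation ranges, and it uses two distinct stand-ins for the eth1 address and the diginet gateway, which the post masks identically. The `local` table is a simplification (every router-owned address delivered to `lo`), assumed rather than taken from the post.

```python
"""Policy-routing lookup simulator for the two-uplink router in this thread.

Added example, not code from the original posts.  ISP-side addresses are
constructed stand-ins (RFC 5737 ranges) for the masked values in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the masked addresses in the thread.
DIGINET_NET = "192.0.2.8/29"     # stands in for 196.xx.xx.xx/nn on eth1
DIGINET_ADDR = "192.0.2.10"      # stands in for the router's static eth1 address
DIGINET_GW = "192.0.2.9"         # stands in for Provider 1's gateway (also masked)
ADSL_ADDR = "198.51.100.77"      # stands in for 165.146.yy.yy (dynamic ppp0 address)
ADSL_PEER = "198.51.100.1"       # stands in for 165.146.128.1 (ppp0 peer)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network          # destination prefix (default = 0.0.0.0/0)
    dev: str
    via: Optional[str] = None


@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # "from" selector, None = all
    dst: Optional[ipaddress.IPv4Network] = None   # "to" selector, None = all


def net(s: str) -> ipaddress.IPv4Network:
    """Accept 'default', a bare host address, or a prefix, as ip(8) does."""
    return ipaddress.ip_network("0.0.0.0/0" if s == "default" else s, strict=False)


def parse_table(text: str):
    """Parse 'ip route show table X' style lines into Route objects."""
    routes = []
    for line in text.strip().splitlines():
        toks = line.split()
        r = Route(prefix=net(toks[0]), dev=toks[toks.index("dev") + 1])
        if "via" in toks:
            r.via = toks[toks.index("via") + 1]
        routes.append(r)
    return routes


TABLES = {
    # Assumed simplification: router-owned addresses are delivered locally.
    "local": parse_table(f"""
        127.0.0.0/8 dev lo
        192.168.1.254 dev lo
        10.0.0.254 dev lo
        {DIGINET_ADDR} dev lo
        {ADSL_ADDR} dev lo
    """),
    "main": parse_table(f"""
        {ADSL_PEER} dev ppp0 proto kernel scope link src {ADSL_ADDR}
        {DIGINET_NET} dev eth1 proto kernel scope link src {DIGINET_ADDR}
        10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.254
        192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
        default via {DIGINET_GW} dev eth1
    """),
    "adsl": parse_table(f"""
        10.0.0.0/24 dev eth2 scope link
        192.168.1.0/24 dev eth0 scope link
        127.0.0.0/8 dev lo scope link
        default via {ADSL_ADDR} dev ppp0
    """),
}

# The rule set as posted (table "default" is empty, so rule 32767 never hits).
RULES = [
    Rule(0, "local"),
    Rule(90, "main", dst=net("192.168.1.0/24")),
    Rule(100, "adsl", src=net("192.168.1.0/24")),
    Rule(32766, "main"),
    Rule(32767, "default"),
]


def with_adsl_source_rule(rules):
    """Alexander's extra rule: packets sourced from the ADSL address itself are
    also looked up in the adsl table (it must sit before the catch-all 32766)."""
    return rules + [Rule(100, "adsl", src=net(f"{ADSL_ADDR}/32"))]


def lookup_table(routes, dst):
    """Longest-prefix match within one table; None when nothing matches."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(rules, tables, src, dst):
    """Walk rules by priority; the first table with a matching route decides.
    Returns (rule priority, table, outgoing device) or None if unreachable."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        hit = lookup_table(tables.get(rule.table, []), dst)
        if hit is not None:
            return rule.priority, rule.table, hit.dev
    return None


if __name__ == "__main__":
    internet = "203.0.113.9"   # constructed Internet host
    for label, rules in (("as posted", RULES), ("with ADSL-source rule", with_adsl_source_rule(RULES))):
        print(f"--- {label}")
        for src, dst in (("192.168.1.5", internet), ("172.16.1.20", internet),
                         (internet, "192.168.1.5"), (ADSL_ADDR, internet)):
            print(f"{src:>15} -> {dst:<15} {route(rules, TABLES, src, dst)}")
```

Run as posted, the simulator shows the policy the client asked for: 192.168.1.x hosts leave via ppp0, 172.16.1.x hosts via eth1, and replies to 192.168.1.x re-enter eth0 through rule 90. It also shows the case Alexander points at: a packet whose source is the ADSL address falls through to `main` and leaves through eth1, which is the mismatch between source address and provider that an ISP's ingress filter would drop; with the extra rule that packet is steered to ppp0. The live counterpart on the router is Alexander's suggestion of `tcpdump -ni eth1` and looking for packets whose source is not the eth1 address.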
Hamish Whittal
2005-May-24 06:11 UTC
Re: Multiple Internet links - routing traffic to the correct one.
Thanks Alexander for this.

On Thu, 2005-05-12 at 08:12, Alexander Samad wrote:
> On Wed, May 11, 2005 at 08:00:30AM +0200, Hamish Whittal wrote:
> > Hi all,
> > I have the following configuration:
> >
> > [ASCII network diagram quoted from the first message; flattened by extraction, see the placeholder there.]
> >
> > So, with some assistance, I have set up the following:
> > Table main:
> > 165.146.128.1 dev ppp0 proto kernel scope link src 165.146.yy.yy
> > 196.xx.xx.xx/nn dev eth1 proto kernel scope link src 196.xx.xx.xx
> > 10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.254
> > 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
> > default via 196.xx.xx.xx dev eth1
> > (the default route here is going out through the diginet link -
> > 196.xx.xx.xx in this table)
> >
> > table adsl:
> > 10.0.0.0/24 dev eth2 scope link
> > 192.168.1.0/24 dev eth0 scope link
> > 127.0.0.0/8 dev lo scope link
> > default via 165.146.yy.yy dev ppp0
> >
> > the rules:
> > 0: from all lookup local
> > 90: from all to 192.168.1.0/24 lookup main
> > 100: from 192.168.1.0/24 lookup adsl
> > 32766: from all lookup main
> > 32767: from all lookup default
>
> You need to have another rule
>
> 100: from {adsladdress}/32 lookup adsl
>
> because your packets are getting MASQ'd and then rehitting the routing
> table, which says route out the default link, which is actually the digi
> link. Most ISPs don't allow asym routing of packets (ie will not allow
> you to send a packet with a source address not in their address space);
> it will probably still have the 172 address on it (not sure)
>
> You should be able to confirm this by tcpdump'ing on eth1

I tried what you said, but got a message along the lines of "Route sent us somewhere else".

I did a bit of googling and now see that it seems this is a known problem and requires a kernel patch..... So, I am continuing to search. I currently run Debian with stock 2.6.7-1 kernel. Seems like a recompile is imminent.

Cheers
Hamish

-------------------------------------------------------------------
| Hamish Whittal                         | Mobile: +27 82 803 5533   |
| QED Technologies cc                    | landline: +27 21 671 7710 |
| 21 Marne Avenue, Claremont, Cape Town  | fax: +27 21 674 9184      |
|________________fortune cookie below autogenerated_________________|
You will have a long and boring life.