Re: Multiple gateways problem

[Alexander Samad <alex@samad.com.au>]

[-- Attachment #1: Type: text/plain, Size: 2718 bytes --]

On Thu, Mar 31, 2005 at 06:37:50PM +0200, Rub?n Cardenal wrote:
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
>   I have a quite simple setup in ony of my servers but I can't make
> the conditional routing using iptables to work.
> 
>   The server has:
> 
>   eth0: 192.168.2.0/23
>   eth1/eth2: reserved for future use
>   eth3: 10.10.100.0/24
> 
>   The eth3 is connected to a separate switch where 30 AP's are
> connected to and a dhcp server running on the server gives IP's to
> clients connected to the wireless lan. In the same way, eth0 is
> connected to another set of switchs (isolated from the switch where
> eth3 is connected to) where all LAN clients (192.168.2.0/23) are
> connected to.
> 
>   I can use two gateways, both of them are accessed via eth0:
> 192.168.3.250 and 192.16.3.254. The default gateway for all the LAN
> clients (192.168.2.0/23) is (and must be) 192.168.3.254 and just a
> few people is allowed to use the other gateway.
> 
>   The desired configuration is that I want to be able to route
> certain clients from eth3 (10.10.100.0/24) via 192.168.3.250 instead
> of the default gw of the server (192.168.3.254).
> 
>   All the configurations I've tried, doesn't work or make LAN clients
> loose connectivity with the server. How should I setup routes/rules?
if you can group your users to specific networks then you can use

ip ru for something like this

0:      from all lookup local 
200:    from 10.10.100.0/24 lookup wireless 
201:    from 192.168.2.0/24 lookup plana 
201:    from 192.168.3.0/24 lookup planb 
32766:  from all lookup main 
32767:  from all lookup default 

or in using iptables -t mangle and PREROUTING you can mark your packets
with -m mark --set-mark 0x01

iptables -t mangle -I PREROUTING -s 10.100.100.0/24 -m mark --set-mark
0x01
iptables -t mangle -I PREROUTING -s 192.168.2.0/24 -m mark --set-mark
0x02
iptables -t mangle -I PREROUTING -s 192.168.3.0/24 -m mark --set-mark
0x03

and then use ip ru sort of like

0:      from all lookup local 
200:    fwmark 0x01 lookup wireless 
200:    fwmark 0x02 lookup plana
200:    fwmark 0x03 lookup planb 
32766:  from all lookup main 
32767:  from all lookup default 



and then fill the tables with the appropiate routing rules

note - I split your 192.168.2.0/23 back into 2 /24 just for example, you
might need to check the syntax of the -m mark target as well.

Alex

> 
>   Regards,
> 
> - - Ruben.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.1
> 
> iQA/AwUBQkwnXQcpyqBKAkY5EQLdOwCg/rIS18MM5mKYfXjEhvSiCPgOV1QAmwZ7
> TG3o6vj9sH7NQXoVkgUsBcvS
> =BTkL
> -----END PGP SIGNATURE-----
> 
> 
> 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]