From: Dashamir Hoxha <dasho@ma-isp.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Date: Fri, 13 Oct 2006 06:49:19 +0000
Message-ID: <452F36EF.2050107@ma-isp.com>
In-Reply-To: <45266C57.4010106@ma-isp.com>
Pio Mendez wrote:
> PREROUTING chain is not traversed by local traffic, but OUTPUT chain
> does.
I think that OUTPUT is traversed after the routing decision is taken, so it
is still the same problem.
Alexandru Dragoi wrote:
> You need a switch with 802.1q vlan support (cisco for example). The
> network card needs to be plugged into a switch port in "trunk" mode, and
> the providers each in its access switch port in a specified vlan (like 2).
Since I don't have a switch like that, I guess I should go back to the
first solution, adding two IPs to the same network interface. The problem
of localhost traffic not being categorized still exists, but this is not so
important, since the box is going to serve as a router.
So, the solution, up to now looks like this:
-------------8<----------------------------------
ip link set eth0 up
ip address flush eth0
ip address add $IP1 dev eth0
ip address add $IP2 dev eth0
# main table: default route via the first provider
ip route add default via $GATEWAY1
# table 2: same routes as main, but default via the second provider
ip route flush table 2
ip route show table main | grep -Ev ^default \
| while read ROUTE ; do ip route add table 2 $ROUTE ; done
ip route add table 2 default via $GATEWAY2
# packets carrying fwmark 2 are looked up in table 2
ip rule del fwmark 2 table 2 2>/dev/null
ip rule add fwmark 2 table 2
# mark forwarded TCP traffic to these destination ports for the second link
PORT_LIST="22 53"
for PORT in $PORT_LIST
do
iptables -t mangle -A PREROUTING -p tcp -m tcp --dport $PORT -j MARK --set-mark 0x2
done
# marked traffic leaves with IP2 as source, everything else with IP1
iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
------------8<---------------------------------
Thanks to Radu Oprisan for the SNAT rules suggestion, because in general
they are better than -j MASQUERADE.
What remains to be done now is:
1 - What are the (security) problems related to this solution (two IPs on
one interface) and how to avoid them.
2 - How to do a backup connection, i.e. when one of the lines goes down,
the other one is used automatically. One way may be to use ping, in order
to discover when a gateway is down, and then to switch to the other.
Has anybody any idea on these topics?
Thanks.
Dashamir
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
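The following script is an added example, not part of Dashamir's message or of anyone's reply in this thread. It sketches the ping-based failover asked about in point 2, on top of the routing layout the message shows: the main table defaults via $GATEWAY1, table 2 (selected by fwmark 2) defaults via $GATEWAY2, and both gateways sit on eth0. The gateway addresses are constructed placeholders, the `ping` flags assume Linux iputils, and `gwcheck` is a hypothetical script name. Only the decision functions are pure; everything that touches the routing table goes through `ip route replace`, so re-running it is idempotent.

```shell
#!/bin/sh
# gwcheck.sh - ping-based failover for the two-gateway setup in the message.
# Added example, not from the original post. Assumes: main table -> $GATEWAY1,
# table 2 (fwmark 2) -> $GATEWAY2, both directly reachable on eth0.

GATEWAY1="${GATEWAY1:-192.0.2.1}"     # constructed placeholder (TEST-NET-1)
GATEWAY2="${GATEWAY2:-198.51.100.1}"  # constructed placeholder (TEST-NET-2)
PING_COUNT="${PING_COUNT:-3}"
PING_WAIT="${PING_WAIT:-2}"           # seconds to wait for each reply (iputils -W)

# gateway_state GW: print "up" if the gateway answers at least one of
# PING_COUNT probes, "down" otherwise. This only proves the local link to
# the provider's router, not that the provider itself has connectivity.
gateway_state() {
    if ping -c "$PING_COUNT" -W "$PING_WAIT" "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# primary_gateway S1 S2: gateway for the main table's default route.
# Prefer GATEWAY1 while it is up; fall back to GATEWAY2 when only that one
# answers; with both down, stay on GATEWAY1 so nothing is rewritten.
primary_gateway() {
    case "$1:$2" in
        down:up) echo "$GATEWAY2" ;;
        *)       echo "$GATEWAY1" ;;
    esac
}

# backup_gateway S1 S2: gateway for table 2 (the marked ports 22 and 53).
# Mirror image of primary_gateway.
backup_gateway() {
    case "$1:$2" in
        up:down) echo "$GATEWAY1" ;;
        *)       echo "$GATEWAY2" ;;
    esac
}

# current_default TABLE: gateway currently holding TABLE's default route
# (empty if there is none or the ip tool is unavailable).
current_default() {
    ip route show table "$1" 2>/dev/null \
        | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# set_default TABLE GW: repoint TABLE's default route only if it changed,
# and log every change so a flapping line is visible in syslog.
set_default() {
    have=$(current_default "$1")
    if [ "$have" != "$2" ]; then
        logger -t gwcheck "table $1: default ${have:-none} -> $2"
        ip route replace default via "$2" table "$1"
    fi
}

check_once() {
    s1=$(gateway_state "$GATEWAY1")
    s2=$(gateway_state "$GATEWAY2")
    set_default main "$(primary_gateway "$s1" "$s2")"
    set_default 2    "$(backup_gateway  "$s1" "$s2")"
}

# Run from cron, e.g. every minute:  gwcheck.sh --run
if [ "${1:-}" = "--run" ]; then
    check_once
fi
```

Note that with the SNAT rules from the message, traffic that fails over keeps its original source address (IP2 for marked ports, IP1 for the rest) while leaving through the other provider's gateway, so whether the fallback actually carries traffic depends on each provider accepting the other's source address; if it does not, the SNAT rules would have to be switched along with the routes.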