From: Dashamir Hoxha
Date: Fri, 13 Oct 2006 06:49:19 +0000
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Message-Id: <452F36EF.2050107@ma-isp.com>
References: <45266C57.4010106@ma-isp.com>
In-Reply-To: <45266C57.4010106@ma-isp.com>
To: lartc@vger.kernel.org

Pio Mendez wrote:
> PREROUTING chain is not traversed by local traffic, but OUTPUT chain
> does.

I think that OUTPUT is traversed after the routing decision is taken, so it is still the same problem.

Alexandru Dragoi wrote:
> You need a switch with 802.1q vlan support (cisco for example). The
> network card needs to be plugged in a switch port in "trunk" mode, and
> the providers each in its access switch port in a specified vlan (like 2).

Since I don't have a switch like that, I guess I should go back to the first solution, adding two IPs to the same network interface. The problem of localhost traffic not being categorized still exists, but this is not so important, since the box is going to serve as a router.
So, the solution, up to now, looks like this:

-------------8<----------------------------------
# bring up the uplink interface with both provider addresses
ip link set eth0 up
ip address flush eth0
ip address add $IP1 dev eth0
ip address add $IP2 dev eth0
ip route add default via $GATEWAY1

# table 2: copy of main, but with the default via the second provider
ip route flush table 2
ip route show table main | grep -Ev ^default \
    | while read ROUTE ; do ip route add table 2 $ROUTE ; done
ip route add table 2 default via $GATEWAY2
ip rule del fwmark 2 table 2 2>/dev/null
ip rule add fwmark 2 table 2

# mark the traffic that should leave through the second provider
PORT_LIST="22 53"
for PORT in $PORT_LIST
do
    iptables -t mangle -A PREROUTING -m tcp -p tcp --dport $PORT -j MARK --set-mark 0x2
done

# marked traffic is sourced from IP2, everything else from IP1
iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
------------8<---------------------------------

Thanks to Radu Oprisan for the SNAT rules suggestion, because in general they are better than -j MASQUERADE.

What remains to be done now is:

1 - What are the (security) problems related to this solution (two IPs on one interface) and how to avoid them.

2 - How to do a backup connection, i.e. when one of the lines goes down, the other one is used automatically. One way may be to use ping, in order to discover when a gateway is down, and then to switch to the other.

Has anybody any idea on these topics?

Thanks.
Dashamir

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
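A ping-based failover check for the second open question above, added here as an example and not part of the original post or the LARTC list. The gateway addresses are assumed placeholders, `probe_gateway` is a function so the decision logic can be exercised without network access, and it assumes iputils `ping` and `awk` are present.

```shell
#!/bin/sh
# Added example (not from the original post): ping-based uplink failover.
# Picks the first gateway that answers and installs it as the default route,
# so the two-uplink setup above keeps working when one line goes down.
# Gateway addresses are assumed placeholders (RFC 5737 documentation ranges).
GATEWAY1="${GATEWAY1:-198.51.100.1}"
GATEWAY2="${GATEWAY2:-203.0.113.1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the ip command, 0 = run it (needs root)

# Returns 0 when the gateway answers one ICMP echo within 2 s; stub this in tests.
probe_gateway() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Prints the gateway that should carry the default route: the primary if it
# answers, otherwise the secondary; returns 1 when neither answers.
choose_gateway() {
    for GW in "$GATEWAY1" "$GATEWAY2"; do
        if probe_gateway "$GW"; then
            echo "$GW"
            return 0
        fi
    done
    return 1
}

# Gateway of the current default route in the main table ("" if none).
current_gateway() {
    ip route show default 2>/dev/null | awk '/^default via/ { print $3; exit }'
}

# Replaces the default route only when the chosen gateway differs from the
# installed one, so running it every minute from cron is idempotent.
failover() {
    NEW=$(choose_gateway) || { echo "no gateway reachable" >&2; return 1; }
    CUR=$(current_gateway)
    if [ "$NEW" = "$CUR" ]; then
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "ip route replace default via $NEW"
    else
        ip route replace default via "$NEW"
    fi
}
# Invoke as "sh failover.sh run" (with DRY_RUN=0 to really switch routes).
if [ "${1:-}" = run ]; then
    failover
fi
```

Switching the default route alone leaves the catch-all SNAT rule pointing at $IP1, so the source address has to be switched together with the gateway, otherwise connections leave the second line carrying the first provider's address.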