* [LARTC] Re: 2 ISP Routing Problem
From: lartc @ 2004-04-05  5:36 UTC (permalink / raw)
  To: lartc

I read carefully "Guide to IP Layer Networking", but this doesn't give an idea 
how to make this simple (I think) route. My logic is: 

If a packet comes from source address 1.0.1.0/24 AND the destination is NOT a locally 
connected host ( 1.0.1.0/24 OR 2.0.1.0/24 OR 127.0.0.0/8 ), send it to ISP1 
gateway 1.0.0.1.
If a packet comes from source address 2.0.1.0/24 AND the destination is NOT a locally 
connected host ( 1.0.1.0/24 OR 2.0.1.0/24 OR 127.0.0.0/8 ), send it to ISP2 
gateway 2.0.0.1.
If a packet coming ( from ISP1 or ISP2 ) has destination address 1.0.1.0/24 OR 
2.0.1.0/24, send it to the corresponding eth interface. 

As you see, there is NO default route; all other source/destination combinations 
will be dropped ( with ICMP host unreachable maybe? ). 

I can't believe that no one uses a single Linux router like this.... 

 

lartc@pro-technica.com writes: 

> Hello, I have a single Linux router ( Fedora Core 1 ), 2 ISPs, 1 internal 
> network, 1 IP space from every ISP
> My scenario:
> eth0 1.0.0.2 netmask 255.255.255.252 -> ISP 1
> eth1 2.0.0.2 netmask 255.255.255.252 -> ISP 2
> eth2 1.0.1.1 netmask 255.255.255.0 -> IP space from ISP1
> eth3 2.0.1.1 netmask 255.255.255.0 -> IP space from ISP2  
> 
> Config I try:
> /etc/iproute2/rt_tables:
> 10 isp1
> 20 isp2  
> 
> ip rule add from 1.0.1.0/24 table isp1
> ip rule add from 2.0.1.0/24 table isp2
> route del default
> ip route add default via 1.0.0.1 table isp1
> ip route add default via 2.0.0.1 table isp2  
> 
> At this point workstations connected to eth2 and eth3 connect to the internet 
> fine.
> BUT: with this config I can't communicate with the workstations. If I try 
> 'ping 1.0.1.2' I can see that all packets with source IP 1.0.1.1 are sent 
> to eth0, and packets with source IP 2.0.1.1 are sent to eth1.  
> 
> #ip route get from 1.0.1.1 to 1.0.1.2
> 1.0.1.2 from 1.0.1.1 via 1.0.0.1  
> 
> So, the question is: How to set up iproute2, so the kernel first consults the internal 
> routing table:
> 1.0.1.0/24 dev eth2  proto kernel  scope link  src 1.0.1.1
> 2.0.1.0/24 dev eth3  proto kernel  scope link  src 2.0.1.1  
> 
> and AFTER THIS default routes I create with 'ip route default via ...'  
> 
> PS: All IPs are real, I don't use 10.x.x.x...
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
 


* Re: [LARTC] Re: 2 ISP Routing Problem
From: Martin A. Brown @ 2004-04-06  4:34 UTC (permalink / raw)
  To: lartc

Hello,

 : I read carefully "Guide to IP Layer Networking", but this doesn't give
 : an idea how to make this simple (I think) route. My logic is:

Perhaps I should rewrite that section.....

Here are my assumptions before the below.

A main routing table with routes to all of the local networks, but no
default route.

  { echo 10 ISP1
    echo 20 ISP2 ; } >> /etc/iproute2/rt_tables

 : If a packet comes from source address 1.0.1.0/24 AND the destination is NOT a locally
 : connected host ( 1.0.1.0/24 OR 2.0.1.0/24 OR 127.0.0.0/8 ), send it to ISP1
 : gateway 1.0.0.1.

   ip rule add prio 979 from 1.0.1.0/24 table main
   ip rule add prio 980 from 1.0.1.0/24 table ISP1
   ip route add default via 1.0.0.1 table ISP1

This will allow packets with a source address of 1.0.1.0/24 to reach
locally connected networks and the Internet via ISP1.  By selecting the main
routing table first, you'll be sure to allow access to the locally
connected networks to and from each of the other locally connected
networks.

 : If a packet comes from source address 2.0.1.0/24 AND the destination is NOT a locally
 : connected host ( 1.0.1.0/24 OR 2.0.1.0/24 OR 127.0.0.0/8 ), send it to ISP2
 : gateway 2.0.0.1.

   ip rule add prio 969 from 2.0.1.0/24 table main
   ip rule add prio 970 from 2.0.1.0/24 table ISP2
   ip route add default via 2.0.0.1 table ISP2

 : If a packet coming ( from ISP1 or ISP2 ) has destination address
 : 1.0.1.0/24 OR 2.0.1.0/24, send it to the corresponding eth interface.

Quite!

 : As you see, there is NO default route; all other source/destination
 : combinations will be dropped ( with ICMP host unreachable maybe? ).

This should happen naturally with the above configuration, but you may
wish to consider the following as well:

   ip rule del prio 32766 table main
   ip rule add prio 32766 unreachable

This should force your box to send ICMP unreachables for any host not
found in any of the routing table lookups.  If you decide to remove
the final rule which refers to the main routing table, don't forget about
loopback traffic:

   ip rule add prio 990 from 127.0.0.0/8 table main

 : I can't believe that no one uses a single Linux router like this....

Nor can I.  It's possible that the 38 people who have done this remain
silent.

In your earlier mail.....

 : ip rule add from 1.0.1.0/24 table isp1
 : ip rule add from 2.0.1.0/24 table isp2
 : route del default
 : ip route add default via 1.0.0.1 table isp1
 : ip route add default via 2.0.0.1 table isp2

The problem is that tables isp1 and isp2 do not contain routes for
networks 2.0.1.0/24 and 1.0.1.0/24 respectively.  Inverting the lookup
logic (as I do above), so that the default route is selected after the
local routes, prevents this from being a problem.

 : BUT: with this config I can't communicate with the workstations. If I try
 : 'ping 1.0.1.2' I can see that all packets with source IP 1.0.1.1 are
 : sent to eth0, and packets with source IP 2.0.1.1 are sent to eth1.
 :
 : #ip route get from 1.0.1.1 to 1.0.1.2
 : 1.0.1.2 from 1.0.1.1 via 1.0.0.1

Exactly as I expected, given your config.  Let us know if you have
success!

Good luck!

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

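The rule set Martin describes, assembled into one POSIX shell script. This is an added example, not code from Martin's mail or from the LARTC HOWTO. It assumes the addressing from the original post (1.0.1.0/24 and 2.0.1.0/24 behind the router, gateways 1.0.0.1 and 2.0.0.1, tables named ISP1 and ISP2 already present in /etc/iproute2/rt_tables). By default IP is set to echo, so the script only prints the ip commands in the order the kernel would consult them; run it with IP=ip to apply them. The second function is a sanity check on that command list: for every source prefix, the rule pointing at the main table must carry a lower priority number than the rule pointing at the ISP table, which is exactly the ordering the original "ip add rule from ... table isp1" config got wrong.

```shell
#!/bin/sh
# Added example (not from the thread): two-ISP policy routing with
# local networks looked up before each ISP's default route.
# IP defaults to "echo" so the commands are printed, not applied.
IP=${IP:-echo}

# Emit the rules and routes. Lower prio numbers are consulted first, so the
# "table main" rule for a source prefix must sit just above its ISP rule:
# local destinations match in main, everything else falls through to ISPn.
two_isp_policy_routing() {
    $IP rule add prio 969 from 2.0.1.0/24 table main
    $IP rule add prio 970 from 2.0.1.0/24 table ISP2
    $IP rule add prio 979 from 1.0.1.0/24 table main
    $IP rule add prio 980 from 1.0.1.0/24 table ISP1
    # Loopback still needs main once the catch-all main rule is gone.
    $IP rule add prio 990 from 127.0.0.0/8 table main
    # Default routes live only in the per-ISP tables (none in main).
    $IP route add default via 1.0.0.1 table ISP1
    $IP route add default via 2.0.0.1 table ISP2
    # Swap the catch-all main lookup for an unreachable rule: any source not
    # covered above gets ICMP host unreachable instead of a silent drop.
    $IP rule del prio 32766 table main
    $IP rule add prio 32766 unreachable
}

# Check a printed command list: for each "from PREFIX" seen with an ISP
# table, a "table main" rule with a strictly lower prio must also exist.
# Returns 0 when every prefix is ordered local-first, 1 otherwise.
check_main_before_isp() {
    echo "$1" | awk '
        $1 == "rule" && $2 == "add" && $5 == "from" {
            prio = $4; src = $6; tbl = $8
            if (tbl == "main") mainp[src] = prio
            else if (tbl ~ /^ISP/) ispp[src] = prio
        }
        END {
            for (s in ispp)
                if (!(s in mainp) || mainp[s] + 0 >= ispp[s] + 0) bad = 1
            exit (bad ? 1 : 0)
        }'
}

# Running the script stand-alone prints the rule set (IP=echo).
two_isp_policy_routing
```

Under IP=echo the output is the nine ip commands, one per line; `check_main_before_isp "$(two_isp_policy_routing)"` succeeds on it and fails on a list where an ISP rule has the lower prio, which is the failure mode the original config showed when `ip route get from 1.0.1.1 to 1.0.1.2` answered via 1.0.0.1.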
