From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Double gateway - aliased ip routing
Date: Tue, 28 Jan 2003 19:12:24 +0000
Message-ID: <marc-lartc-104378122016531@msgid-missing>
In-Reply-To: <marc-lartc-104377445704545@msgid-missing>
oli,
Nice ASCII map. (Your mailer didn't line break it, and it's clear.)
: My problem is how to route the packages from the localnet to either
: ADSL or T3, depending on whether they were received by the ip
: 192.168.10.8 or 192.168.10.9. I tried to mark the packages in the
: postrouting chain of iptables and send them to different routing
: tables. but iptables can't handle aliased interfaces like eth0:1 as
: source devices.
The problem is that the gateway information (client's chosen destination
IP address) is lost the moment the packet is encapsulated by the client
and transmitted onto the ethernet.
Packet arrives on your firewall looking something like this:
Frame source: client MAC
Frame dest: firewall eth0 MAC
IP source: client IP
IP dest: real destination IP
The addresses 192.168.10.8 and 192.168.10.9 are logical IP addresses which
share the same MAC, so you can't even select on the destination MAC
address, because you can't assign two hardware addresses to the same
interface simultaneously.
If I had to allow the client to select its default gateway, I'd be
inclined to add another interface. But since I'm a control freak and
BOFH, I'd simply use "ip rule" on the firewall to determine which client
IP (or outbound service) gets to use bandwidth on my two connections.
I have some documentation available on
http://plorf.net/linux-ip/html/adv-multi-internet.htm
which may be helpful to you in selecting different outbound routes based
on source IP or destination port.
If anybody else has a clever solution about how to accomplish his original
goal, I'd be interested in hearing the idea.
-Martin
:                  INTERNET
:           ===================
:               |                  |
:               |                  |
:        DynIP 212.x.x.195
:        /------------\     /---------------\
:        | DSL-ROUTER |     |   T3-ROUTER   |
:        \------------/     \---------------/
:         192.168.11.1        62.x.x.89
:         192.168.11.0/24     62.x.x.88/29
:               |                  |
:               |                  |
:         192.168.11.8        62.x.x7.90
:         192.168.11.0/24     62.x.x.88/29
:             eth3             eth1 w/ ProxyARP
:                /---------------\
:                |   FIREWALL    |
:                \---------------/
:       eth0:1         eth0            eth2 w/ ProxyARP
:   192.168.10.8   192.168.10.9        62.x.x.90
:        192.168.10.0/24               62.x.x.88/29
:               |                         \
:               |                          \
:        ==============                    eth0
:           LOCALNET                     62.x.x.93
:                                        62.x.x.88/29
:                                         /-----\
:                                         | DMZ |
:                                         \-----/
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
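As an added illustration of the "ip rule on the firewall" approach Martin suggests (not code from the thread or from his documentation), the script below builds one routing table per uplink from the diagram and selects a table by source address, or by destination port via an fwmark set in mangle PREROUTING rather than POSTROUTING. The DSL_SOURCES policy and table numbers are assumptions; the 62.x.x.* addresses are anonymised on the page and must be replaced before use.

```shell
#!/bin/sh
# Added example: source- and service-based policy routing for the
# two-uplink firewall in the thread's diagram. Set RUN=echo to print
# the commands instead of executing them (needs root otherwise).
set -eu

RUN="${RUN:-}"
LOCALNET=192.168.10.0/24            # eth0 / eth0:1 side of the firewall
DSL_DEV=eth3;  DSL_GW=192.168.11.1  # DSL router, from the diagram
T3_DEV=eth1;   T3_GW=62.x.x.89      # T3 router; "x" octets are anonymised on the page
DSL_TABLE=100; T3_TABLE=200         # assumed table numbers

# Assumed policy: these LAN sources leave via DSL, everything else via T3.
DSL_SOURCES="192.168.10.50 192.168.10.0/26"

run() { $RUN "$@"; }

setup_tables() {
    # One default route per uplink, each in its own table.
    run ip route replace default via "$DSL_GW" dev "$DSL_DEV" table "$DSL_TABLE"
    run ip route replace default via "$T3_GW"  dev "$T3_DEV"  table "$T3_TABLE"
}

setup_rules() {
    # Source-address selection stands in for the "which gateway IP did the
    # client pick" signal, which is gone once the frame hits the wire.
    for src in $DSL_SOURCES; do
        run ip rule add from "$src" table "$DSL_TABLE" pref 1000
    done
    # Service selection: mark LAN-originated SMTP before the routing decision
    # (mangle PREROUTING; POSTROUTING is too late to influence the route),
    # then steer the mark to the T3 table. Lower pref wins, so this beats
    # the source rules above.
    run iptables -t mangle -A PREROUTING -s "$LOCALNET" -p tcp --dport 25 \
        -j MARK --set-mark 2
    run ip rule add fwmark 2 table "$T3_TABLE" pref 900
    run ip route flush cache
    # Check rp_filter on both uplinks afterwards: strict reverse-path
    # filtering drops replies that return over the "other" link.
}

if [ "${1:-}" = apply ]; then
    setup_tables
    setup_rules
fi
```

Run with `RUN=echo sh script.sh apply` first to review the generated commands against the diagram before applying them.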