* [LARTC] Double gateway - aliased ip routing
From: lartc @ 2003-01-28 17:19 UTC (permalink / raw)
  To: lartc

Hi,
I've got a local network with several workstations attached through a
firewall to the internet by two types of connections: one is called
ADSL, which is cheaper, but with lower bandwidth; the other is called T3,
faster but more expensive.
I want to enable each workstation from the localnet to choose its
connection by setting its default gateway to one of the firewall's IPs
on eth0: 192.168.10.8 for ADSL and 192.168.10.9 for T3. Additionally, each
workstation, regardless of its gateway IP, should be able to access the DMZ.
The topology of the net would be something like this:

                       INTERNET
         ===================
               |                       |
               |                       |
             DynIP                212.x.x.195
         /------------\        /---------------\
         | DSL-ROUTER |        |   T3-ROUTER   |
         \------------/        \---------------/
          192.168.11.1             62.x.x.89
         192.168.11.0/24          62.x.x.88/29
               |                       |
               |                       |
          192.168.11.8             62.x.x.90
         192.168.11.0/24          62.x.x.88/29
             eth3                    eth1   w/ ProxyARP
                   /---------------\     
                   |   FIREWALL    |        
                   \---------------/ 
      eth0:1         eth0             eth2  w/ ProxyARP
  192.168.10.8   192.168.10.9      62.x.x.90  
        192.168.10.0/24           62.x.x.88/29
               |                                 \
               |                                  \
  ==============                    eth0  
           LOCALNET                            62.x.x.93  
                                              62.x.x.88/29
                                                /-----\
                                                | DMZ |
                                                \-----/

My problem is how to route the packets from the localnet to either ADSL
or T3, depending on whether they were received by the IP 192.168.10.8 or
192.168.10.9.
I tried to mark the packets in the postrouting chain of iptables and
send them to different routing tables, but iptables can't handle aliased
interfaces like eth0:1 as source devices.
Next step was to set up routing depending on incoming interfaces, but
there was no effect on the actual routing.

my current configurations are:

# ip rule ls
0:      from all lookup local 
32765:  from all iif eth0:1 lookup ADSL 
32766:  from all lookup main 
32767:  from all lookup default 

# ip route show
62.x.x.89 dev eth1  scope link 
62.x.x.88/29 dev eth2  scope link 
192.168.11.0/24 dev eth3  proto kernel  scope link  src 192.168.11.8 
192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.9 
default via 62.x.x.89 dev eth1 

# ip route show table ADSL
62.153.117.88/29 dev eth2  scope link 
default via 192.168.11.92 dev eth3 

Has anyone ideas of solving the problem?
Thanks,

oli
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Double gateway - aliased ip routing
From: Martin A. Brown @ 2003-01-28 19:12 UTC (permalink / raw)
  To: lartc

oli,

Nice ASCII map.  (Your mailer didn't line break it, and it's clear.)

 : My problem is how to route the packages from the localnet to either
 : ADSL or T3, depending on wether they were received by the ip
 : 192.168.10.8 or 192.168.10.9. I tried to mark the packages in the
 : postrouting chain of iptables and send them to different routing
 : tables. but iptables can't handle aliased interfaces like eth0:1 as
 : source devices.

The problem is that the gateway information (client's chosen destination
IP address) is lost the moment the packet is encapsulated by the client
and transmitted onto the ethernet.

Packet arrives on your firewall looking something like this:

  Frame source: client MAC
    Frame dest: firewall eth0 MAC
     IP source: client IP
       IP dest: real destination IP

The address 192.168.10.8 and 192.168.10.9 are logical IP addresses which
share the same MAC, so you can't even select on the destination MAC
address, because you can't assign two hardware addresses to the same
interface simultaneously.

If I had to allow the client to select its default gateway, I'd be
inclined to add another interface.  But since I'm a control freak and
BOFH, I'd simply use "ip rule" on the firewall to determine which client
IP (or outbound service) gets to use bandwidth on my two connections.

I have some documentation available on

  http://plorf.net/linux-ip/html/adv-multi-internet.htm

which may be helpful to you in selecting different outbound routes based
on source IP or destination port.

If anybody else has a clever solution about how to accomplish his original
goal, I'd be interested in hearing the idea.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com


* Re: [LARTC] Double gateway - aliased ip routing
From: Oliver Geisler @ 2003-01-28 20:38 UTC (permalink / raw)
  To: lartc

Hi Martin.

>If I had to allow the client to select its default gateway, I'd be
>inclined to add another interface.  
>
I've already tried this out, but the kernel gets really confused with
this configuration. Incoming packets were arbitrarily answered by one or
the other interface. I learned from the net that it's just not possible
to manage if both interfaces are connected to the same section (e.g.
switch) of the subnet. The config of eth1 and eth2 just works because
both parts of the subnet are physically separated and packets to
62.x.x.90 only arrive on one of the two interfaces. If someone's got a
solution to the problem 'two interfaces on the same subnet', let me know.

>But since I'm a control freak and
>BOFH, I'd simply use "ip rule" on the firewall to determine which client
>IP (or outbound service) gets to use bandwidth on my two connections.
>
>I have some documentation available on
>
>  http://plorf.net/linux-ip/html/adv-multi-internet.htm
>
>which may be helpful to you in selecting different outbound routes based
>on source IP or destination port.
>  
>
Source-based routing would only be a second-best solution. My task is to
let the user choose the outbound route. In this case I would have to
build a kind of user interface to the firewall script. I think that
would be a bad idea. On the other hand, I want to prevent people asking me
to switch their connection.

But thanks so far. More hints are welcome.

oli


* Re: [LARTC] Double gateway - aliased ip routing
From: Martin A. Brown @ 2003-01-29  4:58 UTC (permalink / raw)
  To: lartc

Hi there Oliver,

OK, so you're definitely up to snuff on the issues implied by your config.

I may be able to help you out on the "two interfaces on the same subnet"
problem.  At least for outbound packets.

 : If someone's got a solution to the problem 'two interfaces on the same
 : subnet', let me know.

I've written a little bit about the ARP flux problem here:

  http://plorf.net/linux-ip/html/ch-ether.htm#ETHER-ARP-FLUX

Basically there are four solutions:

  /proc/sys/net/ipv4/conf/*/rp_filter  # kernel 2.4 only
  /proc/sys/net/ipv4/conf/*/hidden     # patch to 2.4; in 2.2.14+
  ip arp                               # patch to 2.4 and iproute2
  ip route add <route> noarp           # patch to 2.4 and iproute2

For description of the rp_filter solution see the IP sysctl tutorial:

  http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN616

For a description of the other three, see Julian's site:

  http://www.linuxvirtualserver.org/~julian/

Once you've solved the ARP flux problem (two NICs on one segment), you'll
be able to do something like this:

# ip rule add iif eth0 table main
# ip rule add iif eth4 table t3

Then the main routing table would have a route out the ADSL line, and you
could create table t3 with a route out your main connection.

With all of that said, your firewall may send the inbound packets back to
the clients via the "wrong" interface, but this should not matter, as the
client machines will continue to cache the IP/MAC mapping for outbound
packets--and these are the important ones for your configuration.

I haven't ever tried this so I don't know what wrinkles you should expect,
but....it should work (famous last words).

 : Source based routing would only be a second best solution. My task is to
 : let the user choose the outbound route. In this case I would have to
 : built a kind of user-interface to the firewall-script. I think that
 : would be a bad idea. On the other hand I want prevent people asking me
 : to switch theirs connection.

What!?  You are trying to lighten your workload?  Sacrilege!  :)

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
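Putting Martin's proposal into commands, as an added example that is not from the thread (it is neither Oliver's posted configuration nor Martin's): a script for the firewall that first suppresses the ARP flux between two NICs on the LAN segment and then installs the iif-keyed rules and per-uplink tables, replacing Oliver's `iif eth0:1` rule, which could never match because an alias label is not a device. Assumptions: eth4 is the second LAN NIC (the only name Martin gives), numeric table id 100 stands in for his `t3`, and the arp_ignore/arp_announce sysctls (mainline 2.6 and later) replace the 2.4 "hidden" patch he lists. The anonymised 62.x.x.* addresses from the map are kept as placeholders that must be replaced. The script prints its plan unless APPLY=1 is set, in which case it must run as root on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: the "two NICs on one LAN segment" layout
# Martin proposes, with ARP-flux suppression and iif-keyed policy rules.
# Prints the plan unless APPLY=1 (which needs root and real interfaces).
# Assumptions: eth4 is the second LAN NIC (per Martin), table id 100 stands in
# for his "t3", arp_ignore/arp_announce replace the 2.4 "hidden" patch.
set -u

LAN_ADSL_IF=${LAN_ADSL_IF:-eth0}   # carries 192.168.10.8: clients that want ADSL
LAN_T3_IF=${LAN_T3_IF:-eth4}       # carries 192.168.10.9: clients that want T3
ADSL_IF=${ADSL_IF:-eth3}
ADSL_GW=${ADSL_GW:-192.168.11.1}   # DSL router per the map; the posted ADSL table used .92, check which is right
T3_IF=${T3_IF:-eth1}
T3_GW=${T3_GW:-62.x.x.89}          # anonymised in the thread: replace before APPLY=1
DMZ_IF=${DMZ_IF:-eth2}
DMZ_NET=${DMZ_NET:-62.x.x.88/29}   # anonymised in the thread: replace before APPLY=1
T3_TABLE=${T3_TABLE:-100}          # add "100 t3" to /etc/iproute2/rt_tables to use the name

# Execute the command, or print it when only planning.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: stop the ARP flux. With arp_ignore=1 a NIC answers ARP only for an
# address configured on that NIC, so eth0 answers for .8 and eth4 for .9 and
# each gateway IP binds to a distinct MAC on the clients (the handle Martin
# says is missing with an alias). arp_announce=2 keeps each NIC's own address
# in the ARP requests it sends. rp_filter goes to loose mode (2, kernels
# 2.6.31+): strict mode would drop frames entering the second NIC, because the
# reverse-path lookup settles on the first connected route to 192.168.10.0/24.
arp_flux_sysctls() {
    for dev in "$LAN_ADSL_IF" "$LAN_T3_IF"; do
        run sysctl -w "net.ipv4.conf.$dev.arp_ignore=1"
        run sysctl -w "net.ipv4.conf.$dev.arp_announce=2"
        run sysctl -w "net.ipv4.conf.$dev.rp_filter=2"
    done
}

# Step 2: one table per uplink, selected by the NIC the frame entered.
# main defaults to ADSL; table 100 defaults to T3 and also carries the DMZ
# route, mirroring Oliver's ADSL table (a miss in table 100 would fall
# through to main anyway, since rule lookup continues on an empty result).
policy_rules() {
    run ip route replace default via "$ADSL_GW" dev "$ADSL_IF"
    run ip route replace default via "$T3_GW" dev "$T3_IF" table "$T3_TABLE"
    run ip route replace "$DMZ_NET" dev "$DMZ_IF" table "$T3_TABLE"
    run ip rule add iif "$LAN_T3_IF" lookup "$T3_TABLE" pref 100
    run ip rule add iif "$LAN_ADSL_IF" lookup main pref 101   # explicit, as in Martin's mail
    run ip route flush cache
}

main() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "APPLY=1 needs root" >&2
        return 1
    fi
    arp_flux_sysctls
    policy_rules
}

main
```

Two checks before applying: the map shows the DSL router at 192.168.11.1 while the posted ADSL table routes via 192.168.11.92, so confirm the real gateway; and `ip addr` on the firewall must show .8 on eth0 and .9 on eth4 as two real devices, not a label, or the iif rules have nothing to match. Not covered by the thread and not handled here: packets sent out eth3 from 192.168.10.x sources reach a DSL router that does its own NAT, so replies only come back if the firewall SNATs them to 192.168.11.8 or the DSL router has a route to 192.168.10.0/24.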
