* Dual WAN setup redux
@ 2012-01-27 23:03 Dimitri Yioulos
2012-01-31 1:50 ` Lloyd Standish
` (2 more replies)
0 siblings, 3 replies; 13+ messages in thread
From: Dimitri Yioulos @ 2012-01-27 23:03 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Hi, folks.
Well, here I am, again, asking for help setting up a dual WAN. With a kind nod
to Lloyd and Andy, I'm simply not getting this to work. And, my deadline for
getting to good is now. So, even though this is a bit off-topic, I'm
appealing, once again, for your help.
Let me see if I can provide all of the information you might need to assist me:
LAN: 192.168.100.0/24
DMZ: 192.168.1.0/24
WAN1 (up and working for a long time): 65.x.x.160/27, gw 65.x.x.161
WAN2 (new connection): 75.x.x.24/29, gw 75.x.x.30
eth0 - WAN1: 65.x.x.162
eth0:0-eth0:6: 65.x.x.163, 164, etc.
eth1 - LAN: 192.168.100.1
eth2 - DMZ: 192.168.1.1
eth3 - WAN2: 75.x.x.25
eth3:0-eth3:1: 75.x.x.26, 27
SNAT current DMZ hosts WAN1 addresses
I want to use WAN2 for a new Web server and test server living in the DMZ.
I created a new routing table called WAN2. Here's the output of "ip route show
table WAN2":
75.x.x.24/29 dev eth3 scope link src 75.x.x.25
default via 75.x.x.30 dev eth3
Netstat -ar produces the following output:
75.x.x.24 * 255.255.255.248 U 0 0 0 eth3
65.x.x.160 * 255.255.255.224 U 0 0 0 eth0
10.8.0.0 vpn.mydomain.c 255.255.255.0 UG 0 0 0 eth2
192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
192.168.100.0 * 255.255.252.0 U 0 0 0 eth1
default 65.x.x.161. 0.0.0.0 UG 0 0 0 eth0
The following are probably stupid noob questions, but here goes:
I can ping the WAN2 gateway address from our firewall/router, but not from any
other network device (I can ping the gateway address of WAN1 just fine). Don't
I have to be able to do that first?
I'm not sure what internal ip addresses to give the new Web server and test
server (192.100.1.x, or 75.x.x.26-29).
I'm thinking that once I can get the above straight, iptables rules will be
relatively simple to set up (I'll probably regret having said that :-) ).
Thanks.
Dimitri
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-01-27 23:03 Dual WAN setup redux Dimitri Yioulos
@ 2012-01-31 1:50 ` Lloyd Standish
2012-01-31 17:15 ` Andrew Beverley
2012-02-01 20:35 ` Andrew Beverley
2 siblings, 0 replies; 13+ messages in thread
From: Lloyd Standish @ 2012-01-31 1:50 UTC (permalink / raw)
To: netfilter@vger.kernel.org, Dimitri Yioulos
On Fri, 27 Jan 2012 17:03:18 -0600, Dimitri Yioulos <dyioulos@onpointfc.com> wrote:
>Let me see if I can provide all of the information you might need to assist me:
>LAN: 192.168.100.0/24
> DMZ: 192.168.1.0/24
> WAN1 (up and working for a long time): 65.x.x.160/27, gw 65.x.x.161
> WAN2 (new connection): 75.x.x.24/29, gw 75.x.x.30
>eth0 - WAN1: 65.x.x.162
> eth0:0-eth0:6: 65.x.x.163, 164, etc.
> eth1 - LAN: 192.168.100.1
> eth2 - DMZ: 192.168.1.1
> eth3 - WAN2: 75.x.x.25
> eth3:0-eth3:1: 75.x.x.26, 27
>SNAT current DMZ hosts WAN1 addresses
>I want to use WAN2 for a new Web server and test server living in the DMZ.
>I created a new routing table called WAN2. Here's the output of "ip route show
> table WAN2":
>75.x.x.24/29 dev eth3 scope link src 75.x.x.25
> default via 75.x.x.30 dev eth3
>Netstat -ar produces the following output:
>75.x.x.24 * 255.255.255.248 U 0 0 0 eth3
> 65.x.x.160 * 255.255.255.224 U 0 0 0 eth0
> 10.8.0.0 vpn.mydomain.c 255.255.255.0 UG 0 0 0 eth2
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
> 192.168.100.0 * 255.255.252.0 U 0 0 0 eth1
> default 65.x.x.161. 0.0.0.0 UG 0 0 0 eth0
>The following are probably stupid noob questions, but here goes:
>I can ping the WAN2 gateway address from our firewall/router, but not from any
> other network device (I can ping the gateway address of WAN1 just fine). Don't
> I have to be able to do that first?
>
I don't see why you can't ping the eth3 interface address from other points in your network. Your routing table looks OK to me. Are you sure there are not firewall rules interfering? And yes, I think that until you get that to work, it's useless to try to go forward.
> I'm not sure what internal ip addresses to give the new Web server and test
> server (192.100.1.x, or 75.x.x.26-29.
I'm not experienced at this, but I expected a DMZ to have public IP addresses, not to be natted just like your internal LAN. But anyway, of course you will need to assign some address in the 192.100.1.0/24 network to your web server in the DMZ, and use DNAT to allow it to respond to queries from the Internet. If you assign 192.168.1.3 to your web server, I think you would do something like this:
iptables -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3
For the test server, I assume you don't need for it to be accessible from outside your LANs, so no DNAT necessary. Just assign a LAN address to it like 192.168.1.5.
Others here will be much more able to help you, I think.
--
Lloyd
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-01-27 23:03 Dual WAN setup redux Dimitri Yioulos
2012-01-31 1:50 ` Lloyd Standish
@ 2012-01-31 17:15 ` Andrew Beverley
2012-02-01 16:51 ` Dimitri Yioulos
2012-02-01 20:35 ` Andrew Beverley
2 siblings, 1 reply; 13+ messages in thread
From: Andrew Beverley @ 2012-01-31 17:15 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter@vger.kernel.org
On Fri, 2012-01-27 at 18:03 -0500, Dimitri Yioulos wrote:
> Well, here I am, again, asking for help setting up a dual WAN.
Any chance of an ascii diagram? It's a bit difficult to understand what
you have and what you are trying to achieve without it.
Andy
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-01-31 17:15 ` Andrew Beverley
@ 2012-02-01 16:51 ` Dimitri Yioulos
2012-02-01 18:49 ` Andrew Beverley
0 siblings, 1 reply; 13+ messages in thread
From: Dimitri Yioulos @ 2012-02-01 16:51 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: DiCecca, Caitlin
On Tuesday 31 January 2012 12:15:00 pm Andrew Beverley wrote:
> On Fri, 2012-01-27 at 18:03 -0500, Dimitri Yioulos wrote:
> > Well, here I am, again, asking for help setting up a dual WAN.
>
> Any chance of an ascii diagram? It's a bit difficult to understand what
> you have and what you are trying to achieve without it.
>
> Andy
>
>
Lloyd, Andy, and others,
Let me see what I can do here:
WAN2
___________ 75.x.x.24/29, gw 75.x.x.30
| |---------eth3 (75.x.x.25)
| | (eth0:0=75.x.x.26, ...)
Local network | |
192.168.100.0/22 ----|fw/router| WAN1
eth1 (192.168.100.1) | | 65.x.x.160/27, gw 65.x.x.161
|__________|--------eth0 (65.x.x.162)
| (eth0:0=65.x.x.163, ... )
|
DMZ
192.168.1.0/24
eth1 (192.168.1.1)
| |
|
|
___________________|_____________________
| | | |
box1 box2 box3 box4
192.168.1.2 192.168.1.3 192.168.1.4 192.168.1.5
(65.x.x.163 (65.x.x.164
eth0:0) eth0:1)
I'd like for boxes 3 and 4 to use WAN2.
The above probably looks like an unholy mess (and it may be; a discussion for
another day, though), but hope it helps clarify things. That's what I'm after.
Thanks.
Dimitri
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-02-01 16:51 ` Dimitri Yioulos
@ 2012-02-01 18:49 ` Andrew Beverley
2012-02-01 19:46 ` Dimitri Yioulos
0 siblings, 1 reply; 13+ messages in thread
From: Andrew Beverley @ 2012-02-01 18:49 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter@vger.kernel.org, DiCecca, Caitlin
On Wed, 2012-02-01 at 11:51 -0500, Dimitri Yioulos wrote:
> On Tuesday 31 January 2012 12:15:00 pm Andrew Beverley wrote:
> > On Fri, 2012-01-27 at 18:03 -0500, Dimitri Yioulos wrote:
> > > Well, here I am, again, asking for help setting up a dual WAN.
> >
> > Any chance of an ascii diagram? It's a bit difficult to understand what
> > you have and what you are trying to achieve without it.
>
> Lloyd, Andy, and others,
>
> Let me see what I can do here:
<snip>
Hmmm, did you *compose* that in a fixed-width font? When *viewed* in a
fixed-width font it's unreadable. It's slightly more readable when
viewed in another font, but it would be worth sending again
better-formatted if you can.
Andy
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-02-01 18:49 ` Andrew Beverley
@ 2012-02-01 19:46 ` Dimitri Yioulos
2012-02-01 20:25 ` Andrew Beverley
0 siblings, 1 reply; 13+ messages in thread
From: Dimitri Yioulos @ 2012-02-01 19:46 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: DiCecca, Caitlin
[-- Attachment #1: Type: text/plain, Size: 1260 bytes --]
On Wednesday 01 February 2012 1:49:43 pm Andrew Beverley wrote:
> On Wed, 2012-02-01 at 11:51 -0500, Dimitri Yioulos wrote:
> > On Tuesday 31 January 2012 12:15:00 pm Andrew Beverley wrote:
> > > On Fri, 2012-01-27 at 18:03 -0500, Dimitri Yioulos wrote:
> > > > Well, here I am, again, asking for help setting up a dual WAN.
> > >
> > > Any chance of an ascii diagram? It's a bit difficult to understand what
> > > you have and what you are trying to achieve without it.
> >
> > Lloyd, Andy, and others,
> >
> > Let me see what I can do here:
>
> <snip>
>
> Hmmm, did you *compose* that in a fixed-width font? When *viewed* in a
> fixed-width font it's unreadable. It's slightly more readable when
> viewed in another font, but it would be worth sending again
> better-formatted if you can.
>
> Andy
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Sorry, I'm apparently not a very good ascii artist. :-)
At the risk of ticking the list off, I've attached the scheme as a png.
Dimitri
[-- Attachment #2: Network scheme.png --]
[-- Type: image/png, Size: 6039 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-02-01 19:46 ` Dimitri Yioulos
@ 2012-02-01 20:25 ` Andrew Beverley
0 siblings, 0 replies; 13+ messages in thread
From: Andrew Beverley @ 2012-02-01 20:25 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter@vger.kernel.org, DiCecca, Caitlin
On Wed, 2012-02-01 at 14:46 -0500, Dimitri Yioulos wrote:
> Sorry, I'm apparently not a very good ascii artist. :-)
Nope, your artistic skills are fine. If your attachment is anything to
go by, then you didn't compose in a fixed-width font. If you're
writing/reading plain text, it's best to use Courier or similar.
> At the risk of ticking the list off, I've attached the scheme as a png.
Oh well, doesn't bother me, and that makes a lot more sense now.
Stand by for a reply to your original email.
Andy
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-01-27 23:03 Dual WAN setup redux Dimitri Yioulos
2012-01-31 1:50 ` Lloyd Standish
2012-01-31 17:15 ` Andrew Beverley
@ 2012-02-01 20:35 ` Andrew Beverley
2012-02-01 22:08 ` Dimitri Yioulos
2 siblings, 1 reply; 13+ messages in thread
From: Andrew Beverley @ 2012-02-01 20:35 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter@vger.kernel.org
On Fri, 2012-01-27 at 18:03 -0500, Dimitri Yioulos wrote:
> I want to use WAN2 for a new Web server and test server living in the
> DMZ.
>
> I created a new routing table called WAN2. Here's the output of "ip route show
> table WAN2":
>
> 75.x.x.24/29 dev eth3 scope link src 75.x.x.25
> default via 75.x.x.30 dev eth3
In which case you need to force traffic from/to your new webserver to
use the routing table above.
> 75.x.x.24 * 255.255.255.248 U 0 0 0 eth3
This is saying any traffic for 75... should go via eth3.
> 65.x.x.160 * 255.255.255.224 U 0 0 0 eth0
> 10.8.0.0 vpn.mydomain.c 255.255.255.0 UG 0 0 0 eth2
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
> 192.168.100.0 * 255.255.252.0 U 0 0 0 eth1
Likewise for these.
> default 65.x.x.161. 0.0.0.0 UG 0 0 0 eth0
And anything else should go via 65...
So, at the moment, there's nothing making traffic use eth3, unless it
happens to be on that same subnet.
> The following are probably stupid noob questions, but here goes:
>
> I can ping the WAN2 gateway address from our firewall/router, but not from any
> other network device (I can ping the gateway address of WAN1 just fine).
See point above.
> Don't
> I have to be able to do that first?
Yes.
> I'm not sure what internal ip addresses to give the new Web server and test
> server (192.100.1.x, or 75.x.x.26-29.
You could do either. If you've been issued with a 'spare' public IP
address, then you might as well use that, as it saves SNAT.
If you're not using 75.x.x.26-29 then you could use one of these. But
you should not be assigning them all to eth3 as aliases (as per your
diagram). You only need one there.
In summary, if I understand your setup correctly, you should be able to
assign *one* of your public IP addresses to eth3, and then assign
another one to the web server, assuming they're all in the same subnet
and you get the subnets correct.
Once you've done that, as long as IP forwarding is enabled and you
ACCEPT the packets in iptables then it should work.
Andy
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-02-01 20:35 ` Andrew Beverley
@ 2012-02-01 22:08 ` Dimitri Yioulos
2012-02-01 23:32 ` Andrew Beverley
2012-02-02 7:35 ` Andrew Beverley
0 siblings, 2 replies; 13+ messages in thread
From: Dimitri Yioulos @ 2012-02-01 22:08 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: DiCecca, Caitlin
On Wednesday 01 February 2012 3:35:04 pm Andrew Beverley wrote:
> On Fri, 2012-01-27 at 18:03 -0500, Dimitri Yioulos wrote:
> > I want to use WAN2 for a new Web server and test server living in the
> > DMZ.
> >
> > I created a new routing table called WAN2. Here's the output of "ip
> > route show table WAN2":
> >
> > 75.x.x.24/29 dev eth3 scope link src 75.x.x.25
> > default via 75.x.x.30 dev eth3
>
> In which case you need to force traffic from/to your new webserver to
> use the routing table above.
>
> > 75.x.x.24 * 255.255.255.248 U 0 0 0 eth3
>
> This is saying any traffic for 75... should go via eth3.
>
> > 65.x.x.160 * 255.255.255.224 U 0 0 0 eth0
> > 10.8.0.0 vpn.mydomain.c 255.255.255.0 UG 0 0 0
> > eth2 192.168.1.0 * 255.255.255.0 U 0 0
> > 0 eth2 192.168.100.0 * 255.255.252.0 U 0 0
> > 0 eth1
>
> Likewise for these.
>
> > default 65.x.x.161. 0.0.0.0 UG 0 0
> > 0 eth0
>
> And anything else should go via 65...
>
> So, at the moment, there's nothing making traffic use eth3, unless it
> happens to be on that same subnet.
>
> > The following are probably stupid noob questions, but here goes:
> >
> > I can ping the WAN2 gateway address from our firewall/router, but not
> > from any other network device (I can ping the gateway address of WAN1
> > just fine).
>
> See point above.
>
> > Don't
> > I have to be able to do that first?
>
> Yes.
>
> > I'm not sure what internal ip addresses to give the new Web server and
> > test server (192.100.1.x, or 75.x.x.26-29.
>
> You could do either. If you've been issued with a 'spare' public IP
> address, then you might as well use that, as it saves SNAT.
>
> If you're not using 75.x.x.26-29 then you could use one of these. But
> you should not be assigning them all to eth3 as aliases (as per your
> diagram). You only need one there.
>
> In summary, if I understand your setup correctly, you should be able to
> assign *one* of your public IP addresses to eth3, and then assign
> another one to the web server, assuming they're all in the same subnet
> and you get the subnets correct.
>
> Once you've done that, as long as IP forwarding is enabled and you
> ACCEPT the packets in iptables then it should work.
>
> Andy
>
>
Andy,
Thanks for your efforts, especially as you're dealing with someone as dense as
me.
On the test machine (call it box 3 in the diagram), I changed the ip to be
75.x.x.28, netmask 255.255.255.248, network 75.x.x.24. I set the gateway to be
75.x.x.25 (eth3 address on the firewall/router). I can't ping anything.
At this point, is it a firewall rule issue? If so, what is/are the rule(s) I
need to add?
If I had my choice, though, I'd rather assign an address of 192.168.1.x to the
test machine (as with the rest of the devices in the DMZ), and make it use the
WAN2 connection instead of WAN1 that the other devices are using.
Hope I'm not being too much of a pita here.
Dimitri
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-02-01 22:08 ` Dimitri Yioulos
@ 2012-02-01 23:32 ` Andrew Beverley
2012-02-02 7:35 ` Andrew Beverley
1 sibling, 0 replies; 13+ messages in thread
From: Andrew Beverley @ 2012-02-01 23:32 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter@vger.kernel.org, DiCecca, Caitlin
On Wed, 2012-02-01 at 17:08 -0500, Dimitri Yioulos wrote:
> > In summary, if I understand your setup correctly, you should be able to
> > assign *one* of your public IP addresses to eth3, and then assign
> > another one to the web server, assuming they're all in the same subnet
> > and you get the subnets correct.
>
> Thanks for your efforts, especially as you're dealing with someone as dense as
> me.
>
> On the test machine (call it box 3 in the diagram), I changed the ip to be
> 75.x.x.28, netmask 255.255.255.248, network 75.x.x.24. I set the gateway to be
> 75.x.x.25 (eth3 address on the firewall/router). I can't ping anything.
What are your actual IP addresses?
> At this point, is it a firewall rule issue? If so, what is/are the rule(s) I
> need to add?
You'll need something like "iptables -A FORWARD -o eth3 -j ACCEPT",
assuming that your default policy is DROP. Plus the associated inbound
connection ("iptables -A FORWARD -i eth3 -j ACCEPT"). Of course, you
should tighten these up, but I'd get it working first.
> If I had my choice, though, I'd rather assign an address of 192.168.1.x to the
> test machine (as with the rest of the devices in the DMZ),
I suggest you get it working with the public IP address first, as it's
less things to configure.
Andy
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-02-01 22:08 ` Dimitri Yioulos
2012-02-01 23:32 ` Andrew Beverley
@ 2012-02-02 7:35 ` Andrew Beverley
1 sibling, 0 replies; 13+ messages in thread
From: Andrew Beverley @ 2012-02-02 7:35 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter@vger.kernel.org, DiCecca, Caitlin
On Wed, 2012-02-01 at 17:08 -0500, Dimitri Yioulos wrote:
> On the test machine (call it box 3 in the diagram), I changed the ip to be
> 75.x.x.28, netmask 255.255.255.248, network 75.x.x.24. I set the gateway to be
> 75.x.x.25 (eth3 address on the firewall/router). I can't ping anything.
I wasn't very clear in my last post. You'll need to separate out that
small block into different subnets, as they're on different interfaces.
> If I had my choice, though, I'd rather assign an address of 192.168.1.x to the
> test machine (as with the rest of the devices in the DMZ), and make it use the
> WAN2 connection instead of WAN1 that the other devices are using.
Actually, it's probably as easy to do this. Set the 192.168.1.x IP
address on the test machine, then try pinging eth3's IP address from the
test machine. That should work. Then try the gateway on the same subnet.
That should also work.
Once that's working, then you should be able to do a DNAT on the
firewall to send packets coming in on eth3 to the test machine
(192.168.1.x).
Andy
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
@ 2012-02-02 17:52 Dimitri Yioulos
2012-02-02 23:11 ` Andrew Beverley
0 siblings, 1 reply; 13+ messages in thread
From: Dimitri Yioulos @ 2012-02-02 17:52 UTC (permalink / raw)
To: netfilter@vger.kernel.org; +Cc: DiCecca, Caitlin
[-- Attachment #1: Type: text/plain, Size: 1982 bytes --]
On Thursday 02 February 2012 2:35:20 am Andrew Beverley wrote:
> On Wed, 2012-02-01 at 17:08 -0500, Dimitri Yioulos wrote:
> > On the test machine (call it box 3 in the diagram), I changed the ip to
> > be 75.x.x.28, netmask 255.255.255.248, network 75.x.x.24. I set the
> > gateway to be 75.x.x.25 (eth3 address on the firewall/router). I can't
> > ping anything.
>
> I wasn't very clear in my last post. You'll need to separate out that
> small block into different subnets, as they're on different interfaces.
>
> > If I had my choice, though, I'd rather assign an address of 192.168.1.x
> > to the test machine (as with the rest of the devices in the DMZ), and
> > make it use the WAN2 connection instead of WAN1 that the other devices
> > are using.
>
> Actually, it's probably as easy to do this. Set the 192.168.1.x IP
> address on the test machine, then try pinging eth3's IP address from the
> test machine. That should work. Then try the gateway on the same subnet.
> That should also work.
>
> Once that's working, then you should be able to do a DNAT on the
> firewall to send packets coming in on eth3 to the test machine
> (192.168.1.x).
>
> Andy
>
>
I changed the ip addy of the test server to 192.168.1.11, back on the
DMZ subnet. I now have partial success, as I can ping the gateway
(75.x.x.30). I think I have the correct SNAT and DNAT rules to reach this
on port 80, but I can't reach it via 75.x.x.27, which is its external
address. Nor can I ping it. And, I can ping anything outbound from that host.
Arrgh.
I don't know if it's helpful, but I've attached what I hope is a new, better
network map.
Thanks and regards,
Dimitri
[-- Attachment #2: Network Diagram_01302012_A.png --]
[-- Type: image/png, Size: 11836 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: Dual WAN setup redux
2012-02-02 17:52 Dimitri Yioulos
@ 2012-02-02 23:11 ` Andrew Beverley
0 siblings, 0 replies; 13+ messages in thread
From: Andrew Beverley @ 2012-02-02 23:11 UTC (permalink / raw)
To: Dimitri Yioulos; +Cc: netfilter@vger.kernel.org, DiCecca, Caitlin
On Thu, 2012-02-02 at 12:52 -0500, Dimitri Yioulos wrote:
> I changed the ip addy of the test server to 192.168.1.11, back on the
> DMZ subnet. I now have partial success, as I can ping the gateway
> (75.x.x.30).
So can I :)
> I think I have the correct SNAT and DNAT rules to reach this
> on port 80, but I can't reach it via 75.x.x.27, which is its external
> address. Nor can I ping it.
You need to add the .27 address to the interface that is connected to
the 75.144.186.30 Cisco router (eth3?).
You should then be able to ping 75.144.186.27 from the internet. Once
that is working, it should just be a matter of adding the DNAT rule for
192.168.1.11 to forward from eth3.
> I don't know if it's helpful, but I've attached what I hope is a new, better
> network map.
That's pretty good, but missing a few helpful things such as the
interface names, which I think you had on previous diagrams.
Andy
^ permalink raw reply [flat|nested] 13+ messages in thread
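Added example, not written by anyone in the thread: a dry-run script that collects the pieces discussed across the replies (public address on eth3, a source-based rule into table WAN2, DNAT/SNAT, and FORWARD rules narrower than the blanket accepts suggested for first testing). The 203.0.113.x addresses are constructed placeholders for the redacted 75.x.x.x block, and the function names and rule priority are hypothetical.

```shell
#!/bin/sh
# Added example: put one DMZ host on WAN2 (policy routing + NAT + filter).
# Interface names and the table name WAN2 come from the thread; the
# 203.0.113.x addresses are constructed placeholders for 75.x.x.x.
WAN2_IF=eth3
DMZ_IF=eth2
LAN_IF=eth1
DMZ_NET=192.168.1.0/24
LAN_NET=192.168.100.0/22
TABLE=WAN2            # already holds the WAN2 subnet and default route

# Print each command; execute it only when APPLY=1 (dry run by default).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# $1 = private DMZ address, $2 = public WAN2 address mapped to it
wan2_host_routing() {
    host=$1; pub=$2
    # The firewall must own the public address on eth3 to answer ARP for it.
    run ip addr add "$pub/29" dev "$WAN2_IF"
    # Table WAN2 needs the internal networks too, otherwise the host's
    # replies to LAN/DMZ peers would follow the default route to the ISP.
    run ip route add "$DMZ_NET" dev "$DMZ_IF" table "$TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    # Source-based rule: the step that forces this host's traffic onto WAN2.
    run ip rule add from "$host" lookup "$TABLE" priority 1000
}

# $1 = private address, $2 = public address, $3 = TCP port to publish
wan2_host_nat() {
    host=$1; pub=$2; port=$3
    # Inbound: translate only the published port on the public address.
    run iptables -t nat -A PREROUTING -i "$WAN2_IF" -d "$pub" -p tcp \
        --dport "$port" -j DNAT --to-destination "$host"
    # Outbound: connections the host opens leave with its public address.
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -s "$host" \
        -j SNAT --to-source "$pub"
    # Narrower replacements for the blanket "-i eth3 / -o eth3 -j ACCEPT".
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN2_IF" -o "$DMZ_IF" -d "$host" -p tcp \
        --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN2_IF" -s "$host" \
        -m conntrack --ctstate NEW -j ACCEPT
}

wan2_publish() {
    [ $# -eq 3 ] || { echo "usage: wan2_publish HOST PUBLIC_IP PORT" >&2; return 2; }
    wan2_host_routing "$1" "$2"
    wan2_host_nat "$1" "$2" "$3"
}

# Dry run for the thread's test server; set APPLY=1 (as root) to execute.
wan2_publish 192.168.1.11 203.0.113.27 80
```

Replies to DNATed connections leave via eth3 because the routing decision sees the server's private source address, which the `ip rule` matches, before conntrack restores the public one in POSTROUTING.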