
Re: Routing with 2 ISP

David Hláčik wrote:
Hello guys,

Sorry to bother you.

I had a small network with one ISP and firewall.

eth1 -> is connected to my ISP
eth0 + eth0.1, eth0.2, etc. are my local networks.

All my network accesses internet via eth1.

My routing table looks like the following (flags, metric, ref, use, interface):

  U     0      0        0 eth1
  U     0      0        0 eth0
  U     0      0        0 eth0
  U     0      0        0 eth0.8
  U     0      0        0 eth0.5
  U     0      0        0 eth0.7
  U     0      0        0 eth0.4
  U     0      0        0 eth0
  U     0      0        0 eth0.6
  U     0      0        0 eth0.8
  UG    0      0        0 eth1

Recently I have added a second provider via ADSL.

The ADSL modem is connected via eth0.8. Using adsl-setup I have created
the ppp interface ppp0.

Now I want to achieve the following :

Computers from the local network range (eth0.7) should
access the internet using my second internet provider via ppp0.

I believe that for that I need to use advanced networking and the iproute package.

I will add a second routing table named "adsl" and configure routing
via ppp0 there. Together with that I need to set, in the iptables nat
table, masquerading for all IPs going out via ppp0. I believe I need to
use the ip command for this.

And finally my questions are:

1) Is there a good tutorial / howto for using iproute on the internet,
other than LARTC.org?

Let us know if you find it.

2) Can I utilize the tools of Fedora to have my configuration (with the
second routing table, using ip) somehow stored, so it is permanent when
I restart the machine? I mean there are the networking scripts in
/etc/sysconfig/network-scripts which can handle IP assignment,
virtual LANs, aliases, even static routes. Can they handle advanced
routing as well?

The easiest way to do this is to put all the commands in a shell script you run out of the run levels you want. Not that you can't hack scripts and save iptables, and do wonderful stuff, but a shell script has a nice provision for comments so you can see what you are doing, it does one thing at a time so it's easier to figure out what didn't work, and you can use your favorite version control system to track what you do.

I used the MARK action in iptables to allow me to force packets out a given interface. You then need only a very few rules to make routing work.

Also, unless you have nothing but machines and people you trust on all these little subnets, have the external ISP connections on NICs not reachable from the private machines without going through your firewall. Having had a 12-year-old tell me "Oh I read the man page and changed the netmask" was a revelation. Unless people are totally trusted and really competent, assume they will (maybe by accident) do something you don't want. Also, packets from the ISP on eth0.8 can physically reach the subnets (unless you have VLAN switches or similar).

Finally, be sure packets can't come in one NIC and out the other from one ISP to the other. The NIC is looking at the MAC address; packets will come in with foreign IPs. I see a few thousand of these a week.

Sounds like you are going to have some learning experiences. You want to look at the 'recent' match in iptables, it may be useful in blocking some evil, depending on your policy.

Bill Davidsen <davidsen tmr com>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
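The setup discussed in this thread (a second routing table for the ADSL link, a fwmark set by iptables to steer one subnet into it, masquerading on ppp0, and the no-forwarding-between-ISPs guard), written out as the kind of shell script Bill recommends. This is an added example, not code from either poster; the subnet 192.168.7.0/24, the table id 100, the mark 0x2 and the rule priority are assumed placeholders. It prints the commands by default and only applies them when run as root with DRY_RUN=0, so it can be kept under version control and run from whatever boot script you prefer.

```shell
#!/bin/sh
# Added example (not from the thread): route one LAN subnet out a second
# ISP on ppp0 using a fwmark and a second routing table, and refuse to
# forward between the two ISP links. Addresses, table id and mark value
# are assumed placeholders; adjust them for your site.
# Dry-run by default: prints the commands. DRY_RUN=0 executes them.

LAN_NET="${LAN_NET:-192.168.7.0/24}"   # assumed subnet behind eth0.7
LAN_IF="${LAN_IF:-eth0.7}"             # VLAN carrying that subnet
WAN1_IF="${WAN1_IF:-eth1}"             # first ISP
WAN2_IF="${WAN2_IF:-ppp0}"             # second ISP (ADSL over eth0.8)
TABLE_ID="${TABLE_ID:-100}"            # numeric table id; a name can be
                                       # mapped to it in /etc/iproute2/rt_tables
FWMARK="${FWMARK:-0x2}"                # mark that selects the adsl table
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Second routing table: its only route sends everything out ppp0.
# 'replace' keeps the script idempotent across reruns.
setup_adsl_table() {
    run ip route replace default dev "$WAN2_IF" table "$TABLE_ID"
    # Packets carrying the mark consult that table before 'main'.
    run ip rule add fwmark "$FWMARK" lookup "$TABLE_ID" priority 1000
}

# Mark only traffic arriving from the chosen LAN, in PREROUTING so the
# mark exists before the routing decision is made.
mark_lan_traffic() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -j MARK --set-mark "$FWMARK"
    # ppp0's address is dynamic, so masquerade rather than SNAT.
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
}

# Never let a packet come in on one ISP link and leave on the other.
block_isp_to_isp() {
    run iptables -A FORWARD -i "$WAN1_IF" -o "$WAN2_IF" -j DROP
    run iptables -A FORWARD -i "$WAN2_IF" -o "$WAN1_IF" -j DROP
}

# Entry point: emits (or applies) the six commands in order.
policy_routing_commands() {
    setup_adsl_table
    mark_lan_traffic
    block_isp_to_isp
}

policy_routing_commands
```

Running it without arguments shows exactly what would be applied, which is the point of the dry-run: you can diff the output against the live `ip rule show`, `ip route show table 100` and `iptables-save` after a reboot to confirm the configuration came back. The FORWARD drops are placed in the filter table, so they apply regardless of which routing table chose the output interface.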
