Routing with 2 ISP

Bill Davidsen davidsen at tmr.com
Mon Dec 21 02:32:40 UTC 2009


David Hláčik wrote:
> Hello guys,
> 
> Sorry to bother you.
> 
> I had a small network with one ISP and firewall.
> 
> eth1 -> Is connected to my ISP
> eth0 + eth0.1 , eth0.2 and etc are my local networks.
> 
> All my network accesses internet via eth1.
> 
> My routing table looks like the following :
> 
> 213.194.242.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 10.123.20.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.123.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.123.11.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.8
> 10.123.42.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.5
> 10.123.123.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.7
> 10.123.40.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.4
> 10.123.30.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 10.123.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.6
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0.8
> 0.0.0.0         213.194.242.1   0.0.0.0         UG    0      0        0 eth1
> 
> Recently I have added a second provider via ADSL.
> 
> The ADSL modem is connected via eth0.8. Using adsl-setup I have created
> the ppp interface ppp0.
> 
> Now I want to achieve the following :
> 
> Computers from local network range 10.123.123.0/24 (eth0.7) should
> access internet using my second internet provider via ppp0.
> 
> I believe that for that I need to use advanced networking and the iproute package.
> 
> I will add a second routing table named "adsl" and configure routing
> via ppp0 there. Together with that I need to set up, in the iptables nat
> table, masquerading of all IPs going out via ppp0. I believe I need to
> use the ip command for this.
> 
> And finally my questions are:
> 
> 1) Is there a good tutorial / howto for using iproute on the internet,
> apart from LARTC.org?

Let us know if you find it.

> 2) Can I use Fedora's tools to have my configuration (with the
> second routing table, using ip) somehow stored, so that it is permanent when
> I restart the machine? I mean there are the network scripts in
> /etc/sysconfig/network-scripts which can handle IP assignment,
> virtual LANs, aliases, even static routes. Can they handle advanced
> routing as well?
> 
The easiest way to do this is to put all the commands in a shell script you run 
out of the run levels you want. Not that you can't hack scripts and save 
iptables, and do wonderful stuff, but a shell script has a nice provision for 
comments so you can see what you are doing, it does one thing at a time so it's 
easier to figure out what didn't work, and you can use your favorite version 
control system to track what you do.

I used the MARK action in iptables to allow me to force packets out a given 
interface. You then need only a very few rules to make routing work.

Also, unless you have nothing but machines and people you trust on all these 
little subnets, have the external ISP connections on NICs not reachable from the 
private machines without going through your firewall. Having had a 12-year-old 
tell me "Oh I read the man page and changed the netmask" was a revelation. 
Unless people are totally trusted and really competent, assume they will (maybe 
by accident) do something you don't want. Also, packets from the ISP on eth0.8 
can physically reach the subnets (unless you have VLAN switches or similar).

Finally, be sure packets can't come in one NIC and out the other, from one ISP to 
the other. The NIC is looking at the MAC address; packets will come in with foreign 
IPs. I see a few thousand of these a week.

Sounds like you are going to have some learning experiences. You want to look at 
the 'recent' match in iptables, it may be useful in blocking some evil, 
depending on your policy.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
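As an added example (not part of the thread, and not Bill's or David's own script), here is the kind of shell script the reply recommends: a second routing table selected by an iptables MARK, masquerading on ppp0, FORWARD rules so that nothing is relayed between the two ISP links or in from the modem VLAN, and a "recent" match to slow down ssh guessing on the uplinks. The interface names and the 10.123.123.0/24 subnet come from the post; the table name and number, the fwmark value, the rule preference and the ssh rate limit are choices made here and are not from the original. Run it as root with "start" or "stop", or with "plan" to print the commands it would run.

```shell
#!/bin/sh
# Added example: policy routing so that 10.123.123.0/24 (eth0.7) reaches the
# Internet via ppp0 while everything else keeps using eth1, plus the firewall
# rules the reply calls for. Every change goes through run(), so DRY_RUN=1
# (the "plan" action) prints the commands instead of executing them.

LAN_IF=eth0.7          # subnet that must use the ADSL line (from the post)
ADSL_IF=ppp0           # PPPoE session over the modem on eth0.8 (from the post)
MODEM_IF=eth0.8        # VLAN the modem hangs off (from the post)
ISP_IF=eth1            # primary ISP (from the post)
TABLE=adsl             # assumption: name of the second routing table
TABLE_ID=200           # assumption: its number in rt_tables
MARK=0x2               # assumption: fwmark meaning "leave via ADSL"
PREF=1000              # assumption: preference of the ip rule
RT_TABLES=/etc/iproute2/rt_tables

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

register_table() {
    # Name the table once so that "table adsl" is accepted by ip(8).
    grep -qs "^$TABLE_ID[[:space:]]*$TABLE\$" "$RT_TABLES" && return 0
    run sh -c "echo '$TABLE_ID $TABLE' >> $RT_TABLES"
}

copy_local_routes() {
    # The adsl table must also know the local subnets: a marked packet for
    # another VLAN would otherwise leave via ppp0, and strict rp_filter
    # repeats the lookup with the mark and would reject the packet.
    if [ -n "${DRY_RUN:-}" ]; then
        echo "# copy every non-default route from table main into table $TABLE"
        return 0
    fi
    ip route show table main | grep -v '^default' | while read -r route; do
        # shellcheck disable=SC2086  (word-split the route text on purpose)
        ip route replace $route table "$TABLE"
    done
}

routing() {          # $1 = add | del
    if [ "$1" = add ]; then
        register_table
        copy_local_routes
        # ppp0 is point-to-point, so the default route is the device itself.
        run ip route replace default dev "$ADSL_IF" table "$TABLE"
        run ip rule add fwmark "$MARK" table "$TABLE" pref "$PREF"
    else
        run ip rule del fwmark "$MARK" table "$TABLE" pref "$PREF"
        run ip route flush table "$TABLE"
    fi
    run ip route flush cache
}

firewall() {         # $1 = -A | -D; one rule list serves both add and delete
    a=$1
    # Mark traffic from the ADSL subnet before the routing decision is made.
    run iptables -t mangle $a PREROUTING -i "$LAN_IF" -j MARK --set-mark "$MARK"
    # Masquerade behind whichever uplink the packet leaves on.
    run iptables -t nat $a POSTROUTING -o "$ADSL_IF" -j MASQUERADE
    run iptables -t nat $a POSTROUTING -o "$ISP_IF" -j MASQUERADE
    # Never relay between the uplinks (or the modem VLAN), in either direction.
    for in_if in "$ISP_IF" "$ADSL_IF" "$MODEM_IF"; do
        for out_if in "$ISP_IF" "$ADSL_IF" "$MODEM_IF"; do
            [ "$in_if" = "$out_if" ] || run iptables $a FORWARD -i "$in_if" -o "$out_if" -j DROP
        done
    done
    # "recent" match: once a source has opened 4 new ssh connections within
    # 60 s, further attempts are dropped until it has been quiet for a minute.
    for uplink in "$ISP_IF" "$ADSL_IF"; do
        run iptables $a INPUT -i "$uplink" -p tcp --dport 22 -m state --state NEW \
            -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
        run iptables $a INPUT -i "$uplink" -p tcp --dport 22 -m state --state NEW \
            -m recent --name ssh --set
    done
}

start() { routing add; firewall -A; }
stop()  { firewall -D; routing del; }
plan()  { DRY_RUN=1; start; }

case "${1:-}" in
    start) start ;;
    stop)  stop ;;
    plan)  plan ;;
    *)     echo "usage: $0 {start|stop|plan}" >&2 ;;
esac
```

Because ppp0 only exists once the PPPoE session is up, "start" is better hooked into the ppp link-up script on Fedora (for example /etc/ppp/ip-up.local) than into a run level, with "stop" in the matching ip-down hook; keeping add and delete in one rule list is what makes "stop" leave the firewall exactly as it found it.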