Re: Routing with 2 ISP

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



David Hláčik wrote:
Hello guys,

Sorry to bothering you.

I had a small network with one ISP and firewall.

eth1 -> Is connected to my ISP
eth0 + eth0.1 , eth0.2 and etc are my local networks.

All my network accesses internet via eth1.

My routing table looks like the following :

213.194.242.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.123.20.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.123.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.123.11.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.8
10.123.42.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.5
10.123.123.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.7
10.123.40.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.4
10.123.30.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.123.44.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.6
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0.8
0.0.0.0         213.194.242.1   0.0.0.0         UG    0      0        0 eth1

Recently I have added secon provider via ADSL.

ADSL modem is connected via eth0.8 . Using adsl-setup I have created
ppp interface ppp0.

Now I want to achieve the following :

Computers from local network range 10.123.123.0/24 (eth0.7) should
access internet using my second internet provider via ppp0.

I believe that for that I need to use advanced networking and iproute package.

I will add the second routing table named "adsl" and configure routing
via ppp0 there. Together with that i need to set in iptables , nat
table to masquerade all ips going out via ppp0.  I believe I need to
use ip command for this.

And the finally my questions are :

1) Is there a good tutorial / howto for using iproute on the internet,
except of the LARTC.org

Let us know if you find it.

2) Can i utilize by tools of Fedora, to have my configuration (with
second routing table, using ip ) somehow stored - to be permanent when
I will do machine restart? I mean there are networking-scripts
/etc/sysconfing/network-scripts which can handle, IP assigment,
virtual LANS, aliases even static routes. Can they handle advanced
routing as well?

The easiest way to do this is to put all the commands in a shell script you run out of the run levels you want. Not that you can't hack scripts and save iptables, and do wonderful stuff, but a shell script has a nice provision for comments so you can see what you are doing, it does one thing at a time so it's easier to figure out what didn't work, and you can use your favorite version control system to track what you do.

I used the MARK action in iptables to allow me to force packets out a given interface. You then need only a very few rules to make routing work.

Also, unless you have nothing but machines and people you trust on all these little subnets, have the external ISP connections on NICs not reachable from the private machines without going through your firewall. Having had a 12 years old tell me "Oh I read the man page and changed the netmask" was a revelation. Unless people are totally trusted and really competent, assume they will (maybe by accident) do something you don't want. Also, packets from the ISP in eth0.8 can physically reach the subnets (unless you have VLAN switches or similar).

Finally, be sure packets can't come in one NIC and out the other from one ISP to the other. The NIC is looking at MAC address, packets will come in with foreign IPs. I see a few thousand of these a week.

Sounds like you are going to have some learning experiences. You want to look at the 'recent' match in iptables, it may be useful in blocking some evil, depending on your policy.

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux