> > I have a dual-homed firewall. It has 2 Internet connections, provided by
> > different ISPs (each with an associated IP address). The 2 Internet
> > connections are connected to the same physical interface. The 2 Internet
> > connections do NOT have equal bandwidth.
> >
> > How do I configure the SNAT/MASQ and ensure sharing of the gateways with
> > the correct ratio of usage and with the correct source IP address?
>
> ip route add default nexthop via $CONN1_IP dev $ETHX weight $X \
>     nexthop via $CONN2_IP dev $ETHX weight $Y

Note that this only shapes outgoing traffic and also relies on your ISPs to
NOT do the ingress filtering that they're really supposed to do.

If most of the traffic at your site is going out this might be reasonable.
For most people, most of the traffic is coming in, e.g., behind your firewall
are clients who want to download data. The bandwidth going out is mostly acks,
which is very small compared to that coming in.

Which interface traffic comes in on depends on which IP address it's sent to,
which depends on which address the original request came from. That's related
to the nat decision but there's no way to make the "right" decision. You can
divide the original requests in some given proportion, but you don't know when
you do that how much traffic each one will generate.

So, for instance, the clients behind your firewall make 10 http requests. You
nat 8 to the fast interface and 2 to the slow one. But then it turns out that
the 8 you send to the fast one all result in small amounts of data while one
of the two sent to the slow interface results in a large amount.

You might be better off just using the fast one, or perhaps using the slow one
only for stuff that you can be sure will fit comfortably in its bandwidth.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
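The reply's point (a weighted multipath route splits outgoing connections by weight, but the bytes that come back land on whichever ISP address each connection was NATed to, and that volume is unknown when the split is made) can be made concrete with a small model. The code below is an added illustration, not code from the LARTC thread; the link names, weights, link capacities and response sizes are constructed, and the smooth weighted round-robin stands in for the kernel's per-flow nexthop choice (an assumption, since the real selection is hash-based). It replays the 8-to-2 case from the message and then runs a Monte Carlo with heavy-tailed response sizes to show how often the slow link ends up over capacity.

```python
"""Model of why splitting outbound connections 8:2 does not split inbound
bytes 8:2 when response sizes are unknown in advance."""
from collections import defaultdict
import random

# Constructed link parameters: capacity is bytes deliverable per interval.
CAPACITY = {"fast": 8_000_000, "slow": 2_000_000}
WEIGHT = {"fast": 8, "slow": 2}   # same ratio as `nexthop ... weight 8 / weight 2`


def weighted_round_robin(weights, n):
    """Assign n new connections to links in proportion to their weights.

    Smooth weighted round robin: deterministic, so the example is reproducible.
    (Assumption: stands in for the kernel's per-flow multipath choice.)
    """
    names = list(weights)
    total = sum(weights.values())
    credit = {k: 0 for k in names}
    out = []
    for _ in range(n):
        for k in names:
            credit[k] += weights[k]
        best = max(names, key=lambda k: credit[k])
        credit[best] -= total
        out.append(best)
    return out


def inbound_bytes(assignment, response_sizes):
    """Bytes arriving per link: the reply to a connection returns via the ISP
    address the connection was SNATed to, i.e. the link it was assigned to."""
    totals = defaultdict(int)
    for link, size in zip(assignment, response_sizes):
        totals[link] += size
    return dict(totals)


def utilisation(totals, capacities):
    """Fraction of each link's capacity consumed (>1.0 means overloaded)."""
    return {k: totals.get(k, 0) / capacities[k] for k in capacities}


def page_example():
    """The 10-request scenario from the message: 8 go fast, 2 go slow, and one
    of the slow ones turns out to be a large download (sizes constructed)."""
    assignment = weighted_round_robin(WEIGHT, 10)        # 8 x fast, 2 x slow
    sizes = [10_000] * 10                                 # 10 KB responses...
    last_slow = max(i for i, l in enumerate(assignment) if l == "slow")
    sizes[last_slow] = 5_000_000                          # ...except one 5 MB
    return utilisation(inbound_bytes(assignment, sizes), CAPACITY)


def overload_probability(trials=2000, requests=10, seed=1):
    """Share of trials in which the slow link exceeds its capacity when
    response sizes follow a heavy-tailed (Pareto) distribution."""
    rng = random.Random(seed)
    overloaded = 0
    for _ in range(trials):
        assignment = weighted_round_robin(WEIGHT, requests)
        sizes = [rng.paretovariate(1.2) * 10_000 for _ in range(requests)]
        if utilisation(inbound_bytes(assignment, sizes), CAPACITY)["slow"] > 1.0:
            overloaded += 1
    return overloaded / trials


if __name__ == "__main__":
    print("page example:", page_example())
    print("P(slow link overloaded):", overload_probability())
```

`page_example()` reports the fast link at about 1% of capacity and the slow link at roughly 250%, which is the mismatch the reply describes: the weights governed how many connections each ISP address was used for, not how many bytes each ISP delivered back.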