[LARTC] Double gateway - aliased ip routing

Linux Advanced Routing and Traffic Control


oli,

Nice ASCII map.  (Your mailer didn't line break it, and it's clear.)

 : My problem is how to route the packages from the localnet to either
 : ADSL or T3, depending on whether they were received by the ip
 : 192.168.10.8 or 192.168.10.9. I tried to mark the packages in the
 : postrouting chain of iptables and send them to different routing
 : tables. but iptables can't handle aliased interfaces like eth0:1 as
 : source devices.

The problem is that the gateway information (client's chosen destination
IP address) is lost the moment the packet is encapsulated by the client
and transmitted onto the ethernet.

Packet arrives on your firewall looking something like this:

  Frame source: client MAC
    Frame dest: firewall eth0 MAC
     IP source: client IP
       IP dest: real destination IP

The address 192.168.10.8 and 192.168.10.9 are logical IP addresses which
share the same MAC, so you can't even select on the destination MAC
address, because you can't assign two hardware addresses to the same
interface simultaneously.

If I had to allow the client to select its default gateway, I'd be
inclined to add another interface.  But since I'm a control freak and
BOFH, I'd simply use "ip rule" on the firewall to determine which client
IP (or outbound service) gets to use bandwidth on my two connections.

I have some documentation available on

  http://plorf.net/linux-ip/html/adv-multi-internet.htm

which may be helpful to you in selecting different outbound routes based
on source IP or destination port.

If anybody else has a clever solution about how to accomplish his original
goal, I'd be interested in hearing the idea.

-Martin

 :                        INTERNET
 :          =======================================
 :                |                       |
 :                |                       |
 :              DynIP                212.x.x.195
 :          /------------\        /---------------\
 :          | DSL-ROUTER |        |   T3-ROUTER   |
 :          \------------/        \---------------/
 :           192.168.11.1             62.x.x.89
 :          192.168.11.0/24          62.x.x.88/29
 :                |                       |
 :                |                       |
 :           192.168.11.8             62.x.x7.90
 :          192.168.11.0/24          62.x.x.88/29
 :              eth3                    eth1   w/ ProxyARP
 :                    /---------------\
 :                    |   FIREWALL    |
 :                    \---------------/
 :       eth0:1         eth0             eth2  w/ ProxyARP
 :   192.168.10.8   192.168.10.9      62.x.x.90
 :         192.168.10.0/24           62.x.x.88/29
 :                |                                 \
 :                |                                  \
 :   ===========================                    eth0
 :            LOCALNET                            62.x.x.93
 :                                               62.x.x.88/29
 :                                                 /-----\
 :                                                 | DMZ |
 :                                                 \-----/



-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
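As an added example, not part of Martin's reply or of oli's setup: the "ip rule" approach Martin suggests, written as a reviewable shell script for the FIREWALL host. It uses the interface names and private addresses from oli's diagram; the 62.x.x.* addresses are redacted in the thread, so those below are placeholders, and the list of ADSL clients is invented.

```shell
#!/bin/sh
# Added example (not from the original thread): policy routing on the FIREWALL
# so that the firewall, not the client, decides which uplink a source IP uses.
# Addresses follow oli's diagram; the 62.x.x.* values are redacted there, so
# T3_GW and DMZ below are PLACEHOLDERS to replace with the real addresses.
ADSL_DEV=eth3;  ADSL_GW=192.168.11.1   # DSL-ROUTER, from the diagram
T3_DEV=eth1;    T3_GW=62.0.0.89        # PLACEHOLDER for 62.x.x.89
LAN=192.168.10.0/24                    # LOCALNET behind eth0
DMZ=62.0.0.88/29                       # PLACEHOLDER for 62.x.x.88/29
ADSL_TABLE=100; T3_TABLE=200           # numeric tables: no rt_tables edit needed

# Invented list of clients allowed on the ADSL line; everyone else uses the T3.
ADSL_CLIENTS="192.168.10.50 192.168.10.51"

# Print the ip(8) commands instead of running them, so the plan can be
# reviewed (or diffed against the running config) before it is applied as root.
gen_policy_routing() {
    # One routing table per uplink, each holding only that uplink's default route.
    echo "ip route replace default via $ADSL_GW dev $ADSL_DEV table $ADSL_TABLE"
    echo "ip route replace default via $T3_GW dev $T3_DEV table $T3_TABLE"
    # Internal destinations must be resolved from the main table first, or the
    # per-uplink default route would swallow LAN-to-DMZ traffic.
    echo "ip rule add to $LAN table main pref 100"
    echo "ip rule add to $DMZ table main pref 101"
    # Source-based selection: the listed clients use the ADSL table ...
    for c in $ADSL_CLIENTS; do
        echo "ip rule add from $c table $ADSL_TABLE pref 200"
    done
    # ... and the rest of the LAN uses the T3 table.
    echo "ip rule add from $LAN table $T3_TABLE pref 300"
    echo "ip route flush cache"
}

# Self-check: number of generated rules that pick a table by source address.
count_source_rules() {
    gen_policy_routing | grep -c '^ip rule add from '
}

case "${1:-}" in
    show)  gen_policy_routing ;;
    apply) gen_policy_routing | sh -e ;;   # run as root on the firewall
esac
```

Run with `show` to inspect the generated commands and with `apply` (as root) to install them; `ip rule show` and `ip route show table 100` afterwards confirm what the kernel actually holds.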


