1) I want traffic coming from 192.168.20.x/24 to egress via the Bell PIX and Bell to the Internet, but I also want to connect from 192.168.20.x/24 to devices in the Cogent DMZ (including the DMZ interface of the Ubuntu LARTC router)... Which doesn't seem to want to work... WHY?? Traffic should go out Bell and route through the Internet to the Cogent DMZ LAN which has public address space.... but it does not... I can ping and traceroute to any other host on the Internet from 192.168.20.x/24 and traceroute shows the traffic going out Bell just fine... but traceroute to a device in the Cogent DMZ stops at the distribution router.... It must be because the Ubuntu LARTC router has an interface in the Cogent DMZ LAN.... How do I tell the Ubuntu box to ignore this local interface in routing decisions??
I take it that the Ubuntu Linux box is the "Distribution Router" that you are speaking of? I know you have provided a list of the rules / routes that you are populating your various routing tables with, but I'd like an output of your routing tables and your routing rules. Also, can we get an example of a (scrubbed) traceroute from a 192.168.20.x client computer? As I'm sitting here thinking about it, I bet you cannot send returning (outbound) traffic that came in on eth3 because your system is using Cogent as its default route to the Internet. To solve this you may need to mark the traffic that comes in on eth3 so that you can test for the IP mark to use the Management routing table.
2) What's the best way to monitor the traffic passing through the Ubuntu LARTC router? I am using jnettop and darkstat but maybe there are better tools?? Advice? I would like to monitor traffic volume by distribution LAN... Unfortunately, the distribution equipment (Cisco 4000) does not support SNMP so I cannot use MRTG to poll this equipment...
You could easily set up rules in your FORWARD table that are used solely as counters...
3) One objective of this setup is to be able to shift traffic between the two Cogent firewalls as a testbed to evaluate different firewall technology and proxy services using live traffic on a dynamic basis... Any advice from more knowledgeable folks on doing this??
Rather than just changing the default route in your Cogent table, I'd set up two Cogent tables, one with one router as the default and the other table with the other router. I think this would allow you to shift load from one router over to the other without breaking existing streams. To do this you would have a couple of rules that would decide which Cogent routing table to use based on the marks in the packet / stream. If a packet / stream is not marked you would know that it is new and could just start going out the router that you want and thus be marked for said router on the way out. If packet / stream marked as Cogent_1, use table Cogent_1. If packet / stream marked as Cogent_2, use table Cogent_2. If packet / stream unmarked (new), use table Cogent_(what) and mark as such.
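Grant's scheme written out as an added example script (it is not the poster's or Grant's own configuration): CONNMARK saves the chosen mark on the connection, so existing streams keep their router while only new streams follow the switch. Interface names, gateway addresses, the DMZ prefix, table ids and mark values are placeholder assumptions; with no argument the script only defines functions, and `show` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the original poster's or Grant's config.
# Placeholders (assumptions, change for your site):
LAN_IF=${LAN_IF:-eth0}                  # interface facing the distribution LANs
COGENT_IF=${COGENT_IF:-eth1}            # interface in the Cogent DMZ
COGENT_NET=${COGENT_NET:-203.0.113.0/24} # Cogent DMZ prefix (placeholder)
GW1=${GW1:-203.0.113.1}                 # Cogent firewall 1 (placeholder)
GW2=${GW2:-203.0.113.2}                 # Cogent firewall 2 (placeholder)
TBL1=101; TBL2=102                      # free table ids: Cogent_1 / Cogent_2
MARK1=1;  MARK2=2                       # fwmark meaning "stream uses Cogent_1/2"
RUN=${RUN:-}                            # RUN=echo prints commands instead

run() { $RUN "$@"; }

# One-time setup: both tables, the fwmark rules, and the mangle chain.
setup_tables() {
    for t in "$TBL1" "$TBL2"; do
        # keep the on-link DMZ route in each table so DMZ hosts stay direct
        run ip route replace "$COGENT_NET" dev "$COGENT_IF" table "$t"
    done
    run ip route replace default via "$GW1" dev "$COGENT_IF" table "$TBL1"
    run ip route replace default via "$GW2" dev "$COGENT_IF" table "$TBL2"
    run ip rule add fwmark "$MARK1" table "$TBL1"
    run ip rule add fwmark "$MARK2" table "$TBL2"
    run iptables -t mangle -N COGENT_PICK
    # 1. restore the mark saved on the connection (existing stream)
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # 2. still unmarked = new stream: COGENT_PICK assigns the current router
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark 0 -j COGENT_PICK
    # 3. persist the mark on the connection so later packets follow it
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --save-mark
}

# Send NEW streams to router 1 or 2; existing streams keep their saved mark.
switch_new_streams() {
    case "$1" in
        1) m=$MARK1 ;;
        2) m=$MARK2 ;;
        *) echo "usage: switch_new_streams 1|2" >&2; return 1 ;;
    esac
    run iptables -t mangle -F COGENT_PICK
    run iptables -t mangle -A COGENT_PICK -j MARK --set-mark "$m"
}

case "${1:-}" in
    setup)  setup_tables ;;
    switch) switch_new_streams "$2" ;;
    show)   (RUN=echo; setup_tables; switch_new_streams "${2:-1}") ;;
esac
```

Watching `iptables -t mangle -L COGENT_PICK -v` and `ip rule` afterwards confirms which router new streams are being pinned to.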
4) Any other thoughts about what I am trying to do? Any better way??
That depends on what you are ultimately trying to do. From the sounds of it you are still in a testing phase and don't have a final direction to go yet. (This may just be me misunderstanding you though.)

Grant. . . .

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc