RE: [LARTC] 4 nic advanced routing question update

2002-09-10 Thread Thad Marsh

This line gave me an error; I substituted the IP of the interface gateway, 209.141.2.195, for $GW_ON_ETH1:

ip route add table public-link-1 default via $GW_ON_ETH1 dev eth1

I am still unable to ping beyond the internal interface on the firewall.  I.e. from the 
firewall I can ping 209.141.2.192, 66.92.114.33 but not the next hop from 
192.168.119.101, which is 192.168.119.100.  Here are the rules and routes:

ip ru
0:  from all lookup local
32762:  from all iif eth3 lookup public-link-1
32763:  from all iif eth1 lookup public-link-1
32764:  from all iif eth0 lookup public-link-0
32765:  from all iif eth2 lookup public-link-0
32766:  from all lookup main
32767:  from all lookup 253

ip ro
66.92.114.32/28 dev eth0  scope link
209.141.2.192/27 dev eth1  scope link
192.168.119.0/24 dev eth2  scope link
192.168.120.0/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via 66.92.114.33 dev eth0

ip ad
1: lo:  mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:04:75:9f:07:79 brd ff:ff:ff:ff:ff:ff
inet 66.92.114.46/28 brd 66.92.114.47 scope global eth0
3: eth1:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:5a:a2:75:0d brd ff:ff:ff:ff:ff:ff
inet 209.141.2.194/27 brd 209.141.2.223 scope global eth1
4: eth2:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:5a:a2:74:2f brd ff:ff:ff:ff:ff:ff
inet 192.168.119.101/24 brd 192.168.119.255 scope global eth2
5: eth3:  mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:60:08:bf:1c:c2 brd ff:ff:ff:ff:ff:ff
inet 192.168.120.101/24 brd 192.168.120.255 scope global eth3

Thanks again for the help!



RE: [LARTC] 4 nic advanced routing question update

2002-09-10 Thread Thad Marsh

I just wanted to clarify the failover appliance piece.  

The failover appliance was purchased quite a while ago to allow incoming and outgoing traffic 
when one of the two ISPs went down.
The host piece was handled by a variety of commercial firewalls which have since 
failed, leaving us searching for an alternative.
The firewall appliance is just NAT and only had the ability to deal with one IP per 
interface, limiting our ability to host multiple servers without changing a lot of 
ports to non-standard ones. That is why we are putting the Linux box in front of the 
appliance to provide security and handle multiple IPs (phase two, after we get the 
basics down).  This way the area between the Linux firewall and the failover appliance 
creates a DMZ for externally accessible servers, while the internal clients have the 
benefit of outgoing failover.

Not sure if this is the best way but it seemed to make sense, thoughts?

Martin, in answer to this below: I guess, since the two internal interfaces eth2 and eth3 are 
really a DMZ, it wouldn't matter if they know about each other, just so long as when a request 
comes from the outside they know how to route it back out properly even when one ISP 
is down.

This appears to be the rub!  I assume for the purposes of my answer that
you don't want either of these pairs of networks knowing about the
others.  This is essentially turning your linux box into two separate
routers... if this is not what you intend, at least it might get you
started.

Again thanks to all and look forward to your input.



RE: [LARTC] 4 nic advanced routing question update

2002-09-10 Thread Martin A. Brown

Thad,

Preface:
- - - - - -
I'm not certain that I understand your ultimate goal, though I'm 
sure I do not understand what you mean by a failover appliance (I know 
what such devices do, but I don't see how you are integrating it into this 
solution, but that's your problem.)

 : ok i will do it in text:
 : 
 : 66.92.114.46 eth0
 : 209.141.2.194 eth1
 : 192.168.119.101 eth2
 : 192.168.120.101 eth3 
 : 
 : What I have is a Linux box (RH7.3) which will eventually run Shorewall
 : Firewall. On this box there is eth0 66.92.114.46 connected to isp1 and
 : eth1 209.141.2.194 connected to isp2. It also has eth2 192.168.119.101
 : and eth3 192.168.120.101, which will connect to a failover appliance
 : which has 2 WAN interfaces and one LAN interface.
 : 
 : What i need is to have traffic going to eth0 be routed to eth2 and
 : traffic going to eth1 routed to eth3, and vice versa.

This appears to be the rub!  I assume for the purposes of my answer that
you don't want either of these pairs of networks knowing about the
others.  This is essentially turning your linux box into two separate
routers... if this is not what you intend, at least it might get you
started.

You'll need to take the following steps:

  - create routing tables for each of the sets of networks between 
which you want to pass traffic
  - modify the RPDB to select traffic based on the interface on which a 
packet arrives

# -- numbers chosen here are arbitrary, but between 1 and 253
#    labels are also completely arbitrary
#
echo 4 public-link-0 >> /etc/iproute2/rt_tables

# -- table identifiers below are looked up in the above file
#    (/etc/iproute2/rt_tables)
#
ip route add table public-link-0 192.168.119.0/24 dev eth2
ip route add table public-link-0 66.92.114.32/28 dev eth0
ip route add table public-link-0 default via 66.92.114.33 dev eth0

# -- numbers here are equally as arbitrary--use a label
#    that makes sense to you
#
echo 5 public-link-1 >> /etc/iproute2/rt_tables

ip route add table public-link-1 192.168.120.0/24 dev eth3
ip route add table public-link-1 209.141.2.192/27 dev eth1
ip route add table public-link-1 default via $GW_ON_ETH1 dev eth1

# Notice that this simply sets up the routing tables.
# Now you need to use the RPDB to ask for lookups to the routing table you
# wish to use.

# -- here we'll configure the policy routing to force packets
#    coming to and from the separate networks through the right interfaces
#
ip rule add iif eth2 table public-link-0
ip rule add iif eth0 table public-link-0

ip rule add iif eth1 table public-link-1
ip rule add iif eth3 table public-link-1

# -- now flush the routing cache
#
ip route flush cache


  Notes:
  - - - - - -
  - I can't simulate your setup... this may not work, and may not do
what you want
  - locally generated traffic is a problem I don't deal with
  - this will only allow packets to and from eth0 <--> eth2 and
eth1 <--> eth3
  - you'll need to do masquerading with your packet filtering engine if
you want any of the rfc1918 networks to reach the internet

Oh, yes... by the way, Julian just responded to this.  Read his
documentation and the iproute2 manual thoroughly and carefully.  There is
more than enough to get you to where you want to go.

If you need an online iproute2 manual there are a few--try this one:

  http://defiant.coinet.com/iproute2/ip-cref/node1.html

Good luck and bon voyage!

-Martin

 : Right now I can ping eth0, eth1, eth2, eth3 on the box.  I also can
 : ping beyond eth0 and eth1.  What I cannot do is ping beyond eth2 and
 : eth3.
 : 
 : I have tried several table statements and played with pref to no avail.  
 : 
 : any insight would be helpful!
 : 
 : 
 : 
 : -Original Message-
 : From: Jose Luis Domingo Lopez [mailto:[EMAIL PROTECTED]]
 : Sent: Tue 9/10/2002 2:39 PM
 : To: [EMAIL PROTECTED]
 : Cc: 
 : Subject: Re: [LARTC] 4 nic advanced routing question
 : 
 : On Tuesday, 10 September 2002, at 12:34:10 -0400,
 : Michael T. Babcock wrote:
 : 
 : > I'm not sure why you're having a problem:
 : > His document was encoded properly ...
 : > 
 : Yes, multipart/alternative, but I think what the reader was trying to
 : say is that the ASCII version of the email seems to include some kind of
 : ASCII-art that depicts the sender's network. But at least in my email
 : client the drawing seems broken and gives no clues about topology.
 : 
 : 

-- 
Martin A. Brown --- SecurePipe, Inc. --- [EMAIL PROTECTED]



___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
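
Martin's table-plus-rule layout, walked offline as an added example (not code from the thread): a small Python model of the RPDB that sends a packet to the table its incoming interface selects and then does the longest-prefix match inside that table. `route`, `lookup_table` and the destination 198.51.100.7 are my names and constructed values; 209.141.2.195 is the gateway Thad substituted for $GW_ON_ETH1 in his follow-up. It shows the eth2/eth0 and eth3/eth1 pairing, that a packet arriving on eth0 for the other internal network follows public-link-0's default route back out eth0 rather than crossing to eth3, and that traffic generated on the box itself matches no iif rule and only ever sees main, which is the "locally generated traffic" caveat in the notes.

```python
"""Offline walk through the RPDB described in this thread.  Added example,
not code from the thread: rules and tables are transcribed from Martin's
commands and Thad's `ip ru` / `ip ro` output; 209.141.2.195 is the value
Thad substituted for $GW_ON_ETH1.  The 'local' table is left out."""
import ipaddress

# Routing tables: (prefix, outgoing device, gateway or None for on-link).
TABLES = {
    "public-link-0": [
        ("192.168.119.0/24", "eth2", None),
        ("66.92.114.32/28", "eth0", None),
        ("0.0.0.0/0", "eth0", "66.92.114.33"),
    ],
    "public-link-1": [
        ("192.168.120.0/24", "eth3", None),
        ("209.141.2.192/27", "eth1", None),
        ("0.0.0.0/0", "eth1", "209.141.2.195"),
    ],
    "main": [
        ("66.92.114.32/28", "eth0", None),
        ("209.141.2.192/27", "eth1", None),
        ("192.168.119.0/24", "eth2", None),
        ("192.168.120.0/24", "eth3", None),
        ("0.0.0.0/0", "eth0", "66.92.114.33"),
    ],
}

# RPDB in preference order, as `ip ru` printed it: (pref, iif or None, table).
RULES = [
    (32762, "eth3", "public-link-1"),
    (32763, "eth1", "public-link-1"),
    (32764, "eth0", "public-link-0"),
    (32765, "eth2", "public-link-0"),
    (32766, None, "main"),
]

def lookup_table(table, dst):
    """Longest-prefix match in one table; None when the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, gw in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return None if best is None else (best[1], best[2])

def route(dst, iif=None):
    """Walk the rules in order.  A rule whose table has no route for dst is
    skipped and the next rule is tried, as the kernel does.  iif=None models
    locally generated traffic, which matches none of the 'iif' rules and so
    only ever sees the main table.  Returns (table, dev, gateway) or None."""
    for _pref, sel, table in RULES:
        if sel is not None and sel != iif:
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            return (table, hit[0], hit[1])
    return None

if __name__ == "__main__":
    # 198.51.100.7 is a constructed (documentation-range) Internet host.
    for dst, iif in [("198.51.100.7", "eth2"), ("198.51.100.7", "eth3"),
                     ("192.168.120.5", "eth0"), ("192.168.119.100", None)]:
        print(dst, "in on", iif or "local", "->", route(dst, iif))
```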



Re: [LARTC] 4 nic advanced routing question

2002-09-10 Thread Julian Anastasov


Hello,

On Tue, 10 Sep 2002, Thad Marsh wrote:

> Can some one point me to a reference for how to route two wan nics and
> two internal nics on the same box.

Here you can find some documents and patches on this issue:

http://www.ssi.bg/~ja/#routes

Regards

--
Julian Anastasov <[EMAIL PROTECTED]>




RE: [LARTC] 4 nic advanced routing question update

2002-09-10 Thread Thad Marsh
ok i will do it in text:

66.92.114.46 eth0
209.141.2.194 eth1
192.168.119.101 eth2
192.168.120.101 eth3

What I have is a Linux box (RH7.3) which will eventually run Shorewall Firewall. On this box there is eth0 66.92.114.46 connected to isp1 and eth1 209.141.2.194 connected to isp2.
It also has eth2 192.168.119.101 and eth3 192.168.120.101, which will connect to a failover appliance which has 2 WAN interfaces and one LAN interface.


What i need is to have traffic going to eth0 be routed to eth2 and traffic going to eth1 routed to eth3, and vice versa.

Right now I can ping eth0, eth1, eth2, eth3 on the box.  I also can ping beyond eth0 and eth1.  What I cannot do is ping beyond eth2 and eth3.

I have tried several table statements and played with pref to no avail. 

any insight would be helpful!










Re: [LARTC] 4 nic advanced routing question

2002-09-10 Thread Jose Luis Domingo Lopez

On Tuesday, 10 September 2002, at 12:34:10 -0400,
Michael T. Babcock wrote:

> I'm not sure why you're having a problem:
> His document was encoded properly ...
> 
Yes, multipart/alternative, but I think what the reader was trying to
say is that the ASCII version of the email seems to include some kind of
ASCII-art that depicts the sender's network. But at least in my email
client the drawing seems broken and gives no clues about topology.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436 Debian Linux Woody (Linux 2.4.19-pre6aa1)



Re: [LARTC] 4 nic advanced routing question repost txt

2002-09-10 Thread Thad Marsh

I have scoured the net, gotten a few pointers from several people and looked at 
several books and still have not come up with a satisfactory solution.

I know someone has done it!

Can someone point me to a reference for how to route two WAN NICs and two 
internal NICs on the same box.

I have tried using ip add to setup two separate lookup tables and route tables 
but to no avail. Any help greatly appreciated!

This is what I have:

  66.92.114.46                209.141.2.194
       |                            |
     Nated RedHat 7.3, will run ShoreWall
  192.168.119.101             192.168.120.101
       |                            |
    each network will have servers running here
  192.168.119.100             192.168.120.100
   xxxxxxxxxxxx Nated failover box xxxxxxxxxxxx
                 192.168.121.101
               internal mail server

ip ru
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup 253

ip ro
66.92.114.32/28 dev eth0  scope link
209.141.2.192/27 dev eth1  scope link
192.168.119.0/24 dev eth2  scope link
192.168.120.0/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via 66.92.114.33 dev eth0

Re: [LARTC] 4 nic advanced routing question

2002-09-10 Thread Michael T. Babcock

Juan Antonio Morillas Cerezo wrote:

>Perhaps it's because of my mail reader not properly
>opening html documents, but I'd ask you to make a diagram or
>even a drawing, with arrows included, that would help a lot. 
>Please take into account possible NATings between networks too.
>
I'm not sure why you're having a problem:

--_=_NextPart_001_01C258E3.801CD380
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


His document was encoded properly ...

-- 
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock





Re: [LARTC] 4 nic advanced routing question

2002-09-10 Thread Juan Antonio Morillas Cerezo

On Tue, Sep 10, 2002 at 12:02:44PM -0400, Thad Marsh said:
> 
> I have scoured the net, gotten a few pointers from several people and looked at
> several books and still have not come up with a satisfactory solution. 
> 

Perhaps it's because of my mail reader not properly
opening html documents, but I'd ask you to make a diagram or
even a drawing, with arrows included, that would help a lot. 
Please take into account possible NATings between networks too.








[LARTC] 4 nic advanced routing question

2002-09-10 Thread Thad Marsh








I have scoured the net, gotten a few pointers from several people and looked at
several books and still have not come up with a satisfactory solution.

I know someone has done it!

Can someone point me to a reference for how to route two WAN NICs and two
internal NICs on the same box.

I have tried using ip add to setup two separate lookup tables and route tables
but to no avail. Any help greatly appreciated!

This is what I have:

  66.92.114.46                209.141.2.194
       |                            |
        RedHat 7.3, will run ShoreWall
  192.168.119.101             192.168.120.101
       |                            |
    each network will have servers running here
  192.168.119.100             192.168.120.100
   xxxxxxxxxxxxxxx failover box xxxxxxxxxxxxxxx
                 192.168.121.101
               internal mail server

ip ru
0:  from all lookup local
32766:  from all lookup main
32767:  from all lookup 253

ip ro
66.92.114.32/28 dev eth0  scope link
209.141.2.192/27 dev eth1  scope link
192.168.119.0/24 dev eth2  scope link
192.168.120.0/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via 66.92.114.33 dev eth0