[leaf-user] Routing Question: eth0=DSL, eth1=Local, eth2=DMZ, eth3=Cable
I was given direction from Charles Steinkuehler on my question, but I am still not clear on how to implement the routing rules in /etc/network/interfaces, or what specific rules to set, since my case is slightly different from what is recommended at the documentation site. I am looking at the following URL from what was suggested:

http://lartc.org/howto/lartc.rpdb.multiple-links.html

Going from their model, I have something more like this, which I not only need to set up, but test and verify it works on the wire before we down production equipment and move it to a new location:

    DMZ via Prov.1                                           Provider 1
    66.114.34.92/30 ---- eth2 +--------------+ eth0 ---- 66.114.33.64/30 -----\
                              | Linux Router |           gw 66.114.34.65       > Internet
    Lcl NAT via Prv2          |              |           Provider 2           /
    192.168.2.0/24 ----- eth1 +--------------+ eth3 ---- 192.168.1.0/24 ------/
                                                         gw 192.168.1.254

I note /etc/iproute2/rt_tables, which on my machine has the following as a default on my existing router:

    #
    # reserved values
    #
    255     local
    254     main
    253     default
    0       unspec
    #
    # local
    #
    1       inr.ruhep

The only 'inbound' traffic from the net comes from Provider 1 to the DMZ. I suspect I need to add tables to rt_tables, for which the following names would be useful to match my shorewall names:

    Eth0  net
    Eth1  lcl
    Eth2  dmz
    Eth3  cbl

So am I correct to comment out 'inr.ruhep' and append the following to rt_tables?

    1 net
    2 lcl
    3 dmz
    4 cbl

It then looks like I need to do the 'ip route add default via ' commands, and they should be in ifup. I have /etc/network/if-up.d with no example scripts inside it. Their example also has commands for me to see what the route tables look like. However, I need the routes added as part of LEAF on startup, and the 'show' commands are a separate issue of debugging what I'm trying to accomplish.

For all their instructions, and my reading of http://www.linuxhorizon.ro/iproute2.html, I am still not clear *where* and *how* to set up a script that will automatically send all traffic coming over eth1 out eth3, excluding traffic directed at eth2's network. Their example doesn't appear to refer to a 'dmz' situation, and I'm not clear if I can put the route mapping in /etc/network/interfaces or /etc/network/if-up.d, and how to format it.

What would you suggest for this case? I feel like my brain is trying to climb up the down escalator.

It appears I do not need to change Shorewall unless I want special behavior, such as 'outbound port 80 always goes out cbl interface'. I want no special behavior until I am completely confident about this general behavior.

Thank you.

--Romaq

---
This SF.Net email is sponsored by: NEC IT Guy Games. How far can you shotput a projector? How fast can you ride your desk chair down the office luge track? If you want to score the big prize, get to know the little guy. Play to win an NEC 61 plasma display: http://www.necitguy.com/?r=20
leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] Routing Question: eth0=DSL, eth1=Local, eth2=DMZ, eth3=Cable
On Mon, 2005-06-06 at 10:06 -0700, William (Andy) Smith wrote:

> I was given direction from Charles Steinkuehler on my question, but I am still not clear on how to implement the routing rules in /etc/network/interfaces, or what specific rules to set, since my case is slightly different from what is recommended at the documentation site. I am looking at the following URL from what was suggested:
>
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
>
> Going from their model, I have something more like this, which I not only need to set up, but test and verify it works on the wire before we down production equipment and move it to a new location:
>
>     DMZ via Prov.1                                           Provider 1
>     66.114.34.92/30 ---- eth2 +--------------+ eth0 ---- 66.114.33.64/30 -----\
>                               | Linux Router |           gw 66.114.34.65       > Internet
>     Lcl NAT via Prv2          |              |           Provider 2           /
>     192.168.2.0/24 ----- eth1 +--------------+ eth3 ---- 192.168.1.0/24 ------/
>                                                          gw 192.168.1.254
>
> I note /etc/iproute2/rt_tables, which on my machine has the following as a default on my existing router:
>
>     #
>     # reserved values
>     #
>     255     local
>     254     main
>     253     default
>     0       unspec
>     #
>     # local
>     #
>     1       inr.ruhep
>
> The only 'inbound' traffic from the net comes from Provider 1 to the DMZ. I suspect I need to add tables to rt_tables, for which the following names would be useful to match my shorewall names:
>
>     Eth0  net
>     Eth1  lcl
>     Eth2  dmz
>     Eth3  cbl
>
> So am I correct to comment out 'inr.ruhep' and append the following to rt_tables?
>
>     1 net
>     2 lcl
>     3 dmz
>     4 cbl

if I understand correctly what you wish to do, you need to add a masquerade/SNAT rule for the traffic coming from eth1 to eth3 (and add an exclude for the network on eth2 in shorewall). As the machine has a local route to the dmz network, it should route the traffic there without needing any changes. All traffic coming in via provider 1 (eth0) will be automatically routed to the dmz, too. So the only thing you need to change is that all traffic coming from the dmz will go out on eth0 again.

So, just add one table to rt_tables (you need only to do this once and back up the package):

    echo "1 dmz" >> /etc/iproute2/rt_tables

(I am not sure about the 1; normally numbers starting at 200 are used.)

You now create an appropriate rule:

    # ip rule add from 66.114.34.92/30 table dmz
    # ip route add default via 66.114.34.65 dev eth0 table dmz
    # ip route flush cache

This should basically do it, as the normal traffic will take the default table...

You can add this to /etc/network/interfaces in the eth0 section like this:

    up ip rule add from 66.114.34.92/30 table dmz
    up ip route add default via 66.114.34.65 dev eth0 table dmz
    up ip route flush cache

and (if you want), a corresponding down section...

Or you can put this in a script (for example /usr/local/sbin/addiprules) and use it like:

    up /usr/local/sbin/addiprules

or put it in /etc/network/if-up.d. All scripts in there are called with some environment variables (an example follows):

    MODE=stop
    IF_NETMASK=255.255.255.0
    ADDRFAM=inet
    METHOD=static
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    _=/usr/bin/env
    PWD=/root
    IF_NETWORK=192.168.5.0
    SHLVL=2
    IF_BROADCAST=192.168.5.255
    IF_GATEWAY=192.168.5.254
    IFACE=eth0
    IF_ADDRESS=192.168.5.3

(I used ifdown, so MODE is stop, not start.) But you could use something like:

    #! /bin/sh
    if [ "$IFACE" = eth0 ] ; then
        # rules stuff from above
        ip rule add from 66.114.34.92/30 table dmz
        ip route add default via 66.114.34.65 dev eth0 table dmz
        ip route flush cache
    fi

All 3 possibilities should work; I think the first one (directly in /etc/network/interfaces) is the easiest...

--arne
--
Arne Bernin [EMAIL PROTECTED] http://www.ucBering.de
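Putting Arne's three options together, here is an added example (my own, not code from the thread, from LEAF or from ifupdown) of the if-up.d variant: one script, symlinked into if-down.d as well, that keys on IFACE and MODE exactly as Arne's environment dump shows, keeps the list of commands apart from their execution so the hook can be reviewed with DRY_RUN=1 before the router is moved, and prints the checks that answer "does it work on the wire". Addresses come from Romaq's diagram; the table name dmz with id 200, the DMZ host 66.114.34.94 and the external address 198.51.100.1 used in the check are assumptions. The eth1 side needs nothing here: with the eth3 gateway as the ordinary default in /etc/network/interfaces, the main table already sends eth1's traffic out the cable link, and the connected route on eth2 keeps eth1-to-DMZ traffic local.

```shell
#!/bin/sh
# /etc/network/if-up.d/dmz-policy-route  (symlink the same file into if-down.d)
#
# Added example, not code from the thread or from LEAF. ifupdown runs every
# script in if-up.d / if-down.d with IFACE and MODE in the environment
# (MODE=start on ifup, MODE=stop on ifdown), as in the dump Arne posted.
#
# Addresses are the ones in Romaq's diagram. Assumptions: the table is called
# "dmz" with id 200 (Arne notes ids from 200 up are customary), 66.114.34.94
# is a DMZ host, and 198.51.100.1 is just some external address for the check.
DMZ_NET=66.114.34.92/30      # DMZ subnet behind eth2
DMZ_GW=66.114.34.65          # Provider 1 gateway, reached through eth0
DMZ_IF=eth0
TABLE=dmz
TABLE_ID=200

# Register the table name once; harmless if it is already there.
ensure_table() {
    grep -q "^$TABLE_ID[[:space:]][[:space:]]*$TABLE\$" /etc/iproute2/rt_tables 2>/dev/null ||
        echo "$TABLE_ID $TABLE" >> /etc/iproute2/rt_tables
}

# Print the iproute2 commands for a given MODE, one per line. Keeping "what
# to run" apart from "running it" lets the hook be checked with DRY_RUN=1
# before it ever touches the production router.
dmz_commands() {
    case $1 in
    start)
        # Anything sourced from a DMZ address (replies to inbound Provider 1
        # traffic, or DMZ hosts going out) is routed by table dmz, whose only
        # route is the Provider 1 default. Everything else (eth1 clients) keeps
        # using the main table, whose default points at Provider 2 on eth3.
        echo "ip rule add from $DMZ_NET table $TABLE"
        echo "ip route add default via $DMZ_GW dev $DMZ_IF table $TABLE"
        ;;
    stop)
        # Remove in reverse order so a half-applied state never has a rule
        # pointing at an empty table.
        echo "ip route del default via $DMZ_GW dev $DMZ_IF table $TABLE"
        echo "ip rule del from $DMZ_NET table $TABLE"
        ;;
    *)
        return 1
        ;;
    esac
    echo "ip route flush cache"
}

# Run the commands for MODE, or only print them when DRY_RUN=1.
apply_dmz_policy() {
    dmz_commands "$1" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            $cmd
        fi
    done
}

# Checks for "does it work on the wire": the rule must be listed, the table
# must hold the Provider 1 default, and a lookup for a packet arriving on eth2
# from a DMZ host must choose eth0, not the main default on eth3.
verify_commands() {
    echo "ip rule show"
    echo "ip route show table $TABLE"
    echo "ip route get 198.51.100.1 from 66.114.34.94 iif eth2"
}

# ifupdown entry point. Nothing happens unless ifupdown set IFACE, so the file
# can be sourced for testing without touching any routes.
if [ "${IFACE:-}" = "$DMZ_IF" ]; then
    [ "${MODE:-}" = start ] && ensure_table
    apply_dmz_policy "${MODE:-}"
fi
```

Two practical points. Repeating `ip route add` for a route that is already in the table fails with "File exists", and a repeated `ip rule add` either fails the same way or piles up duplicate rules depending on the kernel; since ifupdown aborts ifup when an `up` command fails, the stop branch matters whenever the interface is bounced. And the last verify command, `ip route get ... from ... iif eth2`, asks the kernel for the forwarding decision a DMZ packet would actually get; it has to come back via 66.114.34.65 on eth0, not the main table's eth3 default, before any production hosts are moved.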
[leaf-user] Routing Question: eth0=DSL, eth1=Local, eth2=DMZ, eth3=Cable
I have successfully made a three interface setup with Bering uClibc consisting of eth0 to Net, eth1 for our internal network and eth2 for the DMZ. We are now moving from the office we had to a home-office where eth0 is connected to our existing ISP by DSL, plus we are adding a Cable internet connection to eth3.

1) I have verified that Comcast and DSL work as links to the outside and as expected.
2) The rules I had under the three card network will continue to apply. Because we are using the same IP, we even get to keep our old IP addresses for the DMZ.
3) Comcast is needed as bursty, high-speed outbound access, where DSL supplies fixed IP metered bandwidth.
4) I want the DMZ's default gateway to continue to be eth0.
5) I want eth1's default gateway to become eth3.
6) If eth1 happens to want to hit the DMZ, I want it to go directly to eth2 rather than out through the cable Internet and back through the DSL.

Would anyone be able to point me in the right direction?

Thanks!

--Romaq
[leaf-user] Routing Question
Hi,

I recently upgraded an old Dachstein firewall to ucBering 2.1 (I prepared it a while ago, but only now had a chance to put it in place). This firewall (router) is the default gateway for all the stations in the network (local). But it isn't the only router in the network; there are 2 or 3 more ISDN routers (Zyxel Prestige 200 series) which are used to connect to customer sites which aren't on the net yet.

In the past, all the stations on the local network only had a route to the default gateway, and this default gateway had a routing table to the other routers. This worked OK for what we needed it for. (no dhcp)

Now with the new ucBering this isn't working anymore. I added the route on the ucBering,

    192.168.155.0/24 via 192.168.70.251 dev eth1

but I get this in the logs:

    May 11 09:45:34 firefly FORWARD REJECT eth1 eth1 192.168.70.17 192.168.155.4 UDP 1990 5632 (PcAnywhere)

What do I need to change to allow this?

Stefaan

---
leaf-user mailing list: leaf-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] Routing Question
Joey,

I personally only have experience with the 3Com 3CRDW696 PCI card. It's worked great so far with Bering-uClibc 2.1, but I've only had it running for a couple of weeks now in testing. I've also had it working on Pebble and RH9 in between my searches for info on how to set up Bering as an AP.

You can look for some compatible cards at http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.802.11b.html#Prism2

There may be a more complete list of prism2+ cards elsewhere though. A quick google of "prism2 card list" turned up this one http://www.personaltelco.net/index.cgi/Prism2Card and several others that might be helpful.

Good luck,
Rob

At 11:59 PM 05/04/04, Joey Officer wrote:

> I'm currently testing with a Belkin (read: barely working) 802.11b card, based off of the admtek 8211 chipset. Finally got a stable link tonight; however, my ultimate goal is to set up my leaf box as an access point. Can you recommend a specific prism card to use? I have no current investment, so anything I begin to purchase can be planned.
>
> Thanks for the links, I'll be sure to browse them tonight and research.
>
> Joey
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Asher
> Sent: Monday, May 03, 2004 8:37 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] Routing Question
>
> At 10:23 AM 05/01/04, Ray Olszewski wrote:
>
> > At 07:46 AM 5/1/2004 -0500, Joey Officer wrote:
> >
> > > Forgive my ignorance, but I have what seems to be a very simple question. I have a wireless card that I'm still attempting to set up, and while I think I have the link issues corrected, I do have some questions about the routing itself. My configuration is as follows:
> > >
> > >     eth0 : internet/dhcp
> > >     eth1 : wired local network 192.168.1.254
> > >     eth2 : wireless network (current IP 10.10.55.254 - can be configured differently)
> > >
> > > What I want to do is to set up an open wireless gateway that will allow anyone in the area to use the wireless connection, but only after registering. Basically I want to forward any requests to a site on my bering box that says something like "hey, it's free, just tell me who you are and I'll add you"; after that they would be able to get through. Has anyone configured this type of setup? Is there anything I should be paying attention to? One thing that is important is that I don't want the eth2 traffic to be able to get to my local wired LAN on eth1.
> >
> > The old hand Linux application for approximately this purpose is called NoCat; find it at NoCat.net . A Google search (wifi public access linux) just now found a custom distro called PublicIP (http://www.publicip.net/) that builds on NoCat.
> >
> > My hunch (based partly on some work I did about 2 years ago on a similar idea, but one involving charging usage fees) is that the required infrastructure is a bit large for LEAF, particularly the parts needed for reliable user authentication. But I haven't actually tried anything like this in quite some time, so I may be unaware of newer solutions to some of the problems.
>
> If you have a Prism2+ based card, the HostAP driver - http://hostap.epitest.fi/ - has worked great for me on Bering-uClibc 2.1 as an access point. There are a lot of other things that can be done with this card and driver that might be what you're looking for. While not based off LEAF/Bering, you might look into some alternative options like Pebble - http://www.nycwireless.net/pebble/ - or hack this modified version of Pebble that runs off hard disk to suit your needs - http://www.burngreave.net/~aland/it/bcan/ . The stock Pebble includes NoCat and from the sound of what you're wanting, I'd agree that it might be exactly what you're looking for. And yet more info for options with the HostAP driver if that is the card that you have - http://trekweb.com/~jasonb/articles/hostap_20030727.shtml .
>
> HTH,
> Rob

--
Outgoing mail is certified Virus Free. Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.240 / Virus Database: 262.9.15 - Release Date: 05/04/04
RE: [leaf-user] Routing Question
I'm currently testing with a Belkin (read: barely working) 802.11b card, based off of the admtek 8211 chipset. Finally got a stable link tonight; however, my ultimate goal is to set up my leaf box as an access point. Can you recommend a specific prism card to use? I have no current investment, so anything I begin to purchase can be planned.

Thanks for the links, I'll be sure to browse them tonight and research.

Joey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Asher
Sent: Monday, May 03, 2004 8:37 AM
To: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Routing Question

At 10:23 AM 05/01/04, Ray Olszewski wrote:

> At 07:46 AM 5/1/2004 -0500, Joey Officer wrote:
>
> > Forgive my ignorance, but I have what seems to be a very simple question. I have a wireless card that I'm still attempting to set up, and while I think I have the link issues corrected, I do have some questions about the routing itself. My configuration is as follows:
> >
> >     eth0 : internet/dhcp
> >     eth1 : wired local network 192.168.1.254
> >     eth2 : wireless network (current IP 10.10.55.254 - can be configured differently)
> >
> > What I want to do is to set up an open wireless gateway that will allow anyone in the area to use the wireless connection, but only after registering. Basically I want to forward any requests to a site on my bering box that says something like "hey, it's free, just tell me who you are and I'll add you"; after that they would be able to get through. Has anyone configured this type of setup? Is there anything I should be paying attention to? One thing that is important is that I don't want the eth2 traffic to be able to get to my local wired LAN on eth1.
>
> The old hand Linux application for approximately this purpose is called NoCat; find it at NoCat.net . A Google search (wifi public access linux) just now found a custom distro called PublicIP (http://www.publicip.net/) that builds on NoCat.
>
> My hunch (based partly on some work I did about 2 years ago on a similar idea, but one involving charging usage fees) is that the required infrastructure is a bit large for LEAF, particularly the parts needed for reliable user authentication. But I haven't actually tried anything like this in quite some time, so I may be unaware of newer solutions to some of the problems.

If you have a Prism2+ based card, the HostAP driver - http://hostap.epitest.fi/ - has worked great for me on Bering-uClibc 2.1 as an access point. There are a lot of other things that can be done with this card and driver that might be what you're looking for. While not based off LEAF/Bering, you might look into some alternative options like Pebble - http://www.nycwireless.net/pebble/ - or hack this modified version of Pebble that runs off hard disk to suit your needs - http://www.burngreave.net/~aland/it/bcan/ . The stock Pebble includes NoCat and from the sound of what you're wanting, I'd agree that it might be exactly what you're looking for. And yet more info for options with the HostAP driver if that is the card that you have - http://trekweb.com/~jasonb/articles/hostap_20030727.shtml .

HTH,
Rob

--
Outgoing mail is certified Virus Free. Checked by AVG Anti-Virus (http://www.grisoft.com).
Version: 7.0.240 / Virus Database: 262.9.13 - Release Date: 05/02/04
[leaf-user] Routing Question
Forgive my ignorance, but I have what seems to be a very simple question. I have a wireless card that I'm still attempting to set up, and while I think I have the link issues corrected, I do have some questions about the routing itself. My configuration is as follows:

    eth0 : internet/dhcp
    eth1 : wired local network 192.168.1.254
    eth2 : wireless network (current IP 10.10.55.254 - can be configured differently)

What I want to do is to set up an open wireless gateway that will allow anyone in the area to use the wireless connection, but only after registering. Basically I want to forward any requests to a site on my bering box that says something like "hey, it's free, just tell me who you are and I'll add you"; after that they would be able to get through. Has anyone configured this type of setup? Is there anything I should be paying attention to? One thing that is important is that I don't want the eth2 traffic to be able to get to my local wired LAN on eth1.

Joey
Re: [leaf-user] Routing Question
At 07:46 AM 5/1/2004 -0500, Joey Officer wrote:

> Forgive my ignorance, but I have what seems to be a very simple question. I have a wireless card that I'm still attempting to set up, and while I think I have the link issues corrected, I do have some questions about the routing itself. My configuration is as follows:
>
>     eth0 : internet/dhcp
>     eth1 : wired local network 192.168.1.254
>     eth2 : wireless network (current IP 10.10.55.254 - can be configured differently)
>
> What I want to do is to set up an open wireless gateway that will allow anyone in the area to use the wireless connection, but only after registering. Basically I want to forward any requests to a site on my bering box that says something like "hey, it's free, just tell me who you are and I'll add you"; after that they would be able to get through. Has anyone configured this type of setup? Is there anything I should be paying attention to? One thing that is important is that I don't want the eth2 traffic to be able to get to my local wired LAN on eth1.

The old hand Linux application for approximately this purpose is called NoCat; find it at NoCat.net . A Google search (wifi public access linux) just now found a custom distro called PublicIP (http://www.publicip.net/) that builds on NoCat.

My hunch (based partly on some work I did about 2 years ago on a similar idea, but one involving charging usage fees) is that the required infrastructure is a bit large for LEAF, particularly the parts needed for reliable user authentication. But I haven't actually tried anything like this in quite some time, so I may be unaware of newer solutions to some of the problems.
[leaf-user] Routing Question
Trying a different approach to my previous question (Routing/openVPN Question). Here's my setup:

    10.1.0.2          openVPN TUN interface
    192.168.11.2      Remote Client
          |
          |
    192.168.11.1      Remote LAN Gateway - Linksys router
    192.168.1.33      router external interface
          |
          |
    192.168.1.0/24    Sprint's local DSL subnet
    192.168.1.254     router's gateway
          ?
          ?
    65.41.48.33       Sprint's public IP (DSL subnet is NAT'ed behind this)
          |
          |
    66.216.159.82     Our T1 public interface (NAT'ing our LAN)
    192.168.1.100     Our LAN's Gateway
          |
          |
    192.168.1.0/24    Our LAN

Given the above, is it possible to add a route on the remote client (WinXP Pro) so that all traffic to a single IP is routed through the openVPN interface to our LAN, in essence ignoring part of the 192.168.1.0/24 subnet on Sprint's DSL segment?

For those unfamiliar with openVPN, on connection it would create a route on the remote client such as:

    route add 192.168.1.0 mask 255.255.255.0 10.1.0.2

10.1.0.2 being the interface that openVPN creates on the client. I was thinking of changing that route to:

    route add 192.168.1.36 mask 255.255.255.252 10.1.0.2

My thoughts are that by creating the route to 192.168.1.36/255.255.255.252, only traffic to 192.168.1.36 would hit the openVPN interface, and all other traffic to 192.168.1.0 would hit the DSL segment. Is this at all right? Is the mask correct?

The bering box on our LAN would have a route such as:

    192.168.11.0/24 via 10.1.0.1 dev tun1

I'm stretching my knowledge of routing here, so please set me straight.

Thanks for any help, and to those who replied previously.

Chris
--
Chris Carbaugh
Network Administrator
[EMAIL PROTECTED]
Leer Electric Inc.
www.LeerElectric.com
PHONE: (717) 432-9756
FAX: (717) 432-9758
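To check the reasoning about the narrower route, here is an added example (my own, not from the thread, from OpenVPN or from Windows) that performs the longest-prefix match a host's forwarding table does, over a table constructed from Chris's description: the default via the Linksys at 192.168.11.1, the client's own 192.168.11.0/24, and the proposed /30 toward our LAN via the tunnel address 10.1.0.2. The interface labels lan and tun are placeholders. It also converts a dotted mask of the kind Windows `route add ... mask` takes into a prefix length, so both spellings of the same route can be compared.

```shell
#!/bin/sh
# Longest-prefix-match over a small routing table, to show which route a host
# picks for a destination. Added example, not from the thread or from OpenVPN;
# the tables below are constructed from Chris's description, the interface
# labels "lan" and "tun" are placeholders.

# Dotted quad -> 32-bit integer (e.g. 192.168.1.36 -> 3232235812).
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> mask as an integer.
plen2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# Dotted mask (the form Windows "route add ... mask" takes) -> prefix length.
mask2plen() {
    m=$(ip2int "$1")
    n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) ))
        m=$(( m >> 1 ))
    done
    echo "$n"
}

# Constructed table for the remote XP client: default via the Linksys, the
# client's own LAN, and the /30 toward our LAN via the OpenVPN tunnel address.
# Format: prefix gateway interface (0.0.0.0 = directly connected).
ROUTES="0.0.0.0/0 192.168.11.1 lan
192.168.11.0/24 0.0.0.0 lan
192.168.1.36/30 10.1.0.2 tun"

# Same table with a host route (/32 = mask 255.255.255.255) instead of the /30.
HOST_ROUTES="0.0.0.0/0 192.168.11.1 lan
192.168.11.0/24 0.0.0.0 lan
192.168.1.36/32 10.1.0.2 tun"

# lookup DEST [TABLE]: print "gateway interface /prefixlen" of the most specific
# matching route, as a host's forwarding decision would, or "no route".
lookup() {
    d=$(ip2int "$1")
    table=${2:-$ROUTES}
    best_len=-1
    best=""
    while read -r prefix gw dev; do
        [ -z "$prefix" ] && continue
        net=${prefix%/*}
        plen=${prefix#*/}
        mask=$(plen2mask "$plen")
        if [ $(( d & mask )) -eq $(( $(ip2int "$net") & mask )) ] &&
           [ "$plen" -gt "$best_len" ]; then
            best_len=$plen
            best="$gw $dev /$plen"
        fi
    done <<EOF
$table
EOF
    echo "${best:-no route}"
}

# Usage: sh lpm.sh 192.168.1.36 192.168.1.39 192.168.1.40
for dst in "$@"; do
    echo "$dst -> $(lookup "$dst")  (with /32 instead: $(lookup "$dst" "$HOST_ROUTES"))"
done
```

Running it for 192.168.1.36, 192.168.1.39 and 192.168.1.40 shows both the point and the catch. The /30 is more specific than the /24 OpenVPN pushes and than the default, so it wins for the addresses it covers even if the /24 stays in the table; but 255.255.255.252 covers four addresses (.36 through .39), not one, so .37, .38 and .39 would also go into the tunnel. For a single host the mask is 255.255.255.255 (/32), which is what the second table shows: .36 still goes to the tunnel and .37 falls through to the Linksys.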
RE: [Leaf-user] routing question
hi pedro !!!

thanks for your help. but this only solved my routing problems on the lrp2-side. actually the isdn-connection is always started by lrp2. can i add a second route to the lrp2 on the fw? (ro add 192.168.1.0 via portmaster metric 2) how will fw know if the ipsec-link on lrp1 is down?? could this work?

thanks
bye
stefan

On 03.10.2001 12:28:14, Pedro Barreto [EMAIL PROTECTED] wrote:

> hi Stefan,
>
> if you have some piece of software that will automatically connect the isdn line when traffic is received on the isdn device, you could add another default route with a higher metric, like:
>
>     ip r add default dev $isdn_dev via $isdn_ip metric 2
>
> (assuming the first default route has a metric of 1) but that might bring up the isdn line when the internet link is too saturated.
>
> you can also try to create a script to ping the LRP2 box through LRP1 and, should that ping fail, bring on the isdn interface. that script could go to the cron.d (every 2 minutes: */2 * * * *). the script might be like:
>
>     #!/bin/bash
>     /bin/ping -w 2 -n -q -I $INTERNET_DEV -c 1 $LRP2_IP >/dev/null 2>&1
>     if [ $? -ne 0 ]; then
>         ip r del default
>         bring_up_isdn        # placeholder for whatever brings the ISDN line up
>         ip r add default dev $ISDN_DEV
>     fi
>
> you could also add to this script functionality to bring down isdn when internet is up again.
>
> that might help you,
> pedro
>
> -----Original Message-----
> From: stefan [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 03, 2001 9:33 AM
> To: [EMAIL PROTECTED]
> Subject: [Leaf-user] routing question
>
> hi !!
>
> it's not really a LEAF-specific problem, but maybe a routing pro reads this also - hopefully. i've connected two locations with ipseced-LRP-boxes, now i plan a backup with isdn, but i have some routing problems. the network looks like this:
>
>     192.168.1.0  LRP2 -.-.-.- Internet -.-.-.-.- LRP1
>                   |        ipsec                |
>                   |                         FW  10.1.1.0
>                   |                             |
>                   |                         portmaster
>                   |___________isdn______________|
>
> the FW is running on solaris. portmaster is a RAS-server from lucent. i want the network to keep working if the internet connection fails, but i don't know which routing-protocols i can/should use to solve this. i'd be glad if there's an easy solution. i think the main problem is the firewall, which should know which route to the 192.168.1 network to use.
>
> thanks.
> stefan
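Building on Pedro's cron-driven ping check and his remark about switching back once the Internet link returns, here is an added example (my own, not from the thread or from LEAF) that moves the default route only after several consecutive probes agree, and moves it back more slowly than it fails over. Device names, the gateway 192.0.2.1, the probe target 192.0.2.2 and the state file path are placeholders to be replaced with the real values.

```shell
#!/bin/sh
# ISDN backup with hysteresis: extends Pedro's cron-driven ping check so the
# default route only moves after several consecutive probes agree. Added
# example, not from the thread or from LEAF. Device names, the gateway and the
# probe target are placeholders to be set for the real boxes.
INTERNET_DEV=${INTERNET_DEV:-eth0}
INET_GW=${INET_GW:-192.0.2.1}        # placeholder: Internet gateway of the FW
ISDN_DEV=${ISDN_DEV:-ippp0}          # placeholder: dial-on-demand ISDN device
LRP2_IP=${LRP2_IP:-192.0.2.2}        # placeholder: LRP2's address across the Internet
STATE_FILE=${STATE_FILE:-/var/run/isdn-failover.state}
FAIL_LIMIT=3    # consecutive failed probes before moving the default route to ISDN
OK_LIMIT=5      # consecutive good probes before moving it back (slower, to avoid flapping)

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# A pinned host route keeps the probe on the Internet link even while the
# default route is on ISDN; without it "ping -I eth0" has no route once the
# default has moved, and the check could never see the link come back.
ensure_probe_route() {
    run ip route replace "$LRP2_IP" via "$INET_GW" dev "$INTERNET_DEV"
}

probe() {
    ping -w 2 -n -q -I "$INTERNET_DEV" -c 1 "$LRP2_IP" >/dev/null 2>&1
}

# next_state LINK COUNT PROBE -> "LINK COUNT ACTION"
#   LINK   link currently carrying the default route: inet | isdn
#   COUNT  run of consecutive probes contradicting that choice
#   PROBE  ok | fail
#   ACTION none | to_isdn | to_inet
next_state() {
    case "$1/$3" in
    inet/ok)   echo "inet 0 none" ;;
    isdn/fail) echo "isdn 0 none" ;;
    inet/fail)
        c=$(( $2 + 1 ))
        if [ "$c" -ge "$FAIL_LIMIT" ]; then echo "isdn 0 to_isdn"; else echo "inet $c none"; fi ;;
    isdn/ok)
        c=$(( $2 + 1 ))
        if [ "$c" -ge "$OK_LIMIT" ]; then echo "inet 0 to_inet"; else echo "isdn $c none"; fi ;;
    *) return 1 ;;
    esac
}

# "replace" swaps the default route in one step; a del followed by an add
# leaves a moment with no default route at all.
apply_action() {
    case $1 in
    to_isdn) run ip route replace default dev "$ISDN_DEV" ;;
    to_inet) run ip route replace default via "$INET_GW" dev "$INTERNET_DEV" ;;
    none)    ;;
    *)       return 1 ;;
    esac
}

# Feed a sequence of probe results through the state machine from the initial
# state and print the action taken after each; checks the thresholds offline.
simulate() {
    link=inet; count=0; out=""
    for p in "$@"; do
        set -- $(next_state "$link" "$count" "$p")
        link=$1; count=$2
        out="$out${out:+ }$3"
    done
    echo "$out"
}

load_state() {
    link=inet; count=0
    [ -r "$STATE_FILE" ] && read -r link count < "$STATE_FILE"
    : "${link:=inet}" "${count:=0}"
}

# One cron run, e.g.  */2 * * * * /usr/local/sbin/isdn-failover run
check_once() {
    load_state
    ensure_probe_route
    if probe; then p=ok; else p=fail; fi
    set -- $(next_state "$link" "$count" "$p")
    apply_action "$3"
    echo "$1 $2" > "$STATE_FILE"
}

case ${1:-} in
run) check_once ;;
esac
```

The thresholds are the security-relevant part: a single lost or rate-limited ICMP reply should not dial the ISDN line, and anyone who can make the probe target unreachable for a couple of minutes could otherwise bring the backup link up at will and keep it billing. The pinned host route to LRP2 is what makes the probe meaningful while the default route is on ISDN, since `ping -I eth0` only binds the probe to that interface and still needs a route out of it. `simulate fail fail fail ok ok ok ok ok` prints the action after each probe and shows the asymmetry: failover on the third failure, recovery only on the fifth good probe.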