--- "Aaron S. Joyner" <[EMAIL PROTECTED]> wrote:
> Chris Bullock wrote:
> >We have a fairly static network with about 8 subnets and roughly 5
> >different points of access to the outside world. We are using a Linux PC
> >full of NICs and doing strictly static routing. We have an application
> >that the university needs access to at fiber speed, the hospital has
> >access to the university and we have access to the hospital, so therefore
> >we are routing to the university through the hospital (university <-->
> >hospital <--> our office). Long story short, we have asked the hospital to
> >somewhat protect us from the university by implementing ACLs on their PIX;
> >this gives the university access to our services but blocks my users from
> >hitting the university's services, since my router points all university
> >traffic through the hospital. Now my question: I have tried to understand
> >the policy routing built into Linux but keep beating my head against the
> >wall due to my lack of brains. Here is what I have: I have a macro I run
> >that has all my static routes listed. What I want to do is, via command
> >line, not a table, tell my traffic that to go to 150.216/16 it should go
> >out our broadband connection, not our hospital gateway.
> >
> Three observations here:
> - What you're asking for means the traffic doesn't go fast...
> The university is 150.216.0.0/16, and if you "tell my traffic that to go
> to 150.216/16 go out our broadband connection not our hospital gateway",

This is from network B, which the university cannot get to anyway. Network A is allowed to the university, and the university is routing to Network A.

> then of course things won't be very fast when talking back to those
> users from the university who are connecting through the hospital.
> Somehow I think you're asking for a sub-portion of your traffic to do
> this, but you don't describe which portion, so I can't formulate a
> confident answer.
What I think I really want is: if src = network A, then access 150.216/16 via the hospital connection; if src = network B, then access it via the broadband connection.

[EMAIL PROTECTED] ~]$ cat routes | grep 150.216
BRODY="150.216.0.0/16"
/sbin/ip r add 150.216.17.14 via $DEFAULTGW # added to allow www.ecu.edu
[EMAIL PROTECTED] ~]$ cat routes | grep BRO
BRODY="150.216.0.0/16"
/sbin/ip r add $BRODY via $HOSPITALGW
[EMAIL PROTECTED] ~]$

> - A simple route is all you need
> Disregarding the above point, to do what you're really asking, all you
> need is a simple route like this:
> route add -net 150.216.0.0 netmask 255.255.0.0 gw 10.2.0.254
> Although, if that's your default gateway, unless there is some other
> more-specific route that overrides it, that should be the default
> behavior? I suspect though, as mentioned above, this isn't really what
> you're asking.
>
> - What do you mean "what I want to do is via command line, not a table,
> tell my traffic that"
> Policy routing is enabled via "rules" created by the `ip` command which
> shunt traffic to specific route "tables", also set up via `ip`. That's
> simply how it's implemented. You build these alternate route tables
> from the command line, with successive commands. You can optionally
> attach particular text tags to them via config files, but that's not
> particularly required if you'd prefer to stick to simple straight
> commands. I'm going to go out on a limb here, and think you probably
> want to route the traffic from Network A differently from how you route
> the traffic from Network B. Generally, Network B is routed how you want
> to route most traffic, so I'll propose a config that just makes a small
> change to the route taken by traffic flowing *from* A *to* University.
> Something like this might serve your needs:
> # ip rule add from 150.216.0.0/16 table 100
> # ip route add default via 10.254.254.254 table 100

This is where I get confused. I have seen many references to table and the rt_tables, but I haven't seen a clear-cut answer to what I need to do. Right now it seems the way to get this fixed asap is to ping my 2 networks at different routers and have different routing tables on each router. I know this is wrong, but I can't seem to figure out how to say something like "ip route src $networkA to 150.216/16 via $hospitalgw; all other networks should access the university via the default gateway".

> This effectively says, for all traffic coming from 150.216.0.0/16, use
> routing table 100, instead of the "main" routing table. And then
> includes a single default route for that table, which shunts traffic to
> 10.254.254.254. If this isn't what you had in mind, provide a little
> more info and I'll see if I can point you in the right direction. I
> should mention you need to have the appropriate advanced routing and
> policy routing bits enabled in your kernel for this to work. Most
> modern distros do have this enabled.
>
> Aaron S. Joyner
> Policy-routing-wonk
>
> >University = 150.216.x.x
> >network A = 10.1.x.x
> >network B = 10.2.x.x
> >hospital gw = 10.254.254.254
> >office Internet gw = 10.2.x.254
> >The university needs access to network A; network A never needs to access
> >the internet, only the university.
> >Network B needs to access the university but cannot access it through the
> >hospital due to firewall rules; it can only access it through my office
> >internet gateway.
> >Regards,
> >Chris
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
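The rule-plus-table mechanism Aaron describes, worked into a script for Chris's addressing plan (added example, not code from either poster): the office gateway 10.2.0.254 is an assumption since the post only gives 10.2.x.254, and the rule is restricted to the university destination so Network A's traffic to the other internal subnets stays on the main table.

```shell
#!/bin/sh
# Source-based policy routing for the scenario in the thread. Addresses are
# the ones Chris gave; OFFICEGW=10.2.0.254 is an assumption ("10.2.x.254").
UNIVERSITY="150.216.0.0/16"
NET_A="10.1.0.0/16"          # reaches the university only via the hospital
NET_B="10.2.0.0/16"          # blocked at the hospital PIX; stays on main table
HOSPITALGW="10.254.254.254"
OFFICEGW="10.2.0.254"        # assumed concrete value for "10.2.x.254"
TABLE_A=100                  # alternate route table consulted for Network A
# run: execute a command, or only print it when DRYRUN is set, so the rule
# set can be reviewed (and tested) without root and without touching the box.
run() {
    if [ -n "$DRYRUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_policy_routing() {
    # Main table: replaces Chris's "$BRODY via $HOSPITALGW" so the default
    # behaviour ($NET_B and everyone else) is the office Internet uplink.
    run ip route replace "$UNIVERSITY" via "$OFFICEGW"
    # Table 100 holds only the university prefix, pointing at the hospital.
    run ip route replace "$UNIVERSITY" via "$HOSPITALGW" table "$TABLE_A"
    # Selector: source in Network A AND destination in the university.
    # Restricting "to" matters: a bare "from $NET_A table 100" with a default
    # route in table 100 would also push Network A's traffic for the other
    # internal subnets to the hospital, because priority 1000 beats "main".
    run ip rule add from "$NET_A" to "$UNIVERSITY" table "$TABLE_A" priority 1000
    # Replies from the university to Network A come back through the hospital
    # link while the office uplink is the main-table path; strict reverse-path
    # filtering (rp_filter=1) would drop them, so use loose mode (2).
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    # Older kernels cache routes; flush so the new rule applies immediately.
    run ip route flush cache
}

# Undo the change (handy while experimenting on the live router).
teardown_policy_routing() {
    run ip rule del from "$NET_A" to "$UNIVERSITY" table "$TABLE_A" priority 1000
    run ip route flush table "$TABLE_A"
}

# Usage: DRYRUN=1 sh policyroute.sh apply (print only); as root: apply|teardown
case "${1:-}" in
    apply)    setup_policy_routing ;;
    teardown) teardown_policy_routing ;;
esac
```

Check the result on the router with `ip rule show` and `ip route show table 100`; the `to $UNIVERSITY` selector is what keeps the rest of Network A's routing untouched.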
