Chris Bullock wrote:
>--- "Aaron S. Joyner" <[EMAIL PROTECTED]> wrote:
>
>>Chris Bullock wrote:
>>
>>>We have a fairly static network with about 8 subnets and roughly 5
>>>different points of access to the outside world. We are using a Linux PC
>>>full of nics and doing strictly static routing. We have an application
>>>that the university needs access to at fiber speed, the hospital has
>>>access to the university and we have access to the hospital, so therefore
>>>we are routing to the university through the hospital (university <-->
>>>hospital <--> our office). Long story short we have asked the hospital to
>>>somewhat protect us from the university by implementing ACLs on their PIX,
>>>this gives the university access to our services but blocks my users from
>>>hitting the university's services since my router points all university
>>>traffic through the hospital. Now my question, I have tried to understand
>>>the policy routing built into Linux but keep beating my head against the
>>>wall due to my lack of brains. Here is what I have, I have a macro I run
>>>that has all my static routes listed, what I want to do is via command
>>>line, not a table, tell my traffic that to go to 150.216/16 go out our
>>>broadband connection not our hospital gateway.
>>
>>Three observations here:
>>
>>- What you're asking for means the traffic doesn't go fast...
>>The university is 150.216.0.0/16, and if you "tell my traffic that to go
>>to 150.216/16 go out our broadband connection not our hospital gateway",
>
>This is from network B, which the university can not get to anyway.
>Network A is allowed to the university, and the university is routing to
>Network A
>
>>then of course things won't be very fast when talking back to those
>>users from the university who are connecting through the hospital.
>>Somehow I think you're asking for a sub-portion of your traffic to do
>>this, but you don't describe which portion, so I can't formulate a
>>confident answer.
>
>What I think I really want is: if src = network A then access 150.216/16
>via the hospital connection, if src = network B then access it via
>broadband connection.
>
>[EMAIL PROTECTED] ~]$ cat routes | grep 150.216
>BRODY="150.216.0.0/16"
>/sbin/ip r add 150.216.17.14 via $DEFAULTGW # added to allow www.ecu.edu
>[EMAIL PROTECTED] ~]$ cat routes | grep BRO
>BRODY="150.216.0.0/16"
>/sbin/ip r add $BRODY via $HOSPITALGW
>[EMAIL PROTECTED] ~]$
>
>>- A simple route is all you need
>>Disregarding the above point, to do what you're really asking, all you
>>need is a simple route like this:
>>
>>route add -net 150.216.0.0 netmask 255.255.0.0 gw 10.2.0.254
>>
>>Although, if that's your default gateway, unless there's some other
>>more-specific route that overrides it, that should be the default
>>behavior? I suspect though, as mentioned above, this isn't really what
>>you're asking.
>>
>>- What do you mean "what I want to do is via command line, not a table,
>>tell my traffic that"
>>Policy routing is enabled via "rules" created by the `ip` command which
>>shunt traffic to specific route "tables", also set up via `ip`. That's
>>simply how it's implemented. You build these alternate route tables
>>from the command line, with successive commands. You can optionally
>>attach particular text tags to them via config files, but that's not
>>particularly required if you'd prefer to stick to simple straight
>>commands. I'm going to go out on a limb here, and think you probably
>>want to route the traffic from Network A differently from how you route
>>the traffic from Network B. Generally, Network B is routed how you want
>>to route most traffic, so I'll propose a config that just makes a small
>>change to the route taken by traffic flowing *from* A *to* University.
>>Something like this might serve your needs:
>>
>># ip rule add from 150.216.0.0/16 table 100
>># ip route add default via 10.254.254.254 table 100
>
>This is where I get confused, I have seen many references to table and the
>rt_tables but I have seen a clear-cut answer to what I need to do, right
>now it seems to get this fixed asap is to ping my 2 networks at different
>routers and have different routing tables on each router, I know this is
>wrong but I can't seem to figure out how to say something like ip route
>src $networkA to 150.216/16 via $hospitalgw, all other network should
>access the university via the default gateway.
>
>>This effectively says, for all traffic coming from 150.216.0.0/16, use
>>routing table 100, instead of the "main" routing table. And then
>>includes a single default route for that table, which shunts traffic to
>>10.254.254.254.

So upon re-reading my example this morning, I realized an error. It should
have read like this, and now with your additional response I'll substitute
in your variables for simplicity:

# ip rule add from $NETWORKA table 100
# ip route add 150.216.0.0/16 via $HOSPITALGW table 100
# ip route add default via $NORMALDEFAULTGW table 100
It now does what I described in the paragraph immediately preceding, and
then some, which is what I think you want to have happen. Traffic from
$NETWORKA has its own routing table, which you can modify by appending
'table 100' to your 'ip route' commands. The packets from $NETWORKA are
told to use table 100 for routing, instead of the typical 'main' routing
table, by the first 'ip rule' command.

Unfortunately, I don't know if I can make it more clear than the above, but
let me know if it's still not clear and I'll see if I can explain it some
other way. :)

Aaron S. Joyner

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
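The following is an added example, not code from the thread or from either poster: a small Python model of the routing decision Aaron describes, so the effect of the three commands can be checked on a workstation without root or a second router. It models what the kernel does: consult `ip rule` entries in priority order, pick the table a matching rule names, do a longest-prefix match on the destination inside that table, and, if that table holds no matching route, fall through to the next rule (which is how traffic lands in "main" when a custom table has no default route). The networks and gateways are constructed stand-ins for $NETWORKA, $HOSPITALGW and $NORMALDEFAULTGW; only 150.216.0.0/16 comes from the thread. It assumes the main table holds just the broadband default route, i.e. that Chris's existing `$BRODY via $HOSPITALGW` line is removed from main, otherwise network B is still sent through the hospital.

```python
"""Model of the Linux policy-routing lookup discussed in the thread.

Rules are consulted by priority; a matching rule names a table; the table is
searched for the longest prefix covering the destination; a table with no
match falls through to the next rule.  All addresses below are constructed
placeholders except the university block 150.216.0.0/16.
"""
import ipaddress

NETWORK_A = ipaddress.ip_network("10.1.0.0/24")      # stands in for $NETWORKA
NETWORK_B = ipaddress.ip_network("10.2.0.0/24")      # "everyone else", routed normally
UNIVERSITY = ipaddress.ip_network("150.216.0.0/16")  # from the thread
ANY = ipaddress.ip_network("0.0.0.0/0")              # the "default" route prefix
HOSPITAL_GW = "10.2.0.254"        # stands in for $HOSPITALGW
BROADBAND_GW = "10.254.254.254"   # stands in for $NORMALDEFAULTGW

MAIN_RULE_PRIO = 32766  # priority of the kernel's built-in "from all lookup main" rule


def build_config(table100_has_default=True):
    """Rules and tables equivalent to the corrected commands in the thread:

        ip rule add from $NETWORKA table 100
        ip route add 150.216.0.0/16 via $HOSPITALGW table 100
        ip route add default via $NORMALDEFAULTGW table 100

    The main table carries only the broadband default, so network B reaches
    the university the normal way.  Setting table100_has_default=False drops
    the third command to show the fall-through behaviour.
    """
    rules = [
        (100, NETWORK_A, "100"),         # ip rule add from $NETWORKA table 100
        (MAIN_RULE_PRIO, None, "main"),  # always present; None = any source
    ]
    table100 = [(UNIVERSITY, HOSPITAL_GW)]
    if table100_has_default:
        table100.append((ANY, BROADBAND_GW))
    tables = {"100": table100, "main": [(ANY, BROADBAND_GW)]}
    return rules, tables


def lookup(rules, tables, src, dst):
    """Return (table_name, next_hop) the kernel would choose, or (None, None)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in selector:
            continue  # this rule does not apply to the packet's source
        best = None
        for prefix, via in tables.get(table, []):
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, via)  # longest prefix wins within a table
        if best is not None:
            return table, best[1]
        # no route in this table: fall through to the next rule
    return None, None


if __name__ == "__main__":
    rules, tables = build_config()
    for src, dst in [("10.1.0.5", "150.216.17.14"),   # A -> university: hospital
                     ("10.2.0.5", "150.216.17.14"),   # B -> university: broadband
                     ("10.1.0.5", "198.51.100.7")]:   # A -> elsewhere: broadband
        print(src, "->", dst, lookup(rules, tables, src, dst))
```

The third case is why the default route in table 100 matters: without it, a network A packet bound for anywhere except the university finds nothing in table 100 and falls through to main, which happens to give the same answer here but would silently change if main ever held a different default. Note also that the selection is purely on the source address, so the same host placed on network B is routed as B; anything that can put a network A address on a B packet gets network A's path.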
