by Dan Smit » Sat, 27 Oct 2001 06:55:03
Thanks!
--Dan
by Karl Heye » Sat, 27 Oct 2001 08:05:16
karl.
by Dan Smit » Sat, 27 Oct 2001 08:10:37
Right, but explain more.
I have a default route for both right now. You're saying I need to
nix the default for the slow interface, right? BUT, there are a lot
of subnets on the other interface: 1.2.x.x. Can I set up a route that
will only route to 1.2/16? What about ipchains to block traffic out
the slow one to anything but 1.2/16? Will that cause the box to try
the fast interface before giving up on a request?
See, I can't nix the route for the slow interface and have traffic
return to those people through the fast one because of port blocking.
The whole point is that the people on the slow interface cannot send
packets on certain ports to the outside world. So, to be able to
participate with them on ports that are blocked, I have to be able to
use that interface.
So, can you clear up my confusion?
Thanks!
--Dan
> > OK, I have two interfaces, one slow, one fast. I want to use the fast one
> > as the default (obviously), but I need to have the other one available for
> > some people that can only reach me through that one. How can I tell the
> > machine to use the fast one by default. Am I correct in saying that if I
> > nix the default route for the slow connection that people from the slow net
> > that are not on the same subnet would not be able to contact me?
> the default route is the catch-all route which is fine as in your case will
> be routed down the fast link. What you need is a route to net for the people
> on your slower interface.
> karl.
by Karl Heye » Sat, 27 Oct 2001 10:04:28
Having two default routes in a simple routing table won't work. you need moreQuote:> I have a default route for both right now. You're saying I need to nix the
> default for the slow interface, right? BUT, there are a lot of subnets on
> the other interface: 1.2.x.x. Can I set up a route that will only route to
> 1.2/16? What about ipchains to block traffic out the slow one to anything
> but 1.2/16? Will that cause the box to try the fast interface before giving
> up on a request?
It is perfectly valid for all 1.2.x.x traffic to go down your slow interface
and have the rest down the faster one. route add -net 1.2.0.0 netmask
255.255.0.0 gateway x.x.x.x
ipchains won't be needed to block packets as routing won't send anything down
there. Adding it in won't do any harm though.
I don't see what your problem is. if 1.2.x.x connection come from the slowQuote:> See, I can't nix the route for the slow interface and have traffic return to
> those people through the fast one because of port blocking. The whole point
> is that the people on the slow interface cannot send packets on certain
> ports to the outside world. So, to be able to participate with them on
> ports that are blocked, I have to be able to use that interface.
karl.
by Dan Smit » Sat, 27 Oct 2001 10:55:33
Are you saying here that a connection that comes in one link will goQuote:> ipchains won't be needed to block packets as routing won't send anything down
> there. Adding it in won't do any harm though.
> > See, I can't nix the route for the slow interface and have traffic return to
> > those people through the fast one because of port blocking. The whole point
> > is that the people on the slow interface cannot send packets on certain
> > ports to the outside world. So, to be able to participate with them on
> > ports that are blocked, I have to be able to use that interface.
> I don't see what your problem is. if 1.2.x.x connection come from the slow
> link then either it will go down the fast link or it will be addressed
> locally. replies to the opposite. Note here that I'm assuming you have
> different subnets.
--Dan
by Eric P. McC » Sat, 27 Oct 2001 11:04:14
You can get the effects of weird routing by using iptables and, for
example, filtering based on QoS or other factors. Or even really
funky things like rerouting packets based on the controlling user or
group (so root's data goes out over link A, regular users over link B;
useful if you have to guarantee your services have bandwidth).
I think all those features are highly experimental. And that's
assuming that I'm not just dreaming about them.
--
"I woke up this morning and realized what the game needed: pirates,
pimps, and gay furries." - Rich "Lowtax" Kyanka
by Chris Friese » Sat, 27 Oct 2001 13:48:56
> OK, I have two interfaces, one slow, one fast. I want to use the fast
> one as the default (obviously), but I need to have the other one
> available for some people that can only reach me through that one.
> How can I tell the machine to use the fast one by default. Am I
> correct in saying that if I nix the default route for the slow
> connection that people from the slow net that are not on the same
> subnet would not be able to contact me?
You need to enable advanced routing and policy routing in the kernel. You also
need the iproute2 tools. If the command "ip rule" shows three rules, you're
set.
Then, assuming that a.a.a.a/x is the fast route on ethA and b.b.b.b/y is the
slow one on ethB with a gateway of c.c.c.c, you want to do something like the
following:
1) ensure that all normal traffic will go out the fast route
run "ip route" and make sure the default one is going via the fast gateway.
2) any traffic coming from the slow route gets sent back on it
ip rule add to b.b.b.b/y lookup 100
ip route add default via c.c.c.c dev ethB table 100
This says that any traffic going to the b.b.b.b/y subnet should look up routing
table number 100 (you've got 1-255, but three of them are already used by
default). Then in table 100 we've added a route for them to use, specified
which interface to use, and specified the next hop that they should take.
Chris
by Karl Heye » Sat, 27 Oct 2001 21:19:49
and any one of the 32000 routing tables you can have.Quote:> You can get the effects of weird routing by using iptables and, for example,
> filtering based on QoS or other factors. Or even really funky things like
> rerouting packets based on the controlling user or group (so root's data
> goes out over link A, regular users over link B; useful if you have to
> guarantee your services have bandwidth).
There not experimental now. multipath routing and even packet classificationQuote:> I think all those features are highly experimental. And that's assuming
> that I'm not just dreaming about them.
karl.
by Karl Heye » Sat, 27 Oct 2001 21:26:44
>> It is perfectly valid for all 1.2.x.x traffic to go down your slow
>> interface and have the rest down the faster one. route add -net 1.2.0.0
>> netmask 255.255.0.0 gateway x.x.x.x
> OK, so by default, I have 1.2.3.0/24 as the route to the slow net. This is
> because I am on a /24 subnet, but there are /16 subnets on that net. So if
> I add a route of 1.2.0.0/16 gw my_current_slownet_gw it will also redirect
> traffic for the other subnets down that link? Then I just give a default
> route for the fast link? Makes sense to me. Does it make sense to you or
> did I mess it up? :)
Maybe more info on subnets to be accessed will be more useful for clarity.
...
it's possible, in that situation someone else has said we are a gateway andQuote:>> I don't see what your problem is. if 1.2.x.x connection come from the slow
>> link then either it will go down the fast link or it will be addressed
>> locally. replies to the opposite. Note here that I'm assuming you have
>> different subnets.
> Are you saying here that a connection that comes in one link will go out
> that same link by default? Cool.
karl.
by Chris Friese » Sun, 28 Oct 2001 14:23:07
> This says that any traffic going to the b.b.b.b/y subnet should look up routing
> table number 100
Sorry, my bad.
Chris
by Erik Saart » Mon, 29 Oct 2001 06:40:11
>>2) any traffic coming from the slow route gets sent back on it
>>ip rule add to b.b.b.b/y lookup 100
>>ip route add default via c.c.c.c dev ethB table 100
>>This says that any traffic going to the b.b.b.b/y subnet should look up routing
>>table number 100
> Correction. Destination-based addressing can be done using the usual 'route'
> command. This should have been "ip rule from b.b.b.b lookup 100. Thus, any
> traffic coming from your address on that subnet will go out that subnet. This
> would be any program specifically bound to that port, as well as any responses
> to other people that connected in to that IP address.
> Sorry, my bad.
> Chris
by Dan Smit » Mon, 29 Oct 2001 01:02:39
Can I not just nix the default route for the slow one and add a route
of b.b.0.0/16 gw slow_net_gw?
I'm going to have a chance to try it in a bit, so we'll see.
--Dan
> >>2) any traffic coming from the slow route gets sent back on it
> >>ip rule add to b.b.b.b/y lookup 100
> >>ip route add default via c.c.c.c dev ethB table 100
> >>This says that any traffic going to the b.b.b.b/y subnet should look up routing
> >>table number 100
> > Correction. Destination-based addressing can be done using the
> > usual 'route'
> > command. This should have been "ip rule from b.b.b.b lookup 100. Thus, any
> > traffic coming from your address on that subnet will go out that subnet. This
> > would be any program specifically bound to that port, as well as any responses
> > to other people that connected in to that IP address.
> > Sorry, my bad.
> > Chris
> Small typo you have there, should be "ip rule add from b.b.b.b lookup
> 100" i guess. Also, that wouldnt work if you are using nat, you'd need
> to mark packets originating from b.b.b.b using iptables and then
> "/sbin/ip rule add fwmark X table 100", where X is the mark you set.
1. Default Route always sets default interface
Hello,
I'm trying to connect my network through a Debian Linux firewall to the
outside world. The Linux firewall has two NIC's of which one is connected to
a cisco router (crosslink-cable) and the other to the internal network.
The router has a /29 or .248 subnet so that I have 8 fixed IP-adresses.
To save this valuable resource I decided to use private IP-adresses between
cisco and firewall (otherwise I have to split the subnet and there's nothing
effectively left to use).
The cisco has 192.168.0.1 und the firewall has 192.168.0.2.
The standard gateway on the cisco is 192.168.0.2 and the default gateway on
the firewall is 192.168.0.1.
The second NIC of the firewall gets a real public IP and - via ip-alias - a
192.168.31.3 (for some clients to surf the internet via ipmasq).
IP forward is set to yes and so with the connected clients having a public
IP everything works fine.
But the Linux box itself can't connect to the internet and it can't do IP
masquerading because it sends packets with it's source address of
192.168.0.2 to the cisco so that no internet host can answer.
Is there any way besides patching the kernel to change this behavior? If I
could set the IP address for outgoing connections to the public one I think
the problem is solved.
Ciao
Christian
4. Errors with loopback interface
5. is it possible to have two different interface to have the same default route?
6. RS6000
7. Routed, default routes and ppp0 interfaces ?
9. ipnat/routing question: Two default routes?
10. Routing to two ISP's instead of one: what replaces default route?
11. Two NIC cards => Possible to Configure Two Default Routes?
12. pppd not setting up default route in routing table
13. IP routing - Default + non-default GWs Crashing!?