Re: two router one host

To: "Leonardo Boselli" <leo@dicea.unifi.it>, debian-isp@lists.debian.org, debian-firewall@lists.debian.org
Subject: Re: two router one host
From: Fraser Campbell <fraser@wehave.net>
Date: Wed, 14 Jan 2004 13:41:25 -0500
Message-id: <[🔎] 200401141341.25849.fraser@wehave.net>
In-reply-to: <[🔎] 4006DEAC.7565.1DC89B2@localhost>
References: <[🔎] 4006DEAC.7565.1DC89B2@localhost>

On Thursday 15 January 2004 12:40, Leonardo Boselli wrote:

> I have got a second connection.
> My server is in one class C subnet, say a.b.c.d with a default gateway
> a.b.c.1
> I have added a second connection eth1 g.f.e.246/30 (whose router, you
> can guess, is g.f.e.245) .
> Of course with this setup i can only access the router via the second NIC.
> If i add a second default route it end always using the second nic, it
> works for some addresses, but not for most: it looks that some host use the
> "other" route and the packet are not answered .

If a.b.c.1 is your default gateway and someone on the Internet connects to 
g.f.e.246 then there is a problem.  Your firewall will respond by sending the 
reply packets to it's default route, this will not work well (or at all 
depending on your ISP).

You need to use the iproute utility to create multiple routing tables and a 
few routing rules.  There are probably many ways to arrange your rules but 
here is the style that I stick to:

First create a routing table for each connection (5 and 10 are randomly chosen 
table numbers):

    ip route add default via a.b.c.1 table 5
    ip route add default via g.f.e.245 table 10

Next create some rules to ensure that local traffic stays local:

    ip rule add to a.b.c.0/24 lookup main pri 100
    ip rule add to g.f.e.246/30 lookup main pri 100

Now create some rules based on source address so that you're outgoing packets 
get sent to the correct router:

    ip rule add from a.b.c.0/24 lookup 5 pri 200
    ip rule add from g.f.e.246/30 lookup 10 pri 200

Flush routing cache so that rules take immediate effect:

    ip route flush cache

> I fear that it sends packets via eth1 with a.b.c.d address.

Yes it does.  If you find out the MAC address of your routers you can use 
tcpdump in conjunction with a filter (by MAC address) to confirm that.

> What is the setup i have to add to have it working correctly.
> Also is there a script to change default route from one NIC to the Other if
> the connection is broken ?

Depends on what you're doing but you probably won't need a script once ip 
routing is setup correctly.  Documents are at http://www.lartc.org/ IIRC.

-- 
Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Georgetown, Ontario, Canada                         Debian GNU/Linux

Reply to:

Follow-Ups:
- Still no success: two router one host
  - From: "Leonardo Boselli" <leo@dicea.unifi.it>

References:
- two router one host
  - From: "Leonardo Boselli" <leo@dicea.unifi.it>

Prev by Date: two router one host
Next by Date: What easy firewall front end for woody/bonzai?
Previous by thread: two router one host
Next by thread: Still no success: two router one host
Index(es):
- Date
- Thread