
Re: Two gateways on same network



It is normal that if I connect to your public IP (say IPa) from the
128k line my connection times out.

THE REASON IS:
It is normal because I am in Internet and my machine sends the SYN
packet to your IPa, then SYN packet arrives to your linux machine, but
the routing table in your linux machine says that the response
(SYN/ACK packet) must go via the 4Mb ADSL gateway (192.168.1.6).
The SYN/ACK traverses the 4Mb gateway and the gateway NATs this packet
(the source IP) with its public IP address (say IPb).
So, from the point of view of my machine, I send the SYN packet to IPa
but the response (SYN/ACK packet) arrives from IPb (my machine knows
NOTHING about IPb).
Of course the connection can NOT be established.
In summary:
Of course, ip routes are system wide (not per interface routes).

HOW YOU CAN ACCOMPLISH YOUR DESIGN:
There are a lot of ways, following is my proposal:
1. Your linux machine has only one network card. In this card you will
use two ip addresses, one primary and one virtual, in other words:
    ifconfig eth0 192.168.1.10 netmask 255.255.255.0 up
    ifconfig eth0:1 192.168.1.11 netmask 255.255.255.0 up
2. Configure NAT of your routers in the following way:
Router 4Mb will forward port 25 of their public ip to 192.168.1.10.
Router 128k will forward port 25 of their public ip to 192.168.1.11.
3. Here comes the "trick".
Linux kernel allows you to have multiple routing tables at the same
time (don't panic, it is very easy to use :-) ).
Install iproute2 package.
The idea is to have two routing tables.
One table (table_isp4M) says that the default route is 192.168.1.6.
The other one (table_isp128k) says that the default route is 192.168.1.1.
Then, add ip rules (NOT ip routes) for using table_isp4M if the
traffic comes from 192.168.1.10 and table_isp128k if the traffic comes
from 192.168.1.11.
Note that it is mandatory that if a machine has multiple interfaces
that can reach the client ip, a TCP response must use the IP address
that has received the SYN packet from the client.
4. Create the two routing tables (see Linux Advanced Routing HOWTO)
but this is very simple, it is only to put two lines (one for each
routing table) at /etc/iproute2/rt_tables
5. Add the static routes to each of the tables.
    ip route add default via 192.168.1.1 table table_isp128k
    ip route add default via 192.168.1.6 table table_isp4M
6. Add ip rules
First, see the output from "ip rule show"
    ip rule add from 192.168.1.10 lookup table_isp4M
    ip rule add from 192.168.1.11 lookup table_isp128k

At this point, you will answer port 25 tcp connections via the 4M link
if the SYN packet from internet arrives to IPa or 128k link if the
SYN packet from internet arrives from IPb.

Of course, linux kernel allows you to do more cool things like this,
for example, keep in mind that it is possible to use iptables to
"mark" (no packet alteration at all, only a mark while the packet
traverses the kernel code) packets using almost ANY criteria and then
use one table or another in function of that mark.

Hope this helps.

Regards

On 12/7/06, Hans du Plooy <koffiejunkielistlurker@koffiejunkie.za.net> wrote:
Hi guys,

I'm setting up a Debian antispam mail relay.  I have two gateways on the
network (two separate internet connections):

4mbit ADSL = 192.168.1.6
128k line = 192.168.1.1

Both have NAT firewalls, both forward port 25 to the Debian box.  I'm
trying to do the following:

Always use 192.168.1.6 as the default gateway, except when:

1.  Connections are received via 192.168.1.1.  Because if it doesn't
reply via the same gateway, the connection just times out.

2.  192.168.1.6's connection goes down, for whatever reason.

So basically the leased line would be a backup MX.

I have put two network cards in, both with IPs on the same network, but
with different gateways specified in /etc/network/interfaces.  But for
some reason both try to use 192.168.1.1 as the gateway, regardless.

If the second network card is not necessary, that would be OK too.

Thanks
Hans
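
The policy-routing steps from the reply above, collected into one script as an added example (not part of the original messages). The addresses, eth0 and the table names come from the thread; the table ids 100 and 101, the per-table LAN route and the 203.0.113.1 test address are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Table ids (100, 101) are assumptions; names and addresses are from the post.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies them.
DRY_RUN=${DRY_RUN:-1}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
LAN=192.168.1.0/24
DEV=eth0

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Register "id name" in rt_tables once, so ip(8) accepts the table name.
add_table() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo '$1 $2' >> $RT_TABLES"
    elif ! grep -q "^$1[[:space:]][[:space:]]*$2\$" "$RT_TABLES"; then
        echo "$1 $2" >> "$RT_TABLES"
    fi
}

# One uplink: a table with its own default route, selected by source address.
# usage: add_uplink <table_id> <table_name> <source_ip> <gateway>
add_uplink() {
    add_table "$1" "$2"
    # Keep LAN traffic direct instead of sending it to the router
    # (an assumption added here, not one of the steps in the post).
    run ip route add "$LAN" dev "$DEV" src "$3" table "$2"
    run ip route add default via "$4" dev "$DEV" table "$2"
    run ip rule add from "$3" lookup "$2"
}

setup() {
    add_uplink 100 table_isp4M   192.168.1.10 192.168.1.6   # 4Mb ADSL
    add_uplink 101 table_isp128k 192.168.1.11 192.168.1.1   # 128k line
    # Check: a reply sourced from .11 must leave via 192.168.1.1.
    # 203.0.113.1 is a documentation address standing in for a client.
    run ip route get 203.0.113.1 from 192.168.1.11
}

setup
```

In dry-run mode the script only prints what it would execute, so the table names in the routes and rules can be checked against each other before anything is applied.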

