On Thu, 15 Nov 2001, Charles Steinkuehler wrote:

> > In other news, I'm just about to give up with my year-long attempt to
> > get forward-by-port with multiple Internet pipes working. It's turning
> > out to be a serious PITA to handle when MASQ'ing is involved, and when
> > I've gotten it to work (partially) it's been too complicated to
> > document in a nice and easy HOWTO.
>
> ??? Can you explain a bit more about exactly what you're trying to do?
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>

Situation: (1) Sprint broadband wireless w/fixed IP. (1) mom-n-pop ISP
w/fixed IP, Tsoft. (2) ES2B systems, one for each circuit. (1) small
NAT'd LAN. Tsoft lets me have a reverse DNS statement, so that's where I
want mail to go, but Tsoft is also just a dedicated 56K modem until DSL
is available next year -- so I don't want any web services going that
way. I serve mail, DNS, web, and the occasional IRC from here, using two
machines.

Goal: One router handles both connections. Outbound mail and DNS use the
Tsoft modem route, outbound web service and client activities use the
Sprint wireless route.

Problem 1: The servers are also workstations, so it would be a big pain
to make one of them use the modem line as its default gateway. For the
same reason, I can't route by source IP.

Problem 2: Mail, DNS, and web are being served to the entire Internet,
so I can't route based on destination IP.

Problem 3: Mail really needs to go out of the tsoft line in order to
take advantage of the RDNS assignment there.

So I've gotten it to route _inbound_ from either pipe or both at the
same time; but the return traffic of course always follows the default
route. Setting up forward by port seems to work, but doesn't do
anything. Here's what I've done:

edit /etc/iproute2/rt_tables and add a table for each of your two
external ISPs:
100     isp-a
101     isp-b

now create the fwmark rules which will tag each matched packet with a
number:
ip rule add fwmark 100 table isp-a
ip rule add fwmark 101 table isp-b

now add the rules to do the tagging (look in /etc/ipfilter.conf for
examples). Here are some rules I wrote:
ipchains -A output -p tcp -d 0/0 6667 --mark 100
ipchains -A output -p tcp -d 0/0 25 --mark 100
ipchains -A output -p tcp -d 0/0 53 --mark 100
ipchains -A output -p udp -d 0/0 53 --mark 100
ipchains -A output -p tcp -d 0/0 80 --mark 101

finally, add the routes which will handle the tagged packets:
ip route add default via 1.2.3.4 dev eth1 table isp-a
ip route add default via 5.6.7.8 dev ppp0 table isp-b

Now, I'm currently thinking that the output chain must be the wrong
place to put things, because the weblet status page has an area named
fwmark, which remains empty. I'm thinking such a thing exists because
someone more knowledgeable thought it oughta be there.

Any ideas?
-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
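
The set-up described in the post, as an added example that is not code from the post or from LEAF: one table-driven script that emits the rt_tables entries, the ip rule and ip route commands, and the ipchains mark rules. It places the marking rules in the input chain on the LAN interface rather than in output, because ipchains takes its routing decision after the input chain and before forward/output, so a mark set in output cannot select a table. Assumed values: LAN interface eth0, the placeholder gateways and devices from the post, and tables 100/101 named isp-a/isp-b.

```shell
#!/bin/sh
# Added example (not from the post): builds the fwmark policy routing described
# above from one port/protocol/table list. Prints the commands; APPLY=1 pipes
# them to sh (run as root on the router). Marks go in the ipchains input chain:
# ipchains routes after input and before forward/output, so a mark set in the
# output chain is too late to select a table. Names/addresses are placeholders.
LAN_DEV=eth0
ISP_TABLES="100 isp-a 1.2.3.4 eth1
101 isp-b 5.6.7.8 ppp0"            # table-number name gateway device
PORT_POLICY="6667 tcp 100
25 tcp 100
53 tcp 100
53 udp 100
80 tcp 101"                         # port protocol table
each_table()  { printf '%s\n' "$ISP_TABLES"; }
each_policy() { printf '%s\n' "$PORT_POLICY"; }
# rt_tables entries, appended only when the number is not already there
gen_rt_tables() {
    each_table | while read -r num name gw dev; do
        echo "grep -q '^$num[[:space:]]' /etc/iproute2/rt_tables ||" \
             "echo '$num $name' >> /etc/iproute2/rt_tables"
    done
}
# a packet carrying mark N is looked up in table N
gen_rules() {
    each_table | while read -r num name gw dev; do
        echo "ip rule add fwmark $num table $name"
    done
}
# Tag in the input chain on the LAN interface, two rules per service:
#  -d port : connections the LAN hosts open outward (SMTP to an MX, DNS queries)
#  -s port : replies from the LAN servers to clients that connected on that port
# This relies on each port being pinned to exactly one uplink. The router's
# own locally generated traffic is not covered by these rules.
gen_marks() {
    each_policy | while read -r port proto table; do
        echo "ipchains -A input -i $LAN_DEV -p $proto -d 0/0 $port --mark $table"
        echo "ipchains -A input -i $LAN_DEV -p $proto -s 0/0 $port --mark $table"
    done
}
# one default route per table, then drop the route cache so it takes effect
gen_routes() {
    each_table | while read -r num name gw dev; do
        echo "ip route add default via $gw dev $dev table $name"
    done
    echo "ip route flush cache"
}
gen_all() { gen_rt_tables; gen_rules; gen_marks; gen_routes; }
if [ "${APPLY:-0}" = 1 ]; then gen_all | sh; else gen_all; fi
```

Review the printed commands first; only then run it again with APPLY=1 on the router.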


_______________________________________________
Leaf-devel mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-devel
