BTW, sorry for the terseness. I had meant to cap this off with, "Thus, any
communications bound for the Internet from LAN nodes whose packets don't get
MARKed will exit via the cable modem, while those that DO get MARKed will use
the T1."

Additionally, upon reflection, 4.2 is unnecessary.

This is all derived from (the out-of-date, but still applicable) Linux
Advanced Routing and Traffic Control HOWTO[1]. And hours of real-world
head-banging. ;-)

-sth

[1] http://lartc.org

sam hooker|[email protected]|http://www.noiseplant.com
I have received the love Internet dispatch. -spam

On 2009/03/17 5:21 PM, sth wrote:
> I was actually going to offer "Stupid Tricks With iptables, iproute2,
> and Friends" as a preso for tonight's meeting, before realizing I
> couldn't be there.
>
> Here's what I'd do ("policy routing for Linux"):
>
> 1) if you're using a cable modem for "bulk bandwidth", you'll want to
> make that your router's "real" default route, since it'll probably be
> getting its config via DHCP, and that'll populate into the kernel's
> default routing table
>
> 2) hook the T1 to a separate NIC on the router
>
> 3) create an alternative routing table with the T1 as its default route
> 3.1) add something like "201 t1.out" to /etc/iproute2/rt_tables
> 3.2) 'ip route add default via [w.x.y.z] dev [ethX] table t1.out'
> 3.3) [populate your other LAN routes in here, too]
>
> 4) use iptables' mangle table to tattoo packets sourced from-/bound for
> your servers with some special MARK, like "1"
> 4.1) 'iptables -A PREROUTING -s [se.rv.er.ip] -j MARK --set-mark 0x1'
> 4.2) 'iptables -A PREROUTING -d [se.rv.er.ip] -j MARK --set-mark 0x1'
>
> 5) use an ip rule to jam these packets into the alternate routing table
> 5.1) 'ip rule add fwmark 1 table t1.out'
>
> 6) IIRC, if you're masquerading outbound packets, you'll need to move to
> SNAT (on each of the cable modem and T1 interfaces), though I can't
> remember why at the moment
>
> Good luck, and let fly if you have questions.
>
> Cheers,
> -sth
>
> On 2009/03/17 4:52 PM, Rene Churchill wrote:
>> Hey gang,
>>
>> I'm looking for some pointers/recommendations on how to set up a
>> router for an office to split/share bandwidth between two sources.
>> I know enough about networking to keep my internal network up
>> but I'm getting into deeper waters here.
>>
>> Here's the scenario. I'm in an office with a split T1 currently. Half
>> phone, half data. The office is growing, so the number of times the
>> pipe gets clogged during the day is increasing and it's getting annoying.
>> I've got to keep the static IP as we've got email, ftp and a couple of
>> minor web servers running. The current firewall is a SmoothWall
>> Express v2 that Stan set up several years ago for us.
>>
>> What I'd like to do is get a cable modem tied into the office to provide
>> some cheap bandwidth for the majority of our data needs during the day.
>> The servers have static internal IPs, the desktop PCs have dynamic IPs,
>> so they're easy to tell apart.
>>
>> So, any suggestions on how to set up a firewall/router that will send the
>> traffic from the desktops out over the cable modem while letting the servers
>> have the T1 bandwidth?
>>
>> Many thanks,
>> Rene
>>
>> --
>> René Churchill [email protected]
>> Geek Two 802-244-7880 x527
>> Your Source for Local Information http://www.wherezit.com
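The recipe in sth's reply, assembled into one script as an added example (not code from the thread); the interface names, addresses, server list and the DRY_RUN switch are assumptions, and step 4.2 is left out as the follow-up says it is unnecessary.

```shell
#!/bin/sh
# Policy routing per sth's recipe: desktops leave via the cable modem (the
# main table's default route), MARKed server traffic leaves via the T1.
# All addresses and interfaces below are constructed placeholders (assumptions).
DRY_RUN="${DRY_RUN:-1}"       # 1 = only print the commands; 0 = apply (needs root)
LAN_IF="eth0";   LAN_NET="192.168.1.0/24"
T1_IF="eth1";    T1_GW="203.0.113.1";  T1_IP="203.0.113.10"   # static T1 side
CABLE_IF="eth2"                                             # DHCP cable side
SERVERS="192.168.1.10 192.168.1.11"   # static server addresses bound for the T1
TABLE_ID=201; TABLE_NAME="t1.out"; MARK=0x1
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
# Step 3.1: name the alternate table (idempotent: skip if already present).
add_rt_table() {
    grep -qs "[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables && return 0
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> /etc/iproute2/rt_tables\n' "$TABLE_ID" "$TABLE_NAME"
    else
        printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> /etc/iproute2/rt_tables
    fi
}
# Steps 3.2/3.3: T1 default route plus the LAN route so replies still reach the LAN.
setup_t1_table() {
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE_NAME"
    run ip route add default via "$T1_GW" dev "$T1_IF" table "$TABLE_NAME"
}

# Step 4.1: mark packets sourced from the servers. Note the explicit -t mangle;
# the MARK target lives in the mangle table, and the default (filter) table lacks PREROUTING.
mark_server_packets() {
    for s in $SERVERS; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$s" -j MARK --set-mark "$MARK"
    done
}
# Step 5: marked packets consult t1.out before the main table.
add_fwmark_rule() { run ip rule add fwmark "$MARK" table "$TABLE_NAME"; }

# Step 6: explicit SNAT on the static T1 side; the cable side keeps MASQUERADE
# because its address is DHCP-assigned (a deviation from step 6's "SNAT on both").
setup_nat() {
    run iptables -t nat -A POSTROUTING -o "$T1_IF" -j SNAT --to-source "$T1_IP"
    run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j MASQUERADE
}
main() {
    add_rt_table; setup_t1_table; mark_server_packets; add_fwmark_rule; setup_nat
    run ip route flush cache   # older kernels cache routing decisions
}
case "${1:-}" in apply) main ;; esac
```

Run with `DRY_RUN=1 sh policy-route.sh apply` to review the generated commands before applying them with `DRY_RUN=0` as root.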
