We've actually done this very trick for a number of clients, where they
have a single (usually fractional) T-1 that they use for incoming
traffic (Web/Intranet server, mailserver, etc.) and a second
Internet connection (usually Cable or DSL) for web surfing, Windows
updates, etc.

We subnet the network using DHCP and send traffic from the clients out
the 'commodity' internet connection (read: faster and cheaper but
theoretically less reliable).  That way we know how to route the
outbound traffic from the servers etc. and the firewall doesn't get all
cornfused as to what interface to send traffic out on, and it also
(perhaps more importantly) knows how to route the inbound packets as
they return from the 'Net.

Hope that helps, and if it just served to confuse the issue I
apologize :)

Rubin


On Tue, 2009-03-17 at 17:21 -0400, sth wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> I was actually going to offer "Stupid Tricks With iptables, iproute2,
> and Friends" as a preso for tonight's meeting, before realizing I
> couldn't be there.
> 
> Here's what I'd do ("policy routing for Linux"):
> 
> 1) if you're using a cable modem for "bulk bandwidth", you'll want to
> make that your router's "real" default route, since it'll probably be
> getting its config via DHCP, and that'll populate into the kernel's
> default routing table
> 
> 2) hook the T1 to a separate NIC on the router
> 
> 3) create an alternative routing table with the T1 as its default route
> 3.1) add something like "201 t1.out" to /etc/iproute2/rt_tables
> 3.2) 'ip route add default via [w.x.y.z] dev [ethX] table t1.out'
> 3.3) [populate your other LAN routes in here, too]
> 
> 4) use iptables' mangle table to tattoo packets sourced from-/bound for
> your servers with some special MARK, like "1"
> 4.1) 'iptables -A PREROUTING -s [se.rv.er.ip] -j MARK --set-mark 0x1'
> 4.2) 'iptables -A PREROUTING -d [se.rv.er.ip] -j MARK --set-mark 0x1'
> 
> 5) use an ip rule to jam these packets into the alternate routing table
> 5.1) 'ip rule add fwmark 1 table t1.out'
> 
> 6) IIRC, if you're masquerading outbound packets, you'll need to move to
> SNAT (on each of the cable modem and T1 interfaces), though I can't
> remember why at the moment
> 
> 
> Good luck, and let fly if you have questions.
> 
> 
> Cheers,
> 
> - -sth
> 
> sam hooker|[email protected]|http://www.noiseplant.com
> 
> I have received the love Internet dispatch.
>       
>                               -spam
> 
> On 2009/03/17 4:52 PM, Rene Churchill wrote:
> > 
> > Hey gang,
> > 
> > I'm looking for some pointers/recommendations on how to set up a
> > router for an office to split/share bandwidth between two sources.
> > I know enough about networking to keep my internal network up
> > but I'm getting into deeper waters here.
> > 
> > Here's the scenario.  I'm in an office with a split T1 currently.  Half
> > phone, half data.  The office is growing, so the number of times the
> > pipe gets clogged during the day is increasing and it's getting annoying.
> > I've got to keep the static IP as we've got email, ftp and a couple of
> > minor web servers running.  The current firewall is a SmoothWall
> > Express v2 that Stan set up several years ago for us.
> > 
> > What I'd like to do is get a cable modem tied into the office to provide
> > some cheap bandwidth for the majority of our data needs during the day.
> > The servers have static internal IPs, the desktop PCs have dynamic IPs,
> > so they're easy to tell apart.
> > 
> > So, any suggestions on how to set up a firewall/router that will send the
> > traffic from the desktops out over the cable modem while letting the servers
> > have the T1 bandwidth?
> > 
> > Many thanks,
> >     Rene
> > 
> > -- 
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > René Churchill                         [email protected]
> > Geek Two                               802-244-7880 x527
> > Your Source for Local Information      http://www.wherezit.com
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAknAFEkACgkQX8KByLv3aQ16xQCfeZlaptsNpQtqWIbU32x4VP22
> 8SQAn2v/EBkyFrEkz51ML/y/rFpxLfMl
> =MqBy
> -----END PGP SIGNATURE-----
-- 
Rubin Bennett
rbTechnologies, LLC
80 Carleton Boulevard
East Montpelier, VT 05651

(802)223-4448
http://thatitguy.com

"Think for yourselves and let others enjoy the privilege to do so too."
  Voltaire, Essay on Tolerance
  French author, humanist, rationalist, & satirist (1694 - 1778)
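The six policy-routing steps sth lists above, collected into one shell script as an added example (this is not code from the thread or from any of the posters). Every address, the server subnet, the interface names, the SNAT/MASQUERADE split and the rp_filter setting are assumptions chosen for illustration; the script prints the commands it would apply unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not from the thread: sth's policy-routing recipe as a script.
# All values below are constructed placeholders; override them via the
# environment on a real router.
SERVER_NET="${SERVER_NET:-192.0.2.16/28}"   # static server block behind the router
LAN_NET="${LAN_NET:-192.0.2.0/24}"          # whole office LAN (desktops get DHCP)
LAN_DEV="${LAN_DEV:-eth0}"
T1_DEV="${T1_DEV:-eth1}"                    # NIC wired to the T1 (step 2)
T1_GW="${T1_GW:-198.51.100.1}"              # T1 provider's next hop
T1_IP="${T1_IP:-198.51.100.2}"              # static public address the servers keep
CABLE_DEV="${CABLE_DEV:-eth2}"              # cable modem; its DHCP lease sets the
                                            # kernel's real default route (step 1)
TABLE_ID=201
TABLE_NAME="t1.out"
MARK=0x1
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands only; 0 = apply

# Every configuration command goes through run() so the plan can be reviewed
# before it touches a production router.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 3.1: name the alternate table (idempotent; appends only if missing).
ensure_rt_table() {
    grep -qs "^$TABLE_ID[[:space:]]*$TABLE_NAME" /etc/iproute2/rt_tables && return 0
    if [ "$DRY_RUN" = "1" ]; then
        echo "echo '$TABLE_ID $TABLE_NAME' >> /etc/iproute2/rt_tables"
    else
        echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
    fi
}

# Steps 3.2 / 3.3: the T1 table needs the LAN routes as well as its default.
# Once the fwmark rule sends a packet to this table, a matching default route
# ends the lookup, so without the LAN route a marked packet for a LAN host
# (e.g. a reply coming in over the T1) would be shipped back to the T1 gateway.
add_t1_routes() {
    run ip route add "$LAN_NET" dev "$LAN_DEV" table "$TABLE_NAME"
    run ip route add default via "$T1_GW" dev "$T1_DEV" table "$TABLE_NAME"
}

# Step 4: MARK lives in the mangle table; PREROUTING there sees forwarded
# packets before the routing decision is made.
mark_server_traffic() {
    run iptables -t mangle -A PREROUTING -s "$SERVER_NET" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -d "$SERVER_NET" -j MARK --set-mark "$MARK"
}

# Step 5: send marked packets through the T1 table.
add_fwmark_rule() {
    run ip rule add fwmark "$MARK" table "$TABLE_NAME"
}

# Step 6: source NAT per uplink. Assumption: an explicit SNAT on the T1 side so
# the servers keep presenting the static address, MASQUERADE on the cable side
# because that address comes from DHCP and may change.
add_nat() {
    run iptables -t nat -A POSTROUTING -o "$T1_DEV" -j SNAT --to-source "$T1_IP"
    run iptables -t nat -A POSTROUTING -o "$CABLE_DEV" -j MASQUERADE
}

# Replies to server traffic arrive on the T1 while the main table's default
# route points at the cable modem; strict reverse-path filtering would drop
# them, so put the T1 NIC into loose mode (value 2).
relax_rp_filter() {
    run sysctl -w "net.ipv4.conf.$T1_DEV.rp_filter=2"
}

# Emit (or apply) the whole recipe in order.
policy_routing_plan() {
    ensure_rt_table
    add_t1_routes
    mark_server_traffic
    add_fwmark_rule
    add_nat
    relax_rp_filter
    run ip route flush cache
}

policy_routing_plan
```

Run it as root with `DRY_RUN=0` to apply. The one deliberate change from the quoted commands is `-t mangle` on the MARK rules: step 4 names the mangle table, but without the flag iptables would look for a PREROUTING chain in the filter table, which has none, and the rule would not load.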
