Replying to my own post to correct teh typo's :)

On Tue, 2009-03-17 at 17:30 -0400, Rubin Bennett wrote:
> We've actually done this very trick for a number of clients, where they
> have a single (usually fractional) T-1 that they use for incoming
> traffic (Web/ Intranet server, mailserver, etc. etc.) and a second
> Internet connection (usually Cable or DSL) for web surfing, windows
> updates, etc..
> 
> We subnet the network using DHCP and send traffic from the clients out
> the 'commodity' internet connection (read: faster and cheaper but
> theoretically less reliable).  Taht was we know how to route the
                                (That way)
> outbound traffic from the servers etc. and the firewall doesn't get all
> cornfused as to what interface to send traffic out on, and it also
> (perhaps more importantly) knows how to route the inbound packets as
> they return from the 'Net.
> 
> Hope that helps, and if it just served to confuse the issue I
> apologize :)
> 
> Rubin
> 
> 
> On Tue, 2009-03-17 at 17:21 -0400, sth wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > 
> > I was actually going to offer "Stupid Tricks With iptables, iproute2,
> > and Friends" as a preso for tonight's meeting, before realizing I
> > couldn't be there.
> > 
> > Here's what I'd do ("policy routing for Linux"):
> > 
> > 1) if you're using a cable modem for "bulk bandwidth", you'll want to
> > make that your router's "real" default route, since it'll probably be
> > getting its config via DHCP, and that'll populate into the kernel's
> > default routing table
> > 
> > 2) hook the T1 to a separate NIC on the router
> > 
> > 3) create an alternative routing table with the T1 as its default route
> > 3.1) add something like "201 t1.out" to /etc/iproute2/rt_tables
> > 3.2) 'ip route add default via [w.x.y.z] dev [ethX] table t1.out'
> > 3.3) [populate your other LAN routes in here, too]
> > 
> > 4) use iptables' mangle table to tattoo packets sourced from-/bound for
> > your servers with some special MARK, like "1"
> > 4.1) 'iptables -t mangle -A PREROUTING -s [se.rv.er.ip] -j MARK --set-mark 0x1'
> > 4.2) 'iptables -t mangle -A PREROUTING -d [se.rv.er.ip] -j MARK --set-mark 0x1'
> > 
> > 5) use an ip rule to jam these packets into the alternate routing table
> > 5.1) 'ip rule add fwmark 1 table t1.out'
> > 
> > 6) IIRC, if you're masquerading outbound packets, you'll need to move to
> > SNAT (on each of the cable modem and T1 interfaces), though I can't
> > remember why at the moment
> > 
> > 
> > Good luck, and let fly if you have questions.
> > 
> > 
> > Cheers,
> > 
> > - -sth
> > 
> > sam hooker|[email protected]|http://www.noiseplant.com
> > 
> > I have received the love Internet dispatch.
> >     
> >                             -spam
> > 
> > On 2009/03/17 4:52 PM, Rene Churchill wrote:
> > > 
> > > Hey gang,
> > > 
> > > I'm looking for some pointers/recommendations on how to setup a
> > > router for an office to split/share bandwidth between two sources.
> > > I know enough about networking to keep my internal network up
> > > but I'm getting into deeper waters here.
> > > 
> > > Here's the scenario.  I'm in an office with a split T1 currently.  Half
> > > phone, half data.  The office is growing, so the number of times the
> > > pipe gets clogged during the day is increasing and it's getting annoying.
> > > I've got to keep the static IP as we've got email, ftp and a couple of
> > > minor web servers running.  The current firewall is a SmoothWall
> > > Express v2 that Stan setup several years ago for us.
> > > 
> > > What I'd like to go is get a cable modem tied into the office to provide
> > > some cheap bandwidth for the majority of our data needs during the day.
> > > The servers have static internal IPs, the desktop PCs have dynamic IPs,
> > > so they're easy to tell apart.
> > > 
> > > So, any suggestions on how to setup a firewall/router that will send the
> > > traffic from the desktops out over the cable modem while letting the
> > > servers have the T1 bandwidth?
> > > 
> > > Many thanks,
> > >     Rene
> > > 
> > > -- 
> > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > > René Churchill                         [email protected]
> > > Geek Two                               802-244-7880 x527
> > > Your Source for Local Information      http://www.wherezit.com
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.8 (Darwin)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > 
> > iEYEARECAAYFAknAFEkACgkQX8KByLv3aQ16xQCfeZlaptsNpQtqWIbU32x4VP22
> > 8SQAn2v/EBkyFrEkz51ML/y/rFpxLfMl
> > =MqBy
> > -----END PGP SIGNATURE-----
-- 
Rubin Bennett
rbTechnologies, LLC
80 Carleton Boulevard
East Montpelier, VT 05651

(802)223-4448
http://thatitguy.com

"Think for yourselves and let others enjoy the privilege to do so too."
  Voltaire, Essay on Tolerance
  French author, humanist, rationalist, & satirist (1694 - 1778)
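The six-step recipe sth gives in the quoted message, carried through as one script. This is an added example written for this thread, not code from sth, Rubin or any list member. Every address, interface name and the /27 server range are constructed placeholders (TEST-NET blocks and private space), and it generalises the per-server MARK rules of step 4 to a whole static server range, which the setup Rene describes (static servers, DHCP desktops) allows. The script only prints the commands; nothing on the router changes until that output is reviewed and run as root.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster.
# Emits the iproute2/iptables commands for sth's steps 3-6: the alternate
# routing table, the fwmark rules, the ip rule and per-interface SNAT.
# All addresses and interface names below are constructed placeholders.

T1_IF="${T1_IF:-eth1}"                      # NIC wired to the T1 (step 2)
T1_GW="${T1_GW:-203.0.113.1}"               # T1 provider's gateway (TEST-NET-3)
T1_ADDR="${T1_ADDR:-203.0.113.2}"           # router's static address on the T1
CABLE_IF="${CABLE_IF:-eth0}"                # cable modem NIC; holds the main default route (step 1)
CABLE_ADDR="${CABLE_ADDR:-198.51.100.7}"    # DHCP-assigned cable address (TEST-NET-2)
LAN_IF="${LAN_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER_NET="${SERVER_NET:-192.168.1.0/27}"  # static range holding the servers (assumption)
TABLE_ID=201
TABLE_NAME=t1.out
FWMARK=1                                    # "1" in the ip rule, 0x1 in iptables: same value

# Dotted-quad sanity check so a typo never reaches 'ip route add'.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Step 3.1: add "201 t1.out" to rt_tables exactly once (idempotent).
ensure_rt_table() {
    rt_file="$1"
    if [ -f "$rt_file" ] && awk -v id="$TABLE_ID" -v name="$TABLE_NAME" \
            '$1 == id && $2 == name { found = 1 } END { exit found ? 0 : 1 }' "$rt_file"; then
        return 0
    fi
    printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$rt_file"
}

# Steps 3.2 to 6: print the commands; nothing is applied here.
policy_routing_plan() {
    for a in "$T1_GW" "$T1_ADDR" "$CABLE_ADDR"; do
        is_ipv4 "$a" || { echo "bad IPv4 address: $a" >&2; return 1; }
    done
    cat <<EOF
# 3.2/3.3: alternate table with the T1 as default; the LAN route is needed
#          because marked server->desktop replies also consult this table
ip route add default via $T1_GW dev $T1_IF table $TABLE_NAME
ip route add $LAN_NET dev $LAN_IF table $TABLE_NAME
# 4: mark server traffic in the mangle table (both directions, as in the thread)
iptables -t mangle -A PREROUTING -s $SERVER_NET -j MARK --set-mark $FWMARK
iptables -t mangle -A PREROUTING -d $SERVER_NET -j MARK --set-mark $FWMARK
# 5: marked packets consult the alternate table
ip rule add fwmark $FWMARK table $TABLE_NAME
ip route flush cache
# 6: explicit SNAT per upstream instead of MASQUERADE
iptables -t nat -A POSTROUTING -o $T1_IF -j SNAT --to-source $T1_ADDR
iptables -t nat -A POSTROUTING -o $CABLE_IF -j SNAT --to-source $CABLE_ADDR
# strict reverse-path filtering drops replies that arrive on the "other" upstream;
# loose mode (value 2, kernels 2.6.28 and later) keeps them
sysctl -w net.ipv4.conf.$T1_IF.rp_filter=2
sysctl -w net.ipv4.conf.$CABLE_IF.rp_filter=2
EOF
}

policy_routing_plan
```

Set the variables in the environment for the real box, run `ensure_rt_table /etc/iproute2/rt_tables` once, read the printed plan, then pipe it into a root shell. The commands use `-A`, so re-running the plan duplicates rules; flush the mangle and nat chains first or check with `iptables -t mangle -S` and `ip rule show` before applying again.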
