I know this thread is long-dead, but I literally woke up this morning and
thought, "Speaking of head-banging: I neglected to include "-t mangle" in
those 'iptables' commands."

(This is what I get for 'nice'-ing thought processes in my brain: they
don't complete until days -- and a good glass of wine -- later.)

My apologies to anyone who was masochistic enough to try this method and
ran into trouble on account of that.

I'll be quiet, now. :-)

Cheers,

-sth

sam hooker|[email protected]|http://www.noiseplant.com

I have received the love Internet dispatch.
-spam


On 2009/03/17 5:34 PM, sth wrote:
>
> BTW, sorry for the terseness. I had meant to cap this off with, "Thus,
> any communications bound for the Internet from LAN nodes whose packets
> don't get MARKed will exit via the cable modem, while those that DO get
> MARKed will use the T1." Additionally, upon reflection, 4.2 is unnecessary.
>
> This is all derived from (the out-of-date, but still applicable) Linux
> Advanced Routing and Traffic Control HOWTO[1]. And hours of real-world
> head-banging. ;-)
>
>
> -sth
>
> [1] http://lartc.org
>
> sam hooker|[email protected]|http://www.noiseplant.com
>
> I have received the love Internet dispatch.
>
> -spam
>
>
> On 2009/03/17 5:21 PM, sth wrote:
>> I was actually going to offer "Stupid Tricks With iptables, iproute2,
>> and Friends" as a preso for tonight's meeting, before realizing I
>> couldn't be there.
>>
>> Here's what I'd do ("policy routing for Linux"):
>>
>> 1) if you're using a cable modem for "bulk bandwidth", you'll want to
>> make that your router's "real" default route, since it'll probably be
>> getting its config via DHCP, and that'll populate into the kernel's
>> default routing table
>>
>> 2) hook the T1 to a separate NIC on the router
>>
>> 3) create an alternative routing table with the T1 as its default route
>> 3.1) add something like "201 t1.out" to /etc/iproute2/rt_tables
>> 3.2) 'ip route add default via [w.x.y.z] dev [ethX] table t1.out'
>> 3.3) [populate your other LAN routes in here, too]
>>
>> 4) use iptables' mangle table to tattoo packets sourced from-/bound for
>> your servers with some special MARK, like "1"
>> 4.1) 'iptables -A PREROUTING -s [se.rv.er.ip] -j MARK --set-mark 0x1'
>> 4.2) 'iptables -A PREROUTING -d [se.rv.er.ip] -j MARK --set-mark 0x1'
>>
>> 5) use an ip rule to jam these packets into the alternate routing table
>> 5.1) 'ip rule add fwmark 1 table t1.out'
>>
>> 6) IIRC, if you're masquerading outbound packets, you'll need to move to
>> SNAT (on each of the cable modem and T1 interfaces), though I can't
>> remember why at the moment
>>
>>
>> Good luck, and let fly if you have questions.
>>
>>
>> Cheers,
>>
>> -sth
>>
>> sam hooker|[email protected]|http://www.noiseplant.com
>>
>> I have received the love Internet dispatch.
>>
>> -spam
>>
>>
>> On 2009/03/17 4:52 PM, Rene Churchill wrote:
>>> Hey gang,
>>>
>>> I'm looking for some pointers/recommendations on how to set up a
>>> router for an office to split/share bandwidth between two sources.
>>> I know enough about networking to keep my internal network up,
>>> but I'm getting into deeper waters here.
>>>
>>> Here's the scenario. I'm in an office with a split T1 currently. Half
>>> phone, half data. The office is growing, so the number of times the
>>> pipe gets clogged during the day is increasing and it's getting annoying.
>>> I've got to keep the static IP as we've got email, ftp and a couple of
>>> minor web servers running. The current firewall is a SmoothWall
>>> Express v2 that Stan set up several years ago for us.
>>>
>>> What I'd like to do is get a cable modem tied into the office to provide
>>> some cheap bandwidth for the majority of our data needs during the day.
>>> The servers have static internal IPs, the desktop PCs have dynamic IPs,
>>> so they're easy to tell apart.
>>>
>>> So, any suggestions on how to set up a firewall/router that will send the
>>> traffic from the desktops out over the cable modem while letting the servers
>>> have the T1 bandwidth?
>>>
>>> Many thanks,
>>> Rene
>>>
>>> --
>>> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>>> René Churchill [email protected]
>>> Geek Two 802-244-7880 x527
>>> Your Source for Local Information http://www.wherezit.com
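The six steps above, collected into one script with the "-t mangle" correction from the follow-up applied. This is an added example, not code from the thread or from any of the posters. Everything concrete in it is assumed for illustration: the interface names (eth0 LAN, eth1 cable, eth2 T1), the T1 addresses from the 203.0.113.0/24 documentation range, the 192.168.1.0/24 LAN and its two server addresses, and the table name "201 t1.out" from step 3.1. It goes a little beyond the thread in three places: it marks a list of servers rather than one, it does the step-6 NAT as MASQUERADE on the DHCP-addressed cable side and SNAT to the fixed address on the T1 side (my choice; the thread says SNAT on both), and it loosens reverse-path filtering on the T1 interface, because with the main table pointing at the cable modem, strict rp_filter would drop Internet packets that arrive on the T1 for the servers. Run it as `sh multiwan.sh show` to print the commands, or as root with `apply` to execute them and then ask the kernel how a marked server packet would be routed.

```shell
#!/bin/sh
# Two-uplink policy routing for a Linux router (added example, not from the
# thread). The cable modem keeps the kernel's normal default route; packets
# sourced from the static-IP servers get a firewall MARK in the mangle table,
# and an "ip rule" steers marked packets into a second routing table whose
# default route is the T1.
#
# All values below are assumptions for illustration; replace them.
LAN_IF=eth0                # inside
CABLE_IF=eth1              # cable modem, DHCP; its default route stays in "main"
T1_IF=eth2                 # T1 router
T1_GW=203.0.113.1          # T1 next hop
T1_IP=203.0.113.2          # this router's own static T1-side address
LAN_NET=192.168.1.0/24
SERVERS="192.168.1.10 192.168.1.11"   # servers that must always use the T1
TABLE_ID=201
TABLE=t1.out
MARK=0x1
MODE=${MODE:-show}         # "show" prints each command, "apply" runs it

# run: execute a command, or print it verbatim in show mode.
run() {
    if [ "$MODE" = show ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 3.1: name the alternate table once in /etc/iproute2/rt_tables.
name_table() {
    if grep -qs "^$TABLE_ID[[:space:]]" /etc/iproute2/rt_tables; then
        return 0
    fi
    if [ "$MODE" = show ]; then
        printf "echo '%s %s' >> /etc/iproute2/rt_tables\n" "$TABLE_ID" "$TABLE"
    else
        printf '%s %s\n' "$TABLE_ID" "$TABLE" >> /etc/iproute2/rt_tables
    fi
}

# Steps 3.2/3.3: the table needs the LAN route as well as the T1 default;
# otherwise a marked server packet for a LAN host would go up the T1.
# "replace" instead of "add" so re-running the script does not error out.
setup_table() {
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route replace default via "$T1_GW" dev "$T1_IF" table "$TABLE"
}

# Step 4: MARK packets sourced from the servers. The MARK target lives in
# the mangle table, hence "-t mangle". Replies to inbound connections carry
# the server address as source, so marking by destination (4.2) is not needed.
setup_marks() {
    for s in $SERVERS; do
        run iptables -t mangle -A PREROUTING -s "$s" -j MARK --set-mark "$MARK"
    done
}

# Step 5: marked packets consult the T1 table before "main".
setup_rule() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache     # per LARTC; a no-op on kernels without a route cache
}

# Step 6: source NAT per uplink. The cable side has a DHCP address, so
# MASQUERADE follows whatever it currently is; the T1 side is static, so SNAT.
# Strict rp_filter would reject Internet packets arriving on the T1 (the
# main table routes their sources out the cable), so use loose mode there.
setup_nat() {
    run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$T1_IF" -j SNAT --to-source "$T1_IP"
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$T1_IF.rp_filter=2"
}

# Check: ask the kernel which way a marked server packet to the Internet goes.
# Expect "via $T1_GW dev $T1_IF table $TABLE" for each server.
verify() {
    for s in $SERVERS; do
        run ip route get 198.51.100.1 from "$s" iif "$LAN_IF" mark "$MARK"
    done
}

setup_all() {
    name_table
    setup_table
    setup_marks
    setup_rule
    setup_nat
}

case "${1:-}" in
    show)  MODE=show;  setup_all ;;
    apply) MODE=apply; setup_all; verify ;;
esac
```

Desktops are never marked, so they fall through to the main table and the cable modem's DHCP default route, exactly as the follow-up describes; a server talking to a desktop still matches the LAN route inside t1.out and never leaves the building. The `ip rule add` is the one non-idempotent line: check `ip rule list` before applying a second time.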
