On Thu, 2009-03-26 at 16:22 -0400, Rion D'Luz wrote:
> Congrats pard! Nothing beats the sound of happy packets! Sounds like....
> victory
>
> More ?'s below:
>
>
> On Thursday 26 March 2009, Rubin Bennett wrote:
> > So in a follow up to the thread of last week about dual Internet
> > connections, I managed to do that which I thought impossible over the
> > weekend for a client.
> >
> > The layout:
> >
> >
> > |---------------|      |---------------|            /-----\
> > |192.168.1.0/24 |      |               |----ISP1---|       |
> > |      LAN      |------|   Firewall    |           |  0/0  |
> > |               |      |               |----ISP2---|       |
> > |---------------|      |---------------|            \-----/
> >
> > The outbound side is reasonably easy to deal with using iproute2 and
> > weighting/ equalizing the routes.
> Is there a switch somewhere; is fw also THE router?
>

The firewall is the router, there's a switch internal. This is an
extremely simplified diagram of the network: the real deal has a 48 port
switch, with 6 servers behind it.

The Firewall has 3 network cards: one LAN, one to ISP1 and another to
ISP2. The firewall is configured with 2 subnets:

LAN:  192.168.1.0/24
ISP1: 1.2.3.4/28
ISP2: 5.6.7.8/28

I have a stupid long set of IPTables that does NAT and PAT for both
inbound connections and the outbound Masquerading. I generate those using
FWBuilder because when you have a complicated network, it's really, really
nice to have a graphical representation of it somewhere. I also like it
because it looks and feels a LOT like SecureRemote from CheckPoint, which
I used in a past life, and because it can manage BSD (pf), ipfwadm,
iptables, Cisco ACLs, etc. all from the same XML file.

> >
> > However, the difficult (and therefore rewarding part) was getting the
> > firewall to track and properly forward connections to an internal system
> > *regardless of which connection it came in on*. The goal was to have 2
> > MX records in public DNS, one weighted higher than the other, so that if
> > the connection to ISP1 goes down, inbound e-mail will simply come in
> > over the other line.
>
> So, the LAN (or an analog DMZ) is hosting an smtp server and the fw
> greenlights port traffic on either IF?
> Cool so far.
>

Greenlights and more importantly tracks which interface the traffic came
in on so that return traffic is sent out the appropriate interface.

> >
> > In my looking around for systems or appliances that perform this magic,
> > I came up basically empty (short of $10k NetScreen/ Barracuda/ Cisco
> > gear) and was under the impression that it's simply not possible under
> > Linux
> Did you perchance, look into a Vyatta router?

For about 10 seconds, but then I got distracted... what was I just doing?
Seriously they look interesting and I should find out more.

> > without employing some sort of source routing, which would then
> > require either separate IP addresses and routing tables on the internal
> > server, or dual NICs on the server.
> So the fw is just a linux box acting as a hub/router?
> And has two NICS not one 2-port NIC? Correct?
> Is it capable of port-bonding, does it need that?
>

It can but unless we do BGP (not realistic or feasible for a small
network) bonding would effectively make both connections not work at all.

> > Then connections to the server from
> > ISP1 could be forwarded to NIC1 on the server, and connections via ISP2
> > would be forwarded to NIC2.
> So, what you wanted to do was possible under Linux using two NICS, though
> I don't understand why you couldn't have done that w/IP aliasing; not that
> you'd want to.
>

3 NICs. And unless I put a switch in front of the router (thereby losing
the physical separation of the 2 incoming connections) it's again messier
than I like. And you would still have the issue of tracking which IP
address traffic came from and then sending it back out stamped with the
correct source IP.

> > However, that's messy and inelegant, and flies in the face of how I like
> > to do things :)
> >
> > Enter my OCD, and a couple days worth of Googling, and I stumbled across
> > fwmark and --ctorigdst in the iptables stack [1]
> >
> >
> > An afternoon of pfutzing with iproute2 and iptables, and voila!!! It
> > Works!
> Care to share your source code, scripts, params, etc..?
>

I would be happy to once I get it into a sanitized form :)

Rubin

--
Rubin Bennett
rbTechnologies, LLC
80 Carleton Boulevard
East Montpelier, VT 05651
(802)223-4448
http://thatitguy.com

"Think for yourselves and let others enjoy the privilege to do so too."
Voltaire, Essay on Tolerance
French author, humanist, rationalist, & satirist (1694 - 1778)
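The fwmark / --ctorigdst technique Rubin describes, written out as an added example (this is not his script, which was not posted in the thread). It assumes eth0/eth1/eth2 for LAN/ISP1/ISP2, placeholder gateways 1.2.3.1 and 5.6.7.1, and a mail server at 192.168.1.25; the public addresses are the ones from his post.

```shell
#!/bin/sh
# Added example, not the poster's script: dual-ISP Linux firewall where
# replies to an inbound connection leave via the ISP they arrived on.
# Assumed: eth0=LAN, eth1=ISP1, eth2=ISP2; gateways and the mail server
# address are placeholders, not taken from the thread.
LAN_IF=eth0;  LAN_NET=192.168.1.0/24; MAIL=192.168.1.25
ISP1_IF=eth1; ISP1_IP=1.2.3.4; ISP1_GW=1.2.3.1
ISP2_IF=eth2; ISP2_IP=5.6.7.8; ISP2_GW=5.6.7.1

# DRY_RUN=1 prints each command instead of executing it (no root needed).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

configure_multiwan() {
    # One routing table per ISP; the main table keeps ISP1 as the default.
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table 1
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table 2
    # A packet carrying fwmark 1 or 2 is routed by that table, not main.
    run ip rule add fwmark 1 table 1
    run ip rule add fwmark 2 table 2
    # Inbound SMTP to either public address is DNATed to the mail server.
    run iptables -t nat -A PREROUTING -i "$ISP1_IF" -d "$ISP1_IP" \
        -p tcp --dport 25 -j DNAT --to-destination "$MAIL"
    run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$ISP2_IP" \
        -p tcp --dport 25 -j DNAT --to-destination "$MAIL"
    # Replies from the LAN: conntrack remembers the pre-DNAT destination
    # (--ctorigdst), i.e. which public address the client connected to,
    # so mark them for the matching ISP table before the routing decision.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack \
        --ctstate ESTABLISHED,RELATED --ctorigdst "$ISP1_IP" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack \
        --ctstate ESTABLISHED,RELATED --ctorigdst "$ISP2_IP" -j MARK --set-mark 2
    # New outbound connections are SNATed to the address of the link they
    # actually leave on, so the source address always matches the ISP.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP1_IF" -j SNAT --to-source "$ISP1_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP2_IF" -j SNAT --to-source "$ISP2_IP"
    # Strict reverse-path filtering would drop packets arriving on the
    # non-default link; loose mode (2) keeps rejecting unroutable sources.
    for i in "$ISP1_IF" "$ISP2_IF"; do
        run sysctl -q -w "net.ipv4.conf.$i.rp_filter=2"
    done
}

# Usage: sh multiwan.sh apply (as root) or sh multiwan.sh print (dry run).
case "${1:-print}" in
    apply) configure_multiwan ;;
    print) DRY_RUN=1; configure_multiwan ;;
esac
```

Run it with `print` first and compare the emitted rules against the FWBuilder-generated set, since the mangle rules must come before any existing MARK rules for LAN traffic.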
