Rubin: Thanks for the follow-up to my ?'s
Rion

On Thursday 26 March 2009, Rubin Bennett wrote:
> On Thu, 2009-03-26 at 16:22 -0400, Rion D'Luz wrote:
> > Congrats pard! Nothing beats the sound of happy packets! Sounds like.... victory
> >
> > More ?'s below:
> >
> > On Thursday 26 March 2009, Rubin Bennett wrote:
> > > So in a follow up to the thread of last week about dual Internet
> > > connections, I managed to do that which I thought impossible over the
> > > weekend for a client.
> > >
> > > The layout:
> > >
> > > |---------------|      |---------------|           /-----\
> > > |192.168.1.0/24 |      |               |----ISP1---|     |
> > > |      LAN      |------|   Firewall    |           | 0/0 |
> > > |               |      |               |----ISP2---|     |
> > > |---------------|      |---------------|           \-----/
> > >
> > > The outbound side is reasonably easy to deal with using iproute2 and
> > > weighting/ equalizing the routes.
> > Is there a switch somewhere; is fw also THE router?
>
> The firewall is the router, there's a switch internal. This is an
> extremely simplified diagram of the network: the real deal has a 48
> port switch, with 6 servers behind it.
>
> The Firewall has 3 network cards: one LAN, one to ISP1 and another to
> ISP2.
>
> The firewall is configured with 2 subnets:
> LAN: 192.168.1.0/24
> ISP1: 1.2.3.4/28
> ISP2: 5.6.7.8/28
>
> I have a stupid long set of IPTables that does NAT and PAT for both
> inbound connections and the outbound Masquerading. I generate those
> using FWBuilder because when you have a complicated network, it's
> really, really nice to have a graphical representation of it somewhere.
> I also like it because it looks and feels a LOT like SecureRemote from
> CheckPoint, which I used in a past life, and because it can manage BSD
> (pf), ipfwadm, iptables, Cisco ACLs, etc. all from the same XML file.
>
> > > However, the difficult (and therefore rewarding part) was getting the
> > > firewall to track and properly forward connections to an internal system
> > > *regardless of which connection it came in on*. The goal was to have 2
> > > MX records in public DNS, one weighted higher than the other, so that if
> > > the connection to ISP1 goes down, inbound e-mail will simply come in
> > > over the other line.
> >
> > So, the LAN (or an analog DMZ) is hosting an smtp server and the fw
> > greenlights port traffic on either IF?
> > Cool so far.
>
> Greenlights and more importantly tracks which interface the traffic came
> in on so that return traffic is sent out the appropriate interface.
>
> > > In my looking around for systems or appliances that perform this magic,
> > > I came up basically empty (short of $10k NetScreen/ Barracuda/ Cisco
> > > gear) and was under the impression that it's simply not possible under
> > > Linux
> > Did you perchance, look into a Vyatta router?
>
> For about 10 seconds, but then I got distracted... what was I just
> doing?
> Seriously they look interesting and I should find out more.
>
> > > without employing some sort of source routing, which would then
> > > require either separate IP addresses and routing tables on the internal
> > > server, or dual NICs on the server.
> > So the fw is just a linux box acting as a hub/router?
> > And has two NICS not one 2-port NIC? Correct?
> > Is it capable of port-bonding, does it need that?
>
> It can but unless we do BGP (not realistic or feasible for a small
> network) bonding would effectively make both connections not work at
> all.
>
> > > Then connections to the server from
> > > ISP1 could be forwarded to NIC1 on the server, and connections via ISP2
> > > would be forwarded to NIC2.
> > So, what you wanted to do was possible under Linux using two NICS, though
> > I don't understand why you couldn't have done that w/IP aliasing; not that
> > you'd want to.
>
> 3 NICs. And unless I put a switch in front of the router (thereby
> losing the physical separation of the 2 incoming connections) it's again
> messier than I like. And you would still have the issue of tracking
> which IP address traffic came from and then sending it back out stamped
> with the correct source IP.
>
> > > However, that's messy and inelegant, and flies in the face of how I like
> > > to do things :)
> > >
> > > Enter my OCD, and a couple days worth of Googling, and I stumbled across
> > > fwmark and --ctorigdst in the iptables stack [1]
> > >
> > > An afternoon of pfutzing with iproute2 and iptables, and voila!!! It
> > > Works!
> > Care to share your source code, scripts, params, etc..?
>
> I would be happy to once I get it into a sanitized form :)
>
> Rubin
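Rubin never posted his sanitized script, so the following is an added example (not his code, and not from any project mentioned in the thread) of the fwmark / --ctorigdst technique he describes: reply packets from the internal mail server are marked according to the connection's original destination address and policy-routed back out the ISP link the connection arrived on. The ISP prefixes 1.2.3.4/28 and 5.6.7.8/28 are the ones given in the thread; the interface names, gateway addresses and the mail server address 192.168.1.25 are assumptions. By default the script only prints the commands it would run; set APPLY=1 to execute them as root.

```shell
#!/bin/sh
# Dual-ISP inbound tracking on a Linux firewall (added example, assumptions
# marked below): mark LAN-originated reply packets by the ORIGINAL destination
# of their connection (--ctorigdst) and route them by that mark.

LAN_IF=eth0                                        # assumed
ISP1_IF=eth1;  ISP1_IP=1.2.3.4;  ISP1_GW=1.2.3.1   # gateway assumed
ISP2_IF=eth2;  ISP2_IP=5.6.7.8;  ISP2_GW=5.6.7.1   # gateway assumed
MAIL=192.168.1.25                                  # internal SMTP server, assumed

# APPLY=1 executes each command; the default prints it so the generated
# ruleset can be reviewed before it touches a production firewall.
APPLY=${APPLY:-0}
run() {
  if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_routing() {
  # One routing table per ISP, selected by firewall mark.
  run ip route replace default via "$ISP1_GW" dev "$ISP1_IF" table 101
  run ip route replace default via "$ISP2_GW" dev "$ISP2_IF" table 102
  run ip rule add fwmark 1 table 101
  run ip rule add fwmark 2 table 102
  # Unmarked (new outbound) traffic is balanced across both links.
  run ip route replace default scope global \
      nexthop via "$ISP1_GW" dev "$ISP1_IF" weight 1 \
      nexthop via "$ISP2_GW" dev "$ISP2_IF" weight 1
  # Loose reverse-path filtering: strict mode would drop packets arriving on
  # the ISP link the balanced default route would not have chosen.
  run sysctl -w "net.ipv4.conf.$ISP1_IF.rp_filter=2"
  run sysctl -w "net.ipv4.conf.$ISP2_IF.rp_filter=2"
}

setup_marks() {
  # Replies from the LAN belong to a connection whose original destination
  # was one of the two public addresses. Mark them in mangle PREROUTING,
  # i.e. before the routing decision, so the ip rules pick the right table.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED --ctorigdst "$ISP1_IP" \
      -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
      -m conntrack --ctstate ESTABLISHED,RELATED --ctorigdst "$ISP2_IP" \
      -j MARK --set-mark 2
}

setup_nat() {
  # Inbound SMTP on either public address reaches the same internal server.
  run iptables -t nat -A PREROUTING -i "$ISP1_IF" -d "$ISP1_IP" -p tcp --dport 25 \
      -j DNAT --to-destination "$MAIL"
  run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$ISP2_IP" -p tcp --dport 25 \
      -j DNAT --to-destination "$MAIL"
  # Outbound traffic is stamped with the address of the link it leaves on.
  run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -j SNAT --to-source "$ISP1_IP"
  run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j SNAT --to-source "$ISP2_IP"
  # Only the published service is forwarded in from the ISPs; everything
  # else relies on connection tracking or originates on the LAN.
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$ISP1_IF" -d "$MAIL" -p tcp --dport 25 -j ACCEPT
  run iptables -A FORWARD -i "$ISP2_IF" -d "$MAIL" -p tcp --dport 25 -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -j ACCEPT
  run iptables -P FORWARD DROP
}

setup_routing
setup_marks
setup_nat
```

Two points worth checking on a real box: traffic the firewall itself answers (SSH to a public address, for instance) needs the same --ctorigdst marking in the mangle OUTPUT chain, since locally generated packets never traverse PREROUTING; and if the ISP hands out addresses by DHCP or PPP, the gateway variables have to be refreshed whenever a link comes up, or table 101/102 silently points at a stale next hop and replies for that link are lost.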