Chris,

If I correctly understand what you are trying to do, you can probably 
accomplish this using a combination of iptables and policy routing. 
Vyatta doesn't support the necessary parameters in the Vyatta CLI yet, 
but you should be able to configure it from the Linux shell.

The basic idea would be to do something like this...

# set up two routing tables each with their own default like so...
# DSL router
ip route add default via 192.1.1.1 table 1
# cable modem
ip route add default via CABLE-MODEM-IP table 2
# Policy rules are matched lowest pref first, and "ip rule add" without a
# pref puts each new rule ahead of the previous one, so give explicit prefs
# to keep the fwmark rule ahead of the catch-all for the second subnet.
# Then route all traffic from your DMZ machines to the DSL router
ip rule add pref 200 from 192.1.1.0/25 table 1
# Set up iptables rules to mark web traffic from your other interface
iptables -t mangle -A PREROUTING -p tcp -s 192.1.1.128/25 -d 0/0 --dport 80 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p tcp -s 192.1.1.128/25 -d 0/0 --dport 443 -j MARK --set-mark 2
# route that marked web traffic out the cable modem
ip rule add pref 100 fwmark 2 table 2
# route other traffic from that subnet out the DSL modem
ip rule add pref 300 from 192.1.1.128/25 table 1

I haven't verified this exact config, so your mileage may vary.  But 
that's the general idea.  You will need to set up any NAT rules separately 
and may need to adjust your ip rules above to match the new source 
addresses depending on where you NAT.  Let us know if you get it to work.

Cheers,
Robert.

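The recipe above as a small POSIX shell script, added here as an example and not code from Robert or from Vyatta: it gives the rules explicit preferences, has a dry-run mode so the generated commands can be reviewed without root, and ends with an ip route get check. The cable gateway (CABLE_GW), the LAN interface name (LAN_IF) and the test destination 203.0.113.10 are placeholders and constructed values.

```shell
#!/bin/sh
# Dual-uplink policy routing, assembled from the thread's recipe.
# Constructed values: DSL gateway 192.1.1.1, DMZ 192.1.1.0/25, LAN 192.1.1.128/25;
# CABLE_GW and LAN_IF are placeholders to fill in for the real box.
DSL_GW=${DSL_GW:-192.1.1.1}
CABLE_GW=${CABLE_GW:-CABLE-MODEM-IP}
LAN_IF=${LAN_IF:-eth1}
DMZ_NET=192.1.1.0/25
LAN_NET=192.1.1.128/25
WEB_MARK=2
WEB_PORTS="80 443"

# run_cmd: execute the command, or only print it when DRY_RUN=1 so the
# generated rules can be reviewed without root.
run_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

pbr_apply() {
    # One default route per uplink, each in its own table.
    # 'replace' instead of 'add' keeps the script idempotent on re-runs.
    run_cmd ip route replace default via "$DSL_GW" table 1
    run_cmd ip route replace default via "$CABLE_GW" table 2
    # Mark LAN web traffic in mangle/PREROUTING. This runs before routing and
    # before SNAT (POSTROUTING), so -s still sees the private source address.
    for port in $WEB_PORTS; do
        run_cmd iptables -t mangle -A PREROUTING -s "$LAN_NET" -p tcp \
            --dport "$port" -j MARK --set-mark "$WEB_MARK"
    done
    # Rules are evaluated lowest pref first. 'ip rule add' without a pref
    # inserts each new rule ahead of the previous one, so explicit prefs are
    # the only way to guarantee the fwmark rule beats the LAN catch-all.
    run_cmd ip rule add pref 100 fwmark "$WEB_MARK" table 2
    run_cmd ip rule add pref 200 from "$DMZ_NET" table 1
    run_cmd ip rule add pref 300 from "$LAN_NET" table 1
    run_cmd ip route flush cache
}

# pbr_check: ask the kernel which route a marked LAN flow and an unmarked one
# would take; the first should leave via table 2, the second via table 1.
pbr_check() {
    run_cmd ip route get 203.0.113.10 from 192.1.1.130 iif "$LAN_IF" mark "$WEB_MARK"
    run_cmd ip route get 203.0.113.10 from 192.1.1.130 iif "$LAN_IF"
}

# Usage: 'sh pbr.sh apply' configures the router; 'DRY_RUN=1 sh pbr.sh apply' previews.
if [ "${1:-}" = apply ]; then pbr_apply && pbr_check; fi
```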

Christopher Johnson wrote:
> For the last few years I've used a FreeBSD box as my house net gateway.  
> It has two NICs.  The inside NIC has access to the Class-C house network 
> and a DSL router (no firewall).  The outside NIC is attached to a cable 
> modem and uses a static IP from the cable company.
> 
> Using the ipfw tool, I've added a rule that says that anything from the 
> inside net that is destined for port 80 or 443 (http and https) shall be 
> forwarded to the NAT daemon and from there routed out the cable modem.
> 
> This moves most of the household traffic off the DSL and onto the Cable 
> modem.
> 
> I'm attempting to figure out how to do the same thing with Vyatta.
> 
> The goal is to have two inside nets.  192.1.1.0/25 with vyatta as the 
> router at 192.1.1.3 which then forwards firewall approved traffic to 
> 192.1.1.1, the DSL router.  This is for my DMZ machines.
> 
> The second inside net would be 192.1.1.128/25 with vyatta as the router 
> at 192.1.1.129.  Here any traffic destined for port 80 or 443 will be 
> NATted and sent out the cable modem and all other traffic sent to 
> 192.1.1.1, with firewall approval.
> 
> Any suggestions or pointers will be appreciated
> 
> Thank you,
> Chris Johnson
> PS I'm testing VC4 right now, but if somebody can show me how, VC3 is 
> fine.  Just trying to avoid an upgrade in the near future.
> 
> 
_______________________________________________
Vyatta-users mailing list
Vyatta-users@mailman.vyatta.com
http://mailman.vyatta.com/mailman/listinfo/vyatta-users