Thanks, this was the path I was going to explore next but decided to ask the list first to check if I was just missing something in the documentation.
Best,
-Chris

On Fri, Feb 15, 2008 at 2:00 AM, Robert Bays <[EMAIL PROTECTED]> wrote:
> Chris,
>
> If I correctly understand what you are trying to do, you can probably
> accomplish this using a combination of iptables and policy routing.
> Vyatta doesn't support the necessary parameters in the Vyatta CLI yet,
> but you should be able to configure it from the Linux shell.
>
> The basic idea would be to do something like this...
>
> # setup two routing tables each with their own default like so...
> # DSL router
> ip route add default via 192.1.1.1 table 1
> # cable modem
> ip route add default via CABLE-MODEM-IP table 2
> # Then route all traffic from your DMZ machines to the DSL router
> ip rule add from 192.1.1.0/25 table 1 pref 300
> # Setup iptables rules to mark web traffic from your other interface
> iptables -t mangle -A PREROUTING -p tcp -s 192.1.1.128/25 -d 0/0 --dport 80 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -p tcp -s 192.1.1.128/25 -d 0/0 --dport 443 -j MARK --set-mark 2
> # route that marked web traffic out the cable modem
> # (explicit pref: without one, each new rule is inserted ahead of the previous
> # one, so this rule needs a lower number than the subnet rule below so that it
> # is checked first)
> ip rule add fwmark 2 table 2 pref 200
> # route other traffic from that subnet out DSL modem
> ip rule add from 192.1.1.128/25 table 1 pref 301
>
> I haven't verified this exact config, so your mileage may vary. But
> that's the general idea. You will need to set up any NAT rules separately
> and may need to adjust your ip rules above to match the new source
> addresses depending on where you NAT. Let us know if you get it to work.
>
> Cheers,
> Robert.
>
>
> Christopher Johnson wrote:
> > For the last few years I've used a FreeBSD box as my house net gateway.
> > It has two NICs. The inside NIC has access to the Class-C house network
> > and a DSL router (no firewall). The outside NIC is attached to a cable
> > modem and uses a static IP from the cable company.
> >
> > Using the ipfw tool, I've added a rule that says that anything from the
> > inside net that is destined for port 80 or 443 (http and https) shall be
> > forwarded to the NAT daemon and from there routed out the cable modem.
> >
> > This moves most of the household traffic off the DSL and onto the Cable
> > modem.
> >
> > I'm attempting to figure out how to do the same thing with Vyatta.
> >
> > The goal is to have two inside nets: 192.1.1.0/25 with vyatta as the
> > router at 192.1.1.3, which then forwards firewall-approved traffic to
> > 192.1.1.1, the DSL router. This is for my DMZ machines.
> >
> > The second inside net would be 192.1.1.128/25 with vyatta as the router
> > at 192.1.1.129. Here any traffic destined for port 80 or 443 will be
> > NATted and sent out the cable modem and all other traffic sent to
> > 192.1.1.1, with firewall approval.
> >
> > Any suggestions or pointers will be appreciated.
> >
> > Thank you,
> > Chris Johnson
> > PS I'm testing VC4 right now, but if somebody can show me how, VC3 is
> > fine. Just trying to avoid an upgrade in the near future.
_______________________________________________ Vyatta-users mailing list Vyatta-users@mailman.vyatta.com http://mailman.vyatta.com/mailman/listinfo/vyatta-users
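The split-egress setup Robert sketches (two routing tables, fwmark on web traffic, source-based rules for the rest) as a complete script. This is an added example, not code from the thread or from Vyatta. The subnets and the DSL router address are the ones Chris gave; the interface names eth0/eth1, the cable gateway 203.0.113.1 and the mark value are assumptions. It goes slightly beyond the thread in three places a practitioner runs into: rule priorities are explicit (without `pref`, each new `ip rule add` lands ahead of the previous one, so the order typed is the reverse of the lookup order), inside-to-inside traffic between the two /25s is pinned to the main table so it is not bounced via the DSL router, and the MASQUERADE rule for the cable side is included, which is safe to key on the private source addresses because SNAT happens after the routing decision. By default it only prints the commands; `DRY_RUN=0` applies them (root required).

```shell
#!/bin/sh
# Added example, not from the thread: policy routing for split egress.
# eth0/eth1, 203.0.113.1 and mark 2 are assumed placeholders; the /25s and
# 192.1.1.1 come from the thread. DRY_RUN=1 (default) prints, DRY_RUN=0 runs.
set -eu

DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-eth0}                # inside NIC: both /25s and the DSL router (assumed name)
CABLE_IF=${CABLE_IF:-eth1}            # outside NIC: cable modem, static IP (assumed name)
DSL_GW=192.1.1.1                      # DSL router on the inside LAN (from the thread)
CABLE_GW=${CABLE_GW:-203.0.113.1}     # cable ISP gateway (assumed placeholder)
DMZ_NET=192.1.1.0/25
LAN_NET=192.1.1.128/25
HOUSE_NET=192.1.1.0/24                # both /25s together
WEB_MARK=2

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_split_egress() {
    # 1. One default route per uplink, each in its own table.
    run ip route replace default via "$DSL_GW" dev "$LAN_IF" table 1
    run ip route replace default via "$CABLE_GW" dev "$CABLE_IF" table 2

    # 2. Mark LAN web traffic. fwmark is per packet, not per connection, so
    #    every client->server packet is matched, not just the SYN.
    for port in 80 443; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -j MARK --set-mark "$WEB_MARK"
    done

    # 3. Rules with explicit priorities (lowest number is checked first):
    #    100  inside-to-inside (LAN <-> DMZ) stays on the main table, which
    #         holds the connected route; table 1 only has a default route
    #    200  marked web traffic -> cable, checked before the LAN source rule
    #    300+ everything else from either /25 -> DSL
    run ip rule add to "$HOUSE_NET" table main pref 100
    run ip rule add fwmark "$WEB_MARK" table 2 pref 200
    run ip rule add from "$DMZ_NET" table 1 pref 300
    run ip rule add from "$LAN_NET" table 1 pref 301

    # 4. Masquerade on the cable side only. POSTROUTING SNAT runs after the
    #    routing decision, so the "from" rules above still see 192.1.1.x.
    run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j MASQUERADE
    run ip route flush cache
}

setup_split_egress
```

To check the result on a live box, `ip rule show` should list the four rules in priority order 100, 200, 300, 301 ahead of the main table, and `ip route get 198.51.100.10 from 192.1.1.130 mark 2` (any public address; the source is a LAN host) should resolve via the cable interface while the same lookup without `mark 2` resolves via 192.1.1.1.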