  1. #1 user7743 (Just Joined!, joined Sep 2012, 6 posts)

    Multiple gateways and routing

    Hi all,

    I am trying to figure out how to solve a "problem" I have which involves two sites and routing external traffic based upon its destination. The two sites are not based in the same country.

    The main site, where most of the clients are physically located and connected, has a Debian based router. This router has three physical ethernet connections:
    - eth0 is connected to the internet
    - eth1 is connected to the internal switch. This connection is bridged with a wireless NIC, wlan0, and a virtual interface for OpenVPN, tap0. The internal IP is assigned to this bridge, br0.
    - eth2 is currently unused but available if required.

    This router is the gateway for the local network (10.1.1.0/24) and has the IP address 10.1.1.1. Clients at this site get their IP addresses via DHCP from the router and are somewhere in that network range. The DHCP server sets the default gateway as 10.1.1.1 for everything but 10.1.1.0/24. User outbound connections from the site are routed out and have the external IP of eth0. For this configuration, everything is working as expected.

    Site two has an off the shelf router and assigns local clients addresses in the 192.168.0.0/24 range; the router itself has the IP 192.168.0.1. There is a machine on that network that creates a persistent VPN connection to the main site. This machine has eth0 connected to the local LAN with 192.168.0.24, and tap0 is the VPN connection to the main site and always receives 10.1.1.254. Only data bound for the 10.1.1.0/24 network is routed over the VPN connection; everything else goes over eth0 via the local ISP.

    Now, what I want to be able to do: I want to be able to direct certain external-bound traffic from the main site through the ISP of site two rather than through the local ISP, in cases where it is deemed relevant. The first question is how best to solve this problem. Would it be better to use iptables on the router at the main site, or would it be better to write different routing rules to the individual clients' routing tables via DHCP? I have also seen policy-based routing mentioned, but I have only seen it used on a router connected to multiple ISPs.

    Can someone point me in the right direction? Your help would be greatly appreciated.

  2. #2 (Just Joined!, joined Dec 2009, 3 posts)
    Here is a high-level outline of what you need to do:
    * Create multiple routing tables using ip route. Set an appropriate default gateway for each routing table.
    * Use the iptables marking facility to mark packets based upon your needs: mark one set of packets with a given mark to be sent through one routing table, and the other set with a different mark to send them through the other routing table.
    * Use ip rule add fwmark to route packets with different marks through different routing tables.


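The three steps in the reply above, as an added example for the topology described in this thread (this is not the reply author's or the poster's configuration): a shell script for the main-site Debian router that builds the extra routing table, marks packets to chosen destinations in the mangle table, and adds the fwmark rule, plus the two commands the site-two VPN host needs so the steered traffic can actually leave and return. Table id 100, fwmark 0x2, the destination list and the dry-run wrapper are assumptions; the addresses and interface names come from the thread. It prints the commands by default; run it with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (not the poster's config): steer selected destinations from the
# main site (10.1.1.0/24, router 10.1.1.1) out through site two's ISP via the VPN
# peer 10.1.1.254, using the three steps from the reply above.
# Assumptions not in the thread: routing table id 100, fwmark 0x2, the destination
# list below (constructed placeholders), and that the site-two VPN host can forward.
set -e

LAN_IF=br0                 # bridge carrying eth1, wlan0 and the OpenVPN tap0
LAN_NET=10.1.1.0/24
VPN_GW=10.1.1.254          # site-two VPN host, layer-2 adjacent on br0
TABLE=100                  # assumed table id (optionally name it in /etc/iproute2/rt_tables)
MARK=0x2                   # assumed fwmark value
# Constructed placeholder destinations (RFC 5737 documentation ranges); replace them.
DEST_VIA_SITE2="203.0.113.0/24 198.51.100.10/32"

# Print a command in dry-run mode (the default) or execute it with DRY_RUN=0.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi; }

# Step 1: a routing table whose default route is the VPN peer; the LAN stays
# reachable from that table so marked traffic to local hosts is not misrouted.
table_cmds() {
  printf 'ip route replace %s dev %s table %s\n' "$LAN_NET" "$LAN_IF" "$TABLE"
  printf 'ip route replace default via %s dev %s table %s\n' "$VPN_GW" "$LAN_IF" "$TABLE"
}

# Step 2: mark forwarded packets from the LAN to a chosen destination, in mangle
# PREROUTING so the mark exists before the routing decision is made.
mark_cmd() {
  printf 'iptables -t mangle -A PREROUTING -i %s -s %s -d %s -j MARK --set-mark %s' \
    "$LAN_IF" "$LAN_NET" "$1" "$MARK"
}

# Step 3: send marked packets through the dedicated table.
rule_cmd() { printf 'ip rule add fwmark %s table %s' "$MARK" "$TABLE"; }

# Main-site router: apply all three steps. The router forwards these packets back out
# the interface they arrived on, so ICMP redirects are disabled on br0 to keep
# clients from learning 10.1.1.254 as a direct route and bypassing the policy.
main_site() {
  table_cmds | while read -r cmd; do run "$cmd"; done
  for d in $DEST_VIA_SITE2; do run "$(mark_cmd "$d")"; done
  run "$(rule_cmd)"
  run "sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0"
}

# Site-two VPN host (192.168.0.24): it is not that LAN's default router, so it must
# forward and source-NAT the 10.1.1.0/24 traffic onto its own address before it
# reaches the off-the-shelf router; otherwise replies have no path back.
site_two() {
  run "sysctl -w net.ipv4.ip_forward=1"
  run "iptables -t nat -A POSTROUTING -s $LAN_NET -o eth0 -j MASQUERADE"
}

echo "# main-site router (10.1.1.1)"; main_site
echo "# site-two VPN host (192.168.0.24)"; site_two
```

If the selection really is only by destination address, as the question describes, the iptables step can be skipped entirely with `ip rule add to 203.0.113.0/24 table 100`; the fwmark approach earns its keep when the choice also depends on protocol, port or source host. The MASQUERADE rule on the site-two host is what makes the return path work: without it, the off-the-shelf router there receives packets sourced from 10.1.1.0/24 for which it has no route back.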
  3. #3 (Linux Newbie, SF Bay area, joined Jun 2012, 121 posts)
    Setting up the routing logic in the router or in all the systems on the main site should both work. I'd probably go with the router personally, just because it seems easier to manage the configuration since it's one device. Also, when you make a change to the router config it will go into effect immediately and globally. If you push routing configs with DHCP there will be a delay as each system's lease times out.

    When you start treating your second site as a preferred egress point for certain destination IPs, you're essentially using it like an ISP, just with static routes. You are in effect managing your network like someone who has multiple ISPs per router.

  4. #4 (Linux Newbie, joined Aug 2006, 122 posts)
    Hi.

    If it's only for WEB + FTP traffic, a solution could be to install a proxy on one site.

  5. #5 (Just Joined!, joined Sep 2012, 6 posts)
    Thanks all, I will take a closer look at policy-based routing. I agree with cnamejj; I think I prefer to solve the problem on the "server" side rather than setting routes with DHCP. I cannot guarantee that someone won't set a static IP on a client, and the changes are faster to take effect when set on the server side.
