[TriLUG] Routing...once again.

Greg Brown gwbrown1 at gmail.com
Tue Aug 8 09:26:36 EDT 2006


No, not on the server configuration.  The server won't care if there is one
ISP or two as long as both subnets have separate gateways.  In fact my
system started out this way with DSL for the office users and cable for the
public users.  Eventually the system was collapsed to one service, cable,
and I just applied the DSL internal gateway address to my secondary port on
the firewall (of course there was more configuration to the firewall to make
this work but the server and the clients on the former DSL subnet required
no configuration changes).

Just out of curiosity, do you have dynamic DNS on both ISP services or do
you have static addresses?  If you have static addresses do both have
different host names and domains?

Greg

On 8/8/06, Brian Henning <brian at strutmasters.com> wrote:
>
> Greg,
>    Sounds promising, but to answer your first question:  No.  Two
> separate firewalls, two separate internet connections, two separate
> ISPs, even two separate delivery technologies (DSL and cable).  So there
> are two (very) separate public IPs.
>
> Does that change anything?
>
> ~Brian
>
> Greg Brown wrote:
> > Brian:
> >
> > You should have a default gateway for each nic, not just one for the entire
> > machine.  I assume there is a dual port firewall with 1.1 and 10.1 and a
> > single Internet connection?
> >
> > I have the same kind of configuration at one of my beach networks.  It
> > looks
> > like this.  We'll call my machine bill:
> >
> > Internet -> Firewall -> 192.168.15.0/24 (15.1 is the router port) -> 192.168.15.50 (eth1)
> >                      -> 192.168.17.0/24 (17.1 is the router port) -> 192.168.17.50 (eth0)
> >
> >
> > No routing on server "bill" takes place.  It simply has two cards each with
> > their own settings in /etc/network/interfaces.  For the record, squid, ssh
> > and www reside on 15.50 while a couple other services reside on 17.50.  My
> > firewall forwards services to one port or the other depending on the service
> > (i.e. it knows to forward ssh, web, and so forth to 15.50, etc.)
> >
> > The following is my /etc/network/interfaces:
> >
> > # The loopback network interface
> > auto lo
> > iface lo inet loopback
> >
> > # The primary network interface
> > auto eth0
> > iface eth0 inet static
> >        address 192.168.17.50
> >        netmask 255.255.255.0
> >        up flush-mail
> >        gateway 192.168.17.1
> >
> > auto eth1
> > iface eth1 inet static
> >        address 192.168.15.50
> >        netmask 255.255.255.0
> >        up flush-mail
> >        gateway 192.168.15.1
> >
> > I think I could do without the "up flush-mail"; the system seems to be
> > working.
> >
> > Hope this helps.
> >
> > Greg
> >
> > On 8/8/06, Brian Henning <brian at strutmasters.com> wrote:
> >>
> >> Hi Gang,
> >>    I know y'all are probably tired of hearing me ask about this stuff,
> >> but for some reason it's just one thing I'm having a heck of a time
> >> really grasping.  I think it's because I'm missing some fundamental
> >> understanding, some important piece of info, which is leaving the rest
> >> of it shaky.  Anyway:
> >>
> >> I have a machine (let's call it "bob") with two NICs, on two subnets,
> >> for argument's sake 192.168.1.0/24 and 192.168.10.0/24.  eth0 is on
> >> .1.0, eth1 is on .10.0.  Both subnets have their own gateways, located
> >> at .1.1 and .10.1.
> >>
> >> Because of certain important services that come in through the gateway
> >> on the .1.0 subnet (such as SMTP, httpd, ssh, etc.), I need bob's
> >> default gateway to be .1.1.  However, I really really really want to run
> >> OpenVPN on bob and have it move traffic solely in and out through the
> >> .10.1 gateway.  That service on that machine never needs to move a
> >> single packet out of the default gateway.
> >>
> >> I know that that's impossible without some sort of fiddling; even if UDP
> >> packets come in to OpenVPN via the correct gateway (.10), the responses
> >> are routed out through the .1 gateway and dropped somewhere along the
> >> way (or ignored, if they make it all the way back to the client).
> >>
> >> I figure it must be doable, though, right?  I shouldn't have to have a
> >> separate box to provide the exact same services through two different
> >> gateways, should I?  So what's the magic incantation?  route tricks?
> >> iptables tricks?  Clever misuse of load-balancing software?  I'm open to
> >> all suggestions.
> >>
> >> Thanks!
> >>
> >> Cheers,
> >> ~Brian
> >>
> >>
> >> --
> >> ----------------
> >> Brian A. Henning
> >> strutmasters.com
> >> 336.597.2397x238
> >> ----------------
> >> --
> >> TriLUG mailing list        :
> >> http://www.trilug.org/mailman/listinfo/trilug
> >> TriLUG Organizational FAQ  : http://trilug.org/faq/
> >> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >>
>
> --
> ----------------
> Brian A. Henning
> strutmasters.com
> 336.597.2397x238
> ----------------
>
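Brian's question (keep .1.1 as bob's default gateway, but send OpenVPN's replies back out through .10.1) and Greg's interfaces file (which lists a `gateway` for each NIC, though only one default route can live in the main table) both come down to Linux source-based policy routing. The script below is an added example, not code from either poster; the subnets and gateways are the ones in the thread, while bob's eth1 address (192.168.10.50) and the routing-table id (100) are assumptions.

```shell
#!/bin/sh
# Added example: source-based policy routing for the dual-homed host "bob".
# The default route stays via 192.168.1.1; packets sourced from bob's
# eth1 address are routed via 192.168.10.1 instead, so OpenVPN replies
# leave by the gateway the requests arrived through.  Subnets and gateways
# are from the thread; ADDR1 and TABLE are assumptions for the example.
IF1=eth1
ADDR1=192.168.10.50        # assumed: bob's address on the .10.0 subnet
NET1=192.168.10.0/24
GW1=192.168.10.1
TABLE=100                  # assumed: id of the secondary routing table

# Emit the iproute2 commands that build the secondary table and the
# source rule that selects it.  Kept as text so they can be reviewed,
# tested, or turned into an interfaces stanza without root.
policy_route_cmds() {
    cat <<EOF
ip route add $NET1 dev $IF1 src $ADDR1 table $TABLE
ip route add default via $GW1 dev $IF1 table $TABLE
ip rule add from $ADDR1 lookup $TABLE priority 1000
EOF
}

# Run the commands live (needs root); DRY_RUN=1 just prints them.
apply_policy_routes() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        policy_route_cmds
        return 0
    fi
    policy_route_cmds | while IFS= read -r cmd; do
        $cmd || exit 1        # leave the subshell on the first failure
    done
}

# Check that the source rule is installed (what "ip rule show" prints).
check_rule() {
    ip rule show 2>/dev/null | grep -q "from $ADDR1 lookup $TABLE"
}

# ifupdown stanza for eth1: post-up lines instead of a second "gateway"
# line, since only one default route can exist in the main table.
interfaces_stanza() {
    printf 'auto %s\niface %s inet static\n' "$IF1" "$IF1"
    printf '    address %s\n    netmask 255.255.255.0\n' "$ADDR1"
    policy_route_cmds | sed 's/^/    post-up /'
}
```

For the rule to match, OpenVPN's replies must actually carry the eth1 address as their source, so bind it there with `local 192.168.10.50` in the server config rather than letting it listen on all addresses.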
