Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Routing Advice needed

[JasonF]

I am quickly running out of hair..plesk help!

I have a linux router with 2 external and 2 internal ports.

Each port needs to route traffic to one of the internal ports,
and the internal traffic between the 2 internal ports
should not go out the external ports.

The IPS on the internal networks are global. ie. no NAT required.

I think what I need is this..

$ext_net1 = external nework IP/MASK 1
$EXT_IP1 = ip of external interface 1
$ext_net2 = external nework IP/MASK 2
$EXT_IP2 = ip of external interface 2
$int_net1 = internal network IP/MASK 1
$int_net2 = internal network IP/MASK 2

ip route add $ext_net1 dev eth0 src $EXT_IP1 table 1
ip route add default via $ext1_gw table 1
ip route add $int_net1 dev eth1

ip route add $ext_net2 dev eth2 src $EXT_IP2 table 2
ip route add default via $ext2_gw table 2
ip route add $int_net1 dev eth3

ip rule add from $int_net1 table 1
ip rule add from $int_net2 table 2


Am I missing something?

Thanks.

[dkitchen]

I'm not familiar with Linux routing, only Cisco/Juniper but what you're doing does seem overly complicated.

All you should require is:

ip route 0.0.0.0 0.0.0.0 1.1.1.1 (where 1.1.1.1 is your gateway on the internet side NIC)
ip route 1.1.2.0 255.255.255.0 eth1 (where 1.1.2.0/24 is your first block on 2nd nic)
ip route 1.1.3.0 255.255.255.0 eth2 (where 1.1.3.0/24 is your second block on third nic).

(The syntax may be different).

Dan

[flaggg]

If you're going to use tables, I believe you are required to use iptables to flag the packets you want to send to the correct table. I say this because I have a similar configuration (2 WAN, 1 LAN) at home and I use iptables to flag packets to the correct table for the WAN.

Are you bonding/balancing/failing over your external links? If so, you might as well pull up http://lartc.org/howto/ and memorize it. If you're not, you should be able to route all your traffic out the external link with a default route and set up normal routes like Dan said for each subnet and specify each NIC it goes to.

You might also need to disable rp_filter (not sure on this) and make sure you've enabled routing in sysctl.

[JasonF]

Actually I already looked at the advanced routing page...
4.2 Routing for multiple uplinks/providers

But I believe this is changing the source address for outgoing traffic.
The main issue is that traffic MUST go out the same interface it came in on.

RazorBlue - Dan's suggestion is only inbound as all outgoing traffic will go out the default gateway. The gateway needs to be defined according to the source IP. I don't believe we need to flag the packets for this. Just some sort of tables/rules. However, I do know it is possible with iptables but would like to avoid the overhead of mangle.