[ale] Advanced Routing for Dummies
Joseph A. Knapka
jknapka at earthlink.net
Sat Apr 14 15:08:16 EDT 2001
"Joseph A. Knapka" wrote:
>
> Leonard Thornton wrote:
> >
> > OK sports fans...I'm in over my head and need help.
> >
> > I have an internal private network and two public networks.
> >
> > Local Network "A"
> > Public Network "B" (T1 connection, 16 static IP addresses)
> > Public Network "C" (iDSL, 13 static IP addresses)
> >
> > I have a Linux / RH7.0 / ipchains firewall with three (3) NICs (3C509)
> > which connects the three networks.
> > "A" = eth0 (NAT)
> > "B" = eth1
> > "C" = eth2
> >
> > My internal network uses the firewall NIC eth0 as its default gateway. No
> > problems.
> >
[snip]
> > Additionally, is there a way to set up the
> > routing so that my T1 is the preferred path for my internal network, and
> > yet have traffic automatically go out the iDSL side if the T1 fails?
>
> [Wild speculation; beware...]
>
> On A:
>
> route add default gw <T1.gateway> metric 1
> route add default gw <iDSL.gateway> metric 2
>
> Then tell EVERY machine on all nets, EXCEPT the T1 and iDSL gateway
> machines, that A is their default gateway. In this case you can skip
> the explicit routes between B and C through A given above, since if
> A is the default gateway they're unnecessary. The iDSL gateway
> and the T1 gateway machines will, however, still need explicit
> routes to reach the "other" network through A, since their
> default gateways must be the machines on the other end of
> the iDSL and T1 links. The idea is that all packets will go through
> A, and then be sent out via whichever gateway (a) works, and (b) has
> the lowest metric.
>
> Actually I think ICMP redirects might throw a wrench into this
> scheme, but I'm not sure I fully understand how ICMP redirects
> work in a situation like this. It's worth a try if no one else
> can tell you for sure how to do it right :-)
>
> Also, this won't be entirely transparent: connections established
> through the T1 gateway will be lost if the T1 goes down, even though
> future connections will (should) succeed via the iDSL link. The reason
> is that the machine on the other end of the connection will still be
> trying to return packets via a route that goes across the T1; it
> has no idea that you have switched to a default gateway on a
> totally different network.
Good news/bad news; bad news first:
Upon further thought, I don't think this will work at all, because
all routes -to- your networks from outside would have to change in
order for the switch-over to work. For example, if the "B" network
is the iDSL and the "C" network is the T1 link, then your "B"
boxen are perfectly free to send packets out via a gateway on
"C" and thence over the T1, but replies will still arrive via
the iDSL gateway, because that's the one by which routers on the
Internet know to reach network "B". So when your iDSL link fails,
the B machines are out of luck. Your iDSL and T1 providers
would have to cooperate with you in order to make something like
this work.
It may make sense to set things up so that the firewall
machine "A" does NAT for the network (B or C) whose gateway fails.
I think the most straightforward way to do it would be to let
A be the "secondary default gateway" (e.g. with metric >= 2) for
each machine on B and C, and install the proper NAT rules on
A to map C addresses outgoing on the B interface to B addresses
if they're destined for non-B addresses (since you still want
B <--> C packets to pass through the firewall unmolested), and
vice-versa. I don't know, sounds pretty dodgy. But iptables might
be able to handle it.
Now the good news:
All the above only applies to machines on the B and
C networks; the machines on your NATted A network -- which
I now realize is all you were concerned about -- should not
be bothered (much) if either external link fails, provided
they're both default routes on the NAT firewall, as I described
in my earlier message.
-- Joe
-- Joe Knapka
"If I ever get reincarnated... let me make certain I don't come back
as a paperclip." -- protagonist, H Murakami's "Hard-boiled Wonderland"
// Linux MM Documentation in progress:
// http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
* Evolution is an "unproven theory" in the same sense that gravity is. *
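The failover question in the thread, modelled as an added Python example (this is not code from the post or from any of its participants). It reproduces the firewall's route choice (longest prefix first, then lowest metric, as the kernel orders routes), the two default routes with metrics 1 and 2 from the earlier message, masquerading for the private A network, and the fact that routers on the Internet only know to reach each public block via its own provider. The prefixes, the link names "t1" and "idsl", the SNAT addresses and the far-end host are all constructed; B is the T1 block and C the iDSL block, as in Leonard's original layout. Running it shows why a NATted A host survives a T1 failure while a host with a public B address does not.

```python
from dataclasses import dataclass
import ipaddress

# Constructed prefixes: the thread does not give the real ones.
NET_A = ipaddress.ip_network("192.168.1.0/24")   # private LAN behind eth0, NATted
NET_B = ipaddress.ip_network("203.0.113.0/28")   # T1 block (16 addresses)
NET_C = ipaddress.ip_network("198.51.100.0/28")  # iDSL block
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    link: str      # which external link the packet leaves on
    metric: int


class Firewall:
    """Host A: three interfaces, two default routes, SNAT for NET_A."""

    def __init__(self):
        self.routes = [
            Route(NET_B, "t1", 0),
            Route(NET_C, "idsl", 0),
            Route(ANY, "t1", 1),     # route add default gw <T1.gateway> metric 1
            Route(ANY, "idsl", 2),   # route add default gw <iDSL.gateway> metric 2
        ]
        self.link_up = {"t1": True, "idsl": True}
        # Address each egress link masquerades private sources to (constructed).
        self.snat = {"t1": ipaddress.ip_address("203.0.113.1"),
                     "idsl": ipaddress.ip_address("198.51.100.1")}

    def pick_route(self, dst):
        usable = [r for r in self.routes if dst in r.dest and self.link_up[r.link]]
        if not usable:
            return None
        # Longest prefix wins; among equal prefixes the lowest metric wins.
        return min(usable, key=lambda r: (-r.dest.prefixlen, r.metric))

    def forward(self, src, dst):
        """Return (egress link, source address the far end will reply to)."""
        r = self.pick_route(dst)
        if r is None:
            return None
        if src in NET_A:
            return r.link, self.snat[r.link]   # masqueraded
        return r.link, src                     # public address passes untouched


def internet_return_link(addr):
    """Routers on the Internet reach each public block only via its own provider."""
    if addr in NET_B:
        return "t1"
    if addr in NET_C:
        return "idsl"
    return None


def round_trip(fw, src, dst):
    """Send one packet out and check whether the reply can get back in."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out = fw.forward(src, dst)
    if out is None:
        return {"out": None, "back": None, "ok": False}
    egress, reply_to = out
    back = internet_return_link(reply_to)
    return {"out": egress, "back": back,
            "ok": back is not None and fw.link_up[back]}


def failover_scenarios():
    """Compare a NATted A host with a public-addressed B host, T1 up and down."""
    results = {}
    for t1_up in (True, False):
        fw = Firewall()
        fw.link_up["t1"] = t1_up
        results[t1_up] = {
            "a_host": round_trip(fw, "192.168.1.10", "192.0.2.80"),  # far end constructed
            "b_host": round_trip(fw, "203.0.113.5", "192.0.2.80"),
        }
    return results


if __name__ == "__main__":
    for t1_up, res in failover_scenarios().items():
        print("T1 up" if t1_up else "T1 down", res)
```

With the T1 down, the B host's packet does leave via the iDSL link, but it still carries its B source address, so the reply is routed back toward the T1 and is lost; the A host's packet is rewritten to an iDSL-side address and its reply comes back on the working link. The model leaves out ICMP redirects and existing connection state, which the thread also flags as caveats.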
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.