Split 2 ISP connections

 
 
riviereg
Guest
Posts: n/a

 
      08-30-2004, 04:04 AM
Hi,

I tried to load-balance my 2 ISP connections for my office,
but it wasn't a good idea (the line bandwidths are too different).

Now I would like to simply "route" one part of my local network to
my first ISP and another part to my second ISP.

Do you know a very simple way to do this?

For example, my LAN is 10.0.0.0, my first ISP IP address is 1.2.3.4
and my second ISP IP address is 5.6.7.8.

I would like to send (SNAT) all my customers from 10.0.0.0 ->
10.0.0.128 to ISP 1
and all others to ISP 2. I would also like to do some DNAT on ISP 1.

I tried some configurations with iproute and iptables2 but it's not
working.
Is there a simple example of a routing (iproute) and NAT (iptables)
configuration for this somewhere?

Thank you very much,
Guillaume
 
 
pcfixer
Guest
Posts: n/a

 
      08-30-2004, 08:43 PM
Depending on how your network is designed, you're probably making it more
complicated than it has to be. I'm guessing you have all computers on the
10.0.0.0 network set to a single default gateway. I would suggest having
two gateways, with one directing Internet traffic to one ISP and the other
to the other ISP, and having all the other routing table entries identical.
Then just change the default gateway on your computers to whichever gateway
has the ISP you want that computer to use. If you use a DHCP network
instead of static IP addressing, then there should be configuration options
available in the DHCP setup to give certain computers certain settings. If
you wanted to go a little more complex, VLANs might also be an option.
 
riviereg
Guest
Posts: n/a

 
      08-31-2004, 02:57 AM
Thank you for your reply,

You're right, all my network is under 10.0.0.0.
My problem is that I have only one PC for routing ...

But I should use one of my modem routers
as a second gateway, at first.

But I would really like to do this with routing rules (iproute) and
iptables.
I tried to do something like this, but it's not working. Could someone
help me with this? I think I am not so far from a working solution ...


My configuration

My router is a GNU/Debian Sarge with 3 NICs (one for internal and 2 for
my 2 ISPs)

External Network 1 (eth1) : Router External IP 1.2.3.4
GateWay 1.2.3.5
NetMask 255.255.255.0

External Network 2 (eth2): Router External IP 5.6.7.8
Gateway 5.6.7.9
Netmask 255.255.255.0

Internal Network (eth0) : Router Internal IP 10.117.71.1
NetMask 255.255.255.0

I am trying to split my connection into 2 parts:
ISP2 for 10.117.71.0/25 except for 2 servers
ISP1 for 10.117.71.128/25.

Here is my "script" for iproute2 (I'm a little bit basic with
scripting ...):
#!/bin/bash
#creation 17/05/2004

echo "Routing rules and tables"
echo "removing old rules"

ip rule del prio 50 table main
ip rule del prio 80 from 10.117.71.2 table 80
ip rule del prio 90 from 10.117.71.156 table 90
ip rule del prio 100 from 10.117.71.0/25 table 100
ip rule del prio 110 from 10.117.71.128/25 table 110

echo "flushing tables"
ip route flush table 80
ip route flush table 90
ip route flush table 100
ip route flush table 110

# Setting new rules
#######################
echo "Setting new routing rules"

# main table look first (default gateway here)
ip rule add prio 50 table main
ip route del default table main

# Specific defined Rules Here

# Server1 lookup table 80
ip rule add prio 80 from 10.117.71.2 lookup 80
ip route add 10.117.71.0/24 via 10.117.71.1 dev eth0 table 80
ip route add default via 1.2.3.5 dev eth1 table 80

# Server2 lookup table 90
ip rule add prio 90 from 10.117.71.156 lookup 90
ip route add 10.117.71.0/24 via 10.117.71.1 dev eth0 table 90
ip route add default via 1.2.3.5 dev eth1 table 90

# ISP 2 line for 10.117.71.0/25
ip rule add prio 100 from 10.117.71.0/25 lookup 100
ip route add 10.117.71.0/24 via 10.117.71.1 dev eth0 table 100
ip route add default via 5.6.7.9 dev eth2 table 100

# ISP 1 Line for 10.117.71.128/25
ip rule add prio 110 from 10.117.71.128/25 lookup 110
ip route add 10.117.71.0/24 via 10.117.71.1 dev eth0 table 110
ip route add default via 1.2.3.5 dev eth1 table 110

ip route flush cache


Here is my script for iptables:

#!/bin/bash
#creation 17/05/2004

echo "firewall constants setup"

# FLUSH the tables
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT

# SNAT

# Allow all access to http and https (port 80, port 443) only for http
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 443 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 110 -j SNAT --to 1.2.3.4

# Allow all access to http and https (port 80, port 443) only for http
iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -j SNAT --to 5.6.7.8
iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 443 -j SNAT --to 5.6.7.8
iptables -t nat -A POSTROUTING -o eth2 -p udp --dport 53 -j SNAT --to 5.6.7.8
iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 110 -j SNAT --to 5.6.7.8
 
AcCeSsDeNiEd
Guest
Posts: n/a

 
      08-31-2004, 03:34 AM
You are in luck. I just got this setup after weeks of hunting, asking for help and tweaking.

First read this: http://linux-ip.net/html/adv-multi-internet.html
This site brought me closer to my solution.
Credit given to the poster who pointed me to this site.


This is what I did:

#ISP 1 nat (default route)
iptables -t nat -A POSTROUTING -o $ISP1_iface -s $ip_net1/bits -j MASQUERADE

#ISP 2 nat
iptables -t mangle -A PREROUTING -s $ip_net2/bits -j MARK --set-mark 5
iptables -t nat -A POSTROUTING -o $ISP2_iface -j SNAT -s $ip_net2/bits --to-source $ISP2_IPaddr

#Add the iproute2 and marker/s for ISP2 nat
/sbin/ip route flush table 5
/sbin/ip route add table 5 default via $ISP2_gw_IPaddr
/sbin/ip rule add fwmark 5 table 5


Good luck.






To e-mail, remove the obvious
 
 
riviereg
Guest
Posts: n/a

 
      09-01-2004, 01:10 AM
Thank you very much for this,
I will try it ASAP ...

Before starting, I have another question about my GNU/Debian sarge
network configuration:

How can I automatically (at boot) set up my IP interfaces with iproute2
instead of ifconfig? I mean, currently, I use /etc/network/interface
(see below).

How can I do this automatically and with the possibility of
stop/start/restart with
iproute2?

I checked many discussions around this but I cannot find something clear for
me.

Thanks a lot,
Guillaume

my /etc/network/interface
# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth1 eth0 eth2

# local network (LAN)
iface eth0 inet static
address 10.117.71.1
netmask 255.255.255.0

# external network (etown WAN)
iface eth1 inet static
address 1.2.3.4
netmask 255.255.255.248
gateway 1.2.3.10

iface eth1:0 inet static
address 1.2.3.5
netmask 255.255.255.248
gateway 1.2.3.10

 
riviereg
Guest
Posts: n/a

 
      09-01-2004, 04:02 AM
Thank you very much for this,

I have a question concerning your configuration:

I have 2 external gateways; do I configure my interfaces with those
gateways as default?

I have 2 different DNS; currently my router is our office DNS. How do
I manage
this?

I mean, which ISP is used by my router? If I try to access the DNS
provided by ISP2 over the ISP1 connection, I will be rejected.

Thanks a lot,
Guillaume

 
riviereg
Guest
Posts: n/a

 
      09-02-2004, 08:51 AM
I tried your solution, but it's not working for me. Do you know what I'm
doing wrong?

I only go out through my first ISP with this, never through my second ISP.
If I remove the default (ISP1) gateway in my /etc/network/interfaces
I can no longer access the internet (also from the router itself).
(eth1 -> my first ISP / eth2 -> my second ISP)

Here is my script for routing and iptables:
########################################################################
# ISP2
/sbin/ip route flush table 5
/sbin/ip route add table 5 default via 5.6.7.9 dev eth2
/sbin/ip rule add fwmark 5 table 5

# ISP1
/sbin/ip route flush table 6
/sbin/ip route add table 6 default via 1.2.3.5 dev eth1
/sbin/ip rule add fwmark 6 table 6

echo "firewall constants setup"

# FLUSH the tables
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING

## Mangling Rules ##

# special rules for some IPs to go on second ISP
iptables -t mangle -A PREROUTING -s 10.117.71.162 -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -s 10.117.71.171 -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -s 10.117.71.174 -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -s 10.117.71.175 -j MARK --set-mark 5
iptables -t mangle -A PREROUTING -s 10.117.71.176 -j MARK --set-mark 5

# default for all our network
iptables -t mangle -A PREROUTING -s 10.117.71.0/24 -j MARK --set-mark 6
#######################################################################

Here is my /etc/init.d/interface :

#######################################################################
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)

# The loopback interface
auto lo
iface lo inet loopback

# The first network card - this entry was created during the Debian installation
# (network, broadcast and gateway are optional)
auto eth1 eth0 eth2

# local network (LAN)
iface eth0 inet static
address 10.117.71.1
netmask 255.255.255.0

# external network (ISP1)
iface eth1 inet static
address 1.2.3.4
netmask 255.255.255.248
gateway 1.2.3.5


iface eth2 inet static
address 5.6.7.8
netmask 255.255.255.0

######################################################################


Thank you for help,
Guillaume
 
 
riviereg
Guest
Posts: n/a

 
      09-02-2004, 10:28 AM
Here is my problem:

# default for all our network
iptables -t mangle -A PREROUTING -s 10.117.71.0/24 -j MARK --set-mark 6

When I remove this line I can access my gateway from my internal
network (from IP 10.117.71.176 for example).

Does the PREROUTING mangle table change the 5 mark to a 6 mark in this case?
Because there are 2 rules for the IP 10.117.71.171 (for example).

But now my problem is that from 10.117.71.176 I can no longer access
the internet:

From the gateway of ISP2 (in fact my ADSL modem) I can access the
internet, no problem.

But from 10.117.71.176 I can only access my modem IP (ISP gateway 2)
and not the internet -> it takes a long time and my browser says "No
response from ...".

Does someone know what's going wrong with my configuration?

Regards,
Guillaume
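
Added example, not part of any post in this thread: a reworked version of the last routing/iptables script that addresses the two symptoms described above. MARK is a non-terminating target, so the 10.117.71.0/24 rule placed after the per-host rules re-marks those hosts with 6, and the posted script flushes nat POSTROUTING without adding any SNAT rule for eth2. Interfaces and addresses are the ones posted; the rule order, the mangle flush, the `-i eth0` match and the SNAT rules are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread. Interfaces and addresses are the
# ones riviereg posted; the rule order, the mangle flush, the "-i eth0"
# match and the SNAT rules are assumptions of this example.
# Dry run by default (commands are printed); APPLY=1 as root executes them.

LAN_IF=eth0
LAN_NET=10.117.71.0/24
ISP1_IF=eth1; ISP1_IP=1.2.3.4; ISP1_GW=1.2.3.5; ISP1_MARK=6
ISP2_IF=eth2; ISP2_IP=5.6.7.8; ISP2_GW=5.6.7.9; ISP2_MARK=5
ISP2_HOSTS="10.117.71.162 10.117.71.171 10.117.71.174 10.117.71.175 10.117.71.176"

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# One routing table per uplink, selected by firewall mark. The old rule is
# deleted first so that re-running does not stack duplicate "ip rule" entries.
uplink_table() {   # args: mark gateway interface
    run ip rule del fwmark "$1" table "$1" 2>/dev/null || true
    run ip route flush table "$1" 2>/dev/null || true
    run ip route add table "$1" default via "$2" dev "$3"
    run ip rule add fwmark "$1" table "$1"
}

# MARK does not stop chain traversal: every matching rule runs and the last
# one sets the final mark. So the LAN-wide default goes first and the
# per-host overrides follow it. The chain is flushed so stale rules from
# earlier runs cannot re-mark packets.
mark_rules() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -j MARK --set-mark "$ISP1_MARK"
    for host in $ISP2_HOSTS; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$host" \
            -j MARK --set-mark "$ISP2_MARK"
    done
}

# Each uplink rewrites the private source to its own public address;
# without a rule for eth2, packets leave there with a 10.117.71.x source.
nat_rules() {
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$ISP1_IP"
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$ISP2_IP"
}

build() {
    uplink_table "$ISP2_MARK" "$ISP2_GW" "$ISP2_IF"
    uplink_table "$ISP1_MARK" "$ISP1_GW" "$ISP1_IF"
    mark_rules
    nat_rules
}

build
```

After applying, `iptables -t mangle -L PREROUTING -v -n` and `ip rule show` confirm the order and the per-rule packet counters. If replies arriving on eth2 are still dropped, check `net.ipv4.conf.eth2.rp_filter`, since strict reverse-path filtering validates the source against the main table's default route.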
 