#1
Hi,

My Gateway and firewall Linux RH7.3
I'm running pptp (VPN), Mail and Web; all works fine from inside (private LAN) and outside (public access to VPN, web and mail).
Now that my pptp is getting busier with six remote users, I decided to add another NIC and connect it to my other ADSL link, to just serve pptp connections.
It should have been as easy as changing pptpd.conf to listen on the new IP address of the second ADSL link. Well, it didn't work.
Not only that, I can't even ping it; why!
I think what is happening is this: the ping goes to the new ADSL IP address but the reply tries to come back via the default gateway,
which brings us to this point, my problem:
How can I make the second ADSL connection reply to pptp via its own gateway?
I'm using rc.firewall version 2.0rc9 (iptables); it's been working well for the past two years.
My network topology is like this (fictional IPs):

eth0: 203.220.199.10 gw 203.220.199.8 (ADSL-1) running services: Webserver and Mailserver
eth1: 192.168.1.1 private subnet
eth2: 203.185.222.20 gw 203.185.222.18 (ADSL-2) running services: VPN, pptp

The iptables entries for pptp were like this:
iptables -A FORWARD -i eth0 -p tcp --dport 1723 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -d 203.220.199.10 -p tcp --dport 1723 -j DNAT --to-destination 192.168.1.1:1723
iptables -A FORWARD -i eth0 -p tcp --dport 47 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -d 203.220.199.10 -p tcp --dport 47 -j DNAT --to-destination 192.168.1.1:47

I added the same statements but with the IP address of the second ADSL, but it didn't work.
I'm out of options..!

route -n shows the default gateway is via eth0: 203.220.199.8
and my ADSL-2 subnet is 203.185.222.17/28.
In "/etc/sysconfig/static-routes" I added "eth2 net 203.185.222.20 netmask 255.255.255.248 gw 203.185.222.18"
Now route -n shows two default gateways, but still I can't ping eth2.
I spent a few hours searching in Google for a similar setup, but couldn't find any.
I'm stuck, please help....

Vania

Vania Lolham
#2
Vania Lolham wrote:
> Hi,
>
> My Gateway and firewall Linux RH7.3
> I'm running pptp(VPN), Mail and Web, all works fine from inside(private LAN)
> and outside (public access to vpn, web and mail).
> Now that my pptp is getting busier with six remote users, I decided to add
> another NIC and connect it to my other ADSL link, to just serve pptp
> connections.
> Should have been as easy as changing the pptpd.conf to listen to the new IP
> address of the second ADSL link,
> Well it didn't work.
> Not only that, can't even ping it; why!
> I think what is happening is like this, the ping goes to the new ADSL IP
> address but the reply tries to come back via the default gateway.
> which brings us to this point, my problem:
> How can I make the second ADSL connection to reply to pptp via its own
> gateway?
> I'm using rc.firewall version 2.0rc9 (iptables), been working well for the
> past two years.
> My network topology is like this: fictional IPs
>
> eth0: 203.220.199.10 gw 203.220.199.8 (ADSL-1) running services, Webserver
> and Mailserver
> eth1: 192.168.1.1 private subnet
> eth2: 203.185.222.20 gw 203.185.222.18 (ADSL-2) running services, VPN, pptp
>
> the iptables entry for pptp was like this:
> iptables -A FORWARD -i eth0 -p tcp --dport 1723 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -d 203.220.199.10 -p tcp --dport
> 1723 -j DNAT --to-destination 192.168.1.1:1723
> iptables -A FORWARD -i eth0 -p tcp --dport 47 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -d 203.220.199.10 -p tcp --dport 47 -j
> DNAT --to-destination 192.168.1.1:47
>
> I added the same statements but with the IP address of the second ADSL, but it didn't
> work.
> I'm out of options..!
>
> route -n shows the default gateway is via eth0: 203.220.199.8
> if my ADSL-2 subnet is 203.185.222.17/28
> In "/etc/sysconfig/static-routes" I added "eth2 net 203.185.222.20 netmask
> 255.255.255.248 gw 203.185.222.18"
> Now route -n shows two default gateways, but still I can't ping the eth2.
> I spent a few hours searching in Google for a similar setup, but couldn't find
> any.
>
> I'm stuck, please help....
>
>
> Vania

You could look into "policy routing". In my configuration all traffic coming from one network has a different default gateway defined than all traffic coming from the other network. It might even work if you use the interface as the selection criterion, but that didn't work for me.

--
Max
Open Source is an ode to common sense
#3
I found this site: http://www.lartc.org/howto/lartc.rpd...ple-links.html
It is exactly what I want to do.
But I don't know how to write the /etc/iproute2/rt_tables.
I put all the statements into a shell script; it runs fine but errors in rt_tables.
Any suggestions?

Vania

> You could look into "policy routing". In my configuration all traffic
> coming from one network has a different default gateway defined than all
> traffic coming from the other network. It might even work if you use the
> interface as the selection criterion, but that didn't work for me.
>
> --
> Max
>
> Open Source is an ode to common sense
#4
In comp.os.linux.networking Vania Lolham <(E-Mail Removed)>:
[ problems with two simultaneous ADSL connections ]

>> You could look into "policy routing". In my configuration all traffic
>> coming from one network has a different default gateway defined than all
>> traffic coming from the other network. It might even work if you use the
>> interface as the selection criterion, but that didn't work for me.

> I found this site: http://www.lartc.org/howto/lartc.rpd...ple-links.html
> It is exactly what I want to do.
> But I don't know how to write the /etc/iproute2/rt_tables
> I put all the statements into a shell script, runs fine but errors in
> rt_tables.

Best idea: show us the exact error message (cut & paste) and the script, or the part where it happens if it's huge.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 316: Elves on strike. (Why do they call EMAG Elf Magic)
#5
Here is the script:
-----------------
#!/bin/sh
#
# This script will be executed *after* all the other init scripts in /etc/rc.d.
# we are going to create Routing for multiple uplinks/providers.
#### current subnets are fiction, for Ex. use only ####
# IP1_NET is 203.100.1.24/28
# IP2_NET is 203.100.2.36/30

#start
#-----
ip route flush cache

# name of the private interface
IF0="eth1"
# name of the first public interface
IF1="eth0"
# name of the second public interface
IF2="eth2"
#IP address associated with IF1
IP1="203.100.1.26"
#IP address associated with IF2
IP2="203.100.2.38"
#Local network
P0_NET="192.168.1.0"
#IP address of the gateway at Provider 1
P1="203.100.1.25"
#IP address of the gateway at Provider 2
P2="203.100.2.37"
#the IP network P1 is in
IP1_NET="203.100.1.24"
#the IP network P1 is in
IP2_NET="203.100.2.36"

#One creates two additional routing tables, say T1 and T2.
#These are added in /etc/iproute2/rt_tables.
#Then you set up routing in these tables as follows:
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

#set up the main routing table
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

#your preference for default route:
ip route add default via $P1

#set up the routing rules
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

#This set of commands makes sure all answers to traffic
#coming in on a particular interface
#get answered from that interface.
ip route add $P0_NET dev $IF0 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo table T2
#..........end

I also added these lines in /etc/iproute2/rt_tables
= = = = = = = = =
201 T1
202 T2
0: from all lookup local
32760: from 192.168.1.1 lookup T1
32761: from all lookup main
32762: from all lookup default
32763: from 192.168.1.1 lookup T2
= = = = = = = = = = = = = = =

When I run this script, I lose all access to the server from outside (can't ping or telnet etc.).
I'm not sure if all the statements in the script are correct; I just searched for the iproute2 howto and this is what I could make out of the articles I was reading.
The source I snipped from is this: http://www.lartc.org/howto/lartc.rpd...ple-links.html
I only hope someone out there has done this and can put me on the right track.
Thanks.

Vania

"Michael Heiming" <michael+(E-Mail Removed)> wrote in message news:j9n8h2-(E-Mail Removed)...
> In comp.os.linux.networking Vania Lolham <(E-Mail Removed)>:
>
> [ problems with two simultaneous ADSL connections ]
> Best idea: show us the exact error message (cut & paste) and the
> script, or the part where it happens if it's huge.
>
> --
> Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
> mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
> #bofh excuse 316: Elves on strike. (Why do they call EMAG
> Elf Magic)
#6
Vania Lolham wrote:
[...]
> #Local network
> P0_NET="192.168.1.0"

Shouldn't this be "192.168.1.0/24"?

> #IP address of the gateway at Provider 1
> P1="203.100.1.25"
>
> #IP address of the gateway at Provider 2
> P2="203.100.2.37"
>
> #the IP network P1 is in
> IP1_NET="203.100.1.24"
>
> #the IP network P1 is in
> IP2_NET="203.100.2.36"

I guess these networks are also larger than one IP address?
IP1_NET="203.100.1.0/24"
IP2_NET="203.100.2.0/24"

What I did is routing based on the source network with
/sbin/ip rule add from $IP1_NET table T1
/sbin/ip rule add from $IP2_NET table T2

> #One creates two additional routing tables, say T1 and T2.
> #These are added in /etc/iproute2/rt_tables.
> #Then you set up routing in these tables as follows:
> ip route add $P1_NET dev $IF1 src $IP1 table T1
> ip route add default via $P1 table T1
> ip route add $P2_NET dev $IF2 src $IP2 table T2
> ip route add default via $P2 table T2
>
> #set up the main routing table
> ip route add $P1_NET dev $IF1 src $IP1
> ip route add $P2_NET dev $IF2 src $IP2
>
> #your preference for default route:
> ip route add default via $P1
>
> #set up the routing rules
> ip rule add from $IP1 table T1
> ip rule add from $IP2 table T2
>
> #This set of commands makes sure all answers to traffic
> #coming in on a particular interface
> #get answered from that interface.
>
> ip route add $P0_NET dev $IF0 table T1
> ip route add $P2_NET dev $IF2 table T1
> ip route add 127.0.0.0/8 dev lo table T1
> ip route add $P0_NET dev $IF0 table T2

I think defining two routes for $P0_NET cannot work.

> ip route add $P1_NET dev $IF1 table T2
> ip route add 127.0.0.0/8 dev lo table T2
>
> #..........end

$P2_NET and $P1_NET are not defined, are they?

--
Max
Open Source is an ode to common sense
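As an added example, not the poster's script or LARTC's own, here is the two-uplink policy routing that posts #2, #5 and #6 are working towards, using the fictional addresses from the script above with prefix lengths added and P1_NET/P2_NET actually defined. It also checks /etc/iproute2/rt_tables, which accepts only "number name" lines, so the "ip rule show" style lines pasted into it above are exactly what ip(8) complains about. The DRY_RUN switch, the "apply" argument and the function names are my own conventions, not iproute2's.

```shell
#!/bin/sh
# Added example, not the poster's script: two-uplink policy routing with the
# thread's fictional addresses, prefix lengths added and P1_NET/P2_NET defined.
# DRY_RUN=1 (the default) prints the ip(8) commands instead of running them.
set -eu
DRY_RUN="${DRY_RUN:-1}"; RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
IF0=eth1; P0_NET=192.168.1.0/24                                       # LAN
IF1=eth0; IP1=203.100.1.26; P1=203.100.1.25; P1_NET=203.100.1.24/28   # ADSL-1
IF2=eth2; IP2=203.100.2.38; P2=203.100.2.37; P2_NET=203.100.2.36/30   # ADSL-2
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# rt_tables holds only "<number> <name>" lines and comments; anything else,
# such as pasted 'ip rule show' output, makes ip(8) report the file corrupted.
check_rt_tables() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
         !/^[[:space:]]*[0-9]+[[:space:]]+[A-Za-z0-9_.-]+[[:space:]]*$/ {
             bad++; print "bad rt_tables line " NR ": " $0 }
         END { exit bad ? 1 : 0 }' "$1"
}

ensure_rt_tables() {   # register the two table names, once
    for entry in "201 T1" "202 T2"; do
        grep -qs "^$entry\$" "$RT_TABLES" || run sh -c "echo '$entry' >> '$RT_TABLES'"
    done
}

policy_routes() {
    run ip route flush cache
    # T1/T2: the uplink's link route, the other uplink's subnet, the LAN,
    # loopback, and that provider as default ('replace' tolerates reruns).
    run ip route replace "$P1_NET" dev "$IF1" src "$IP1" table T1
    run ip route replace "$P2_NET" dev "$IF2" table T1
    run ip route replace default via "$P1" table T1
    run ip route replace "$P2_NET" dev "$IF2" src "$IP2" table T2
    run ip route replace "$P1_NET" dev "$IF1" table T2
    run ip route replace default via "$P2" table T2
    for t in T1 T2; do
        run ip route replace "$P0_NET" dev "$IF0" table "$t"
        run ip route replace 127.0.0.0/8 dev lo table "$t"
    done
    # main table: both link routes, ADSL-1 stays the preferred default
    run ip route replace "$P1_NET" dev "$IF1" src "$IP1"
    run ip route replace "$P2_NET" dev "$IF2" src "$IP2"
    run ip route replace default via "$P1"
    # the policy itself: replies sourced from an uplink address use its table
    run ip rule add from "$IP1" table T1
    run ip rule add from "$IP2" table T2
}
main() { ensure_rt_tables; check_rt_tables "$RT_TABLES"; policy_routes; }
if [ "${1:-}" = apply ]; then main; fi
```

Run it with "apply" as root once the printed commands look right. One more thing from the first post: GRE is IP protocol 47, not a TCP port, so the pptp firewall rule for it is "-p gre", not "-p tcp --dport 47".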