[SOLVED] 2 NIC's 2 seperate networks, traffic routing

kamaradski1 · 10-13-2011, 08:36 AM

Hi all,

I have a bit of a complicated situation here that i would need some help with.

my machine at home is configured with Debian squeeze to run several services, and in addition is also used for some more house&kitchen purposes.

i have 2 NIC's connected with the following setup:

eth0 = LAN connection
10.0.0.10
255.255.255.224

eth0 connects to a E3000 Linksys router and the rest of my home network.

&

eth1 = WAN connection
7xx.xxx.xxx.125
255.255.255.0

eth1 connects straight to to my ISP without any routers, modems or switches from my end. (Citywide LAN network)

&

The E3000 router also connects eventually to the same internet however with a separate IP but the same subnet:
7xx.xxx.xxx.202
255.255.255.0

Now what i would like to do is the following:

eth0 - This should handle most traffic: samba, browsing, downstream of music, some port 80 traffic i use in the LAN, etc... as with the extra router in between i feel more secure in terms of traffic-blocking.

eth1 - This should handle some of the more specific traffic: Apache, upstream of my shoutcast server, remote sessions, torrent-traffic, and all the rest of this NIC should be totally closed down except for the protocol essentials to maintain connectivity.

as eth0 is primary it already decided to handle all traffic, so i was hoping when for instance i close port X on this NIC, all traffic for this port would automatically find it's way to eth1. However this is not the case

Hopefully some of you here will be able to help me find a solution, or at least be able to point me in the right direction. Currently i don't even know if there is a technical term for this, so i can focus my search, or if this is at all possible.

Thanks in advance for any help,
kamaradski

phaemon · 10-13-2011, 09:29 AM

You want the iproute2 utility and you're looking for Policy Routing.

Unfortunately it's a bit complicated! You might want to start at http://lartc.org/howto/

Also, I found this blog entry which might give a simpler introduction to the topic!

pingu · 10-13-2011, 09:37 AM

You are mixing things up, also you have over-complicated your network setup (if I understand correctly).
See attached file, this is what I believe you have.

I can't really see any point in this setup, I'd suggest simply remove / close eth1 on server and use only router's connection for internet.
Then you have one single machine to configure, and will avoid lots of confusion.

Let's start here, first of all just tell me if your setup is the way I've understood it then we can discuss further.

kamaradski1 · 10-14-2011, 02:08 PM

First of all, 2 very constructive replies

thanks, this gives me some hope.

@pingu:
Yes you are spot on with your layout! This is exactly how i configured my setup.

I'm also aware this looks a little bit over complicated, however my thought-process was as follows:

- Load balancing by giving the most important services a dedicated direct access and bandwidth to the net.
- Take some load off the LAN as i have almost constant very high traffic there.
- A good divider to physically split internal and external services on the Debian server for increased security.

And last but not least whats the fun of a standard setup without any challenge ? hahahaha

In case it's technically not possible this way i might have to look into alternative load balancing options, with for example a proxy server? However my preferred option would be the current setup.

KR
kamaradski

Edit:
Didn't have much time tonight, however i have quickly read some of the materials suggested by phaemon. (thanks again)

I never realized return traffic would always be routed to the primary interface (eth0 in most cases)and it certainly explained the behavior i have been monitoring.

However the fix as described there would already make my setup much easier, as i would be able to bind applications to the exact interfaces, and have the return traffic from the same interface\ip.

i guess this will for sure be my next step in troubleshooting the setup.

KR
kamaradski

kamaradski1 · 10-16-2011, 06:41 AM

Step-1 making each interface handle it's own traffic is working as per above instructions is almost done.

Added in etc/rc.local:
ip route add 7xx.xx.xx.0/27 dev eth1 src 7x.xx.xx.125 table admin
ip route add default via 7x.xx.xx1 dev eth1 table admin

however in rc.local the following 2 ip rules are not correctly started:
ip rule add from 7x.xx.xx.125/32 table admin
ip rule add to 7x.xx.xx.125/32 table admin

anyone know where to put this, so it will work for all users ?

KR
Willem

kamaradski1 · 12-26-2011, 07:01 AM

This issue was solved as the instructions on the Kindlund Blog as pointed out above.

Please be aware if you choice this set-up you will have a firewall nightmare ahead

Thanks for the help on this issue !

KR
kamaradski