Old 09-10-2012, 12:30 PM   #1
balbung
LQ Newbie
 
Registered: Sep 2012
Posts: 8

Rep: Reputation: Disabled
Help 2 Gateways


Hi everyone,

I've got a proxy on Squid and 2 ISP providers. I've also got 2 subnets, for example: DMZ & internal network.

All traffic passes through the proxy, but I need the DMZ subnet to go out to the internet through isp_router 1 and the internal subnet through isp_router 2.

I've tried to do it with iproute2 but it didn't work. Only one subnet can access internet at the same time.
Maybe there is something wrong in my configuration. This is my configuration:

ip eth0:
172.24.220.25
255.255.255.0
GW 172.24.220.254

ip eth1:
172.24.100.1
255.255.255.0
GW 172.24.220.254

And this is what I'm doing with iproute2:


echo "201 t1" >> /etc/iproute2/rt_tables
echo "202 t2" >> /etc/iproute2/rt_tables
ip route add 172.24.220.0/24 dev eth0 src 172.24.220.25 table t1
ip route add default via 172.24.220.254 table t1
ip route add 172.24.100.0/24 dev eth1 src 172.24.100.1 table t2
ip route add default via 172.24.100.254 table t2
ip rule add from 172.24.220.25 table t1
ip rule add from 172.24.100.1 table t2
route add default gw 172.24.100.254 eth1

I will appreciate any help that you can give me.
 
Old 09-15-2012, 07:01 PM   #2
Ygrex
Member
 
Registered: Nov 2004
Location: Russia (St.Petersburg)
Distribution: Debian
Posts: 666

Rep: Reputation: 68
Quote:
Originally Posted by balbung
Only one subnet can access internet at the same time.
what does it mean?
 
Old 09-17-2012, 04:20 AM   #3
balbung
LQ Newbie
 
Registered: Sep 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Thanks 2 Gateway

Thanks a lot for your response, because I've become so desperate. Sorry I wasn't very clear about my issue.

I'm gonna put my configuration again with more details:

This is my IP configuration:

Code:
eth0      Link encap:Ethernet  HWaddr 00:50:56:AF:00:0E
          inet addr:172.24.220.25  Bcast:172.24.220.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feaf:e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2345012 errors:216 dropped:125 overruns:0 frame:0
          TX packets:731249 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:486347570 (463.8 MiB)  TX bytes:166293313 (158.5 MiB)
          Interrupt:59 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:50:56:AF:00:1B
          inet addr:172.24.100.1  Bcast:172.24.100.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feaf:1b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:103024 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95166 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9559295 (9.1 MiB)  TX bytes:26251018 (25.0 MiB)
          Interrupt:67 Base address:0x2080
This is my routing table after configuring with iproute2 (the eth1 GW would be 172.24.100.254):
Code:
 route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.24.220.0    *               255.255.255.255 UH    0      0        0 eth0
172.24.100.0    *               255.255.255.255 UH    0      0        0 eth1
172.24.100.0    *               255.255.255.0   U     0      0        0 eth1
172.24.220.0    *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth1
default         172.24.220.254  0.0.0.0         UG    0      0        0 eth0
And this is my iproute2 configuration:

Code:
echo "201 t1" >> /etc/iproute2/rt_tables
echo "202 t2" >> /etc/iproute2/rt_tables
ip route add 172.24.220.0 dev eth0 src 172.24.220.25 table t1
ip route add default via 172.24.220.254 table t1
ip route add 172.24.100.0 dev eth1 src 172.24.100.1 table t2
ip route add default via 172.24.100.254 table t2
ip route add 172.24.220.0 dev eth0 src 172.24.220.25
ip route add 172.24.100.0 dev eth1 src 172.24.100.1
ip route add default via 172.24.220.254
ip rule add from 172.24.220.25 table t1
ip rule add from 172.24.100.1 table t2
But with this configuration neither of the two interfaces works. If, instead of iproute2, I use iptables with masquerade over eth0, both subnets access the internet through the same IP provider. And if I try to put 2 default gateways, only one of them has access to the internet.

Please, I need to find a solution because I'm very desperate. If it is necessary I will pay (that's a joke)!!! But seriously, I will appreciate any help that you can offer me.

Last edited by balbung; 09-17-2012 at 04:22 AM. Reason: Lack of information
 
Old 09-17-2012, 11:38 AM   #4
Ygrex
Member
 
Registered: Nov 2004
Location: Russia (St.Petersburg)
Distribution: Debian
Posts: 666

Rep: Reputation: 68
in your iproute2 configuration, I suppose it is just a typo and you are actually specifying network masks for routes, right?
please, let us know what these rules are for? both addresses are local and cannot affect forwarding anyhow
Code:
ip rule add from 172.24.220.25 table t1
ip rule add from 172.24.100.1 table t2

Last edited by Ygrex; 09-17-2012 at 11:39 AM.
 
Old 09-17-2012, 12:14 PM   #5
balbung
LQ Newbie
 
Registered: Sep 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Hi man, thanks a lot for your reply!!!

If I'm honest, I've just followed a tutorial that explains it. This is the tutorial: http://lartc.org/howto/lartc.rpdb.multiple-links.html. If you know a better way to do it I will appreciate it.

Seriously, I appreciate all your help.

Best Regards
 
Old 09-17-2012, 11:03 PM   #6
Ygrex
Member
 
Registered: Nov 2004
Location: Russia (St.Petersburg)
Distribution: Debian
Posts: 666

Rep: Reputation: 68
ok, thanks for the link, but you did not reply
 
Old 09-18-2012, 03:26 AM   #7
balbung
LQ Newbie
 
Registered: Sep 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
You are right... sorry.

Quote:
in your iproute2 configuration, I suppose it is just a typo and you are actually specifying network masks for routes, right?
Yes, that's right.
Quote:
in your iproute2 configuration, I suppose it is just a typo and you are actually specifying network masks for routes, right?
I was trying to say that I had no idea because I'm a beginner and I just followed the tutorial. Sorry.....

Best Regards
 
Old 09-18-2012, 03:02 PM   #8
Ygrex
Member
 
Registered: Nov 2004
Location: Russia (St.Petersburg)
Distribution: Debian
Posts: 666

Rep: Reputation: 68
well, two questions:
1. what do you call DMZ here? can you show your iptables rules? at least for NAT table
2. are you trying to route local or forwarded traffic (i.e. clients in your networks)?
 
Old 09-19-2012, 10:33 AM   #9
balbung
LQ Newbie
 
Registered: Sep 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
Firstly, I would like to thank you for all that you are doing. Sorry for my English and for the way I express myself.

Quote:
1. what do you call DMZ here? can you show your iptables rules? at least for NAT table
Maybe I expressed myself poorly. That's not a DMZ. I've got 2 different networks with users in each network. The users in the network 172.24.220.0 must get out to the internet through the gw 172.24.220.254 and the users in the net 172.24.100.0 must get out to the internet through gw 172.24.100.254.

These are my iptables rules for NAT:

Quote:
iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
And these are my iptables rules for filter:

Quote:
iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Quote:
2. are you trying to route local or forwarded traffic (i.e. clients in your networks)?
I think that I answered you above. I've got a Squid server and I need separate user networks to access the internet.
 
Old 09-20-2012, 10:44 AM   #10
balbung
LQ Newbie
 
Registered: Sep 2012
Posts: 8

Original Poster
Rep: Reputation: Disabled
I found the solution:

echo 1 t1 >> /etc/iproute2/rt_tables
echo 2 t2 >> /etc/iproute2/rt_tables
ip route add default via 172.24.220.254 dev eth0 table t1
ip rule add from 172.24.220.0/24 table t1
ip route add default via 172.24.100.254 dev eth1 table t2
ip rule add from 172.24.100.0/24 table t2

With this, the network 172.24.220.0 gets out through ISP 1 and the other one through ISP 2.

Thanks a lot for your help
 
1 members found this post helpful.
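
Why the subnet rules in the final post work where the host-address rules of the earlier attempts did not, as an added example that is not part of the thread: a simplified Python model of the Linux rule-then-table lookup (it ignores the `local` table, `iif` and packet marks). The client addresses 172.24.100.50 and 172.24.220.50 and the destination 203.0.113.10 are constructed, and the tables are modeled on the addresses posted above.

```python
import ipaddress as ip

def route_lookup(table, dst):
    """Longest-prefix match in one table: (gateway, dev) or None."""
    dst = ip.ip_address(dst)
    hits = [(ip.ip_network(p), gw, dev) for p, gw, dev in table
            if dst in ip.ip_network(p)]
    if not hits:
        return None
    _, gw, dev = max(hits, key=lambda h: h[0].prefixlen)
    return gw, dev

def rpdb_lookup(rules, tables, src, dst):
    """Walk rules by priority; the first matching rule whose table has a route wins."""
    src = ip.ip_address(src)
    for _prio, selector, name in sorted(rules):
        if src in ip.ip_network(selector):
            hit = route_lookup(tables[name], dst)
            if hit:
                return (name, *hit)
    return None

# Tables modeled on the thread's addresses; gateway None means on-link.
TABLES = {
    "main": [("172.24.220.0/24", None, "eth0"),
             ("172.24.100.0/24", None, "eth1"),
             ("0.0.0.0/0", "172.24.220.254", "eth0")],
    "t1": [("0.0.0.0/0", "172.24.220.254", "eth0")],
    "t2": [("0.0.0.0/0", "172.24.100.254", "eth1")],
}
# Constructed priorities: the added rules sit ahead of main (32766).
HOST_RULES = [(32765, "172.24.220.25/32", "t1"),    # earlier attempts
              (32764, "172.24.100.1/32", "t2"),
              (32766, "0.0.0.0/0", "main")]
SUBNET_RULES = [(32765, "172.24.220.0/24", "t1"),   # final post
                (32764, "172.24.100.0/24", "t2"),
                (32766, "0.0.0.0/0", "main")]

CLIENT_220 = "172.24.220.50"   # hypothetical client behind eth0
CLIENT_100 = "172.24.100.50"   # hypothetical client behind eth1
INTERNET = "203.0.113.10"      # documentation-range destination

if __name__ == "__main__":
    for label, rules in (("host rules", HOST_RULES), ("subnet rules", SUBNET_RULES)):
        for client in (CLIENT_220, CLIENT_100):
            print(label, client, "->", rpdb_lookup(rules, TABLES, client, INTERNET))
    # t1 holds only a default route, so inter-subnet traffic is also sent to the gateway.
    print(rpdb_lookup(SUBNET_RULES, TABLES, CLIENT_220, "172.24.100.7"))
```

With the host-address rules, a forwarded packet from a client never matches and falls through to the single default route in `main`; the last lookup shows that a table holding only a default route also sends traffic between the two subnets to the gateway. On a live host, `ip route get 203.0.113.10 from 172.24.100.50 iif eth1` asks the kernel the same question.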
  

