LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
08-05-2007, 09:46 PM   #1
dimavo (LQ Newbie; Registered: Apr 2001; Location: Sydney, Australia; Distribution: CentOS; Posts: 17)
Routing with multiple gateways

Hi,

I have two ISPs (IS1 and IS2) and 2 Devil Linux boxes that act as (Shorewall based) routers/firewalls for both ISPs (DL1 and DL2).

These connect to a DMZ switch, where I have a CentOS based authentication server connected.
Code:
   _____    _____
  |     |  |     |
  | IS1 |  | IS2 |   
  |_____|  |_____|
     |        |  
   __|__    __|__
  |     |  |     |
  | DL1 |  | DL2 |   
  |_____|  |_____|
     \        /
      \      /
    ____________
   |            |
   | DMZ Switch |
   |____________| 
         |
         |
    ____________
   |            |
   | Auth. Serv.|
   |____________|
When users login from home, the authentication server MUST know the IP address of the user. So instead of giving me a DMZ IP address of the DL1 or DL2, it gives me the public address of the user.

But, if I set the default gateway on the Authentication server to be DL1, when users try to login using DL2, they cannot, because the reply to their request is going through DL1 and IS1 instead of IS2.

I have set up Shorewall on DL1 to do one-to-one NAT to the auth. server and it was working well, until I decided to add another ISP.

So what can I do, either on DL1 and DL2 or the auth. server to let my users login using both ISPs?



Thanks guys
 
08-06-2007, 03:33 PM   #2
acid_kewpie (Moderator; Registered: Jun 2001; Location: UK; Distribution: Gentoo, RHEL, Fedora, Centos; Posts: 43,384)
I will sound like a broken record, I'm sure, but check chapter 4 of lartc.org. You should be able to use iptables marking to say that any inbound connections from DL2 should return to DL2 from the central server. I'm not too sure about the need for two isolated firewalls though... could you not look to use them in a clustered / active/passive mode instead of not knowing the other exists? You have the same issues as in your question, but the problem then belongs to the firewall, not the server behind, and as an authentication server, it's really not a good thing for it to have to do anyway.

If you want to go further into this, you might want to explain more about what this authentication server actually is doing... RADIUS for VPNs?

Last edited by acid_kewpie; 08-06-2007 at 03:35 PM.
 
08-06-2007, 04:55 PM   #3
dimavo (Original Poster)


Thanks for your reply, acid_kewpie

lartc.org goes into great detail on how to set this up using two different interfaces and when I tried to adapt it to use the same interface, I realised that it will not work.

There could be something on the layer 2 level - to remember which MAC address the connection is coming from - and send back the reply in the same direction.

The two firewalls are doing about a hundred other things - email, http, vpn, etc. and to me it seemed the least complicated having two firewalls. There is an offsite DNS name failover service so when the primary connection goes down, the name is pointed at the second connection and life goes on.

The authentication server is only doing SSH with X forwarding - that's why it needs to know the IP address of the user.

On user machines I tried using IP address as given by DHCP, but some users use modems that have a DHCP server inbuilt, so all I would get is a 192.168.1.* address on the authentication server.

If all else fails, I'd probably write something to be on the client machine to find out its IP address from somewhere else, but this would be useful for a number of other services - like checking where email has come from or analysing http logs.

I am open to suggestions on how I can redesign my network to have the above to work.

Thanks !
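The iptables marking that acid_kewpie points to in LARTC chapter 4 does work on a single interface, and it is exactly the "remember which MAC the connection came from" mechanism dimavo is asking for. The only thing that distinguishes a NATed login arriving via DL1 from one arriving via DL2 is the source MAC of the Ethernet frame (the inside interface of whichever firewall forwarded it), so the auth server can tag the connection with that information using CONNMARK and route the replies with an `ip rule` on the mark. The script below is an added example, not configuration from the thread or from Shorewall; the addresses, MACs, table numbers and interface name are assumptions, and both firewalls are assumed to keep 1:1 NATing the public address to the same DMZ address of the auth server. It prints every command and only executes them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread): route replies back through the gateway
# whose frame delivered the connection, on a single-homed server, using
# iptables CONNMARK plus policy routing (LARTC chapter 4 style).
#
# Assumed layout (all values are assumptions, override via environment):
#   DL1 inside address 10.0.0.1, inside MAC 00:11:22:33:44:01 -> table/mark 101
#   DL2 inside address 10.0.0.2, inside MAC 00:11:22:33:44:02 -> table/mark 102
#   auth server 10.0.0.10 on one interface, default route still via DL1 (main table)
#
# Commands are printed; they run only when APPLY=1 (needs root).

DL1_GW=${DL1_GW:-10.0.0.1}; DL1_MAC=${DL1_MAC:-00:11:22:33:44:01}
DL2_GW=${DL2_GW:-10.0.0.2}; DL2_MAC=${DL2_MAC:-00:11:22:33:44:02}

# Print the command; execute it only in APPLY mode. Never aborts the script.
run() {
    echo "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

# One fwmark, one routing table and one ip rule per gateway.
# $1 = mark and table id, $2 = gateway address, $3 = gateway's inside MAC
gateway_rules() {
    mark=$1; gw=$2; mac=$3
    # New inbound connections carried in a frame from this gateway's MAC get
    # the gateway's mark stored in the conntrack entry.
    run iptables -t mangle -A INPUT -m mac --mac-source "$mac" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark"
    # A routing table whose only default route is this gateway ...
    run ip route replace default via "$gw" table "$mark"
    # ... consulted for any packet that carries this gateway's mark.
    run ip rule add fwmark "$mark" table "$mark"
}

policy_routing() {
    gateway_rules 101 "$DL1_GW" "$DL1_MAC"
    gateway_rules 102 "$DL2_GW" "$DL2_MAC"
    # Locally generated packets (the SSH replies) copy the connection's mark
    # onto the packet before the routing decision, so the ip rules above apply.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

policy_routing
```

Two caveats a practitioner would want: the marks live in conntrack, so nothing here changes where connections the auth server itself opens go (those still follow the main table's default route), and the MAC match only sees the last hop, so it identifies the firewall, not the user; the user's public address is preserved by the firewalls' 1:1 NAT, which is what the server needs for its logs and X forwarding.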
 
08-06-2007, 05:36 PM   #4
raskin (Senior Member; Registered: Sep 2005; Location: Russia; Distribution: NixOS (http://nixos.org); Posts: 1,893)
Isn't just having two IPs on the authentication server enough? I thought you don't need real interfaces...
 
08-06-2007, 07:35 PM   #5
dimavo (Original Poster)


That would mean I need 3 IPs - including the local network..

I'll just restrict them - if they want to use X they have to go through DL1. DL2 will send its own IP.

Thanks everyone for your input
 
08-06-2007, 09:40 PM   #6
tajamari (Member; Registered: Jul 2007; Distribution: Red Hat CentOS Ubuntu FreeBSD OpenSuSe; Posts: 252)
Quote:
Originally Posted by dimavo
That would mean I need 3 IPs - including the local network..

I'll just restrict them - if they want to use X they have to go through DL1. DL2 will send its own IP.

Thanks everyone for your input
Try GNU Zebra. It's routing software for Linux.
 
08-07-2007, 02:09 AM   #7
raskin (Senior Member)
Why three IPs? Just two local IPs inside the local network. But the DMZ should be instructed to redirect DL1 traffic to the first and DL2 traffic to the second. And even having 3 IPs on the same Ethernet link is not that bad.
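raskin's two-address variant avoids iptables on the auth server entirely: DL1's 1:1 NAT maps its public address to a first DMZ address, DL2's to a second one on the same interface, and the server routes replies by source address, since a reply to a connection accepted on the second address is sent from that address. The script below is an added example, not configuration from the thread or from Shorewall; the addresses, prefix length, table numbers and interface name are assumptions. It prints every command and only executes them when run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the thread): source-address policy routing for a
# server that holds two addresses on one interface, one per upstream firewall.
#
# Assumed layout (all values are assumptions, override via environment):
#   DL1 inside address 10.0.0.1, its 1:1 NAT target is 10.0.0.11 -> table 101
#   DL2 inside address 10.0.0.2, its 1:1 NAT target is 10.0.0.12 -> table 102
#   both addresses are on the auth server's eth0, /24
#
# Commands are printed; they run only when APPLY=1 (needs root).

IFACE=${IFACE:-eth0}
PREFIX=${PREFIX:-24}
DL1_GW=${DL1_GW:-10.0.0.1}; DL1_IP=${DL1_IP:-10.0.0.11}
DL2_GW=${DL2_GW:-10.0.0.2}; DL2_IP=${DL2_IP:-10.0.0.12}

# Print the command; execute it only in APPLY mode. Never aborts the script
# (e.g. "ip addr add" of an address that is already configured just reports it).
run() {
    echo "$*"
    [ "${APPLY:-0}" = 1 ] && "$@"
    return 0
}

# $1 = table id, $2 = local address the firewall NATs to, $3 = that firewall's address
source_route() {
    table=$1; addr=$2; gw=$3
    # Second (or first) address on the shared interface; sshd bound to 0.0.0.0
    # accepts connections on both without any change.
    run ip addr add "$addr/$PREFIX" dev "$IFACE"
    # A table whose default route is the firewall that owns this address ...
    run ip route replace default via "$gw" dev "$IFACE" table "$table"
    # ... used for every packet the server sends FROM that address.
    run ip rule add from "$addr" table "$table"
}

policy_routing() {
    source_route 101 "$DL1_IP" "$DL1_GW"
    source_route 102 "$DL2_IP" "$DL2_GW"
}

policy_routing
```

On the firewall side the only change is the NAT target: DL1's Shorewall one-to-one NAT keeps pointing at the first address and DL2's points at the second. Connections the server opens itself still pick their source address from the main table, so outbound traffic behaves as before; only replies to inbound logins are steered.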