LinuxQuestions.org
Old 01-19-2012, 04:02 AM   #1
nuvista175
LQ Newbie
 
Registered: Jan 2012
Posts: 7

Rep: Reputation: Disabled
Different default gateway for one host


Hello

I have a Linux machine that acts as a router between internal networks and the Internet. There are several network interfaces on this host, but right now we only talk about two as I see it:

eth0 - local network (172.16.1.1/16)
eth1 - Internet connection (Dynamic IP)

I have set up a new VPN connection (ppp0) on this host and I want some hosts in my network to use this link as "way out to the Internet" instead of eth1. All other hosts should use eth1 as before.

But how do I do this? I've tried to search for it, got some hints here and there. I've tried some, but nothing has worked out for me so far.

If you know how to do this, please give some examples on how this could be done. I guess that we're talking about both static routes as well as iptables entries to accomplish this.

Best regards and thanks in advance

// Robert
 
Old 01-19-2012, 04:16 AM   #2
MartinStrec
Member
 
Registered: Jan 2012
Location: Czech
Distribution: Fedora, RHEL, Ubuntu, Mint
Posts: 110

Rep: Reputation: 14
Hi,

You have to think about packet flow in iptables. Use packet marking (it's a prerouting process) and then choose the correct routing table. I am sending you a page with a good example.

see http://www.linuxhorizon.ro/iproute2.html
 
Old 01-19-2012, 06:19 AM   #3
nuvista175
LQ Newbie
 
Registered: Jan 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hello and thank you for your answer.

If I understand this correctly, I can use this method but I only need to have one entry in the /etc/iproute2/rt_tables, the VPN link. All other traffic will go the same way as it does today, using the systems default gateway. Am I right?

Q1) The example shows how this is done if you have two or more subnets that you want to route differently, but in my case I need to add a specific host in the same network as everything else instead of a specified subnet. Is that possible somehow?

While setting up these routing rules for the VPN connection, I have to specify an IP address for the VIA clause. I don't know this apparently, I don't see it anywhere. I've checked in the /var/log/messages and it tells me:
CHAP authentication succeeded
PPP MPPE Compression module registered
MPPE 128-bit stateless compression enabled
local IP address X.X.X.83
remote IP address X.X.X.1

Q2) Should I use "remote IP address" from the ppp0 link to route via or is it possible somehow to use the "interface name" ppp0? I ask this because this IP address might be different the next time the link is set up.

// Robert

Last edited by nuvista175; 01-19-2012 at 06:26 AM.
 
Old 01-19-2012, 10:03 AM   #4
MartinStrec
Member
 
Registered: Jan 2012
Location: Czech
Distribution: Fedora, RHEL, Ubuntu, Mint
Posts: 110

Rep: Reputation: 14
A1)

Yes, that link is just an example. You can identify packets in any way, by (-s) source IP or mask or (-i) input interface. That is how you mark packets. Google 'iptables packet mark example' and you will obtain many relevant pages.

A2)

Your second default route is to the gateway X.X.X.1 via ppp0
 
Old 01-22-2012, 08:53 AM   #5
nuvista175
LQ Newbie
 
Registered: Jan 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
This does not work for me. I must have missed something. I will try to explain what I have done so far:



1. I "call" the VPN with pppd call ANONINE


2. The link is established and shows up after a few seconds in ifconfig

ppp0 Link encap:Point-to-Point Protocol
inet addr:178.73.197.70 P-t-P:178.73.197.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1496 Metric:1
RX packets:26151 errors:0 dropped:0 overruns:0 frame:0
TX packets:81231 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:3099924 (2.9 MiB) TX bytes:12238574 (11.6 MiB)


3. I've added a new entry in /etc/iproute2/rt_tables so that it looks like this

#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 ANONINE

4. I then use the two commands to set the default gateway for the ANONINE table and add the wanted host to that table

ip route add default via 178.73.197.1 dev ppp0 table ANONINE
ip rule add from 172.16.100.11/32 table ANONINE

5. All other hosts still got Internet connection through the "regular" default gateway but my 172.16.100.11 doesn't get any Internet connection at all.

6. I've got two rows in my /etc/sysconfig/iptables file also. I'm not certain about those but I thought they should be there to make the ppp0 connection work as my regular Internet connection does.

-A POSTROUTING -o ppp0 -j MASQUERADE
-A FORWARD -i eth0 -o ppp0 -j ACCEPT

(I've got the same two lines, but with -o eth1)


Is there an easy way to see if my VPN is working at all? I can see traffic going on that device (ppp0) but I'm not really sure it works as it should. Any easy thing I can do to verify this?

// Robert
 
Old 01-23-2012, 02:24 AM   #6
nuvista175
LQ Newbie
 
Registered: Jan 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
Update... and probably the solution

ip rule add from 172.16.100.11 table ANONINE
did the trick. Thanks a million!


// Robert
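
Added example (not part of the original thread or any poster's code): a script that consolidates the routing steps from posts #5 and #6 and adds the verification asked about in post #5, by querying the kernel with `ip route get` for the interface a forwarded packet from the host would leave on. It routes by device rather than by peer address, which fits a point-to-point link such as ppp0 whose remote IP can change. The variable and function names and the probe address 192.0.2.1 are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Dry-run by default: prints the commands.
# Run as root with APPLY=1 to execute them.
LAN_HOST="${LAN_HOST:-172.16.100.11}"  # host to send out through the VPN (from the thread)
RT_TABLE="${RT_TABLE:-ANONINE}"        # must already be listed in /etc/iproute2/rt_tables
VPN_DEV="${VPN_DEV:-ppp0}"
LAN_DEV="${LAN_DEV:-eth0}"
PROBE_ADDR="${PROBE_ADDR:-192.0.2.1}"  # assumption: any off-link address works for the lookup

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

setup_policy_route() {
    # ppp0 is point-to-point, so the default route can name the device only;
    # nothing breaks when the peer address changes on the next connect.
    run ip route replace default dev "$VPN_DEV" table "$RT_TABLE"
    # Remove a stale copy of the rule first so re-runs do not stack duplicates.
    run ip rule del from "$LAN_HOST" table "$RT_TABLE" 2>/dev/null || true
    run ip rule add from "$LAN_HOST" table "$RT_TABLE"
    # Only matters on kernels that still have a routing cache.
    run ip route flush cache
}

# Reads `ip route get` output on stdin and prints the interface named after "dev".
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Asks the kernel where a packet from LAN_HOST arriving on the LAN side would be
# forwarded. Returns 0 only if that is the VPN device.
host_uses_vpn() {
    dev="$(ip route get "$PROBE_ADDR" from "$LAN_HOST" iif "$LAN_DEV" 2>/dev/null | egress_dev)"
    [ "$dev" = "$VPN_DEV" ]
}

apply_and_check() {
    setup_policy_route
    if [ "${APPLY:-0}" = "1" ]; then
        if host_uses_vpn; then echo "OK: $LAN_HOST leaves via $VPN_DEV"
        else echo "WARNING: $LAN_HOST does not leave via $VPN_DEV" >&2; return 1; fi
    fi
}

apply_and_check
```

Because the table's default route disappears when ppp0 goes down, the script has to be re-run after each reconnect; the routing check alone does not confirm that NAT and forwarding rules on ppp0 are in place.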
 
Old 01-23-2012, 02:27 AM   #7
Lexus45
Member
 
Registered: Jan 2010
Distribution: Debian, Centos, Ubuntu, Slackware
Posts: 361
Blog Entries: 3

Rep: Reputation: 48
If you have an opportunity - you may use SNAT for those IP addresses/subnets and NAT all traffic from them to the certain interface (VPN link).
But if you can not use NAT, this method is not preferred.
 
  

