LinuxQuestions.org
07-12-2006, 04:43 AM   #1
kassle
Member
 
Registered: Jan 2006
Distribution: bodhi
Posts: 44

Rep: Reputation: 15
Gateway with Dual ISP


I have followed the Linux Advanced Routing and Traffic Control manual to merge two ISPs (A and B), and it works well. Using traceroute (from the gateway), the gateway is able to split across the different ISPs.

But the problem is that the clients (LAN) always use ISP A and never use B. Which is wrong: the routes and/or iptables, or something else?

the routing picture:
Code:
------------              ------------
|  ISP A   |              |   ISP B  |
| 10.0.0.1 |              | 10.1.1.1 |
------------              ------------
      |                        |
      -----------        ---------
(eth0 10.0.0.2) |        | (eth1 = 10.1.1.2)
             ---------------
             |   GATEWAY   |
             |     eth2    |
             | 11.11.11.11 |
             ---------------
                    |
                 -------
                 | LAN |
                 -------
here is my routing
Code:
ip route add 10.0.0.0/24 dev eth0 src 10.0.0.2 table CBN
ip route add default via 10.0.0.1 table CBN
ip route add 10.1.1.0/24 dev eth1 src 10.1.1.2 table IDS
ip route add default via 10.1.1.1 table IDS

ip route add default scope global nexthop via 10.0.0.1 dev eth0 weight 1 nexthop via 10.1.1.1 dev eth1 weight 1
my routing rule
Code:
ip rule add from 10.1.1.2 table IDS
ip rule add from 10.0.0.2 table CBN
my iptables
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 
07-12-2006, 09:57 AM   #2
r0b0
Member
 
Registered: Aug 2004
Location: Europe
Posts: 608

Rep: Reputation: 50
Try using the SNAT target in iptables instead of MASQUERADE. See man iptables:

MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target.
Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down. This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).

SNAT
This target is only valid in the nat table, in the POSTROUTING chain.
It specifies that the source address of the packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:
--to-source ipaddr[-ipaddr][:port-port]
which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies -p tcp or -p udp). If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to 1024 or above. Where possible, no port alteration will occur.

You can add several --to-source options. If you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses.
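The substitution suggested in post #2, applied to the two MASQUERADE rules from post #1, as an added example (not code from either poster). The interface-to-address map is taken from the diagram in post #1; the `ppp0` rule is a constructed sample for the dynamically addressed case that the man page reserves MASQUERADE for. The script only prints the rewritten commands for review and does not run iptables.

```shell
#!/bin/sh
# Added example: rewrite MASQUERADE rules to SNAT for uplinks that have a
# static address. Addresses below come from the diagram in post #1.
STATIC_ADDRS="eth0=10.0.0.2 eth1=10.1.1.2"

# Print the static address configured for interface $1; fail if none is known.
static_addr() {
    for pair in $STATIC_ADDRS; do
        if [ "${pair%%=*}" = "$1" ]; then
            printf '%s\n' "${pair#*=}"
            return 0
        fi
    done
    return 1
}

# Read iptables rule lines on stdin and write them to stdout. A rule with
# "-j MASQUERADE" whose "-o" interface has a static address becomes
# "-j SNAT --to-source <address>"; every other rule passes through unchanged.
masq_to_snat() {
    while IFS= read -r rule; do
        case "$rule" in
            *"-j MASQUERADE"*)
                iface=$(printf '%s\n' "$rule" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
                if addr=$(static_addr "$iface"); then
                    rule=$(printf '%s\n' "$rule" |
                        sed "s/-j MASQUERADE/-j SNAT --to-source $addr/")
                fi
                ;;
        esac
        printf '%s\n' "$rule"
    done
}

# Sample input: the two rules from post #1 plus one constructed rule for a
# dynamically addressed interface (ppp0 is an assumption, not on the page).
sample_rules() {
    cat <<'EOF'
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
EOF
}

sample_rules | masq_to_snat
```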
 
  

