Network Routing Configuration

pjlewis · 01-20-2006, 07:24 PM

Hi,

I have four network cards, detailed below. eth0 and eth3 connect to my ISPs, and eth1 and eth2 connect to local networks. I want to route all traffic from eth2 to eth0, and from eth1 to eth3. However, I am having a few problems with this.

eth0
ip: 192.168.100.253/24
gw: 192.168.100.254 (ISP)

eth1
ip: 192.168.3.253/22
gw: 192.168.20.253 (eth3)

eth2
ip: 192.168.7.253/22
gw: 192.168.100.253 (eth0)

eth3
ip: 192.168.20.253/24
gw: 192.168.20.254 (ISP)

I have tried setting up routing using these commands:

echo "ISP_1" >> /etc/iproute2/rt_tables
echo "ISP_2" >> /etc/iproute2/rt_tables

ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
ip route add default via 192.168.100.253 table ISP_1
ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
ip route add default via 192.168.20.253 table ISP_2

ip rule add from 192.168.7.253 table ISP_1
ip rule add from 192.168.3.253 table ISP_2

However, this yielded no success. I have also tried a simple iptables forwarding configuration (without the routing config above):

iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT

# default policy
iptables -P FORWARD DROP

Again, with no success. I do have a reasonably complex firewall in place, but no other rules in the FORWARD section of the firewall. I have a number of open ports under INPUT for other services the machine provides, and nothing under OUTPUT.

In the NAT section, I have no rules in OUTPUT, a couple of MASQUERADING rules under POSTROUTING, and hundreds of rules under PREROUTING (accepting or denying machines based on their MAC).

I've had a few thoughts on this; do I need to have four default gateways configured; one for each network card? And do I need more (or any) forwarding rules in the firewall?

I have also got the following configured:
"echo 1 > /proc/sys/net/ipv4/ip_forward"

I've been struggling with this problem for some time now, and it's really starting to annoy me. I would really appreciate any feedback people could send me.

Many thanks,

Paul

clinux_rulz · 01-21-2006, 08:39 PM

Code:

eth0
ip:      11000000.10101000.01100100.11111101 (192.168.100.253)
submask: 11111111.11111111.11111111.00000000 (255.255.255.000)
subnet:  11000000.10101000.01100100.00000000 (192.168.100.000)
gateway: 11000000.10101000.01100100.11111110 (192.168.100.254)
gw subn: 11000000.10101000.01100100.00000000 (192.168.100.000)
           .
          /|\
           |
         GOOD

eth1
ip:      11000000.10101000.00000011.11111110 (192.168.003.254)
submask: 11111111.11111111.11111100.00000000 (255.255.252.000)
subnet:  11000000.10101000.00000000.00000000 (192.168.000.000)
gateway: 11000000.10101000.00010100.11111101 (192.168.020.253)
gw subn: 11000000.10101000.00010100.00000000 (192.168.020.000)
           .
          /|\
           |
      PROBLEM: Gateway and interface are on different subnets.

eth2
ip:      11000000.10101000.00000111.11111101 (192.168.007.253)
submask: 11111111.11111111.11111100.00000000 (255.255.252.000)
subnet:  11000000.10101000.00000100.00000000 (192.168.004.000)
gateway: 11000000.10101000.01100100.11111101 (192.168.100.253)
gw subn: 11000000.10101000.01100100.00000000 (192.168.100.000)
           .
          /|\
           |
      PROBLEM: Gateway and interface are on different subnets.

eth3
ip:      11000000.10101000.00010100.11111101 (192.168.020.253)
submask: 11111111.11111111.11111111.00000000 (255.255.255.000)
subnet:  11000000.10101000.00010100.00000000 (192.168.020.000)
gateway: 11000000.10101000.00010100.11111110 (192.168.020.254)
gw subn: 11000000.10101000.00010100.00000000 (192.168.020.000)
           .
          /|\
           |
         GOOD

Suggestions:

 * change interface eth1's ip address to 192.168.23.254/22
   (11000000.10101000.00010111.11111110/22)

 * change interface eth2's ip address to 192.168.103.253/22
   (11000000.10101000.01100111.11111101/22)

I'm not sure how much this helps, but good luck anyway.

clinux_rulz · 01-21-2006, 11:05 PM

Hang on now, I would not change eth1 and eth2, because I would imagin they are already hooked up to alot of machines, right? Instead consider changing the ip's of eth0 and eth3, so that the gw and interface ip's on eth1 lie in the same subnet, and so that the gw and interface ip's on eth2 lie in the same subnet. Be carefull not to make the subnet of eth0's gw and interface different, and be carefull not to make the subnet of eth3's gw and interface different.

If the gateway and interface subnets for eth0 and eth3 don't pair, then carefully change the sub-masks.

Clinton.