[wellylug] multiple gateways
Pete Black
pete at marchingcubes.com
Fri Dec 3 12:25:51 NZDT 2004
The way I would set this up in your current scenario is as follows:
Configure 2 ip addresses on your internal server's NIC using an alias.
Configure each firewall to rewrite the destination addresses of incoming
connections to one of the IP addresses - e.g. firewall 1 redirects to
192.168.0.1 and firewall 2 redirects to 192.168.0.2 (where your server's
eth0 is configured as 192.168.0.1 and eth0:1 is 192.168.0.2).
On the server machine, you need to set up iptables to flag packets with
a destination address of 192.168.0.2, and send them to a routing table
with a default gateway of firewall 2. Your standard routing table has
firewall 1 as its default gateway.
You could do this with interfaces instead of destination IP e.g. if the
packet comes in on eth0 route it via the default routing table, if it
comes in on eth1 route it via a different route table.
The specifics of how to do this can be found under the 'advanced routing
howto' and the man pages for the 'ip' command.
You may need to install the iproute/iproute2 packages, as the standard
'route' command can only modify the kernel's default routing table.
If you get stuck, you can contact me off list, however I am a bit busy
today so I may not be able to respond in an entirely prompt manner.
Should you require more direct assistance i.e. you want somebody to do
it for you, I may be able to provide support but it will cost you money.
Again, contact me off-list regarding this.
-Pete
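The setup Pete describes above, written out as a script. This is an added example, not code from the thread: the two server addresses (192.168.0.1 on eth0, 192.168.0.2 on eth0:1) come from the thread, while the internal address of firewall 2, the /24 mask, the routing table number (200) and the fwmark value (2) are assumptions to be adjusted to the real network. By default it only prints the commands it would run; run it as root with the argument `apply` to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): one NIC, two firewalls, using the
# approach Pete describes. Firewall 1 forwards to 192.168.0.1 (eth0),
# firewall 2 forwards to 192.168.0.2 (eth0:1). Connections that arrived
# for 192.168.0.2 are marked, and marked packets are routed via a second
# table whose default gateway is firewall 2. The main table keeps firewall
# 1 as its default gateway, as configured in /etc/network/interfaces.
# Assumptions (not in the thread): firewall 2's internal address, the /24
# mask, table number 200 and mark value 2. Dry run by default (prints the
# commands); run as root with the argument "apply" to execute them.
set -eu

NIC=eth0
ADDR2=192.168.0.2       # eth0:1, the address firewall 2 forwards to
FW2=192.168.0.253       # assumed internal address of firewall 2
TABLE=200               # assumed spare routing table number
MARK=2                  # assumed fwmark value

MODE=${1:-dry-run}

# Print the command in dry-run mode, execute it in apply mode.
run() {
    if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Second address as an alias on the same NIC.
add_alias() {
    run ip addr add "$ADDR2/24" dev "$NIC" label "$NIC:1"
}

# Second routing table with firewall 2 as its default gateway.
add_fw2_table() {
    run ip route add default via "$FW2" dev "$NIC" table "$TABLE"
}

# Mark connections that arrived for ADDR2 and copy the connection mark
# onto locally generated replies so they can be matched by fwmark.
mark_fw2_connections() {
    run iptables -t mangle -A PREROUTING -i "$NIC" -d "$ADDR2" \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Send marked packets to the firewall 2 table, then flush the route cache
# so already-cached routes do not keep using firewall 1.
add_policy_rule() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
}

configure() {
    add_alias
    add_fw2_table
    mark_fw2_connections
    add_policy_rule
}

configure
```

Check the result with `ip rule show` and `ip route show table 200`. A simpler variant that needs no iptables is `ip rule add from 192.168.0.2 table 200`, since replies to connections that arrived for 192.168.0.2 leave with that source address; the mark-based form above is the one described in the thread and also covers traffic the server originates itself once it is marked.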
> Hi
>
> Sorry about not being clear enough
>
> I have 1 nic in the server and 2 firewall boxes, each with a separate
> internet connection.
> presently all traffic for the server comes in via one firewall. I
> would like to be able to connect to the server via the other firewall
> as well so that external clients can connect to the server via either
> external ip address.
>
> If I threw a second nic in the server could I just configure it to the
> other gateway?
>
> This is all as a temporary measure as I transition from one internet
> connection to another. I could just go "cold turkey" and switch all
> the client pc's over to the new ip address but it will just be a bit
> more pressured/stressful.
>
> cheers
>
> Mark
>
> Pete Black wrote:
>
>> Can you clarify this please - when you say you want to respond to
>> traffic that comes in from two different gateways, do you simply mean
>> you have multiple interfaces on your machine?
>>
>> Can you be more specific about your network setup, as the degree to
>> which linux's default arp, rp_filter etc. proc entries and route
>> cache will ruin your day depends very much on exactly what you are
>> trying to do.
>>
>> You can do just about any kind of 'smart' routing using iproute2 and
>> iptables, and the assertion that you can have only one default
>> gateway is technically not correct.
>>
>> You can have only one default gateway per routing table - it is
>> relatively easy simply to mark all packets entering via a given
>> interface and send them to a specified route table, which will
>> enable you to control which interface a packet leaves on based on the
>> interface it entered on etc. etc.
>>
>> -Pete
>>
>>> You can only have one default gateway. If you know the source
>>> addresses for all traffic coming in one of the interfaces, you can set
>>> up a bunch of static routes (route add <network> <netmask> <gateway>).
>>>
>>> Other than that, this indicates a pretty broken network set up and I
>>> suggest you fix it before you try any nasty hacks :)
>>>
>>> On Fri, 03 Dec 2004 at 10:06:17 +1300, Mark Signal wrote:
>>>
>>>> Hi
>>>>
>>>> hopefully a simple question
>>>>
>>>> I want a debian box to be able to respond to traffic that comes from 2
>>>> different gateways.
>>>>
>>>> I tried adding a second gateway setting for eth0 in the
>>>> /etc/network/interfaces file but as I expected it spat the dummy
>>>>
>>>> presumably I need a primary gateway (as defined in
>>>> /etc/network/interfaces?) and an alternative gateway set up in
>>>> routing somehow?
>>>>
>>>> as usual - any pointers/abuse gratefully accepted
>>>>
>>>> thanks
>>>>
>>>> Mark Signal
>>>>
>>>> --
>>>> Wellington Linux Users Group Mailing List:
>>>> wellylug at lists.wellylug.org.nz
>>>> To Leave: http://lists.wellylug.org.nz/mailman/listinfo/wellylug