Iproute2: Routing with multiple networks and multiple gateways

iproute2routingstatic-routes

I have a Linux box running Ubuntu 10.04 with three interfaces: eth0, eth1 and eth2. I am planning to use it as a WAN router for 4 public subnets assigned by two different ISP's. Here are the subnets (I have converted the ISP assigned subnets to class C private subnets):

ISP 1   
WAN 192.168.0.176/30 gateway 192.168.0.177   
LAN 192.168.3.192/29

ISP 2   
WAN 192.168.6.208/30 gateway 192.168.6.209  
LAN 192.168.9.216/29

/30 subnets face respectives ISPs and /29 subnets face my LAN switch.

This is how IPs are assigned to the interfaces:

LAN interface 
eth0 192.168.3.193/29
eth0:0 192.168.9.217/29

ISP 1 interface
eth1 192.168.0.178/30

ISP 2 interface
eth2 192.168.6.210/30

I want to route traffic between respective ISP assigned /30 and /29 subnets separetly. If traffic comes from one ISP's /30 network, it should be routed to that ISPs /29 network and visa versa. I don't mind if traffic originated in one ISP's /29 network destined to the other ISP's /29 network gets routed in my router (without getting it sent to one ISP and comes back other ISP's link).

My aim is to not to buy two routers for two ISP's. How can I achieve this by using iproute2 tables and policy routing?

Best Answer

First, create a routing table for each ISP (only done once):

echo "11 isp1" >> /etc/iproute2/rt_tables
echo "12 isp2" >> /etc/iproute2/rt_tables

Then add a default route to each table pointing to the corresponding gateway:

ip route add default via 192.168.0.177 table isp1
ip route add default via 192.168.6.209 table isp2

Then add rules to send traffic to these tables based on the source address:

ip rule add from 192.168.3.192/29 table isp1
ip rule add from 192.168.0.176/30 table isp1
ip rule add from 192.168.9.216/29 table isp2
ip rule add from 192.168.6.208/30 table isp2

Related Solutions

Firewall – Multiple interface NAT routing

These rules probably don't do what you want. The first rule permits any new connection from eth1 and eth2, the second permits everything from eth0 and eth1. This appears to permit everything from any interface basically making your firewall pointless.

iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth2 -j ACCEPT

You may mean this instead.

iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT

Anyway, instead of adding things to rc.local I would probably update your /etc/network/interfaces to look like this. I am making some guesses about what you have for masks, so be sure to check and update. You probably should be adding all of the link routes to the fiber table.

auto eth0
iface eth0 inet static
  address 192.168.1.2
  netmask 255.255.255.0
  network 192.168.1.0
  broadcast 192.168.1.255
  gateway 192.168.1.1
  up ip route add table fiber scope link proto kernel dev eth0 192.168.1.0/24

auto eth1
iface eth1 inet static
  address 10.254.239.1
  netmask 255.255.255.0
  network 10.254.239.0
  broadcast 10.254.239.255
  up ip route add table fiber scope link proto kernel dev eth1 10.254.239.0/24

auto eth2
iface eth2 inet static
  address 20.20.20.22
  netmask 255.255.255.252
  network 20.20.20.20
  broadcast 20.20.20.23
  up ip route add table fiber scope link proto kernel dev eth2 20.20.20.20/30
  up ip route add default via 20.20.20.21 table fiber
  up ip rule add fwmark 2 table fiber

Centos – Multihoming with iproute2 and multiple VLANs

First set up basic multihoming:

echo -e "200\tuplink2" >> /etc/iproute2/rt_tables
echo "default table uplink2 via GA.TE.WA.Y2" > /etc/sysconfig/network-scripts/route-eth1
echo "from IP.AD.DR.ES table uplink2" > /etc/sysconfig/network-scripts/rule-eth1

after that you need to create iptables rules to match and mark your VOIP traffic:

iptables -A PREROUTING -t mangle <some voip matching> -j MARK --set-mark 0x1

and add this rule to actually route marked packets

echo "ip rule add from all fwmark 0x1 table uplink2" > /etc/sysconfig/network-scripts/rule-eth1

and don't forget to restart networking:

service network restart

Best Answer

Related Solutions

Firewall – Multiple interface NAT routing

Centos – Multihoming with iproute2 and multiple VLANs

Related Topic