How to elegantly handle two ISPs on a single box?

Dean Anderson dean at av8.com
Wed Apr 6 21:20:50 CEST 2005


Run zebra/quagga on your NAT boxes and "My Box", and have each announce a
default route to "My Box". You will need a strong preference on the
default route, so that they don't oscillate or 'load balance'. If the
selected ISP drops (or your default route changes), you will lose all of
your running TCP connections. 

It looks like you don't have any static IP addresses and no servers
handling incoming connections. So it should all work.

But "elegantly, single box" was the question. I'd say best is to connect 
both ISPs directly to "My Box" and have it do the NATing.

		--Dean

On Wed, 6 Apr 2005, Marc Haber wrote:

> Hi,
> 
> given the following setting:
> 
> 
> 
> ---------               ---------
> | ISP A |               | ISP B |
> ---------               ---------
>     | 10.0.0.2/30           | 172.16.0.130/30
>     |                       |
>     |                       | 172.16.0.129/30
>     |     10.0.0.1/30  ----------        
>     -------------------| My Box |
>                        ----------
>                           | 192.168.13.254/24
>                           |
>                           |
>              -------------------------- internal network
>                     192.168.13.0/24
> 
> 
> 
> Both ISPs deliver full internet connectivity, but I have to NAT
> towards the internet.
> 
> ISP B is new, so my only default route currently points towards
> 172.16.0.130, and I would like to be able to switch back and forth
> between the two ISPs, pretty dynamically choosing which host on the
> internal network should use which ISP.
> 
> My Box runs Debian woody, so we are limited to a 2.4 kernel and
> iptables 1.2.6.
> 
> So I am pretty convinced that I need a combination of source policy
> routing (which I know is not done by netfilter) and SNAT.
> 
> Ideally, I would have an outgoing packet NATted to the appropriate
> public IP:
>   iptables --table nat --append POSTROUTING --src 192.168.13.4
>      --jump SNAT --to-source 172.16.0.129
>   iptables --table nat --append POSTROUTING --src 192.168.13.5
>      --jump SNAT --to-source 10.0.0.1
> and then have source policy routing in place:
> $ ip rule
> 0:      from all lookup local
> 10:     to 192.168.13.0/24 lookup main
> 20:     from 10.0.0.1 lookup ispA
> 30:     from 172.16.0.129 lookup ispB
> 32766:  from all lookup main
> 32767:  from all lookup default
> $ ip route list table ispA
> default via 10.0.0.2
> $ ip route list table ispB
> default via 172.16.0.130
> 
> But unfortunately, this doesn't work, as the table name POSTROUTING
> suggests. So, it looks like it is necessary to first have appropriate
> rules to select the appropriate routing table to route to the
> appropriate interface, and then do the Source NAT to the appropriate
> IP address, selecting on the Interface. This seems to be awfully
> error-prone, since "ip rule" and netfilter have the reputation of not
> working together very well.
> 
> The other idea I have would be putting an appropriate fwmark on the
> packet in the FORWARD chain, and then doing both the routing decision
> _and_ the SNAT based on the fwmark. But I am not too fond of that idea
> as well.
> 
> Is there a more elegant way to do it? Did I miss any docs?
> 
> Any hints will be appreciated.
> 
> Greetings
> Marc
> 
> 

-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
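The fwmark approach Marc sketches (mark in mangle, route and SNAT on the mark) is the one that actually works on a 2.4 kernel, combined with Dean's suggestion of terminating both ISP links on "My Box" and NATing there. The script below is an added example and not code from either poster; it uses the addresses from the diagram, while the interface names (eth0 = ISP A link, eth1 = ISP B link, eth2 = internal LAN), the table ids 100/200 and the mark values 1/2 are assumptions. Two details matter: the mark has to be set in mangle PREROUTING, because for forwarded packets the routing decision is made before the FORWARD chain runs, and SNAT is then selected on the outgoing interface in nat POSTROUTING, which runs after routing. Without APPLY=1 it only prints the commands, so it can be dry-run on any machine.

```shell
#!/bin/sh
# Added example (not from the original post): per-host ISP selection on
# "My Box" with fwmark policy routing and interface-selected SNAT.
# Assumed (not in the post): eth0 = ISP A link, eth1 = ISP B link,
# eth2 = LAN, routing tables 100/200, marks 1/2.
# Without APPLY=1 the commands are only printed.

ISPA_IF=eth0; ISPA_IP=10.0.0.1;     ISPA_GW=10.0.0.2
ISPB_IF=eth1; ISPB_IP=172.16.0.129; ISPB_GW=172.16.0.130
LAN_IF=eth2;  LAN=192.168.13.0/24

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# 1. One routing table per ISP. Traffic the box generates itself is routed by
#    its source address (replies leave by the link that owns the address);
#    forwarded traffic is routed by the mark set in step 2. Internal
#    destinations are sent to the main table first so a marked packet to the
#    LAN is not pushed out of an uplink.
setup_routing() {
    run ip route add default via "$ISPA_GW" dev "$ISPA_IF" table 100
    run ip route add default via "$ISPB_GW" dev "$ISPB_IF" table 200
    run ip rule add to "$LAN" lookup main pref 10
    run ip rule add from "$ISPA_IP" lookup 100 pref 20
    run ip rule add from "$ISPB_IP" lookup 200 pref 30
    run ip rule add fwmark 1 lookup 100 pref 40
    run ip rule add fwmark 2 lookup 200 pref 41
    run ip route flush cache
    # 2.4's reverse-path filter is strict: a reply to a NATed connection that
    # comes back on the uplink which is not the main table's default fails
    # the check and is dropped. Turn it off on the uplinks only.
    for i in "$ISPA_IF" "$ISPB_IF"; do
        run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$i/rp_filter"
    done
}

# 2. Choose the ISP per internal host. The mark must be set in mangle
#    PREROUTING: the routing decision for forwarded packets is taken before
#    FORWARD, so a mark set in FORWARD cannot influence the route.
mark_host() {   # mark_host <internal-ip> <1|2>
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$1" -j MARK --set-mark "$2"
}

# 3. SNAT selected by outgoing interface. nat/POSTROUTING runs after routing,
#    so -o is reliable here; conntrack reverses the translation on replies.
setup_snat() {
    run iptables -t nat -A POSTROUTING -s "$LAN" -o "$ISPA_IF" -j SNAT --to-source "$ISPA_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN" -o "$ISPB_IF" -j SNAT --to-source "$ISPB_IP"
}

# Hosts without a mark fall through to the main table's default route.
# Moving a host to the other ISP is a matter of changing its mark.
configure() {
    setup_routing
    mark_host 192.168.13.4 2   # .4 leaves via ISP B
    mark_host 192.168.13.5 1   # .5 leaves via ISP A
    setup_snat
}

configure
```

Because every packet from a host is marked the same way, a connection stays on one ISP for its lifetime; changing a host's mark only affects new connections, and, as Dean notes, a NATed TCP connection does not survive a switch of uplink. The rp_filter step is the usual cause of "policy routing works for the router itself but not for the LAN" reports on 2.4.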