On Thursday 12 January 2012 6:08:08 pm Lloyd Standish wrote:
> On Thu, 12 Jan 2012 15:51:18 -0600, Dimitri Yioulos <dyioulos@xxxxxxxxxxxxx> wrote:
> > I currently have an iptables/Netfilter firewall router
> > configured thusly:
> > WAN
> >
> > (192.168.x.x) LAN -- fw -- DMZ (10.x.x.x)
> > OK, pretty basic. And, it has worked well for a long time.
> > Now, I need to add a second WAN (provided by a second
> > provider). I need it to serve specific boxes in the DMZ, both
> > inbound and outbound. Currently, all boxes in the DMZ are
> > served by the single WAN connection. I'm not sure what other
> > information I need to provide you, but I'm hoping you all can
> > help with very specific instructions or a very detailed
> > how-to so I can get this accomplished. And, of course, I
> > need to get this done yesterday.
>
> Hi,
>
> I am not highly experienced compared to most other posters
> here, but I'll try to help :)
>
> Shouldn't your diagram indicate that the fw is connected to the
> WAN (not to the DMZ)? I will proceed under that assumption.
> If you have a Netfilter firewall installed, I think all
> interfaces would go "through" it.
>
>
> Adding a second (or more) uplink to a Netfilter firewall is
> easy. I suggest the following:
>
> 1. You could follow the basic information explained here, to
> set up split access:
> http://lartc.org/howto/lartc.rpdb.multiple-links.html After
> reading this and understanding about using multiple routing
> tables to route traffic through different interfaces (uplinks),
> you can proceed.
>
> 2. You would set up a custom routing table for the special DMZ
> traffic. Use the info in the above link to do that. Suppose
> it is called "DMZSPECIAL". You will set up routing to the new
> DMZ interface using the MYDMZ table, something like this:
>
> ip route add 10.x.x.x/8 dev ${DMZinterface} src ${wan} table DMZSPECIAL
> ip route add default via ${gateway} dev ${interface} table DMZSPECIAL
>
> (You will also keep your regular routing table to your old
> interface. Also of course you keep your SNAT over your
> existing interface, only for LAN hosts of course.)
>
> 3. You might create a custom chain for the new interface, which
> is supposed to serve the special DMZ hosts. This is to mark
> packets for subsequent decision on routing:
>
> iptables -t mangle -N CONNMARK1
> iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
> iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark
> iptables -t mangle -A CONNMARK1 -j ACCEPT
>
> 4. You would NEW mark all packets from the special DMZ hosts
> with fwmark 1, like this (repeat for each source IP or subnet
> to use the new interface):
>
> iptables -t mangle -A PREROUTING -m state --state NEW -s 10.x.x.x -j CONNMARK1
> etc.
>
>
> 5. You would restore the connection mark to the packet mark
> with a rule like this:
>
> iptables -t mangle -A PREROUTING -i ${dmz_if} -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
>
> Then add a policy routing rule, directing all traffic with the
> "1" mark to the new DMZ uplink:
>
> ip rule add fwmark 1 table DMZSPECIAL
>
> That should do it. Post back if you have any trouble.
> --
> Lloyd
Lloyd,
Our fw/router routes traffic to both our LAN and our DMZ. That's
how it was set up a long time ago and, again, it works very well.
Given that, do your instructions (btw, did I say I'm grateful for
your help) still work?
Dimitri
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
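The steps Lloyd lists above (policy table, CONNMARK1 chain, marking NEW flows from the special DMZ hosts, restoring the mark on replies, and the fwmark rule), collected into one script as an added example; it is not code from the thread. It generates the commands in dry-run form so it can be reviewed before running as root. Interface names, addresses, the table number 200, the SNAT and rp_filter lines are assumptions not taken from the thread.

```shell
#!/bin/sh
# Added example: multi-WAN policy routing for selected DMZ hosts, following the
# thread's outline. Table name DMZSPECIAL and fwmark 1 come from the thread;
# the table id, interface names and addresses below are assumed/constructed.
TABLE_NAME=DMZSPECIAL
TABLE_ID=200
FWMARK=1

# Print the commands that send the listed DMZ hosts out via the second uplink.
# Args: <wan2_if> <wan2_ip> <wan2_gw> <dmz_if> <dmz_host_or_subnet>...
multiwan_rules() {
    wan2_if=$1; wan2_ip=$2; wan2_gw=$3; dmz_if=$4; shift 4
    # Register the named routing table once (LARTC howto), then give it a
    # default route through the second provider.
    echo "grep -q \"$TABLE_NAME\" /etc/iproute2/rt_tables || echo \"$TABLE_ID $TABLE_NAME\" >> /etc/iproute2/rt_tables"
    echo "ip route add default via $wan2_gw dev $wan2_if src $wan2_ip table $TABLE_NAME"
    # Loose reverse-path filtering on the second WAN: strict mode drops
    # packets whose return route is in another table (assumed sysctl choice).
    echo "sysctl -w net.ipv4.conf.$wan2_if.rp_filter=2"
    # Marking chain: set the packet mark and save it on the conntrack entry.
    echo "iptables -t mangle -N CONNMARK1"
    echo "iptables -t mangle -A CONNMARK1 -j MARK --set-mark $FWMARK"
    echo "iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark"
    echo "iptables -t mangle -A CONNMARK1 -j ACCEPT"
    # Replies from the DMZ get the saved mark back, so an established flow
    # keeps using the uplink it started on.
    echo "iptables -t mangle -A PREROUTING -i $dmz_if -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark"
    # Outbound: NEW connections from each special host are marked.
    for h in "$@"; do
        echo "iptables -t mangle -A PREROUTING -i $dmz_if -m state --state NEW -s $h -j CONNMARK1"
    done
    # Inbound: NEW connections arriving on the second WAN are marked too,
    # so the DMZ host's replies leave through the same provider.
    echo "iptables -t mangle -A PREROUTING -i $wan2_if -m state --state NEW -j CONNMARK1"
    # Policy rule: marked packets consult the special table before main.
    echo "ip rule add fwmark $FWMARK table $TABLE_NAME"
    # Source NAT for traffic leaving via the second uplink (assumed setup).
    echo "iptables -t nat -A POSTROUTING -o $wan2_if -j SNAT --to-source $wan2_ip"
}

# Constructed sample values: eth2 is the second WAN, eth1 the DMZ side.
multiwan_rules eth2 203.0.113.10 203.0.113.1 eth1 10.1.1.5 10.1.1.6
```

Pipe the output through `sh` only after checking it against the existing ruleset; the rules are appended with `-A`, so they must come after any earlier PREROUTING mangle rules that should win.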