Preamble
So I work a lot from home, approx 99% of the time, and soon my wife will be joining me in working from home, one day a week.
One line is fibre from Virgin Media (150Mb+), the other is an ADSL line from BOnline (7Mb+), which uses the Tiscali network (AS9105). I kept them separate, as the missus isn't technical, so auto-failover routing issues might not be diagnosable for her, and it's easy for her to swap between primary and backup lines by just changing wifi SSIDs.
So one of the things provided by BOnline was a Technicolor TG582n router (not the best, but it'll do); after all, it is only a backup line to get internet access.
Current setup. The switches are HP ProCurve managed switches with 4 x 1Gb trunked (port-channelled) links between them.

Internet1 ---> [eth2] Firewall1 (vlan1) ----+----- wifi1 (vlan1)
                                            |
                                            +----- switch1 (vlan 1,2)
                                            |        | | | |
Internet2 ---> Technicolor (vlan2) ---------+----- switch2 (vlan 1,2)
                                            |
                                            +----- wifi2 (vlan2)
Requirements
* For traffic on the backup line to be able to access the internal LAN (192.168.2.0/24).
* For traffic on the internal LAN to be able to access anything on the backup line LAN (192.168.1.0/24).
* For both lines to be able to access the internet independently of each other.
* To be able to VPN/SSH into the firewall from either the primary line or the backup line.
Steps
So one of the first things to do is get it connected to my main LAN. Steps needed:
* Add a VLAN for the backup line
* Ensure the DHCP scopes do not conflict (each line keeps its own subnet: 192.168.2.0/24 on the main LAN, 192.168.1.0/24 on the backup line)
* Add static routing to the Technicolor
* Add routing to the firewall
Setup
So I added a VLAN to the HP ProCurve switch for the port connected to eth1, made that port untagged in the new VLAN to force all of its traffic onto the backup VLAN, and excluded the port from all other VLANs.

Internet ---> [eth2] Firewall ----+----- [eth0] LAN    192.168.2.254/24
                                  |
                                  +----- [eth1] Backup 192.168.1.200/24
                                  |
                                  +----- [eth3] DMZ    10.40.0.0/24
I allocated eth1 to the new LAN and assigned 192.168.1.200 to it (set in /etc/network/interfaces). I then needed a static route on the Technicolor so that everything on the backup line knew how to reach the main LAN (192.168.2.0/24) via the firewall. You can't do this via the web interface, as nothing that advanced is listed there.
The Technicolor has telnet access, so after setting myself up an account and telnetting in, I issued:
ip rtadd dst=192.168.2.0/24 gateway=192.168.1.200
saveall
The destination mask must be /24 to cover the whole main LAN (a /25 would only reach 192.168.2.0-127 and would miss the firewall's own 192.168.2.254). Don't forget saveall: without it the route only lives in the running config and will be gone after the next reboot.
Then I port-forwarded a port on the Technicolor's WAN side to SSH on my firewall (eth1, 192.168.1.200). Since this exposes sshd on a second public address, make sure it only accepts key-based logins.
Testing SSH access, I tried SSHing to my backup line and got this in the firewall logs (if you've enabled martian logging, your syslog will have entries similar to this):
Mar 18 15:56:31 aibo2 kernel: [586653.881530] IPv4: martian source 192.168.1.200 from 77.96.x.x, on dev eth1
This looked funny to me, as 77.96.x.x is my primary line (Virgin Media); my backup line was 79.78.x.x. What was going on?
The kernel's message reads backwards from how it looks: "martian source A from B, on dev X" means a packet addressed to A arrived from source B on interface X. So a packet for 192.168.1.200 came in on eth1 with a source address of 77.96.x.x, and 77.96.x.x is the firewall's own Virgin Media address, because that is my default route and where everything leaving the LAN goes out. Linux will not accept a packet arriving on an interface that claims to come from one of its own addresses, nor (with the reverse path filter, rp_filter, enabled) one whose source it would route back out of a different interface, and it logs such packets as martians. In other words my test was a hairpin: the SSH connection left over Virgin Media and came straight back in over the backup line. A port forward like this is only really tested from a third network, such as a phone on mobile data.
So we need to change the routing, so that all packets from the backup line are associated with the backup interface and are not routed through my default route.
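As an added example (not from the original post), here is a small shell helper that decodes martian log lines the way the kernel means them and checks whether the offending source address is one of the firewall's own, which is the hairpin case above. The log line and addresses in it are constructed: 203.0.113.7 stands in for the masked Virgin Media address, and the "ip@dev" list is what the post's firewall would show in ip -4 -br addr.

```shell
#!/bin/sh
# Decode kernel "martian source" log lines (added example, not the original post's code).
# The kernel prints:  martian source <DESTINATION> from <SOURCE>, on dev <IF>
# so the address after "martian source" is where the packet was going and the one
# after "from" is where it claims to come from, the reverse of how the line reads.
set -eu

# Constructed sample: the post's log line with the masked Virgin Media address replaced
# by 203.0.113.7 (TEST-NET-3), plus the firewall's own addresses as "ip@dev" pairs.
SAMPLE_LOG='Mar 18 15:56:31 aibo2 kernel: [586653.881530] IPv4: martian source 192.168.1.200 from 203.0.113.7, on dev eth1'
LOCAL_ADDRS='203.0.113.7@eth2 192.168.1.200@eth1 192.168.2.254@eth0'

# parse_martian LINE  ->  "dst=<ip> src=<ip> dev=<if>", or nothing if LINE is not a martian message.
parse_martian() {
    printf '%s\n' "$1" | sed -n \
        's/.*martian source \([0-9][0-9.]*\) from \([0-9][0-9.]*\), on dev \([A-Za-z0-9._-]*\).*/dst=\1 src=\2 dev=\3/p'
}

# classify_martian SRC LOCAL_ADDRS  ->  one of:
#   own-address <if>  SRC is an address of this box (on <if>): the packet hairpinned, e.g. it
#                     left via the eth2 WAN address and came back in through another interface,
#                     which the kernel never accepts (unless net.ipv4.conf.<if>.accept_local=1)
#   unknown           SRC is not local: the reverse path check (rp_filter) found no route back
#                     out of the receiving interface, i.e. an asymmetric route or a spoofed source
classify_martian() {
    src=$1; addrs=$2
    for entry in $addrs; do
        if [ "${entry%@*}" = "$src" ]; then
            printf 'own-address %s\n' "${entry#*@}"
            return 0
        fi
    done
    echo unknown
}

# explain_martian LINE LOCAL_ADDRS  ->  one human-readable verdict line.
explain_martian() {
    line=$1; addrs=$2
    parsed=$(parse_martian "$line")
    if [ -z "$parsed" ]; then echo "not a martian log line"; return 0; fi
    set -- $parsed                      # three "k=v" words from parse_martian
    dst=${1#dst=}; src=${2#src=}; dev=${3#dev=}
    verdict=$(classify_martian "$src" "$addrs")
    case $verdict in
        own-address*) echo "packet to $dst arrived on $dev from $src, which is this box's own address on ${verdict#own-address }: hairpin via the other WAN" ;;
        *)            echo "packet to $dst arrived on $dev from $src, which is not local: reverse path for $src is not $dev" ;;
    esac
}

explain_martian "$SAMPLE_LOG" "$LOCAL_ADDRS"
```

On a live box, feed it real lines with something like grep martian /var/log/syslog and the output of ip -4 -br addr reshaped into the "ip@dev" form; the own-address verdict means the test was a hairpin, the other verdict means the return route for that source does not point at the interface the packet came in on.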
Routing
Pre-req: iproute2 (this should be installed by default)
So we need Linux to understand that packets from eth1 stay with eth1 and are not routed via the default eth2.
So edit /etc/iproute2/rt_tables and add a table for beonline; the file then looks like this:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 beonline
Then add a route for the backup subnet itself into table beonline (anything for 192.168.1.0/24 goes out of eth1 with a source of 192.168.1.200), a default route for table beonline via the Technicolor (192.168.1.254), and finally a rule so that anything with a source address of 192.168.1.200 is looked up in table beonline rather than main:
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.200 table beonline
ip route add default via 192.168.1.254 table beonline
ip rule add from 192.168.1.200 table beonline
The rule is also what makes inbound connections on the backup line pass the reverse path check: for a packet arriving on eth1 for 192.168.1.200, the kernel looks up the return path with 192.168.1.200 as the source, hits this rule, and finds eth1. Two caveats: the rule only matches traffic the firewall sources itself from 192.168.1.200, so forwarded traffic from the main LAN still follows the main table and the Virgin Media default route; and ip route/ip rule changes are not persistent, so they have to be re-applied at boot (e.g. from a post-up line for eth1 in /etc/network/interfaces).
This works for me. Note that a plain ip route only lists the main table (use ip route show table beonline to see the new one); my main table looks like so:
root@aibo2:/etc# ip route
default via 77.96.x.x dev eth2 metric 100
77.96.x.0/22 dev eth2 proto kernel scope link src 77.96.x.x
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.200
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.254
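Pulling the routing steps together, here is an added example (not the post's own script) that applies the rt_tables entry, the two routes and the rule idempotently, so it can be re-run from a post-up hook without failing with "RTNETLINK answers: File exists", and then asks the kernel what it actually does with a packet sourced from the backup address. The interface, addresses, gateway and table name default to the post's values and can be overridden through the environment variables shown (those names, and the file name dualwan.sh used below, are this example's own); DRY_RUN=1 prints the ip commands instead of running them, which needs root.

```shell
#!/bin/sh
# Idempotent second-WAN policy routing with iproute2 (added example, not the post's script).
# Defaults follow the post: eth1 = backup line, firewall address 192.168.1.200,
# Technicolor gateway 192.168.1.254, routing table "beonline" with id 1.
set -eu

TABLE_NAME=${TABLE_NAME:-beonline}
TABLE_ID=${TABLE_ID:-1}
IFACE=${IFACE:-eth1}
LOCAL_IP=${LOCAL_IP:-192.168.1.200}
SUBNET=${SUBNET:-192.168.1.0/24}
GATEWAY=${GATEWAY:-192.168.1.254}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-}      # DRY_RUN=1: print the ip commands instead of executing them

run() {                   # execute the command, or just echo it when dry-running
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Add "ID NAME" to rt_tables exactly once; a second run must not append a duplicate.
ensure_rt_table() {
    if ! grep -Eq "^[[:space:]]*${TABLE_ID}[[:space:]]+${TABLE_NAME}[[:space:]]*$" "$RT_TABLES"; then
        printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    fi
}

# The post's routing, made re-runnable: flush the table first so "ip route add" never
# hits "File exists", and only add the rule when it is not already there ("ip rule add"
# happily creates duplicates, which then have to be deleted one by one).
apply_policy_routing() {
    ensure_rt_table
    run ip route flush table "$TABLE_NAME"
    run ip route add "$SUBNET" dev "$IFACE" src "$LOCAL_IP" table "$TABLE_NAME"
    run ip route add default via "$GATEWAY" dev "$IFACE" table "$TABLE_NAME"
    if ! ip -4 rule show 2>/dev/null | grep -q "from ${LOCAL_IP} lookup ${TABLE_NAME}"; then
        run ip rule add from "$LOCAL_IP" table "$TABLE_NAME"
    fi
}

# Ask the kernel which way it would send a packet. With the post's setup the first line
# ends up on the primary line ("dev eth2"), the second on "dev eth1 table beonline".
verify_paths() {
    ip route get 8.8.8.8
    ip route get 8.8.8.8 from "$LOCAL_IP"
}

case ${1:-} in
    apply)  apply_policy_routing ;;
    verify) verify_paths ;;
esac
```

Run sh dualwan.sh apply as root and then sh dualwan.sh verify; to survive a reboot, put "post-up /path/to/dualwan.sh apply" under the eth1 stanza in /etc/network/interfaces. The rule still only covers traffic the firewall sources itself from 192.168.1.200; forwarded main-LAN traffic keeps following the main table.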
NAT/Masquerade
As an extra step, I added an iptables rule to masquerade all traffic leaving eth1 towards the Technicolor router. I wasn't sure if this was necessary, but added it anyway (thinking about it, probably not, since I added a static route on the Technicolor). The two do different jobs: masquerading rewrites forwarded main-LAN traffic to 192.168.1.200, so the Technicolor never needs a return route for 192.168.2.0/24 in that direction, while the static route is what lets hosts on the backup line open connections into 192.168.2.0/24 in the first place.
To test this is all working, you can use ping or, better, traceroute from your firewall:
via virgin media
root@aibo2:/etc# traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 10.89.x.x (10.89.x.x) 6.719 ms 6.675 ms 6.640 ms
2 croy-core-2a-ae6-648.network.virginmedia.net (81.96.228.201) 9.544 ms 9.576 ms 9.528 ms
3 * * *
4 * * *
5 * * *
6 72.14.198.97 (72.14.198.97) 18.411 ms 18.529 ms 18.611 ms
7 72.14.233.247 (72.14.233.247) 23.630 ms 209.85.253.95 (209.85.253.95) 27.590 ms 27.279 ms
8 209.85.245.187 (209.85.245.187) 32.126 ms 209.85.242.123 (209.85.242.123) 32.164 ms 209.85.142.177 (209.85.142.177) 32.024 ms
9 google-public-dns-a.google.com (8.8.8.8) 31.025 ms 21.973 ms 11.934 ms
via beonline
root@aibo2:/etc# traceroute -s 192.168.1.200 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 192.168.1.254 (192.168.1.254) 0.729 ms 0.946 ms 1.408 ms
2 host-62-24-254-203.as13285.net (62.24.254.203) 27.596 ms 29.215 ms 28.727 ms
3 host-78-151-228-57.as13285.net (78.151.228.57) 29.979 ms 31.896 ms 31.348 ms
4 host-78-151-228-78.as13285.net (78.151.228.78) 33.601 ms host-78-151-228-72.as13285.net (78.151.228.72) 34.557 ms host-78-151-228-70.as13285.net (78.151.228.70) 34.967 ms
5 host-78-144-11-223.as13285.net (78.144.11.223) 36.972 ms host-78-144-11-117.as13285.net (78.144.11.117) 37.424 ms host-78-144-9-81.as13285.net (78.144.9.81) 38.420 ms
6 72.14.214.222 (72.14.214.222) 39.440 ms 25.707 ms 27.260 ms
7 216.239.56.67 (216.239.56.67) 27.685 ms 216.239.56.203 (216.239.56.203) 26.193 ms 216.239.56.67 (216.239.56.67) 26.010 ms
8 216.239.57.131 (216.239.57.131) 31.134 ms 216.239.57.153 (216.239.57.153) 29.699 ms 216.239.57.131 (216.239.57.131) 32.021 ms
9 google-public-dns-a.google.com (8.8.8.8) 34.251 ms 32.332 ms 34.870 ms
Note that traffic by default routes over my primary line (Virgin Media), so no source address is needed. With beonline, I have to specify the source address so that the kernel knows to push the traffic via eth1 (the backup line).
In part 2, I will be discussing how to route specific traffic over one connection or the other, e.g. FTP traffic over your primary line but Skype traffic over your backup line.