02-17-2005
Firewall - 2 Internet accesses - routing rules from source
Hello,
I would like to modify my firewall configuration for being able to handle 2 internet connections in my Red zone.
I would then like to configure some selecting routing rules depending on the internal source.
Actual configuration:
=====================
1 router A (ISP)
|
| (Red) with different public adresses
|
FW---------------- (Orange)
|
|(green)
|
===================== (LAN)
the default gateway of my firewall is fixed to the @ of my ISP router
New desired configuration :
=====================
I now have 2 ISP providers with 2 different routers. (belonging to my ISP)
In the future I even think to add some more new ones.
routers A(ISP-A) and router B (ISP-B)
-------------
|
| (Red) with different public adresses
|
FW---------------- (Orange)
|
|(green)
|
===================== (LAN)
I wish to configure some routing rules in my firewall, so to be able to select the INTERNET exit gateway depending on the internal source.
I succeeded to make a simulation of this situation, using a Linux server as firewall and router.
I configured all rules in the Linux box using commands like : iptables, ip rule, an so on... .
I used some examples found in books and in Internet pages or forum.
But now I'm looking in a way to do it in my PRODCTION environment with my SMOOTHWALL-SERVER firewall.
I did not succeed to find how to do it with the Web interface of this product. Or better say, I did not know exactly where to look for it.
I even tried to force a configuration in a text mode command. But it seems that ip rule commands are not usable in the kernel situation of the Smoothwall.
If anyone knows how to do it with Smoothwall Server or Smoothwall Express I would appreciate some help. From a Smoothwall Express example, I would surely find a similar way of doing it with Smoothwall Server.
Here is the example of the routing rules I would like to be able to configure.
* all internet traffic from a server A in my LAN zone should pass through router B to go to the INTERNET.
* and all the traffic from all other computers or servers from my LAN should go through router A.
or the same rule for computers in my orange zone.
* all internet traffic from a server B in my orange zone should pass through router B to go to the INTERNET.
* and all the traffic from all other computers or servers from my orange zone should go through router A.
My question will perhaps seems a little bit tricky or even stupid for some of you.
But I'm a beginner in firewall configuration and I do not know much about it.
I just a begginer and any help will be fully appreciate.
Thanks for any indications or help that can guide me through my researches an tests.
Excuse all english mistakes in this text. I'm just a french guy and I do not write in english very often.
Thanks to all of you.
8 More Discussions You Might Find Interesting
1. IP Networking
I'm running OS X. (OS X Server actually) and right now I use a program called BrickHouse to handle my router configuration. But this program kind of sucks. I'd much rather learn how to configure these programs manually. By these programs, I mean the programs OS X comes with to handle these jobs... (0 Replies)
Discussion started by: l008com
0 Replies
2. UNIX for Dummies Questions & Answers
any recommendations ?
thanks (1 Reply)
Discussion started by: upirate
1 Replies
3. UNIX for Advanced & Expert Users
I have a PC with KUBUNTU installed on it and with 2NIC's on it (two PCI network 100Mbit cards). I want to use it as a server packet router and firewall between two computers with windows installed on them, each of this computer being connected to one different card on the KUBUNTU server. The... (1 Reply)
Discussion started by: meorfi
1 Replies
4. Linux
Hi to all.
There are eth0(wan) eth1(lan) and eth3(dmz) in my debian router.
In dmz is planing dns, ad, dhcp, smtp/pop/imap, https(web-based imap client). I don't configured rules on "iptables" and "route" loads for right relation lan clients with dmz services.
Please explain me example... (0 Replies)
Discussion started by: sotich82
0 Replies
5. IP Networking
hi,
i have this diagram
internet
|
|
--------------
|firewall/sslvpn |
--------------
|
| 192.168.0.0/24
|
-------------------------- ---- -------------
| internet gateway win2003|----|10.1.2.0/24 |... (0 Replies)
Discussion started by: itik
0 Replies
6. Red Hat
Hi Gurus,
I need to add Multicast Port = xyz
Multicast Address = 123.134.143 ( example) to my firewall rules. Can you please guide me with the lines I need to update my iptables files with. (0 Replies)
Discussion started by: rama krishna
0 Replies
7. IP Networking
Hello
I have a question about routing in MANET using Dynamic Source Routing protocol.
IN RFC4728 (DSR) in section "IP fields" of RREP (Route Reply) packet we have this:
ok.
I read in several books and also in rfc4728 that: when a source node (node that initiate route discovery process)... (1 Reply)
Discussion started by: acu281
1 Replies
8. IP Networking
Hello,
since a while, i have a very strange and frustrating network problem with my Huawei p6(Android 4.4.2). The ROM is "Omni Rom", i think - but it shouldn't matter.
The problem is: when i try to connect through wlan (i have no mobile internet), according to the network manager of android,... (1 Reply)
Discussion started by: Palindrom
1 Replies
LEARN ABOUT DEBIAN
shorewall6-rtrules
SHOREWALL6-RTRULES(5) [FIXME: manual] SHOREWALL6-RTRULES(5)
NAME
rtrules - Shorewall6 Routing Rules file
SYNOPSIS
/etc/shorewall6/rtrules
DESCRIPTION
Entries in this file cause traffic to be routed to one of the providers listed in shorewall6-providers[1](5).
The columns in the file are as follows.
SOURCE (Optional) - {-|interface|address|interface:<address>}
An ip address (network or host) that matches the source IP address in a packet. May also be specified as an interface name optionally
followed by ":" and an address. If the device lo is specified, the packet must originate from the firewall itself.
Beginning with Shorewall 4.5.0, you may specify &interface in this column to indicate that the source is the primary IP address of the
named interface.
DEST (Optional) - {-|address}
An ip address (network or host) that matches the destination IP address in a packet.
If you choose to omit either SOURCE or DEST, place "-" in that column. Note that you may not omit both SOURCE and DEST.
PROVIDER - {provider-name|provider-number|main}
The provider to route the traffic through. May be expressed either as the provider name or the provider number. May also be main or 254
for the main routing table. This can be used in combination with VPN tunnels, see example 2 below.
PRIORITY - priority
The rule's numeric priority which determines the order in which the rules are processed. Rules with equal priority are applied in the
order in which they appear in the file.
1000-1999
Before Shorewall6-generated 'MARK' rules
11000-11999
After 'MARK' rules but before Shorewall6-generated rules for ISP interfaces.
26000-26999
After ISP interface rules but before 'default' rule.
MARK - {-|mark[/mask]}
Optional -- added in Shorewall 4.4.25. For this rule to be applied to a packet, the packet's mark value must match the mark when
logically anded with the mask. If a mask is not supplied, Shorewall supplies a suitable provider mask.
EXAMPLES
Example 1:
You want all traffic coming in on eth1 to be routed to the ISP1 provider.
#SOURCE DEST PROVIDER PRIORITY MASK
eth1 - ISP1 1000
FILES
/etc/shorewall6/rtrules
SEE ALSO
http://shorewall.net/MultiISP.html
shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5), shorewall6-routestopped(5),
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)
NOTES
1. shorewall6-providers
http://www.shorewall.net/manpages6/shorewall6-providers.html
[FIXME: source] 06/28/2012 SHOREWALL6-RTRULES(5)