At work, we have two ADSL lines, one of which is faster than the other and tends to be used as the "main" route out of the office, but it has a dynamic IP address. The slower line has a static IP and has ports mapped for services I want to access remotely (eg SSH).
However, with the default gateway being set to the IP of the router on the faster line (say 192.169.10.1), this means that connections through the second router (say 192.168.11.1) don't work. My PC obviously has addresses on both subnets, and ought to be able to respond to a connection coming in on the 192.168.11.x address replying via a default gateway on that subnet, but as I understand it I only have one default gateway.
So, how should I set this up?
On 09/08/10 09:18, Mark Rogers wrote:
However, with the default gateway being set to the IP of the router on the faster line (say 192.169.10.1), this means that connections through the second router (say 192.168.11.1) don't work. My PC obviously has addresses on both subnets, and ought to be able to respond to a connection coming in on the 192.168.11.x address replying via a default gateway on that subnet, but as I understand it I only have one default gateway.
That could get a bit messy. If you always access ssh in from a specific address, then you could just set a static entry in your office machine's routing table that uses your second gateway as the route for the address (or block of addresses) you want to access ssh from.
That has the problem that any traffic to those addresses will be routed via your 2nd line.
Another (complicated) way might be to use iproute2 on the PC in the office.
I can't remember the exact magic but essentially you use iproute2 to create a new routing table and give it a number to identify it
Then you tell iptables to MARK all traffic based on the rules you want (so specific ports, specific destinations etc) with that number (it's an action like DROP)
Then you tell iproute2 to route all traffic marked with that number by your firewall via the new routing table you created with something like
ip rule add fwmark "number of table" table "table name"
I am sure after I did this I found several other more sane ways of doing it, one may have been to drop the iptables rules altogether and do it somehow within iproute's rules.
On 12 Aug 00:39, Wayne Stallwood wrote:
On 09/08/10 09:18, Mark Rogers wrote:
However, with the default gateway being set to the IP of the router on the faster line (say 192.169.10.1), this means that connections through the second router (say 192.168.11.1) don't work. My PC obviously has addresses on both subnets, and ought to be able to respond to a connection coming in on the 192.168.11.x address replying via a default gateway on that subnet, but as I understand it I only have one default gateway.
That could get a bit messy. If you always access ssh in from a specific address, then you could just set a static entry in your office machine's routing table that uses your second gateway as the route for the address (or block of addresses) you want to access ssh from.
That has the problem that any traffic to those addresses will be routed via your 2nd line.
Another (complicated) way might be to use iproute2 on the PC in the office.
That's not complicated, and as the PC is multihomed it's the right place to be making routing decisions, so, here's the trick:
Edit /etc/iproute2/rt_tables and add (at the bottom) a line that says:
11 second.router
Then, all you need to do is:
ip rule add from 192.168.11.0/24 table second.router
ip route add default dev eth0 via 192.168.11.1 table second.router
ip route add 192.168.11.0/24 dev eth0 table second.router
Obviously, eth0 is the device that you have the 192.168.11.x address on, and 192.168.11.1 is the address of the router; the file you edited is purely for aesthetics (so that an ip rule list gives you easier foo to read!).
The first line says "any packet from the 192.168.11.0/24 range, throw to routing table 11 (second.router)", the second adds the default route for that router, and the third adds access to the 192.168.11.0/24 range directly on that device, without sending those packets to the router.
Of course, this would not be so nice and easy on a windows box... but if you need that, then I'd suggest putting a permanent linux box in front of the 2 routers that does the cunning routing in any way you like and use that as the DHCP server and default gw instead.
Hope that helps,
On 12/08/10 11:34, Brett Parker wrote:
That's not complicated, and as the PC is multihomed it's the right place to be making routing decisions, so, here's the trick:
Edit /etc/iproute2/rt_tables and add (at the bottom) a line that says:
11 second.router
You mention that this is just for aesthetics: does the 11 have any significance, or did you just pick it because of the 192.168.*11*.0 subnet (ie does it need to match that, or is it just convention or convenience)?
Then, all you need to do is:
ip rule add from 192.168.11.0/24 table second.router
ip route add default dev eth0 via 192.168.11.1 table second.router
ip route add 192.168.11.0/24 dev eth0 table second.router
I've seen ip rules but never played with them, so I've never been sure how they persist. Do I need to add these to my ifup script, or are they a one-off? If the latter, where are they stored?
Of course, this would not be so nice and easy on a windows box... but if you need that, then I'd suggest putting a permanent linux box in front of the 2 routers that does the cunning routing in any way you like and use that as the DHCP server and default gw instead.
It would be nice to have similar options on the windows boxes, but on the other hand opening them up to the outside world isn't very secure anyway! It's only me that tends to do stuff like SSH to my desktop.
On 12 Aug 12:06, Mark Rogers wrote:
On 12/08/10 11:34, Brett Parker wrote:
That's not complicated, and as the PC is multihomed it's the right place to be making routing decisions, so, here's the trick:
Edit /etc/iproute2/rt_tables and add (at the bottom) a line that says:
11 second.router
You mention that this is just for aesthetics: does the 11 have any significance, or did you just pick it because of the 192.168.*11*.0 subnet (ie does it need to match that, or is it just convention or convenience)?
Basically, it just has to be a number between 1 and 252, 11 looked nice...
Then, all you need to do is:
ip rule add from 192.168.11.0/24 table second.router
ip route add default dev eth0 via 192.168.11.1 table second.router
ip route add 192.168.11.0/24 dev eth0 table second.router
I've seen ip rules but never played with them, so I've never been sure how they persist. Do I need to add these to my ifup script, or are they a one-off? If the latter, where are they stored?
I'd be adding them when the interface is brought up (post-up), and I'd be changing the add to a delete in a pre-down script.
So, yes, they're not persistent, you'll need them in an up/down script.
Of course, this would not be so nice and easy on a windows box... but if you need that, then I'd suggest putting a permanent linux box in front of the 2 routers that does the cunning routing in any way you like and use that as the DHCP server and default gw instead.
It would be nice to have similar options on the windows boxes, but on the other hand opening them up to the outside world isn't very secure anyway! It's only me that tends to do stuff like SSH to my desktop.
It's probably possible, but windows networking is always a little interesting.
Anyways - hope that all works!
Cheers,
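Brett's three commands and the point about putting them in up/down scripts fit together as one hook script. What follows is an added example, not code from Brett or Mark; it assumes table 11 is named second.router in /etc/iproute2/rt_tables, that the 192.168.11.x address is on eth0, and that ifupdown exports IFACE and MODE to its hook scripts.

```shell
#!/bin/sh
# Added example (not from the thread): one hook script for both
# /etc/network/if-up.d/ and /etc/network/if-down.d/, wrapping Brett's three
# commands. Assumes table 11 is named second.router in /etc/iproute2/rt_tables
# and that the 192.168.11.x address is on eth0.
TABLE=second.router
NET=192.168.11.0/24
GW=192.168.11.1
WANT_IFACE=eth0

# policy_route_cmds up|down: print the ip(8) commands for that direction.
# Going up, routes go in before the rule so the rule never points at an empty
# table; going down, the rule goes first. "replace" tolerates an existing route.
policy_route_cmds() {
    case "$1" in
        up)
            printf '%s\n' \
                "ip route replace $NET dev $WANT_IFACE table $TABLE" \
                "ip route replace default via $GW dev $WANT_IFACE table $TABLE" \
                "ip rule add from $NET table $TABLE"
            ;;
        down)
            printf '%s\n' \
                "ip rule del from $NET table $TABLE" \
                "ip route del default via $GW dev $WANT_IFACE table $TABLE" \
                "ip route del $NET dev $WANT_IFACE table $TABLE"
            ;;
        *)
            echo "usage: policy_route_cmds up|down" >&2
            return 2
            ;;
    esac
}

# ifupdown exports IFACE and MODE (start or stop); act only for the interface
# carrying the second subnet. Run by hand without them, nothing is changed.
if [ "${IFACE:-}" = "$WANT_IFACE" ]; then
    case "${MODE:-}" in
        start)
            # ip rule add is not idempotent: drop any stale copy first so
            # repeated ifup runs do not stack duplicate rules.
            ip rule del from "$NET" table "$TABLE" 2>/dev/null
            policy_route_cmds up | sh -e
            ;;
        stop)
            policy_route_cmds down | sh
            ;;
    esac
fi
```

Install the same file, executable, in both if-up.d and if-down.d; ip rule list and ip route show table second.router confirm the result after ifup.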
On 12/08/10 12:29, Brett Parker wrote:
I'd be adding them when the interface is brought up (post-up), and I'd be changing the add to a delete in a pre-down script.
In Ubuntu I have if-pre-up.d, if-up.d, if-down.d, if-post-down.d
So I've used if-up.d and if-down.d, is that right?
Next question: Can I modify my resolver settings from if-up? DHCP is only (capable of) giving me a single DNS search domain, and I need two. The Windows PCs have this given to them via group policies, but that's not much help to me (I assume!)
I have only ever edited /etc/resolv.conf before but that gets overwritten by NetworkMangler.
On 12 Aug 13:14, Mark Rogers wrote:
On 12/08/10 12:29, Brett Parker wrote:
I'd be adding them when the interface is brought up (post-up), and I'd be changing the add to a delete in a pre-down script.
In Ubuntu I have if-pre-up.d, if-up.d, if-down.d, if-post-down.d
So I've used if-up.d and if-down.d, is that right?
That'd be about right :)
Next question: Can I modify my resolver settings from if-up? DHCP is only (capable of) giving me a single DNS search domain, and I need two. The Windows PCs have this given to them via group policies, but that's not much help to me (I assume!)
Actually, it can give more than one, space separated... but that doesn't work for windows clients... ;)
I have only ever edited /etc/resolv.conf before but that gets overwritten by NetworkMangler.
If I remember correctly, network manager will play nicely with resolvconf, so install resolvconf, and do the magic in its configuration instead.
On 12/08/10 15:43, Brett Parker wrote:
Actually, it can give more than one, space separated... but that doesn't work for windows clients... ;)
Is that within the DHCP spec? Do Windows clients degrade gracefully and just use the first one?
If I remember correctly, network manager will play nicely with resolvconf, so install resolvconf, and do the magic in its configuration instead.
That looks like the way to go but I can't quite see how to go about it.
I tried echo "search my-domain" | resolvconf -a eth0 .. but that overwrites the config (ie it loses the nameserver info put in there by DHCP). How do all the various bits sit together?
On 12/08/10 16:13, Mark Rogers wrote:
I tried echo "search my-domain" | resolvconf -a eth0 .. but that overwrites the config (ie it loses the nameserver info put in there by DHCP). How do all the various bits sit together?
Still having no joy with this. I tried bypassing resolvconf and adding:
sed -i.old -e 's/search /search my-domain /i' /etc/resolv.conf
.. into an if-up.d script, but it's having no effect, I'm not sure why.
This is proving to be a real pain! Is there any way to fix my search domains so that all the relevant scripts load them from somewhere (environment variables?) and ignore what the DHCP server tells me?
Mark Rogers wrote:
This is proving to be a real pain! Is there any way to fix my search domains so that all the relevant scripts load them from somewhere (environment variables?) and ignore what the DHCP server tells me?
My guess would be to move or remove /etc/dhcp3/dhclient-enter-hooks.d/resolvconf or edit other files in /etc/resolvconf, but I didn't find a system with resolvconf installed to test it on when I looked around quickly.
Hope that helps,
On 16 Aug 12:28, MJ Ray wrote:
Mark Rogers wrote:
This is proving to be a real pain! Is there any way to fix my search domains so that all the relevant scripts load them from somewhere (environment variables?) and ignore what the DHCP server tells me?
My guess would be to move or remove /etc/dhcp3/dhclient-enter-hooks.d/resolvconf or edit other files in /etc/resolvconf, but I didn't find a system with resolvconf installed to test it on when I looked around quickly.
There is, if I remember rightly, a top and a bottom and all manner of interesting things that can be done with it, but I don't personally use it on my laptop at the moment (though, I keep meaning to, as then I could do DNS on a trusted DNS server over ipv6 rather than believing the ISP's nameservers on the connection I'm using...), I'll see if I get a chance later (but I'm of the axiom "if it ain't broke, don't fix it" for this laptop at the moment, as it's also my primary work machine).
Cheers,
On 16/08/10 12:45, Brett Parker wrote:
There is, if I remember rightly, a top and a bottom and all manner of interesting things that can be done with it, but I don't personally use it on my laptop at the moment (though, I keep meaning to, as then I could do DNS on a trusted DNS server over ipv6 rather than believing the ISP's nameservers on the connection I'm using...), I'll see if I get a chance later (but I'm of the axiom "if it ain't broke, don't fix it" for this laptop at the moment, as it's also my primary work machine)
Indeed, top and bottom are there (in /etc/resolvconf/resolv.conf.d/ as head and tail respectively). However I want to edit one of the lines, not just append to the file.
After a reboot, my /etc/resolv.conf says:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.11.10
search ourdomain.local
What I want it to say is:
nameserver 192.168.11.10
search ourdomain.co.uk ourdomain.local
*Ideally* I want to just add ourdomain.co.uk, not replace the whole line. That way if the DHCP server sends something different in future then I don't need to change my hack.
On Mon, Aug 16, 2010 at 12:58:05PM +0100, Mark Rogers wrote:
On 16/08/10 12:45, Brett Parker wrote:
There is, if I remember rightly, a top and a bottom and all manner of interesting things that can be done with it, but I don't personally use it on my laptop at the moment (though, I keep meaning to, as then I could do DNS on a trusted DNS server over ipv6 rather than believing the ISPs nameservers on the connection I'm using...), I'll see if I get a chance later (but I'm of the axiom "if it ain't broke, don't fix it" for this laptop at the moment, as it's also my primary work machine)
Indeed, top and bottom are there (in /etc/resolvconf/resolv.conf.d/ as head and tail respectively). However I want to edit one of the lines, not just append to the file.
After a reboot, my /etc/resolv.conf says:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.11.10
search ourdomain.local
What I want it to say is:
nameserver 192.168.11.10
search ourdomain.co.uk ourdomain.local
*Ideally* I want to just add ourdomain.co.uk, not replace the whole line. That way if the DHCP server sends something different in future then I don't need to change my hack.
Add:
prepend domain-name "ourdomain.co.uk";
to /etc/dhcp/dhclient.conf ?
J.
On 16/08/10 13:41, Jonathan McDowell wrote:
prepend domain-name "ourdomain.co.uk";
to /etc/dhcp/dhclient.conf ?
Ah, that looks promising.
<tinker...>
Doesn't seem to be working though (as in nothing seems to have changed). Maybe I now need to get rid of resolvconf?
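The thread ends without a recipe that adds ourdomain.co.uk while keeping the DHCP-supplied ourdomain.local, so here is an added example, not code from any of the posters. The merge function handles the cases a plain sed substitution misses (no search line, a legacy domain line, the domain already present); the resolvconf part assumes, as Debian's resolvconf does, that it merges the search lists of all registered records, and the record name eth0.extra is my own choice.

```shell
#!/bin/sh
# Added example, not from the thread: add ourdomain.co.uk to the search list
# while keeping whatever search domain DHCP supplied (here ourdomain.local).
EXTRA_DOMAIN=ourdomain.co.uk

# merge_search DOMAIN: read a resolv.conf on stdin and print it with DOMAIN
# prepended to the search list. Handles a missing search line, a legacy
# "domain" line, and DOMAIN already being present (so it is idempotent),
# which is where a plain sed substitution falls short.
merge_search() {
    awk -v extra="$1" '
        /^(search|domain)[ \t]/ && !seen {
            n = split($0, f, /[ \t]+/)
            line = "search " extra
            for (i = 2; i <= n; i++)
                if (f[i] != "" && f[i] != extra) line = line " " f[i]
            print line; seen = 1; next
        }
        { print }
        END { if (!seen) print "search " extra }
    '
}

# Constructed input: the resolvconf-generated file quoted in the thread.
SAMPLE='# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.11.10
search ourdomain.local'

merged_sample() { printf '%s\n' "$SAMPLE" | merge_search "$EXTRA_DOMAIN"; }

# With resolvconf installed, editing /etc/resolv.conf is pointless because it
# is rebuilt from per-interface records. Instead, hand the extra domain to
# resolvconf as its own record (the name eth0.extra is my choice); resolvconf
# merges the search lists of all records, so eth0's DHCP record is untouched.
# Run as root from an if-up.d script: ./this-script --register
case "${1:-}" in
    --register) printf 'search %s\n' "$EXTRA_DOMAIN" | resolvconf -a eth0.extra ;;
    --show)     merged_sample ;;
esac
```

The matching if-down.d step is resolvconf -d eth0.extra, so the extra domain disappears with the interface.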