I have this machine (Leonardo is its name) that acts as a
gateway/firewall/masquerader to the Internet for a private organization.
Until recently, it had its own public IP address, and was connected to the
Internet through an ISDN router placed on the same local ethernet segment,
like this:
    Leonardo             ISDN router
       |                     |
    a.a.a.238 ------> a.a.a.237 ------> Internet
So far, the configuration is trivial; in fact, the following lines were enough
to configure it and get the above working:
ifconfig eth1 a.a.a.238 broadcast a.a.a.255 netmask a.a.a.0
route add -net a.a.a.0 netmask a.a.a.255 dev eth1
route add default gw a.a.a.237 metric 1
where eth1 is the ethernet card for the traffic outside the private LAN (eth0
and the internal routing are ok, so I'll ignore them in this discussion).
Since the link to the Internet was just 64 Kbps, we have recently obtained
from the local telco a T1 link through another router, which has a different
IP address, being on a different class C network. The router has been placed
on the same physical ethernet segment:
    T1 router              Leonardo            ISDN router
       |                      |                     |
    Internet <-- b.b.b.1 <------- a.a.a.238 ---> a.a.a.237 ---> Internet
In order to address the new router without adding another network card, I
thought I would add a new IP address to the same card, with:
ifconfig eth1:0 b.b.b.2 broadcast b.b.b.255 netmask b.b.b.0
where b.b.b.2 will be the new additional IP address for Leonardo and then:
route add -net b.b.b.0 netmask b.b.b.255 dev eth1:0
At this stage, everything is still ok: I can ping both routers, and start
adding static test routes to external hosts through the new router, as with:
route add -host ftp.cdrom.com gw b.b.b.1
and happily connect to ftp.cdrom.com and download at >70 Kb/sec.
For the final touch, I wish to make the new router the default gateway, in
place of the old one. The intention is to have all outbound traffic go through
the new line, while keeping the old address active for incoming traffic only,
like email and our own 2-hop connection to Leonardo. Eventually, the DNS
entry for Leonardo (which also acts as primary NS and MX for the customer's
domain) will be updated in the Internic tables, but we'll want to keep the old
interface active anyway, for backup and maintenance purposes. So, I add:
route add default gw b.b.b.1
and then comes the first surprise: the new default route doesn't replace the
old one, but is listed first in the routing table, followed by the old one. In
my understanding, a "default" route should be unique, so why both the new and
the old one? What's really bad is that with this configuration, the new
interface works fine for both outgoing and incoming traffic (meaning I can
telnet, ftp etc. from Leonardo using the T1 line, and I can do the same
things FROM the outside to the new IP address), but the old one is stuck:
from the outside, ping a.a.a.238 works, but any TCP connection remains
hanging. A look at the netstat output shows that on the Leonardo side, such
connections remain in SYN_RCVD state, with 1 single byte in the output queue:
it's as if it's receiving on the a.a.a.238 address, but trying to reply through
the new IP address.
But what's really weird is that if at this stage I execute the following:
route add default gw a.a.a.237
hence obtaining the old default route listed first, followed by the new one,
what happens is that BOTH interfaces work perfectly: I can happily reach
Leonardo from the outside on both addresses/routes, establishing sessions and
the like. BUT all outgoing traffic is routed by default through the old slow
link, while I need it to go through the T1.
The machine is a 486/33 with 32 megs, running kernel 2.0.27 compiled with the
following options enabled:
Network firewalls
Network aliasing
TCP/IP networking
IP forwarding/gatewaying
multicasting
firewalling
firewall packet logging
masquerading
always defragment
accounting
optimize as router
aliasing support
Now, I just don't know what I'm doing wrong, and what I should do instead. The
customer is eager to use the new T1 line (of course), and I told them it
would be up by next Monday, but we also need the old address active too, at
least for some time, so as not to block incoming email. ANY help would be
greatly appreciated, folks.
thank you
Danilo
----------------------------------------------------------------------
Danilo Fiorenzano <danilo@terranet.ab.ca>
-= Software Consulting & Development =-
For PGP public key: finger danilo@terranet.terranet.ab.ca
----------------------------------------------------------------------
To iterate is human, to recurse, divine.
-- Robert Heller
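The symptom in the post (connections arriving on a.a.a.238 stuck in SYN_RCVD
whenever the T1 router is the first default route) is the classic dual-homed
case where the reply leaves via a gateway that does not match the packet's
source address; the kernel keeps every default route that is added and uses the
first one in the table regardless of source. The usual fix is source-based
policy routing: one routing table per public address, selected by an `ip rule`
on the source. The script below is an added example written for this reply and
is not code from the original post. It assumes a Linux kernel with policy
routing support (2.2 or later) and the iproute2 `ip` tool, which the 2.0.27
kernel in the post does not have; the addresses, the eth1 interface name and
the table numbers 100/200 are copied from the post or chosen arbitrarily. By
default it runs in dry-run mode and only prints the commands it would execute.

```shell
#!/bin/sh
# Source-based policy routing for a gateway with two upstream routers on one
# ethernet segment.  Added example, not from the original post.  Assumes a
# kernel with policy routing (2.2+) and iproute2; a.a.a.* / b.b.b.* are the
# placeholder addresses from the post (assumed /24, i.e. class C).
set -e

IFACE="${IFACE:-eth1}"
OLD_IP="a.a.a.238"; OLD_GW="a.a.a.237"; OLD_NET="a.a.a.0/24"   # ISDN side
NEW_IP="b.b.b.2";   NEW_GW="b.b.b.1";   NEW_NET="b.b.b.0/24"   # T1 side
OLD_TABLE=100   # arbitrary table numbers for the per-source tables
NEW_TABLE=200

# run: print the command in dry-run mode (DRY_RUN=1, the default), else execute.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

configure_policy_routing() {
    # Both public addresses live on the same NIC (the alias case from the post).
    run ip addr add "$OLD_IP/24" dev "$IFACE"
    run ip addr add "$NEW_IP/24" dev "$IFACE"

    # Main table: a single default, so locally originated and masqueraded
    # traffic leaves through the T1 router.  "replace" avoids accumulating a
    # second default route, which is what "route add default" did in the post.
    run ip route replace default via "$NEW_GW" dev "$IFACE"

    # Per-source tables.  Each carries the connected networks (so traffic to the
    # segment itself is not hairpinned through a router) plus its own default.
    for t in "$OLD_TABLE" "$NEW_TABLE"; do
        run ip route replace "$OLD_NET" dev "$IFACE" table "$t"
        run ip route replace "$NEW_NET" dev "$IFACE" table "$t"
    done
    run ip route replace default via "$OLD_GW" dev "$IFACE" table "$OLD_TABLE"
    run ip route replace default via "$NEW_GW" dev "$IFACE" table "$NEW_TABLE"

    # Rules: a reply sourced from OLD_IP is routed by OLD_TABLE, i.e. back out
    # through the ISDN router it arrived from; likewise for NEW_IP and the T1.
    run ip rule add from "$OLD_IP" table "$OLD_TABLE"
    run ip rule add from "$NEW_IP" table "$NEW_TABLE"
    run ip route flush cache
}

# gateway_for_source: the policy the rules above implement, expressed as a
# function so it can be checked without touching the kernel.
gateway_for_source() {
    case "$1" in
        "$OLD_IP") echo "$OLD_GW" ;;   # table 100
        "$NEW_IP") echo "$NEW_GW" ;;   # table 200
        *)         echo "$NEW_GW" ;;   # anything else: main table, T1 default
    esac
}

configure_policy_routing
```

Run it as root with `DRY_RUN=0` once the printed commands look right. Because
the rules key on the source address, the ISDN router keeps serving only
connections that were addressed to a.a.a.238, which is the "incoming on the old
address, outgoing via the T1" split the post asks for; check the result with
`ip rule show` and `ip route show table 100`.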