| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
    LAN Clients --- CHPoint SPLAT (R60) --- Inet Router 1
                                  |
                                  -- Inet Router 2

Hello,

I am looking for a way to provide custom routing for a few internal clients. Basically, every internal client should use the default gateway (Inet Router 1), which is the current setup, but a few internal clients (fixed IP addresses) should use another gateway (Inet Router 2).

Is this possible (through NATing possibly?). I am not currently using ISP redundancy or load balancing.

Thanks for your responses and ideas!

Last edited by thort; 2006-08-30 at 03:23. Reason: Bad ascii layout of net diagram
| |||
Can you not manually define the gateway on the client directly? As the clients with fixed IPs need to route through a different gateway, I am assuming they don't get their configs through DHCP and therefore the manually defined gateway info will not get overwritten.
| |||
Actually, I made a few errors in my statement about the LAN clients... The standard gateway for the SPLAT is Inet Router1. All clients behind the SPLAT are on a fixed IP, and their default gateway is the SPLAT. The SPLAT's default gateway is Inet Router1. I would like specific clients to exit out to the Internet via Inet Router2 and not the default pathway through Inet Router1.

---------------------------------------

The SPLAT is not working in a transparent mode, so it is the LAN clients' gateway before requests get forwarded through the Inet Router.

So how to get certain clients behind the SPLAT to use Inet Router2? Or, moreover, how to get the SPLAT to forward certain clients' requests (based on IP) through InetRouter2 and not InetRouter1?
| |||
This is called "source based routing"; it is not supported by Check Point on anything but VSX. That said, the tools are there for it in SPLAT. If you look up "source based routing in Linux" you should find what you need.

NOTE -- I've never done this, but I'm told it works. YMMV.
| |||
    RouterA  ||  RouterB
    1.1.1.2  ||  1.1.1.3
             ||
       Fw-ext-ip(1.1.1.1)
       Firewall==================DMZ(192.168.0.0/24)
       Fw-int-ip(10.0.0.1/24)

We assume that the SPLAT's default gw is RouterA.

    route add default gw 1.1.1.2

Now we will define policy based routing. We need to define a Table ID and an alias for it.

Defining Alias:
=================

Edit the /etc/iproute2/rt_tables file. As you see below, we have added ID 23 with the alias adsl.

    # more rt_tables
    #
    # reserved values
    #
    #255 local
    #254 main
    #253 default
    #0 unspec
    #
    # local
    #
    #1 inr.ruhep
    23 adsl

You may use the command below for this:

    # echo 23 adsl >> /etc/iproute2/rt_tables

Then we will specify which source IP addresses will use this table:

    # ip rule add from 10.0.0.5/24 table adsl

(all LAN IPs will use this table)

Let's set this adsl table's default gateway to RouterB:

    # ip route add default via 1.1.1.3 dev eth0 table adsl

We have to add the following route in order to give access from 10.0.0.x to the DMZ:

    # ip route add 192.168.0.0/24 dev eth2 table adsl

To activate the changes, type the following:

    # ip route flush cache

After a reboot, the changes we made will not remain. We have to add all the commands to the rc.local file to make the changes permanent after reboot.

    ip rule add from 10.0.0.0/24 table adsl
    ip route add default via 1.1.1.3 dev eth0 table adsl
    ip route add 192.168.0.0/24 dev eth2 table adsl
    ip route flush cache

I hope this helps. You may also find the Turkish version of this document here.
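A simplified Python model of the rule-then-table lookup configured in the post above, added here as an illustration and not part of the original post. It shows why the 192.168.0.0/24 route has to be copied into table adsl, and how a /32 selector limits the detour to a single client, which is what the original question asked for. The LAN interface name eth1, the client addresses and the destination 203.0.113.10 are assumptions, and the model ignores the local table and explicit rule priorities.

```python
import ipaddress

def lookup(rules, tables, src, dst):
    """Return (table, gateway, dev) the way the Linux routing policy database
    picks it: rules are tried in order, and the first table that holds a
    route matching dst wins. A table with no match falls through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for selector, table in rules:
        if src not in ipaddress.ip_network(selector):
            continue
        matches = [(ipaddress.ip_network(prefix), gw, dev)
                   for prefix, gw, dev in tables[table]
                   if dst in ipaddress.ip_network(prefix)]
        if matches:  # longest prefix wins inside one table
            _, gw, dev = max(matches, key=lambda m: m[0].prefixlen)
            return table, gw, dev
    return None

# Tables from the post; a gateway of None means "directly connected".
MAIN = [("0.0.0.0/0", "1.1.1.2", "eth0"),   # route add default gw 1.1.1.2
        ("192.168.0.0/24", None, "eth2"),   # connected DMZ
        ("10.0.0.0/24", None, "eth1")]      # connected LAN (eth1 is assumed)
ADSL = [("0.0.0.0/0", "1.1.1.3", "eth0"),   # ip route add default via 1.1.1.3 ... table adsl
        ("192.168.0.0/24", None, "eth2")]   # ip route add 192.168.0.0/24 dev eth2 table adsl

def build(selector, with_dmz_route=True):
    """Rule 'from <selector> table adsl' ahead of the catch-all main rule."""
    adsl = ADSL if with_dmz_route else ADSL[:1]
    rules = [(selector, "adsl"), ("0.0.0.0/0", "main")]
    return rules, {"adsl": adsl, "main": MAIN}

if __name__ == "__main__":
    internet, dmz_host = "203.0.113.10", "192.168.0.10"  # constructed addresses
    for label, (rules, tables) in {
        "whole LAN, as posted": build("10.0.0.0/24"),
        "whole LAN, DMZ route missing": build("10.0.0.0/24", with_dmz_route=False),
        "single client 10.0.0.5/32": build("10.0.0.5/32"),
    }.items():
        print(label)
        for src in ("10.0.0.5", "10.0.0.9"):
            for dst in (internet, dmz_host):
                print(f"  {src} -> {dst}: {lookup(rules, tables, src, dst)}")
```

With the DMZ route left out of table adsl, LAN-to-DMZ packets match the table's default route and are handed to RouterB on eth0 instead of staying on eth2.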