CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
In the meantime I found a way with SPLAT to force a host or a network to be reachable over one ISP while ISP RED. is active in load sharing or primary/backup mode. If you want to make sure that only ISP A is used for that host or network, you can simply do this with source or policy routing. In that case don't use "NAT behind the GW"; just use a public address from ISP A or NAT it manually to that IP. Routing is done after the packets went through CP, whatever mode you've defined for ISP RED.; packets will always go the way you defined in the routing policy. Now an example of how this could look:

First of all, create table(s) in /etc/iproute2/rt_tables:

    echo 200 ISP_A >> /etc/iproute2/rt_tables

Afterwards add rules to the table(s):

    ip rule add from 10.0.0.10 table ISP_A

Verify that the information has been set:

    ip rule ls

You should now see something like this:

    0:      from all lookup local
    32765:  from 10.0.0.10 lookup ISP_A
    32766:  from all lookup main
    32767:  from all lookup default

Now add the routes to the table:

    ip route add default via 194.162.56.1 dev ethx table ISP_A

194.162.56.1 means the router from ISP A; ethx is the interface attached to that ISP.

Note: All other networks that have to be reached behind the FW need to be added to the policy, even if you already have an existing route to that network; just add them to the table ISP_A.

Finally flush the routing table:

    ip route flush cache

To have this policy available after a reboot, add this to /etc/rc.d/rc.local. In our example here this would look like this:

    ip rule add from 10.0.0.10 table ISP_A
    ip route add default via 194.162.56.1 dev eth2 table ISP_A
    ip route flush cache

Hope that helps some of you who have such requests or needs in their environment!

__________________
misery is optional

Last edited by Porter; 2006-11-01 at 07:38.

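As an added example (not from the post above and not Check Point code): a small Python check that reads pasted output of "ip rule ls" and "ip route ls table <name>" and reports whether the host is really pinned to ISP A, i.e. whether its rule is consulted before the main table and the table carries the default route via the ISP router. The sample outputs are constructed; the table is named ISP_A because iproute2 reads a single token as the table name from rt_tables, so a name containing a space does not work.

```python
import re

# Matches one line of "ip rule ls" output, e.g. "32765: from 10.0.0.10 lookup ISP_A"
RULE_RE = re.compile(r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)\s+lookup\s+(?P<table>\S+)")


def parse_rules(rule_output):
    """Return (priority, source, table) tuples sorted by priority (lowest is consulted first)."""
    rules = []
    for line in rule_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m["prio"]), m["src"], m["table"]))
    return sorted(rules)


def check_policy_route(rule_output, table_output, src, table, gateway, dev):
    """Return a list of problems; an empty list means traffic from src is pinned to the ISP."""
    problems = []
    rules = parse_rules(rule_output)
    pinned = [p for p, s, t in rules if s == src and t == table]
    main_prio = next((p for p, s, t in rules if s == "all" and t == "main"), None)
    if not pinned:
        problems.append(f"no rule sends traffic from {src} to table {table}")
    elif main_prio is not None and pinned[0] > main_prio:
        problems.append(f"rule for {src} is consulted after the main table, so it never wins")
    # The table itself must hold a default route via the ISP router on the ISP interface
    wanted = f"default via {gateway} dev {dev}"
    if not any(line.strip().startswith(wanted) for line in table_output.splitlines()):
        problems.append(f"table {table} has no '{wanted}'")
    return problems


# Constructed sample output from a box where the steps above were applied
RULES_OK = """0:\tfrom all lookup local
32765:\tfrom 10.0.0.10 lookup ISP_A
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""
TABLE_OK = "default via 194.162.56.1 dev eth2\n"

# Constructed sample output from a box where only the rt_tables entry was created
RULES_MISSING = """0:\tfrom all lookup local
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

if __name__ == "__main__":
    print(check_policy_route(RULES_OK, TABLE_OK, "10.0.0.10", "ISP_A", "194.162.56.1", "eth2"))
    print(check_policy_route(RULES_MISSING, "", "10.0.0.10", "ISP_A", "194.162.56.1", "eth2"))
```

Feed it the real output of the two commands after a reboot to confirm the rc.local lines took effect.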
Those are Linux ip rule commands. "ip rule add from 10.0.0.10 table ISP_A" stands for: for all traffic originating from 10.0.0.10, use the routing table named ISP_A. Then a routing entry is added to the ISP_A routing table:

    ip route add default via 194.162.56.1 dev eth2 table ISP_A

You can view the ISP_A routing table:

    ip route ls table ISP_A

Btw, with "ip rule ls" you can view the order of routing tables:

    0:      from all lookup local
    32765:  from 10.0.0.10 lookup ISP_A
    32766:  from all lookup main
    32767:  from all lookup default

If traffic should not be matched in table "ISP_A" then the next rule is taken... One can set up quite complicated Linux routings that way.

__________________
CCNA certified

Okay, I understand. In this case, all traffic from 10.0.0.10 will never route over ISP B. But where does NAT come in? You wrote that routing is done after the packets went through CP. I now have client-side NAT, which would mean that the packet is already translated before it goes to routing, and the source 10.0.0.10 is already translated to the public IP address.

This is just routing, no NAT. Now it depends what is doing NAT for you. If it is Linux only, then use the iptables firewall for doing NAT. But since it is a CP forum I guess it's CP that's doing NAT for you. Now I can't help you with that - I don't know CP well enough, I don't even like it. I just have to work with it :(

__________________
CCNA certified