
Our setting is as follows:

                                    +---------+    +------------+        /
                                    |         |    |  Modem     |       /
                 +-----------+------| Firewall|----+ Provider 1 +-------
        __       |           |      |         |    |            |    /
    ___/  \_     |    +------+----+ +---------+    +------------+   |
  _/        \__  |    |     p4p1  |                               /
 /             \ |    |           |                              |
| Local network -+    |Ubuntu srv |                              |Internet
 \_           __/     |           |                              |
   \__     __/        |     em1   |                               \
      \___/           +------+----+     +------------+             |
                             |          |  Router    |              \
                             +----------+ Provider 2 +----------------
                                        |            |                |
                                        +------------+         

We would like the Ubuntu server to be able to use the em1 interface, especially for FTP traffic.

That makes it harder, I believe, since FTP creates connections in passive mode that should be correctly routed through em1. Am I mistaken to raise a red flag here?

We don't need nor want load balancing, and the LAN won't access the Internet through em1, so that should make things easier since the Ubuntu server doesn't have to reroute anything coming from em1.

We have a static public address given to the firewall, but the router of Provider 2 will have a dynamic address that we will have to DynDNS or something.

I've found this HOWTO and this stackoverflow question, but I'm confused about that script's values.

What are the IP1 and IP2 values really? Which will be the default route for packets originating from the Ubuntu server? Where is that default route set, and to which value? Is the P0_NET unnecessary in my case?

How would I modify that script to fit my scenario? I believe it should at least be

#!/bin/bash -v
#IPs of device connected to the internet
IP1=192.168.30.240 # (or is it the public IP 85.12.34.56?)
#static IP provided by ISP2
IP2=192.168.0.10 # (or is it the dynamic IP 190.12.34.56?)

#Your Gateways (type route in terminal it should be in the same line as default)
P1=192.168.30.1 #gateway provided by ISP1
P2=192.168.0.254 #gateway provided by ISP2

#Your Subnets
P1_NET=192.168.30.0/24 #local network subnet + p4p1
P2_NET=192.168.0.0/24 #em1 LAN
# NICs your internet interfaces
IF1=p4p1
IF2=em1
# T1 and T2 must be defined as table names in /etc/iproute2/rt_tables before use

ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

ip rule add from $IP1 table T1
ip rule add from $IP2 table T2
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo table T2
quimnuss

2 Answers


This is not a matter of routing. Routing works on layer 3, i.e. the IP addresses, but to sort out FTP traffic you'd need layer 4 information.

Make sure you bind the FTP server to em1's IP address only and it'll be accessible only on that side while also using passive ports on that IP address.

For vsftpd, IP binding is described in https://askubuntu.com/questions/301028/how-to-use-specific-ip-with-vsftpd

Zac67
  • Do I really need filtering? Wouldn't it suffice that traffic from em1 goes through em1? Since the FTP will only be visible from em1. Or do you mean that the filtering is necessary because of the passive-port FTP transfer, which wouldn't be distinguishable by interface/IP? How would you achieve the routing/FTP? Is the script posted correct? – quimnuss Dec 20 '17 at 21:28
  • I believe you mistook my mention of FTP. I believe it is solely a routing problem, since traffic coming from one interface should be properly replied to, for starters. – quimnuss Jan 05 '18 at 10:53

I had to set up proper routing like this; no filtering was needed, since we are not setting up routing for connections initiated by the server.

You have to set the table names in /etc/iproute2/rt_tables

255     local
254     main
253     default
0       unspec
200 wan3table
201 wan1table

and then add the following routes:

ip route add 192.168.30.0/24 dev p4p1 table wan1table
ip route add default via 192.168.30.1 table wan1table

ip route add 192.168.0.0/24 dev em1 table wan3table
ip route add default via 192.168.0.254 table wan3table

ip rule  add from 192.168.30.240 table wan1table
ip rule  add from 192.168.0.10 table wan3table
ip route add 127.0.0.0/8 dev lo table wan1table
ip route add 127.0.0.0/8 dev lo table wan3table
ip route add 192.168.0.0/24 dev em1 table wan1table
ip route add 192.168.30.0/24 dev p4p1 table wan3table
quimnuss