Multiple WAN Interfaces

From WiDirect

This document describes how to configure a WiDirect or WiClient to use a specific WAN connection based on the source VLAN of the user's traffic.

IP Addresses

There are two VLAN interfaces on eth1 in this example:

eth1.210: 10.15.8.0/21
eth1.1014: 10.15.24.0/21

And two corresponding VLAN interfaces on eth0:

eth0.210: 10.85.210.30
eth0.1014: 10.10.1.64

Two VLANs are not required. The eth0 IP could be the IP of the WiDirect for one WAN interface, and a subinterface can be created for the second WAN connection.

First Steps

In this example, separate DNS servers are also used depending on the source address. That is configured in the DHCP server; the instructions below modify the firewall and routing so that users can reach those DNS IPs.

First go to the network configuration page on the WiDirect and verify that the IP on eth0 is what you want. There needs to be an IP here, but if you are using two VLAN interfaces the IP can be anything and does not have to be routable. It is not recommended to use an IP on the same subnet as either of your VLANs. If you are using only one VLAN, or a subinterface, then the eth0 IP will be the WiDirect's IP on the primary Internet connection.

You may specify a default gateway appropriate for one of the VLANs to use that interface by default (the WiDirect will automatically use its corresponding IP address from the VLAN interface when passing traffic through the gateway). Setting the default route is necessary to access the box remotely and/or have it send notification e-mails. You will specify the IPs for the VLANs later.

Create the VLANs

- Create the desired VLANs for eth0 and eth1 with the desired IPs on the GUI of the WiDirect.

NAT and Firewall

Get root access to the WiDirect by running this command:

su -

You may want to enable NAT on the eth0 VLAN interfaces. You will need to edit the iptables firewall file, for example with "emacs /etc/sysconfig/iptables". Towards the bottom you will see:

-A POSTROUTING -o eth0 -j MASQUERADE

You can add these two lines:

-A POSTROUTING -o eth0.210 -j MASQUERADE
-A POSTROUTING -o eth0.1014 -j MASQUERADE

(You may also want to remove the first line to disable NAT on the plain eth0 interface without the VLAN tag, so that traffic can only leave through the VLAN interfaces you route it to.)

Routes

You will need to tell the system that you will be using two separate routing tables. Edit the /etc/iproute2/rt_tables file to create two routing tables, one called vlan210 and one called vlan1014. Before editing, the file looks like this:

-----------
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
---------

You should add two lines to this file:

3   vlan1014
4   vlan210

Then close that file and save it.

You will need to create the routes for each of the VLANs, and specify which users should use which VLAN. These commands need to be run every time the box starts, so you should edit the "/etc/rc.d/rc.local" file and add the commands to the end of it to have that done automatically. They can also be run from the command line to test that it works without restarting.

The following commands will create those routes:

### Create routing for the administrator vlan
ip route add 10.10.0.0/16 dev eth0.1014 src 10.10.1.64 table vlan1014
ip route add default via 10.10.1.1 table vlan1014

### Create routing for the user vlan
ip route add 10.85.210.0/24 dev eth0.210 src 10.85.210.30 table vlan210
ip route add default via 10.85.210.1 table vlan210

### Force users to use the vlan210 route table
ip rule add from 10.15.8.0/21 table vlan210

### Force admins to use the vlan1014 route table
ip rule add from 10.15.24.0/21 table vlan1014

### The WiDirect's own VLAN IPs are not in the vlan routing tables: traffic
### sourced from them must use the main table, otherwise replies would match
### the subnet rules above and users could not reach the WiDirect IP.
### Add these rules last: "ip rule add" without a preference gives each new
### rule a lower number than the previous one, and lower numbers are checked
### first, so these host rules take precedence over the subnet rules.
ip rule add from 10.15.8.1 table main
ip rule add from 10.15.24.1 table main
#######

Test

Test that everything works as intended. Then restart the WiDirect and confirm that everything still works after the restart.

You can view traffic on any of the interfaces to make sure it is going the right way by using either of the following commands:

tcpdump -i eth0.210
tcpdump -i eth0.1014

Verify that the IP rules and routes are set correctly by running the following commands and comparing the output. Command "ip rule ls":

0:      from all lookup 255
32762:  from 10.15.24.1 lookup main
32763:  from 10.15.8.1 lookup main
32764:  from 10.15.24.0/21 lookup vlan1014
32765:  from 10.15.8.0/21 lookup vlan210
32766:  from all lookup main
32767:  from all lookup default
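The following Python script is an added example, not code from the WiDirect wiki or product. It parses "ip rule ls" output such as the listing above and checks, for each VLAN on this page, that the subnet rule is present and that the "table main" rule for the WiDirect's own VLAN IP has a lower preference number (so it is evaluated first); running the rule commands in the wrong order silently leaves the host rules shadowed. Both sample listings are constructed from this page's addresses.

```python
import re

# VLAN layout from this page: user subnet -> (routing table, WiDirect's own IP on that VLAN)
VLANS = {"10.15.8.0/21": ("vlan210", "10.15.8.1"),
         "10.15.24.0/21": ("vlan1014", "10.15.24.1")}

# One "ip rule ls" line looks like "<pref>:  from <source> lookup <table>"
RULE_RE = re.compile(r"^\s*(\d+):\s+from\s+(\S+)\s+lookup\s+(\S+)")

def parse_rules(text):
    """Map (source, table) -> preference number for each rule line in the listing."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[(m.group(2), m.group(3))] = int(m.group(1))
    return rules

def check_rules(text, vlans=VLANS):
    """Return a list of problems; an empty list means the rules match this page's design."""
    rules, problems = parse_rules(text), []
    for subnet, (table, own_ip) in vlans.items():
        sub_pref = rules.get((subnet, table))
        own_pref = rules.get((own_ip, "main"))
        if sub_pref is None:
            problems.append(f"missing: from {subnet} lookup {table}")
        elif own_pref is None:
            problems.append(f"missing: from {own_ip} lookup main (users cannot reach the WiDirect)")
        # Lower preference numbers are evaluated first: the host rule must sit above its subnet rule.
        elif own_pref >= sub_pref:
            problems.append(f"order: from {own_ip} lookup main (pref {own_pref}) is shadowed by "
                            f"from {subnet} lookup {table} (pref {sub_pref})")
    return problems

# Constructed listing: this page's commands run in the documented order.
GOOD = """0:      from all lookup 255
32762:  from 10.15.24.1 lookup main
32763:  from 10.15.8.1 lookup main
32764:  from 10.15.24.0/21 lookup vlan1014
32765:  from 10.15.8.0/21 lookup vlan210
32766:  from all lookup main
32767:  from all lookup default"""
# Constructed listing: the "table main" rules were added first, so they got higher
# preference numbers than the subnet rules and are never reached.
BAD = """32762:  from 10.15.24.0/21 lookup vlan1014
32763:  from 10.15.8.0/21 lookup vlan210
32764:  from 10.15.24.1 lookup main
32765:  from 10.15.8.1 lookup main
32766:  from all lookup main"""
```

Run check_rules() on the real "ip rule ls" output after a reboot to confirm rc.local restored the rules in the right order.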

Command: "ip route ls table vlan210":

10.85.210.0/24 dev eth0.210  scope link  src 10.85.210.30
default via 10.85.210.1 dev eth0.210

Command: "ip route ls table vlan1014":

10.10.0.0/16 dev eth0.1014  scope link  src 10.10.1.64
default via 10.10.1.1 dev eth0.1014

Also verify that everything works by downloading large files and running speed tests. You may want to check the messages file (available on the web interface, titled syslog) for any errors related to the network cards during these downloads.