Multiple WAN Interfaces
This document describes how to configure a WiDirect or WiClient to use a specific WAN connection based on the source VLAN of the user's traffic.
There are two VLAN interfaces on eth1 in this example:
eth1.210: 10.15.8.0/21
eth1.1014: 10.15.24.0/21
And two corresponding VLAN interfaces on eth0:
eth0.210: 10.185.210.30
eth0.1014: 10.10.1.64
Two VLANs are not required. The eth0 IP could be the IP of the WiDirect for one WAN interface, and a subinterface can be created for the second WAN connection.
In this example the two VLANs also use separate DNS servers, selected by source address. That is configured in the DHCP server; the instructions below modify the firewall to allow access to those IPs.
First go to the network configuration page on the WiDirect and verify that the IP on eth0 is what you want. There needs to be an IP here, but if you are using two VLAN interfaces the IP can be anything, and it doesn't have to be routable. It is not recommended to use an IP on the same subnet as either of your VLANs. If you are only using one VLAN, or using a subinterface, then the eth0 IP will be the WiDirect's IP on the primary Internet connection.
You may specify a default gateway appropriate for one of the VLANs to use that interface by default (the WiDirect will automatically use its corresponding IP address from the VLAN interface when passing traffic through the gateway). Setting the default route is necessary to access the box remotely and/or have it send notification e-mails. You will specify the IPs for the VLANs later.
Create the VLANs
-Create the desired VLANs for eth0 and eth1 with the desired IPs on the GUI of the WiDirect.
NAT and Firewall
Get root access to the WiDirect by running this command:
You may want to enable NAT on the eth0 VLAN interfaces. To do so, edit the iptables firewall file using "emacs /etc/sysconfig/iptables". Towards the bottom you will see:
-A POSTROUTING -o eth0 -j MASQUERADE
You can add these two lines:
-A POSTROUTING -o eth0.210 -j MASQUERADE
-A POSTROUTING -o eth0.1014 -j MASQUERADE
(You may also want to remove the first line to disable NAT on the plain interface without the VLAN)
You will need to tell the system that you will be using two separate routing tables. Edit the /etc/iproute2/rt_tables file to create two routing tables, one called vlan210 and one called vlan1014. The file should look like this:
-----------
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
---------
You should add two lines to this file:
3 vlan1014
4 vlan210
Then close that file and save it.
You will need to create the routes for each of the VLANs, and specify which users should use which VLAN. These commands need to be run every time the box starts, so you should edit the "/etc/rc.d/rc.local" file and add the commands to the end of it to have that done automatically. They can also be run from the command line to test that it works without restarting.
The following commands will create those routes:
###Create routing for administrator vlan
ip route add 10.10.0.0/16 dev eth0.1014 src 10.10.1.64 table vlan1014
ip route add default via 10.10.1.1 table vlan1014
###Create routing for user vlan
ip route add 10.85.210.0/24 dev eth0.210 src 10.85.210.30 table vlan210
ip route add default via 10.85.210.1 table vlan210
###Force users to use vlan210 route table
ip rule add from 10.15.8.0/21 table vlan210
###Force admins to use vlan1014 table
ip rule add from 10.15.24.0/21 table vlan1014
###The WiDirect IP will not be in the vlan routing table, as this prevents the users from accessing the WiDirect IP
ip rule add from 10.15.8.1 table main
ip rule add from 10.15.24.1 table main
#######
Test that everything works as intended. Then restart the WiDirect and confirm that everything still works after the restart.
You can view traffic on any of the interfaces to make sure it is going the right way by using either of the following commands:
tcpdump -i eth0.210
tcpdump -i eth0.1014
Verify that the IP rules and routes are set correctly by running the following commands and checking that the output matches what is shown. Command "ip rule ls":
0:	from all lookup 255
32762:	from 10.15.24.1 lookup main
32763:	from 10.15.8.1 lookup main
32764:	from 10.15.24.0/21 lookup vlan1014
32765:	from 10.15.8.0/21 lookup vlan210
32766:	from all lookup main
32767:	from all lookup default
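The order of those rules matters: the kernel evaluates them in ascending priority number, and "ip rule add" without an explicit "pref" gives each new rule the next lower number, so the /32 "table main" exceptions only win because they were added after the /21 rules. The following Python script is an added verification helper, not part of the WiDirect software or of the original instructions: it parses "ip rule ls" output and reports any source address that would end up in the wrong table. The sample output is the one shown above; the user and admin addresses 10.15.8.77 and 10.15.24.77 are constructed.

```python
import ipaddress
import re
# Constructed sample: the `ip rule ls` output shown in this document, one rule per line
SAMPLE_RULE_LS = """\
0:\tfrom all lookup 255
32762:\tfrom 10.15.24.1 lookup main
32763:\tfrom 10.15.8.1 lookup main
32764:\tfrom 10.15.24.0/21 lookup vlan1014
32765:\tfrom 10.15.8.0/21 lookup vlan210
32766:\tfrom all lookup main
32767:\tfrom all lookup default
"""

# Table each kind of source address must end up in, per this document's setup
EXPECTED = {
    "10.15.8.77": "vlan210",    # a user on eth1.210 (constructed address)
    "10.15.24.77": "vlan1014",  # an admin on eth1.1014 (constructed address)
    "10.15.8.1": "main",        # the WiDirect's own IP on the user VLAN
    "10.15.24.1": "main",       # the WiDirect's own IP on the admin VLAN
    "192.0.2.9": "main",        # any other source falls through to main
}

RULE_RE = re.compile(r"^\s*(\d+):\s+from\s+(\S+)\s+lookup\s+(\S+)")

def parse_rules(text):
    """Parse `ip rule ls` into (pref, source network or None for 'all', table), lowest pref first."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pref, src, table = int(m.group(1)), m.group(2), m.group(3)
            net = None if src == "all" else ipaddress.ip_network(src, strict=False)
            rules.append((pref, net, table))
    return sorted(rules, key=lambda r: r[0])

def table_for(rules, src_ip):
    """Emulate the policy lookup: the lowest-pref rule whose source selector matches wins."""
    ip = ipaddress.ip_address(src_ip)
    for _pref, net, table in rules:
        if table in ("255", "local"):  # local table holds only the box's own addresses
            continue
        if net is None or ip in net:
            return table
    return None

def find_mismatches(rule_ls_text, expected=EXPECTED):
    """Return {src_ip: actual_table} for each source that lands in the wrong table."""
    rules = parse_rules(rule_ls_text)
    actual = {ip: table_for(rules, ip) for ip in expected}
    return {ip: t for ip, t in actual.items() if t != expected[ip]}
```

On the WiDirect itself, pass the live output of "ip rule ls" to find_mismatches instead of the sample; an empty result means every source class selects the intended table.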
Command: "ip route ls table vlan210":
10.85.210.0/24 dev eth0.210 scope link src 10.85.210.30
default via 188.8.131.52 dev eth0.210
Command: "ip route ls table vlan1014":
10.10.0.0/16 dev eth0.1014 scope link src 10.10.1.64
default via 10.10.1.1 dev eth0.1014
Also verify that everything works by downloading large files and running speed tests. You may want to check the messages file (available on the web interface, titled syslog) for any errors related to the network cards during these downloads.