purpose: use symmetric and asymmetric internet connections simultaneously on a linux router to provide internet access for a few dozen users in a cost-efficient way. why? symmetric internet connections still tend to be overpriced, and poland is no exception. small ISPs providing internet access for 100 or 200 users usually cannot afford pipes fat enough to satisfy the ever-growing demand of all those p2p lovers. adding asymmetric xDSL connections dedicated only to http traffic alongside the existing symmetric internet uplink can significantly improve the end-user experience without causing much additional cost.
what needs to be done on the linux router? not much:
- new routing tables have to be added
- rules selecting the routing table based on the source ip have to be added
- squid [working as a transparent http proxy] has to be told to bind to the ip address of the xDSL connection
- users' http traffic has to be redirected to the local http proxy [ squid in this case ]
to create the new routing tables, add the following lines at the end of /etc/iproute2/rt_tables:
100 T1
200 T2
this is just a human-readable [ T1 ? not exactly ;] alias for the number of the routing table used internally by the kernel.
put the following rules in one of your network / firewall startup scripts:
# table for packets with src address in 184.108.40.206/29 [ xDSL link ]
ip route add 192.168.0.0/24 dev eth0 src 192.168.0.1 table T1
ip route add 220.127.116.11/29 dev eth1 src 18.104.22.168 table T1
ip route add 22.214.171.124/30 dev eth2 src 126.96.36.199 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add default via 188.8.131.52 table T1
# rule : select table T1 if src address is in 184.108.40.206/29
ip rule add from 220.127.116.11/29 table T1
#
# table for packets with src address 18.104.22.168 [ symmetric link ]
ip route add 192.168.0.0/24 dev eth0 src 192.168.0.1 table T2
ip route add 22.214.171.124/29 dev eth1 src 126.96.36.199 table T2
ip route add 188.8.131.52/30 dev eth2 src 184.108.40.206 table T2
ip route add 127.0.0.0/8 dev lo table T2
ip route add default via 220.127.116.11 table T2
# rule : select T2 if src address is 18.104.22.168
ip rule add from 22.214.171.124 table T2
#
# default routing table
ip route add default scope global nexthop via 126.96.36.199 dev eth2
as you can see, each table should contain all routes, including those available directly [ like 192.168.0.1 – available on the lan interface of the described router ].
after running the script above, your router will by default initiate all outgoing connections with src address 188.8.131.52 and route them through eth2, but if you force it to use src ip 184.108.40.206, connections will go through the 220.127.116.11 gateway at eth1. so now we just need to redirect all http requests coming from the lan to squid and tell squid to bind to 18.104.22.168 when initiating connections.
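to see why the source address alone decides which uplink a connection takes, here is a small simulator of the two steps the kernel performs: walk the ip rules in priority order, then do a longest-prefix lookup in the selected table, falling through to the next rule when the table has no matching route. this is an added example, not a script from the original post; the addresses (RFC 5737 documentation ranges) and interface names are constructed and stand in for the real xDSL and symmetric links, and the missing_connected_routes check is a hypothetical helper that verifies the point made above about every table carrying the directly connected routes.

```python
"""Simulate Linux policy routing: rule evaluation, then a longest-prefix
lookup in the selected table (falls through to the next rule on a miss)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: str                    # destination prefix, e.g. "192.168.0.0/24"
    dev: str                    # outgoing interface
    via: Optional[str] = None   # next hop; None means directly connected
    src: Optional[str] = None   # preferred source address for this route


@dataclass(frozen=True)
class Rule:
    priority: int
    src: str                    # "from" selector; "all" matches every packet
    table: str


# Constructed sample topology (documentation addresses, not a real network):
#   eth0 192.168.0.1/24    LAN
#   eth1 198.51.100.2/29   xDSL link, gateway 198.51.100.1
#   eth2 203.0.113.2/30    symmetric link, gateway 203.0.113.1
CONNECTED = [
    Route("192.168.0.0/24", "eth0", src="192.168.0.1"),
    Route("198.51.100.0/29", "eth1", src="198.51.100.2"),
    Route("203.0.113.0/30", "eth2", src="203.0.113.2"),
    Route("127.0.0.0/8", "lo"),
]
# Each table repeats the connected routes and differs only in its default.
TABLES = {
    "T1": CONNECTED + [Route("0.0.0.0/0", "eth1", via="198.51.100.1")],
    "T2": CONNECTED + [Route("0.0.0.0/0", "eth2", via="203.0.113.1")],
    "main": CONNECTED + [Route("0.0.0.0/0", "eth2", via="203.0.113.1")],
}
# ip rule: lower priority number is consulted first; 32766 is the kernel's
# built-in "from all lookup main".
RULES = [
    Rule(100, "198.51.100.0/29", "T1"),
    Rule(200, "203.0.113.2", "T2"),
    Rule(32766, "all", "main"),
]


def lookup_in_table(dst: str, routes) -> Optional[Route]:
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for r in routes:
        net = ip_network(r.dst)
        if ip_address(dst) in net and (
            best is None or net.prefixlen > ip_network(best.dst).prefixlen
        ):
            best = r
    return best


def route_lookup(src: str, dst: str, rules=RULES, tables=TABLES):
    """Return (table_name, Route) for a packet with the given src/dst,
    or (None, None) if no rule leads to a matching route."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src != "all" and ip_address(src) not in ip_network(rule.src):
            continue
        hit = lookup_in_table(dst, tables[rule.table])
        if hit is not None:
            return rule.table, hit
    return None, None


def missing_connected_routes(tables=TABLES, connected=CONNECTED):
    """Per table, list directly connected prefixes that are absent.
    Hypothetical sanity check for the 'every table needs all routes' rule."""
    report = {}
    for name, routes in tables.items():
        have = {r.dst for r in routes}
        gaps = [c.dst for c in connected if c.dst not in have]
        if gaps:
            report[name] = gaps
    return report


if __name__ == "__main__":
    for src in ("198.51.100.2", "203.0.113.2", "192.168.0.1"):
        table, route = route_lookup(src, "8.8.8.8")
        print(f"from {src}: table {table}, dev {route.dev}, via {route.via}")
    print("missing connected routes:", missing_connected_routes())
```

a connection squid opens from the xDSL address matches the priority-100 rule and leaves via eth1, while anything the router or the lan sends from another address falls to the priority-200 rule or the main table and leaves via eth2; the same simulator run against a table that lacks the lan route shows the gap the write-up warns about.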
additional config change in /etc/squid/squid.conf – just add:
last thing to do: make sure you redirect local http traffic to squid:
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080
# in my case i also masquerade all traffic going out via eth2
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth2 -j MASQUERADE
side effect of such a configuration: all http traffic initiated by users in the lan will be seen as coming from the one public ip address assigned to the xDSL link. to make things even better, one should always add QoS to make sure the available bandwidth is fairly shared among users.
this description is based on my experience with some networks where i’ve successfully set up a similar configuration.