purpose: utilize simultaneously symmetric and asymmetric internet connections on linux router to achieve cost efficient way of providing internet access for few dozens of users. why? symmetric connections to internet still tend to be overpriced, poland is no exception. small ISPs providing internet access for 100 or 200 users usually cannot afford pipes fat enough to satisfy always growing demand of all those p2p lovers. adding asymmetric xDSL connections dedicated only for http traffic to existing symmetric internet uplink can significantly improve end-user experience without causing too much additional costs.
what needs to be done on linux router? not much:
- new routing tables should be added
- rules for selecting routing table based on source ip should be added
- squid [working as transparent http proxy] should be told to bind to ip address of xDSL connection
- users’ http traffic should be redirected to local http proxy [ squid in this case ]
to create new routing tables add at the end of /etc/iproute2/rt_tables following lines to :
100 T1 200 T2
this is just an human readable [ T1 ? not exactly ;] alias to number of routing table used internally by kernel.
put following rules in one of your network / firewall startup scripts:
# table for packets with src address in 99.99.99.88/29 [ xDSL link ] ip route add 192.168.0.0/24 dev eth0 src 192.168.0.1 table T1 ip route add 99.99.99.88/29 dev eth1 src 99.99.99.90 table T1 ip route add 11.11.11.124/30 dev eth2 src 11.11.11.126 table T1 ip route add 127.0.0.0/8 dev lo table T1 ip route add default via 99.99.99.89 table T1 # rule : select table T1 if src address is in 99.99.99.88/29 ip rule add from 99.99.99.88/29 table T1 # # table for packets with src address 11.11.11.126 [ symmetric link ] ip route add 192.168.0.0/24 dev eth0 src 192.168.0.1 table T2 ip route add 99.99.99.88/29 dev eth1 src 99.99.99.90 table T2 ip route add 11.11.11.124/30 dev eth2 src 11.11.11.126 table T2 ip route add 127.0.0.0/8 dev lo table T2 ip route add default via 11.11.11.125 table T2 # rule : select T2 if src address is 11.11.11.126 ip rule add from 11.11.11.126 table T2 # # default routing table ip route add default scope global nexthop via 11.11.11.125 dev eth2
as you see each table should contain all routes including those available directly [ like 192.168.0.1 – available on lan interface of described router ].
after running script above your router by default will initiate all outgoing connections with src address of 11.11.11.126 and route them thru eth2, but if you force it to use src ip of 99.99.99.90 connections will go thru 99.99.99.89 gateway at eth1. so right now we just need to redirect all http requests coming from lan to squid and tell squid to bind to 99.99.99.90 when initiating connections.
additional config change in /etc/squid/squid.conf – just add:
tcp_outgoing_address 99.99.99.90
last thing to do : make sure you redirect local http traffic to squid:
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 80 -j REDIRECT --to-port 8080 # in my case i also masquarade all traffic going out via eth2 iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth2 -j MASQUERADE
side effect of such a configuration: all http traffic initiated by users in lan will be seen as coming from one public ip addresses assigned to xDSL link. to make things even better one should always add QoS to make sure available bandwidth is fairly shared among users.
description is based on my experiences with some networks where i’ve successfully set up similar configuration.