poor man's multihoming under linux

purpose: use symmetric and asymmetric internet connections simultaneously on a linux router as a cost-efficient way of providing internet access for a few dozen users. why? symmetric internet connections still tend to be overpriced, and poland is no exception. small ISPs providing internet access for 100 or 200 users usually cannot afford pipes fat enough to satisfy the ever-growing demand of all those p2p lovers. adding asymmetric xDSL connections dedicated only to http traffic alongside the existing symmetric uplink can significantly improve the end-user experience without adding much cost.

what needs to be done on the linux router? not much:

  • new routing tables should be added
  • rules for selecting a routing table based on source ip should be added
  • squid [working as a transparent http proxy] should be told to bind to the ip address of the xDSL connection
  • users' http traffic should be redirected to the local http proxy [ squid in this case ]

to create the new routing tables, add the following lines at the end of /etc/iproute2/rt_tables:

100     T1
200     T2

this is just a human-readable alias [ T1 ? not exactly ;] for the routing table number used internally by the kernel.

put the following rules in one of your network / firewall startup scripts:

# table for packets with src address in [ xDSL link ]
ip route add  dev eth0 src table T1   
ip route add  dev eth1 src table T1  
ip route add dev eth2 src table T1   
ip route add dev lo   table T1   
ip route add default via  table T1    
# rule : select table T1 if src address is in
ip rule add from table T1   
# table for packets with src address  [ symmetric link ]
ip route add  dev eth0 src table T2
ip route add  dev eth1 src table T2  
ip route add dev eth2 src table T2
ip route add dev lo   table T2
ip route add default via table T2 
# rule : select T2 if src address is
ip rule add from table T2   
# default routing table
ip route add default scope global nexthop via dev eth2

as you can see, each table should contain all routes, including those for directly connected networks [ like – available on the lan interface of the described router ]; a default route via a gateway only works if that gateway's subnet is present in the same table.

after running the script above, your router will by default initiate all outgoing connections with src address of and route them through eth2, but if you force it to use the src ip of , connections will go through the gateway at eth1. so now we just need to redirect all http requests coming from the lan to squid and tell squid to bind to when initiating connections.

additional config change in /etc/squid/squid.conf – just add:


last thing to do: make sure you redirect local http traffic to squid:

iptables -t nat -A PREROUTING -s -p tcp --dport 80  -j REDIRECT --to-port 8080
# in my case i also masquerade all traffic going out via eth2
iptables -t nat -A POSTROUTING -s -o eth2 -j MASQUERADE
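
the whole procedure above, as an added example that is not part of the original post: a small python helper that parses rt_tables, registers the T1/T2 aliases while refusing ids the kernel reserves, emits the per-table iproute2 commands so that every table carries all directly connected routes (the requirement the post stresses), and emits the two iptables lines. all addresses are constructed documentation/private ranges and the interface assignment (eth0 lan, eth1 xDSL, eth2 symmetric uplink) is an assumption; the helper only generates command strings, it does not run them.

```python
import ipaddress

# Table ids the kernel reserves in rt_tables: 0 unspec, 253 default, 254 main, 255 local.
RESERVED_IDS = {0, 253, 254, 255}


def parse_rt_tables(text):
    """Parse /etc/iproute2/rt_tables content into {name: id}, ignoring comments."""
    tables = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tid, name = line.split()
            tables[name] = int(tid)
    return tables


def add_table(tables, tid, name):
    """Register an alias such as '100 T1', refusing reserved ids and duplicates."""
    if tid in RESERVED_IDS or tid in tables.values() or name in tables:
        raise ValueError(f"{tid} {name} collides with a reserved or existing table")
    tables[name] = tid
    return tables


def table_commands(table, connected, gateway, rule_from):
    """iproute2 commands for one policy table, in the post's layout.

    connected: [(cidr, dev, router_ip)] for every directly attached network
    (constructed sample data in the test). The same list feeds every table:
    'default via' only works if the gateway's subnet is in that table, and
    replies to LAN hosts need the LAN route there too."""
    cmds = [f"ip route add {ipaddress.ip_network(net)} dev {dev} "
            f"src {ipaddress.ip_address(src)} table {table}"
            for net, dev, src in connected]
    cmds.append(f"ip route add 127.0.0.0/8 dev lo table {table}")
    cmds.append(f"ip route add default via {ipaddress.ip_address(gateway)} table {table}")
    cmds.append(f"ip rule add from {ipaddress.ip_network(rule_from)} table {table}")
    return cmds


def covers_all_connected(cmds, connected):
    """True if every attached network has a route in this table's command list."""
    return all(any(f"route add {ipaddress.ip_network(net)} dev {dev} " in c for c in cmds)
               for net, dev, _ in connected)


def lan_nat_commands(lan_net, proxy_port, out_if):
    """Redirect LAN port-80 traffic to the local squid and masquerade the rest."""
    lan = ipaddress.ip_network(lan_net)
    return [f"iptables -t nat -A PREROUTING -s {lan} -p tcp --dport 80 -j REDIRECT --to-port {proxy_port}",
            f"iptables -t nat -A POSTROUTING -s {lan} -o {out_if} -j MASQUERADE"]
```

after applying the generated commands on the router, `ip rule show` and `ip route show table T1` let you confirm that the rule exists and that the table really contains the lan route as well as the default.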

side effect of such a configuration: all http traffic initiated by users in the lan will be seen as coming from the one public ip address assigned to the xDSL link, so the squid access log becomes the only place where individual users can be told apart. to make things even better, one should also add QoS to make sure the available bandwidth is fairly shared among users.

the description is based on my experience with some networks where i've successfully set up a similar configuration.
