Linux firewall with 2 default gateway

carlwerner

IS-IT--Management
Oct 25, 2005
ZA
Hi
In order to access the internet through our Linux SUSE 10 firewall, Firewall Builder automatically changes the default gateway on the internal network card to the external card IP. In order for the firewall to work in the VLAN environment that we have running, I need to add another default gateway to the internal network card that points to the VLAN interface IP to allow the other PCs in the VLANs to access the internet through the firewall. I've used the route add -net default gw .. dev eth1 command, but then the NAT doesn't work. Any ideas would be appreciated.

Thanks
 
Well, two default gateways will not work!... ever.

You have a network that you manage with private (10.x.x.x/8, 172.16.x.x/12, 192.168.x.x/16) addresses or a range of public addresses, possibly subnetted.
Those are internal; you KNOW the addresses. So you can add routes to that network.
For all addresses you do not know, the default route is used (pointing to the internet).

kind regards,

Nico Baggus
 
Look at possibly enabling OSPF between the linux box and your internal routers.

or just add static routes for the inside segments..


BuckWeet
 
Well, two default gateways will not work!... ever.

That's a completely false statement.

I managed about 100 servers in 18 gateways for a major internet backbone provider and they all had multiple default routes. Redundancy of this sort is required for high availability systems. Given equal cost routes the kernel will load balance across the paths until one fails, then whatever routing protocol you're running will converge on the remaining path(s).

This may not be possible without the cooperation of the upstream provider, but to say it will never work is just flat wrong.
 
I have a similar situation, also using suse 10.
[tt]
# route add default gw XX.YY.ZZ.AA [blue]; this is my internet gateway address assigned by ISP[/blue]
# route add -net 192.168.1.0/24 gw 192.168.1.1 eth1 [blue]; this is for the LAN[/blue]
[/tt]
I had a heck of a lousy time trying to use yast (the suse configuration program) to get this to happen. Finally just went to a shell and made it happen. My point (sorry, I ramble) is, maybe instead of using "-net default" for your LAN, use the more specific net.

----
JBR
 
Eric,
I'm a bit confused by your post and want to make sure it's not a problem with semantics. I know that you can have multiple routes, but can you actually declare two simultaneous default gateways? In other words, if I entered the following two lines:
Code:
route add default gw 10.1.1.1
route add default gw 192.1.1.1
both entries would be valid and unchanged?
 
When I specify multiple default gateways in Linux, it always uses the last one. It does not bounce back and forth between gateways. I think Eric was talking about some advanced route controls, maybe based on quagga or some other similar system.
 
Hi.
Got it working, thanks. Used the method Flugh described. Also had a hard time with YaST, and the CLI method didn't work in SUSE 10 either. All traffic just went through the default gateway. Installed SUSE 9.3 and same story, except the CLI method worked.

Thanks again
 
So, you weren't asking the right question... Flugh described a single default route and a single network specific static route.
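
The routing decision the thread converges on (one default route plus specific static routes for the internal networks), as an added example that is not part of any post: a longest-prefix-match lookup over a constructed `ip -4 route show` style table. The address 203.0.113.1 stands in for the ISP gateway (XX.YY.ZZ.AA above); the VLAN subnets 192.168.10.0/24 and 192.168.20.0/24 and the internal router 192.168.1.254 are assumptions.

```python
import ipaddress

# Constructed sample table; every address except 192.168.1.0/24 on eth1
# is an assumption made for this illustration.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 scope link
192.168.1.0/24 dev eth1 scope link
192.168.10.0/24 via 192.168.1.254 dev eth1
192.168.20.0/24 via 192.168.1.254 dev eth1
"""

def parse_routes(text):
    """Parse simple 'prefix key value ...' lines into (network, gateway, device)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        opts = dict(zip(fields[1::2], fields[2::2]))  # via/dev/scope pairs
        routes.append((ipaddress.ip_network(prefix), opts.get("via"), opts.get("dev")))
    return routes

def default_routes(routes):
    """Routes with prefix length 0; the thread's fix keeps exactly one."""
    return [r for r in routes if r[0].prefixlen == 0]

def next_hop(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None  # no default and no specific route: unreachable
    _, gateway, device = max(matches, key=lambda r: r[0].prefixlen)
    return (gateway or "directly connected", device)

ROUTES = parse_routes(SAMPLE_ROUTES)
# Same table without the VLAN static routes: the failure case from the thread.
NO_VLAN_ROUTES = [r for r in ROUTES if r[1] != "192.168.1.254"]

if __name__ == "__main__":
    for dest in ("192.168.1.50", "192.168.10.25", "198.51.100.7"):
        print(dest, "->", next_hop(ROUTES, dest))
    # Without the static routes, replies to a VLAN host follow the default
    # route out of eth0 instead of going back inside through eth1.
    print("no VLAN routes:", next_hop(NO_VLAN_ROUTES, "192.168.10.25"))
```
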
 