[Durham] Fwd: Port forwarding via two ADSL lines

Richard Mortimer richm at oldelvet.org.uk
Wed May 25 18:00:28 UTC 2011 

Hi Martin,

On 25/05/2011 17:54, Martin Ward wrote:
>
> I have just had another ADSL line installed. Both lines have
> a static IP address, so I decided to set up port forwarding
> on both routers to the same machine (my main file server).
> The idea is that if one ISP goes down, I can still access my home
> machine via the other ISP by using the other IP address:
> and similarly email will still get through if I set the new IP address
> as a backup MX host.
>
> But this doesn't work: it seems that the server will only accept
> forwarded connections that come in through its default outgoing route.
>
> If I do:
>
> route del default
> route add default gw IP-OF-OLD-ROUTER
>
> then I can ssh in via OLD-IP-ADDRESS, but not NEW-IP-ADDRESS
>
> If i change the default route:
>
> route del default
> route add default gw IP-OF-NEW-ROUTER
>
> then I can ssh in via NEW-IP-ADDRESS but not OLD-IP-ADDRESS.
>
> Both routers are port forwarding ssh to the internal IP address
> of the server.
>
> Is there a way to tell the server to accept incoming connections
> from both routers?
>
First off the server does accept incoming connections from both. It just 
tries to send outgoing "packets" via a single route and that confuses 
stateful firewalls. Oh and any decent ADSL provider should be filtering 
"martians" (packets with sender addresses that aren't part of the ip 
that it is supposed to be routing.

It's tricky but it can be made to work. There are a number of ways:

1 - there are some netgear firewall/routers that have two wan ports. 
They just do the magic for you using conntrack and automatically monitor 
things and route things via the correct ports. Its 3/4 years (and a 
couple of companies ago) since I used one so I don't know whats on the 
market now.

2 - I currently do a slightly different version of this where I can get 
access via a standby (3g dongle) route but only using ssh on a single 
port. It doesn't do the outgoing by default although I can use openwrt 
to change limited outgoing as/when necessary).

3 - assuming you aren't doing (1) and you only need one server to 
automagically work via both routes then I'd suggest setting up two ip 
addresses on the server (on the same lan is fine) and port forward to 
one from server (a) and the other from server (b). Then you just need to 
do some routefu to do it. Basically you say that anything going out from 
address (a) goes via route (a) and vice-versa.

I don't have the exact routefu at hand right now but suggest you look at

man ip

specifically  the "rule" section.

You will be looking at something along the lines of

/sbin/ip rule add from 192.168.1.101 table adsl1
/sbin/ip rule add from 192.168.1.102 table adsl2
/sbin/ip route add default via 192.168.1.1 dev eth0 src 192.168.1.101 
table adsl1
/sbin/ip route add default via 192.168.1.2 dev eth0 src 192.168.1.101 
table adsl2

you may be able to use the rules to do some nat on there and make it 
"just work"

You can just about make the outgoing work the same. Although you might 
need to use a 3rd address for that and basically deprecate the incoming 
2 addresses so that outgoing connections use the 3rd.

Hopefully that gives you a good starting point.

Richard

More information about the Durham mailing list