Split access from multiple uplinks

Question

Our setting is as follows:

 +---------+ +------------+ / | | | Modem | / +-----------+------| Firewall|----+ Provider 1 +------- __ | | | | | | / ___/ \_ | +------+----+ +---------+ +------------+ | _/ \__ | | p4p1 | / / \ | | | | | Local network -+ |Ubuntu srv | |Internet \_ __/ | | | \__ __/ | em1 | \ \___/ +------+----+ +------------+ | | | Router | \ +----------+ Provider 2 +---------------- | | | +------------+ 

We would like the Ubuntu server to be able to use the em1 interface, specially for ftp traffic.

That makes it harder, I believe, since FTP creates connections on Passive Mode that should be correctly routed through the em1. Am I mistaken to raise a red flag here?

We don't need nor want load balancing, and the LAN won't access the Internet through em1, so that should make things easier since the Ubuntu server doesn't have to reroute anything coming from em1.

We have a static public address given to the firewall, but the router of Provider 2 will have a dynamic address that we will have to DynDNS or something.

I've found this HOWTO and this stackoverflow question but I'm confused on that script values.

What are the IP1 and IP2 values really? Which will be the default route for packets originating from the ubuntu server? Where is that default route set and to which value? Is the P0_NET unnecessary in my case?

How would I modify that script to fit my case scenario? I believe it should at least be

#!/bin/bash -v #IPs of device connected to the internet IP1=192.168.30.240 (or is it the public ip 85.12.34.56?) #static IP provided by ISP2 IP2=192.168.0.10 (or is it the dynamic ip 190.12.34.56?) #Your Gateways (type route in terminal it should be in the same line as default) P1=192.168.30.1 #gateway provided by ISP1 P2=192.168.0.254 #gateway provided by ISP2 #Your Subnets P1_NET=192.168.30.0/24 #local network subnet + p4p1 P2_NET=192.168.0.0/24 #em1 LAN # NICs your internet interfaces IF1=p4p1 IF2=em1 ip route add $P1_NET dev $IF1 src $IP1 table T1 ip route add default via $P1 table T1 ip route add $P2_NET dev $IF2 src $IP2 table T2 ip route add default via $P2 table T2 ip route add $P1_NET dev $IF1 src $IP1 ip route add $P2_NET dev $IF2 src $IP2 ip rule add from $IP1 table T1 ip rule add from $IP2 table T2 ip route add $P2_NET dev $IF2 table T1 ip route add 127.0.0.0/8 dev lo table T1 ip route add $P1_NET dev $IF1 table T2 ip route add 127.0.0.0/8 dev lo table T2 

Answer 1

This is not a matter of routing. Routing works on layer 3 ie. the IP addresses but to sort out FTP traffic you'd need layer 4 information.

Make sure you bind the FTP server to em1's IP address only and it'll be accessible only on that side while also using passive ports on that IP address.

For vsftpd, IP binding is described in https://askubuntu.com/questions/301028/how-to-use-specific-ip-with-vsftpd

Answer 2

I had to set proper routing like this, no filtering needed since we are not setting routing for connections initiated by the server.

You have to set the tables name in /etc/iproute2/rt_tables

255 local 254 main 253 default 0 unspec 200 wan3table 201 wan1table 

and then add the following routes:

ip route add 192.168.30.0/24 dev p4p1 table wan1table ip route add default via 192.168.30.1 table wan1table ip route add 192.168.0.0/24 dev em1 table wan3table ip route add default via 192.168.0.254 table wan3table ip rule add from 192.168.30.240 table wan1table ip rule add from 192.168.0.10 table wan3table ip route add 127.0.0.0/8 dev lo table wan1table ip route add 127.0.0.0/8 dev lo table wan3table ip route add 192.168.0.0/24 dev em1 table wan1table ip route add 192.168.30.0/24 dev p4p1 table wan3table