[oclug] Repost from OCLUG Tech list

Bill Strosberg oclug at strosberg.com
Wed Sep 2 08:44:06 EDT 2009


All:

I'm reposting this here as it seems the tech list isn't getting a lot of 
traffic since the last time I was there.

---------------------------------------------------------------------------------------

It's been years since I posted here.  I've got a situation that I could
use some help on.

I've got a client who is doing some interesting things.  I've got a
firewall with four Ethernet interfaces in that connects to the Internet
via PPPoE.

eth0 - Internal private network
eth1 - Public wireless network for their clients and visitor use
eth2 - connection to DSL via PPPoE
eth3 - connection to internal VOIP system (used for failover if dedicated
VOIP internet connection fails)
tun0 - OpenVPN
ppp0 - External connection

Everything has worked fine in this site for years.  The client recently
decided to move to a VOIP system for their internal phones, and it has
its own Internet connection to the provider.  The VOIP provider's
proprietary router has an Ethernet interface to allow failover
connection to a secondary provider if their own network fails.

eth3 is set up as static 10.20.0.2/255.255.0.0/16 with the external
Ethernet interface on the VOIP router (10.20.0.1) as the default gateway
on the network.

I've set up iproute2 to add a new table in /etc/iproute2/rt_tables:

100   voip_provider
255   local
254   main
253   default

In /etc/network I've added a script if-post-up-eth3.sh:

ip rule add from 222.88.20.0/24 table voip_provider
ip rule add from 222.88.21.0/24 table voip_provider
ip rule add from 222.88.22.0/24 table voip_provider
ip route add default via 10.20.0.1 dev eth3 table voip_provider
ip route flush cache

ip masq is working for eth3.

I can connect a PC on the eth3 10.20.0.0/16 network and it has no
problem surfing etc.

What I want to do is have packets from all of the specified external
subnets routed out of the firewall to the address 10.20.0.1 on eth3.
Basically, all external traffic from these source address ranges needs to
be forwarded to the VOIP provider's router, with no exception.

Any ideas?

-- 
Bill S
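An added example, not Bill's own hook script, of how the if-post-up-eth3.sh logic above could be written so that rerunning it does not stack duplicate rules, with a helper that asks the kernel which path it would pick for a packet from one of the selected prefixes. The table name, gateway, device and prefixes are the post's; the rule priorities, the DRY_RUN switch and the probe address 198.51.100.1 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). DRY_RUN=1 only prints the
# commands so the resulting rule set can be reviewed before it is applied.
set -eu

TABLE=voip_provider   # table 100 in /etc/iproute2/rt_tables, as in the post
GW=10.20.0.1          # VoIP router's external interface (post)
DEV=eth3
SRC_NETS="222.88.20.0/24 222.88.21.0/24 222.88.22.0/24"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One 'ip rule add' per prefix. 'from' selects on the packet's SOURCE
# address (what the post uses); 'to' would select on the destination.
# Fixed priorities (assumed values) keep the rules ahead of the main-table
# lookup at 32766 and make them easy to find again on a rerun.
rule_cmds() {
    prio=1000
    for net in $SRC_NETS; do
        echo "ip rule add from $net lookup $TABLE priority $prio"
        prio=$((prio + 1))
    done
}

apply_policy_routing() {
    rule_cmds | while read -r cmd; do
        # skip rules that are already installed, so the hook is idempotent
        net=$(echo "$cmd" | awk '{print $5}')
        if ! ip rule show 2>/dev/null | grep -qF "from $net lookup $TABLE"; then
            run $cmd
        fi
    done
    # 'replace' instead of 'add' so a stale default route in the table is
    # overwritten rather than causing an error
    run ip route replace default via "$GW" dev "$DEV" table "$TABLE"
    run ip route flush cache
}

# Ask the kernel which table/next hop a packet arriving on ppp0 from the
# given source would use; the answer should name $GW and $DEV.
# (198.51.100.1 is a documentation address used only as the probe target.)
verify_path() {
    ip route get 198.51.100.1 from "$1" iif ppp0
}

[ "${1:-}" = apply ] && apply_policy_routing
```

Run it as `DRY_RUN=1 sh if-post-up-eth3.sh apply` to inspect the commands, then `verify_path 222.88.20.5` from a shell that has sourced the file to confirm the lookup lands in the voip_provider table.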


