Policy-Based Routing Using Software Firewalls?

Bios_Hakr asks: "My local computer group meets for monthly LAN parties. The location that hosts the parties also has a small internet cafe. After the cafe closes, they allow us to connect to their T-1 line. They supply us with a single IP address which we NAT/(PAT?) via a Linksys DSL router. We also have a second T-1 supplied by one of the more gracious members of our group. He agreed to supply this T-1 after experiencing abysmal ping rates with 30 people sharing the bandwidth. Herein lies the quandary: How can we implement Policy-Based routing for our LAN? I'd like all HTTP and FTP to be directed out one line while popular gaming ports are directed over the second line. All file-sharing traffic should be killed. I know how to do this via Cisco IOS and policy-route-mapping, but I'm at a loss when it comes to doing it via software firewall solutions. We have several Linux-familiar people in the group and lots of Windows geeks; but the solution should be simple and require zero brainpower to set up after the initial implementation. How would you split your LAN traffic across two T-1 lines?"
  • by 1eyedhive ( 664431 ) on Wednesday March 24, 2004 @01:10PM (#8657609) Homepage Journal
    Shorewall firewall can handle DNAT requests; as for packet shaping, there are several solutions out there. A friend of mine runs a router like this: Red Hat 8, Shorewall, traffic shaping, routing a T1 and a wireless T1 equivalent to a single LAN. It requires a bit of thought, but you can set up the router to forward everything below port 1024 out connection A and everything above out connection B (that keeps the web/ftp/pop/ssh/telnet stuff on one line, games on the other, though you might want to route some of the less popular/bandwidth-intensive stuff (RTSs for example) out A as well). BTW: this pal of mine runs the local LAN/computer group around these parts; I'll alert him to this thread. Who knows, you may get some help.
  • You can do static routes to particular networks, but what you REALLY need is BGP routing to your two ISPs. Count on a router with AT LEAST 128 megs of memory to do this, and a high end CPU on the router to manage all the BGP tables. Even this will not give you load balancing, just best path routing.
    • Yeah and you need to get an AS number and IP space from ARIN (or RIPE or APNIC).

      Isn't going to happen due to the cost, and the ISP will not be amused that you flap your BGP session up and down every day, if not more often.
  • pf [openbsd.org] w/integrated altq. Set up authpf for those users that need to bend your rules a little.

    it's magical. it "just works"

    lots of good examples in the man pages too

    throw it on a soekris and toss the linksys =)
  • by Garfunkel ( 3569 ) <<moc.assiracdnayaj> <ta> <yaj>> on Wednesday March 24, 2004 @01:24PM (#8657816) Homepage
    Tooting my co-worker's horn here.

    Please visit http://linux-ip.net [linux-ip.net] and more specifically for your problem: http://linux-ip.net/html/ch-advanced-routing.html [linux-ip.net]

    That should get you started. It's by no means simple, but my understanding is that once you get it up, it works.

  • Easy (Score:4, Informative)

    by ADRA ( 37398 ) on Wednesday March 24, 2004 @01:31PM (#8657915)
    Linux can handle this with little problem these days. It's a little technical, but you can basically do it with a combination of:
    iproute2
    iptables & Patch-o-matic
    netfilter CONNMARK extension
    You have the matching power of iptables to implement any sort of policy routing that you could ever dream of!
    • by ADRA ( 37398 )
      PS: if you need help on actually how to implement this, see the archives from either LARTC &| Netfilter
  • by Yonder Way ( 603108 ) on Wednesday March 24, 2004 @01:36PM (#8657990)
    This is cake.

    OpenBSD comes out of the box with a great firewall (that will also handle your NAT). The firewall can easily handle packet queueing and prioritization. Tell the firewall how much bandwidth you have to work with, set your host up with priority over your traffic, even break it down by protocol if you want.
  • IPTables and QoS (Score:5, Informative)

    by shyster ( 245228 ) <.brackett. .at. .ufl.edu.> on Wednesday March 24, 2004 @01:40PM (#8658038) Homepage
    A Linux box with 3 network cards and some IPTables and QoS should do what you're looking for. Take a look at the Linux Advanced Routing and Traffic Control HOWTO [lartc.org] for the nitty-gritty QoS details, and here [linux-ip.net] for the routing parts.

    Basically, you'd be looking at doing the following things. Multiple outbound providers, [linux-ip.net] which will need another routing table built for the second link. Then you'll need to dive into QoS [lartc.org] to split up your traffic into your definitions of bulk (HTTP, FTP), priority (Gaming), and drop (P2P). I notice that you have no default set up, but I leave that up to you. Finally, you can use iptables to mark and NAT your traffic out the right interface.

    Under Windows, you would need some advanced routing software I think. ISA may do it, but I doubt your budget allows it. By default, Windows does have the ability to enforce QoS terms, but you'd need something to apply those QoS marks (I doubt that games commonly mark their packets with ToS)...which means a bridge in front of the Windows router. Might as well use a Linux router instead.

    If anybody knows of a way to get a Windows box to route based on ports, I'd love to hear it.

    Oh, and a simple solution for the exact problem you describe (which I don't think is what you really want) would be a proxy for the HTTP and FTP link, and a router for the other link. All HTTP and FTP requests would be sent out the proxy, everything else would go the default route (to the router) which could be configured to drop P2P and route everything else. Optionally, you could do QoS on the router to prioritize certain traffic. If you go that route, I'm fond of AnalogX [analogx.com] Proxy (for Windows) because it's free and simple. Of course, that does require client configuration... unless you use Transparent Proxying [tldp.org].

    • Wouldn't it be easier to do this with iptables:

      iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to $FIRST_T1
      iptables -t nat -A POSTROUTING -p udp --dport 27015 -j SNAT --to $SECOND_T1

      IIRC this will route all web traffic to the first T1 and all halflife traffic to the second T1, or did I miss something?
      • The SNAT option --to is really --to-source. But, you're still only modifying the packet to show that it came from that IP address, not actually routing it out that interface. You'd need iproute2 to actually make the packet go out the correct route.

        To be specific, you're looking at doing policy based routing. Normally, routing is only done based on destination network. But, in this case, we want to route based on destination ports (or ToS if these games happen to classify their packets with it). iproute2 can

    • Re:IPTables and QoS (Score:2, Informative)

      by dave1g ( 680091 )
      "If anybody knows of a way to get a Windows box to route based on ports, I'd love to hear it."

      Do you mean using Internet connection sharing?

      If you click on the properties of the network connection you are sharing you can route ports (individual ones only, unfortunately) to specific IPs on your LAN, or even their computer name.

      I've used it, it works; the only problem is when you have port ranges greater than... oh, say 2 that you want to forward, then it's a bitch to do them all manually.

      I've got emails an
  • A couple of options (Score:5, Informative)

    by DDumitru ( 692803 ) <doug @ e a s y c o .com> on Wednesday March 24, 2004 @01:45PM (#8658105) Homepage
    There are a bunch of areas in Linux that can help you. Only some of them are routing based.

    The first thing I would try would be to set up one of your lines with 'tc' and bandwidth shape the line with CBQ and SFQ. CBQ will let you set the outbound "rate" for the line, and SFQ will enforce "fairness" between different "connections". This should keep ftp uploads from swamping upstream traffic and pushing your ping times through the sky. You can do some similar things with 'tc' ingress policies to shape the incoming traffic, but this is less effective.

    If you still want to try two lines, here is the basic setup.

    You need a Linux box that has three network interfaces. One for each of your T-1s, and one for your local LAN. The Linux box's IP address is the default gateway for everyone on your local LAN.

    You setup a firewall on the Linux box with something like:

    LAN on eth0
    T1 on eth1
    T1 on eth2

    iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j MARK --set-mark 1
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

    ip rule add fwmark 1 table 10
    ip route add default via IP_ADDRESS_OF_T1#1 dev eth1
    ip route add default via IP_ADDRESS_OF_T1#2 dev eth2 table 10

    This is far from complete (and I haven't tested it), but it should set "fwmark" to 1 for HTTP traffic. The router table should then take traffic with FWMARK set to 1 and use routing table 10 instead of the default table, which can have a different default route. In that both eth1 and eth2 are MASQed, both will NAT.

    You will need a lot more here to be fully functional. You need to completely filter the traffic you don't want, and probably classify a bunch more stuff along the way.

    Good luck.
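    The single-line shaping that the post above suggests trying first, written out as an added example (this is not DDumitru's code). It uses HTB rather than CBQ (the LARTC HOWTO's replacement for CBQ, which the post mentions) with SFQ leaf qdiscs for per-flow fairness; the interface name, rates and game ports are assumptions. With DRY_RUN=1 the script prints the tc commands instead of running them, so the plan can be reviewed before it touches a live uplink.

```sh
#!/bin/sh
# Added example, not code from the page: shape one uplink's outbound traffic
# so bulk uploads cannot starve ping/ssh/game packets. HTB stands in for CBQ;
# SFQ leaves give per-flow fairness. All values below are assumptions.

LINK_RATE=1400kbit          # a T-1 is ~1544 kbit/s; shape slightly under it so the
                            # queue forms in this box (which we control), not at the ISP
PRIO_RATE=400kbit           # guaranteed share for the interactive class
BULK_RATE=1000kbit          # guaranteed share for everything else (sums to LINK_RATE)
GAME_UDP_PORTS="27015 27016"   # assumed game-server ports

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_shaping() {
    dev=$1
    # start clean; the del fails harmlessly when no qdisc is attached yet
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    # root HTB; anything no filter claims lands in class 1:20 (bulk)
    run tc qdisc add dev "$dev" root handle 1: htb default 20
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$LINK_RATE" ceil "$LINK_RATE"
    # 1:10 interactive: served first, may borrow up to the whole link when idle
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$PRIO_RATE" ceil "$LINK_RATE" prio 0
    # 1:20 bulk (web, ftp uploads): gets what is left
    run tc class add dev "$dev" parent 1:1 classid 1:20 htb rate "$BULK_RATE" ceil "$LINK_RATE" prio 1
    # SFQ inside each class: one big upload cannot monopolise its class
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$dev" parent 1:20 handle 20: sfq perturb 10
    # classifiers: ICMP (ping), outbound ssh and the game ports go to 1:10
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip protocol 1 0xff flowid 1:10
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip protocol 6 0xff match ip dport 22 0xffff flowid 1:10
    for port in $GAME_UDP_PORTS; do
        run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport "$port" 0xffff flowid 1:10
    done
}

# Usage: `sh shape.sh apply eth1` as root; `DRY_RUN=1 sh shape.sh apply eth1` to review.
case "${1:-}" in
    apply) apply_shaping "${2:-eth1}" ;;
esac
```

    Shaping only works on the direction you send, which is why the post notes that ingress policing is weaker: the interesting queue for upload-heavy LAN parties is the one in front of the T-1, and this script puts it under your control.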
  • my rc.iprules script (Score:5, Informative)

    by Paul Jakma ( 2677 ) on Wednesday March 24, 2004 @01:55PM (#8658242) Homepage Journal
    See:

    http://hibernia.jakma.org/~paul/rc.iprules [jakma.org]

    For a script that does something similar to what you want, policy routing to route based on source IP. It should be easy enough to add an additional 'firewall mark' field to the table and policy route based on that (I'm on holiday, otherwise I might have done that for you). The listed "intranets" will use the main table.

    Basically, all you need is:

    1. create a table for each policy (edit /etc/iproute2/rt_realms)

    2. use iptables to add arbitrary 'fwmarks' to incoming packets based on whatever criteria you have

    3. use the 'ip rule' command to direct routing for packets with specific fwmarks to specific routing tables.

    4. direct other traffic to the default 'main' table.

    Finally, see the Linux Advanced Routing & Traffic Control [lartc.org] site for further information.
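    The four steps above, and the fwmark/MASQUERADE sketch in DDumitru's post, carried through to a complete two-uplink script as an added example (not Paul Jakma's rc.iprules nor anyone else's code on this page). Interface names, the 203.0.113.x / 198.51.100.x addresses, table numbers and port lists are assumptions. It goes a little beyond the posts: a CONNMARK is saved and restored so every packet of a connection follows the uplink its first packet chose, and the main table keeps a default route so unclassified traffic (including passive-FTP data connections, whose ports no rule can predict) still has a way out. DRY_RUN=1 prints the commands instead of applying them.

```sh
#!/bin/sh
# Added example, not code from the page: HTTP/FTP out one T-1, game traffic
# out the other, P2P dropped, via iptables fwmarks and iproute2 tables.
#
# Assumed layout (all addresses are placeholders):
#   eth0  LAN
#   eth1  T-1 #1 "web"    gateway 203.0.113.1,  our address 203.0.113.2
#   eth2  T-1 #2 "games"  gateway 198.51.100.1, our address 198.51.100.2
LAN_IF=eth0
WEB_IF=eth1;  WEB_GW=203.0.113.1;   WEB_IP=203.0.113.2
GAME_IF=eth2; GAME_GW=198.51.100.1; GAME_IP=198.51.100.2
MARK_WEB=1;   TABLE_WEB=100        # numeric table ids need no rt_tables entry
MARK_GAME=2;  TABLE_GAME=200
GAME_UDP_PORTS="27015,27016"       # assumed game-server ports
P2P_TCP_PORTS="6881:6889,4662"     # assumed file-sharing ports to drop

# DRY_RUN=1 prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1

    # Step 1: one routing table per uplink, plus a default in the main table
    run ip route add default via "$WEB_GW"  dev "$WEB_IF"  table "$TABLE_WEB"
    run ip route add default via "$GAME_GW" dev "$GAME_IF" table "$TABLE_GAME"
    run ip route add default via "$WEB_GW"  dev "$WEB_IF"

    # Step 2: classify LAN traffic in mangle/PREROUTING. Restore the mark of an
    # already-classified connection first so mid-stream packets are not re-decided.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j ACCEPT
    for p in 80 443 21; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$p" -j MARK --set-mark "$MARK_WEB"
    done
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p udp -m multiport --dports "$GAME_UDP_PORTS" -j MARK --set-mark "$MARK_GAME"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --save-mark

    # Step 3: 'ip rule' sends each fwmark to its table; step 4 is implicit,
    # because unmarked packets fall through to the main table's default route.
    run ip rule add fwmark "$MARK_WEB"  table "$TABLE_WEB"
    run ip rule add fwmark "$MARK_GAME" table "$TABLE_GAME"

    # Drop file sharing; NAT everything else with the address of whichever
    # uplink the routing decision picked.
    run iptables -A FORWARD -i "$LAN_IF" -p tcp -m multiport --dports "$P2P_TCP_PORTS" -j DROP
    run iptables -t nat -A POSTROUTING -o "$WEB_IF"  -j SNAT --to-source "$WEB_IP"
    run iptables -t nat -A POSTROUTING -o "$GAME_IF" -j SNAT --to-source "$GAME_IP"
    run ip route flush cache
}

# Usage: `sh two-t1.sh apply` as root; `DRY_RUN=1 sh two-t1.sh apply` to review first.
case "${1:-}" in
    apply) apply_policy_routing ;;
esac
```

    The check worth doing after applying it is `ip rule show` followed by `ip route show table 100` and `table 200`: if a rule points at an empty table the kernel falls through to the next rule, so a missing default route silently sends everything out the web line instead of failing loudly.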
  • If the Linksys itself is running Linux, and you can replace the system image (tutorials exist for Linksys routers), then you can easily write a shell script to select the outgoing connection by destination port using a couple of iptables commands. No additional hardware is required.

    • Only on the WRT54G if I recall correctly.

      Also, the switches on those Linksys boxes I'm sure aren't managed, so you'd not be able to use them to load-balance T1s like that very easily.

      Best to use a pc with 3 NICS in it.
  • Search Sveasoft on Google and look up their aftermarket firmware.
  • I had a similar issue with my DSL connection at home. Using SSH was really painful, when someone was downloading...

    A lot of people got down to the nitty gritty technical details, but as I understand you want something simple that just works. Well, I use a Linux Firewall distro to do the routing in combination with a small script to configure the QoS.

    Try Clarkconnect [clarkconnect.org] in combination with Wondershaper [lartc.org]. Wondershaper uses some basic input parameter to configure the kernel to traffic prioritization. I found it

  • by Anonymous Coward
    Set up Squid (or something else if you prefer) on a box that faces the first T1. Block port 80 going out on the second. Tell everyone that they have to set up their browsers to use the proxy or it won't work. For bonus points, do some transparent proxy stuff on the gateway system and just force their web hits to go to the Squid box.

    Squid doesn't help for raw FTP, but you can still use it as an FTP proxy if you access it through a web browser. You could also do some masquerading and route mangling to s
  • by Kalzus ( 86795 ) on Thursday March 25, 2004 @10:56AM (#8666965)
    Time to let your fingers do the walking...

    Linux Advanced Routing and Traffic Control [lartc.org]

    I know this stuff is dense, but I happen to think it's stuff that any serious Linux admin should know about eventually, so I spread the word. If you want some pointers on where to start, send me an IM. I'll be at work all day today more-or-less.
  • How would you split your LAN traffic across two T-1 lines?

    Very happily!

  • First, split the traffic up with iptables, tagging "interface 2" traffic with a fwmark.

    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x05
    $IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 0x06

    Then, make sure you have used iproute to select the routing table you use based on the fwmark (requires entries in /etc/iproute2/rt_tables for each table)

    echo 100 tone >> /etc/iproute2/rt_tables
    echo 200 ttwo >> /etc/iproute2/rt_tables
    ip route add $router1 dev eth1 src $eth1_ip
  • check out zebra (Score:3, Informative)

    by fist_187 ( 556448 ) on Friday March 26, 2004 @07:39PM (#8685539) Homepage
    GNU Zebra [zebra.org] is a Cisco IOS clone [linuxforum.com] for Linux. I think it's what you're looking for.
