Thursday, 19 February 2009

Adding a second Internet connection

I have just installed a second ADSL connection, intending it to be a backup in case the first one goes down. This comes with a DSL-2640R NAT router (including firewall).


My existing network is somewhat complicated - at its heart is a CentOS 4 Linux box from Tranquil PC, with three network cards, which routes between the three networks.


  • My existing ADSL router, at 192.168.2.5, is on the eth0 network (eth0 itself is 192.168.2.1).
  • I have a 100 Mbit network on eth1 (192.168.1.1)
  • I have a Gbit network on eth2 (192.168.3.1)

Although I want ultimately to set up load sharing and automatic failover, to start with I just wanted everything to work, viz:

  • All machines on the network to have access to the Internet and to every other machine (including both ADSL routers).
  • To be able to connect to the Linux box from outside, via either Internet connection.

The first thing I did was to assign the new DSL-2640R router IP address 192.168.1.250, turn off DHCP (so it didn't conflict with the existing DHCP server) and add it to the network on eth1. I originally tried to put it on the same network as the existing router, but I don't understand how it would be possible to distinguish outside traffic coming in via the two routers unless they were on separate interfaces. It may be worth trying a virtual interface here.

Allowing the router to see the other networks


Now I could see the DSL-2640R from the Linux box, but not from either of the other networks: the DSL-2640R has no setting for a default gateway on its LAN side, so it had no route back to the other networks.


I first tried setting up NAT on the Linux box for the eth1 interface (the one the DSL-2640R sits on), by editing /etc/sysconfig/iptables as follows:

*nat
:PREROUTING ACCEPT [39:3410]
:POSTROUTING ACCEPT [33:2787]
:OUTPUT ACCEPT [10:677]
# Rewrite the source of anything leaving eth1 for the DSL-2640R to eth1's own
# address (192.168.1.1), so the router sees a host on its LAN and can reply
# without needing a route to 192.168.2.0/24 or 192.168.3.0/24.
-A POSTROUTING -d 192.168.1.250 -o eth1 -j MASQUERADE
COMMIT

That enabled me to see the web interface of the DSL-2640R from anywhere on my network, but did not allow incoming traffic from the router to see the rest of my network.


I discovered that the router has a telnet interface, which shows the following help (once you have logged in and typed "help"):

Valid commands are:
sys exit ether wan
ip bridge dot1q pktqos
show set lan

Although I couldn't find any documentation for this interface, it looked remarkably similar to the one on my ZyXel Prestige 660HW, for which I did have documentation.


I therefore set up two static routes in ROM (so they survive a reboot), as follows:

D-Link> ip route addrom index 1
D-Link> ip route addrom name gbit
D-Link> ip route addrom set 192.168.3.0/24 192.168.1.1 1
D-Link> ip route addrom save
ip route addrom: save ok
D-Link> ip route addrom index 2
D-Link> ip route addrom name dirty
D-Link> ip route addrom set 192.168.2.0/24 192.168.1.1 1
D-Link> ip route addrom save
ip route addrom: save ok

That worked fine, so I reverted iptables to its original state.

Enabling incoming traffic


The next step was to enable incoming traffic from the DSL-2640R. I first opened up the necessary ports in the DSL-2640R's NAT setup, redirecting them all to the Linux box on 192.168.1.1. That allowed the incoming traffic, but the Linux box couldn't reply, because its default route back was via the original ADSL router at 192.168.2.5.

Having read an article at http://lartc.org/howto/lartc.rpdb.multiple-links.html, I amended the routing tables on the Linux box. I first added two new tables to /etc/iproute2/rt_tables:

200 ISP1
201 ISP2

Then added routes to these tables:

# Per-ISP tables: each holds that ISP's local subnet and a default route via
# that ISP's router. The original ADSL router is on eth0, the DSL-2640R on eth1.
ip route add 192.168.2.0/24 dev eth0 src 192.168.2.1 table ISP1
ip route add default via 192.168.2.5 table ISP1

ip route add 192.168.1.0/24 dev eth1 src 192.168.1.1 table ISP2
ip route add default via 192.168.1.250 table ISP2

# Main table: the normal default route, still via the original router.
ip route add 192.168.2.0/24 dev eth0 src 192.168.2.1
ip route add default via 192.168.2.5

# Policy rules: anything sourced from an interface's own address is looked up
# in that ISP's table, so replies leave by the router they came in through.
ip rule add from 192.168.2.1 table ISP1
ip rule add from 192.168.1.1 table ISP2


I don't fully understand how all this works (and I would be grateful if anyone could explain it to me), but it does seem to.
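How this fits together, with a fuller version of the setup, as an added example that is not part of the original post. The kernel consults the ip rule list before any table: a packet whose source address is 192.168.1.1 matches "from 192.168.1.1" and is routed from table ISP2, whose default route is the DSL-2640R, so a reply to a connection that arrived through the DSL-2640R (and is therefore addressed from 192.168.1.1) goes back out that way whatever the main table's default says. The main table only decides where connections with no fixed source address go, i.e. new outbound traffic. The script below uses the post's addresses, interfaces and ISP1/ISP2 table names; the rule priorities, the DRY_RUN convention and putting every local network into both per-ISP tables are this example's own choices. That last point is the caveat worth knowing: a reply from 192.168.1.1 to a host on the gigabit network is also looked up in ISP2, and if that table held only 192.168.1.0/24 and a default route, the reply would be sent to the DSL-2640R instead of out of eth2.

```shell
#!/bin/sh
# Two-uplink policy routing for the layout in the post (added example, not
# the post's own script). Interface names, addresses and the ISP1/ISP2 table
# names come from the post; the rule priorities and the DRY_RUN convention
# are assumptions of this example. The table names must already exist in
# /etc/iproute2/rt_tables ("200 ISP1", "201 ISP2").
set -eu

# Uplink 1: original ADSL router, reached through eth0.
IF1=eth0; IP1=192.168.2.1; NET1=192.168.2.0/24; GW1=192.168.2.5;   T1=ISP1
# Uplink 2: DSL-2640R, reached through eth1.
IF2=eth1; IP2=192.168.1.1; NET2=192.168.1.0/24; GW2=192.168.1.250; T2=ISP2
# Every directly connected network (net:interface), uplink subnets included.
LOCAL_NETS="$NET1:$IF1 $NET2:$IF2 192.168.3.0/24:eth2"

# Print each command; execute it too unless DRY_RUN is set (so the script
# can be audited, and tested, without root).
run() {
    printf '%s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# Populate one per-uplink table. Besides the default route via that uplink's
# gateway it must carry every local network: a packet sourced from this
# uplink's address and bound for a LAN host is looked up here, not in main,
# and without the local route it would be handed to the ISP's router.
setup_uplink_table() { # table iface addr gateway
    tbl=$1; ifc=$2; addr=$3; gw=$4
    for entry in $LOCAL_NETS; do
        net=${entry%%:*}; dev=${entry##*:}
        if [ "$dev" = "$ifc" ]; then
            run ip route replace "$net" dev "$dev" src "$addr" table "$tbl"
        else
            run ip route replace "$net" dev "$dev" table "$tbl"
        fi
    done
    run ip route replace default via "$gw" table "$tbl"
}

# "from <addr> lookup <table>": replies leave by the link they arrived on.
# Delete first so re-running the script does not stack duplicate rules.
setup_rule() { # addr table priority
    addr=$1; tbl=$2; prio=$3
    run ip rule del from "$addr" table "$tbl" priority "$prio" 2>/dev/null || true
    run ip rule add from "$addr" table "$tbl" priority "$prio"
}

# The main table keeps the normal default (uplink 1); it only decides where
# locally originated traffic with no source-address constraint goes.
apply_all() {
    setup_uplink_table "$T1" "$IF1" "$IP1" "$GW1"
    setup_uplink_table "$T2" "$IF2" "$IP2" "$GW2"
    setup_rule "$IP1" "$T1" 100
    setup_rule "$IP2" "$T2" 101
    run ip route replace default via "$GW1"
}

case "${1:-}" in
    apply) apply_all ;;
    show)  DRY_RUN=1 apply_all ;;
esac
```

Run it with "show" to print exactly what it would do, and with "apply" as root. Using ip route replace, and deleting each rule before adding it, makes the script safe to run again after a change or a reboot.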

Switching between the two Internet connections


The next step is to allow switching the default gateway between the two routers (in case the primary one goes down). This is done using a couple of scripts:

#!/bin/sh
# Switch to new Internet connection (the DSL-2640R on eth1).
# Only the main table's default route changes; the ISP1/ISP2 tables and
# rules are untouched, so replies to connections that arrived through
# either router keep their return path.
ip route del default
ip route add default via 192.168.1.250


#!/bin/sh
# Switch to original Internet connection (the ADSL router on eth0).
ip route del default
ip route add default via 192.168.2.5


That works too - I may set this up to switch automatically, or to load balance, but I think I've done enough for now.
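Automatic switching, as an added example that is not the post's own script. The useful trick is that "ping -I <address>" fixes the probe's source address, so the same "from <address>" rules set up above push each probe out through its own router even while the other one holds the default route. The primary is declared down only after several consecutive failed probes, and the default route is moved only if the backup itself answers; when the primary answers again the route moves straight back. Gateways and addresses are the post's; the probe host, the threshold, the state file and the use of ip route replace (one atomic step instead of del-then-add) are assumptions of this example.

```shell
#!/bin/sh
# Automatic failover between the two uplinks (added example, not the post's
# script). Gateways and source addresses are the post's; the probe target,
# failure threshold and state file are assumptions. Run "failover.sh check"
# from cron every minute, as root.
set -eu

PRIMARY_GW=192.168.2.5;     PRIMARY_SRC=192.168.2.1     # original ADSL, eth0
SECONDARY_GW=192.168.1.250; SECONDARY_SRC=192.168.1.1   # DSL-2640R, eth1
PROBE=8.8.8.8                   # assumed probe host; pick one that answers ICMP
THRESHOLD=3                     # consecutive failed probes before a link is down
STATE=/var/run/failover.state   # assumed location; holds the failure count

# Probe one uplink. "-I <addr>" fixes the source address, so the
# "from <addr>" policy rule sends the probe via that uplink's own gateway
# regardless of which link currently holds the main default route.
link_up() { # source-address
    ping -c 1 -W 2 -I "$1" "$PROBE" >/dev/null 2>&1
}

# Extract the gateway from a "default via X dev Y" line. The line is passed
# in (rather than read here) so the parsing can be checked offline.
gateway_of() { # route-line
    set -- $1
    while [ $# -gt 1 ]; do
        [ "$1" = via ] && { printf '%s\n' "$2"; return 0; }
        shift
    done
    return 1
}

current_gateway() {
    gateway_of "$(ip route show default | head -n 1)"
}

# Pure decision: given the current gateway, the failure count so far and the
# two probe results (1 = up, 0 = down), print the new count and the gateway
# to use, separated by a space. Only the primary's failures are counted, and
# the secondary is used only when it is itself reachable.
decide() { # current failures primary_up secondary_up
    cur=$1; fails=$2; p=$3; s=$4
    if [ "$p" -eq 1 ]; then
        fails=0
        printf '%s %s\n' "$fails" "$PRIMARY_GW"   # primary healthy: use it, or return to it
    else
        fails=$((fails + 1))
        if [ "$fails" -ge "$THRESHOLD" ] && [ "$s" -eq 1 ]; then
            printf '%s %s\n' "$fails" "$SECONDARY_GW"
        else
            printf '%s %s\n' "$fails" "$cur"      # below threshold, or no working backup
        fi
    fi
}

set_default() { # gateway
    ip route replace default via "$1"
    logger -t failover "default route now via $1"
}

check_once() {
    fails=0
    [ -f "$STATE" ] && fails=$(cat "$STATE")
    cur=$(current_gateway)
    p=0; s=0
    link_up "$PRIMARY_SRC" && p=1
    link_up "$SECONDARY_SRC" && s=1
    set -- $(decide "$cur" "$fails" "$p" "$s")
    echo "$1" > "$STATE"
    [ "$2" = "$cur" ] || set_default "$2"
}

case "${1:-}" in
    check) check_once ;;
esac
```

The decision is kept separate from the probing and the route change so it can be reasoned about on its own: a single lost ping does not flip the route, and a dead backup is never chosen. Traffic from LAN hosts that was being NATed by the primary router will still see its public address change when the route moves, which is inherent in two separate ADSL connections.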