Policy-Based Routing Using Software Firewalls?
Bios_Hakr asks: "My local computer group meets for monthly LAN parties. The location that hosts the parties also has a small internet cafe. After the cafe closes, they allow us to connect to their T-1 line. They supply us with a single IP address which we NAT/(PAT?) via a Linksys DSL router. We also have a second T-1 supplied by one of the more gracious members of our group. He agreed to supply this T-1 after experiencing abysmal ping rates with 30 people sharing the bandwidth. Herein lies the quandary: How can we implement Policy-Based routing for our LAN? I'd like all HTTP and FTP to be directed out one line while popular gaming ports are directed over the second line. All file-sharing traffic should be killed. I know how to do this via Cisco IOS and policy-route-mapping, but I'm at a loss when it comes to doing it via software firewall solutions. We have several Linux-familiar people in the group and lots of Windows geeks; but the solution should be simple and require zero brainpower to set up after the initial implementation. How would you split your LAN traffic across two T-1 lines?"
Set up Squid (or something else if you prefer) on a box that faces the first T1. Block port 80 going out on the second. Tell everyone that they have to set up their browsers to use the proxy or it won't work. For bonus points, do some transparent proxy stuff on the gateway system and just force their web hits to go to the Squid box.
Squid doesn't help for raw FTP, but you can still use it as an FTP proxy if you access it through a web browser. You could also do some masquerading and route mangling to send port 21 stuff out through the first T1. You need iptables to masquerade things to the gateway's address, plus iproute2 to make it use a specific router. Unfortunately, iproute2 has the syntax from hell, so it'll take a while to figure that out.
All the talk about BGP and filtering and so forth is technically correct, but it's seriously complicated for what you want to do. Handle your biggest troublemaking protocols with some application level proxies and you can spend the rest of your time playing games instead of pulling your hair out with EBGP, getting the ISPs to play nicely, dealing with an AS number of your own, flapping routes, and so on.
If your users are being bastards and are going around your port blocking, consider blocking everything but your gaming ports on the second T1. That will force them to use the proxy to get to the "other" services.
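The masquerading-plus-iproute2 split the answer sketches, written out as an added example (not from the thread, and not anyone's production config). It marks game traffic in the mangle table, sends marked connections through a second routing table whose default route is the member's T1, leaves everything else (HTTP, FTP, the proxy's own traffic) on the cafe's T1, masquerades on both uplinks, and refuses anything unmarked on the second T1, which is the "block everything but your gaming ports" fallback from the last paragraph. All names are assumptions: eth0 is the LAN, eth1/192.0.2.1 the cafe T1, eth2/198.51.100.1 the member's T1, 10.0.0.0/24 the LAN, and the two UDP ports stand in for whatever your games actually use. Killing file-sharing traffic is a separate FORWARD drop on whichever ports the group settles on and is not included here.

```sh
#!/bin/sh
# Two-uplink policy routing for a Linux LAN-party gateway (added example, not from the thread).
# T1 #1 (cafe) carries the default route: HTTP, FTP, everything unmarked.
# T1 #2 (member) carries only connections marked as game traffic.
# Interface names, gateways, the LAN prefix and the port list are assumptions; edit to taste.
set -eu

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.0.0.0/24}
WAN1_IF=${WAN1_IF:-eth1}; WAN1_GW=${WAN1_GW:-192.0.2.1}      # cafe T1
WAN2_IF=${WAN2_IF:-eth2}; WAN2_GW=${WAN2_GW:-198.51.100.1}   # member's T1
GAME_UDP_PORTS=${GAME_UDP_PORTS:-27015,27960}                 # example ports, fill in your games
GAME_TABLE=200   # iproute2 table number for the gaming uplink
GAME_MARK=0x2    # fwmark that selects that table

# With DRY_RUN=1 the commands are printed instead of executed, so the ruleset
# can be reviewed (or tested) on a box that is not the gateway.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_sysctl() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # Replies to game traffic arrive on eth2, but a main-table lookup for their source
    # points at eth1; strict rp_filter would drop them, so use loose mode on that link.
    run sysctl -q -w "net.ipv4.conf.$WAN2_IF.rp_filter=2"
}

setup_routes() {
    # Default route in the main table: the cafe T1 (web, FTP, proxy, anything unmarked).
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF"
    # Gaming table: default via the member's T1, plus the LAN so marked packets can still
    # reach local hosts if the rule ever matches them.
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$GAME_TABLE"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$GAME_TABLE"
    # Packets carrying the game mark are looked up in the gaming table first.
    run ip rule add fwmark "$GAME_MARK" table "$GAME_TABLE" priority 100
}

setup_marks() {
    # Restore the connection's mark so every packet of a game session uses the same link.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j ACCEPT
    # New connections to game ports get the mark; everything else stays at 0 (cafe T1).
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p udp -m multiport --dports "$GAME_UDP_PORTS" -j MARK --set-mark "$GAME_MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --save-mark
}

setup_nat_and_filter() {
    # Masquerade behind whichever uplink the routing decision picked.
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j MASQUERADE
    # Only marked (game) traffic may leave via the member's T1; anything that sneaks
    # around the port marking is refused there, which forces it back to the proxy.
    run iptables -A FORWARD -o "$WAN2_IF" -m mark --mark "$GAME_MARK" -j ACCEPT
    run iptables -A FORWARD -o "$WAN2_IF" -j REJECT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN1_IF" -j ACCEPT
}

main() { setup_sysctl; setup_routes; setup_marks; setup_nat_and_filter; }

# Usage: ./split-t1.sh dry-run   (print the ruleset)   |   ./split-t1.sh apply   (as root)
case "${1:-}" in
    apply) main ;;
    dry-run) DRY_RUN=1; main ;;
esac
```

Run it with `dry-run` first and read the output: the three `ip` lines are the whole of the iproute2 part the answer warns about, and the mangle rules are where you add or remove games. Because the mark is saved in conntrack, a game session that starts on UDP keeps its uplink for the life of the connection even if later packets would not match the port list on their own.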