CentOS 8: Two External Network Adapters, Two ISPs – Routing Problems


Hello!

Given: a CentOS 8-powered computer with three network adapters.

eth0, eth2: external, connected to two different ISPs
eth1: faces home network (intranet)

The task: allow accessing certain internal services from either ISP. There are several services; I only mention SSH below.

In the configs below:
IP1: external IP at first ISP (ISP1), assigned to eth0
Gateway1: IP of gateway provided by ISP1
Network1,Netmask1: related to IP1
IP2: external IP at second ISP (ISP2), assigned to eth2
Gateway2: IP of gateway provided by ISP2
Network2,Netmask2: related to IP2
LocalSSHIP: IP in intranet (eth1) where SSH server is running

Current configs follow. Routing tables:

echo "200 isp1" >> /etc/iproute2/rt_tables
echo "201 isp2" >> /etc/iproute2/rt_tables

Routing policies:
/etc/sysconfig/network-scripts/route-eth0

Network1 dev eth0 src IP1 table isp1
default via Gateway1 dev eth0 table isp1

/etc/sysconfig/network-scripts/route-eth2

Network2 dev eth2 src IP2 table isp2
default via Gateway2 dev eth2 table isp2

Routing rules:
/etc/sysconfig/network-scripts/rule-eth0

from IP1/32 table isp1

/etc/sysconfig/network-scripts/rule-eth2

from IP2/32 table isp2

iptables snippets. External traffic forwarded to local SSH server from both interfaces:

iptables -A PREROUTING -t nat -i eth0 -p tcp -d IP1 --dport 22 -j DNAT --to-destination LocalSSHIP:22
iptables -A PREROUTING -t nat -i eth2 -p tcp -d IP2 --dport 22 -j DNAT --to-destination LocalSSHIP:22
iptables -A FORWARD -p tcp -d LocalSSHIP --dport 22 -j ACCEPT

eth0 is default gateway:
$ ip route

default via Gateway1 dev eth0 proto static metric 100
default via Gateway2 dev eth2 proto static metric 101

$ ip rule

0: from all lookup local
32764: from IP2 lookup isp2
32765: from IP1 lookup isp1
32766: from all lookup main
32767: from all lookup default

SNAT is applied for the traffic originating from eth1:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source IP1

Current situation:

– All services forwarded from eth0 are working normally.
– All traffic originating from intranet passes out and back normally.
– All the attempts to access services from eth2 time out.

There are no obvious hints in /var/log/messages (such as complaints about “martian IPs”).

I am somewhat at a loss here; any advice would be very welcome.

2 thoughts on - CentOS 8: Two External Network Adapters, Two ISPs – Routing Problems

  • The setup looks reasonable at first sight, and it is similar to what I have (on a C7). Have you tried some tcpdump on the interfaces?
    If the src-based routing rules are not working well, it happens that your answers go out the wrong ethernet and nothing works (especially if your provider doesn’t want to forward what looks like spoofed packets).

    Regards.

  • You need to SNAT the outbound traffic on eth0 and eth2 to use the interface address that the packets leave from.
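An added illustration, not from the original post or the replies: a small Python model of the kernel's policy-routing lookup loaded with the poster's tables and rules, using constructed sample addresses in place of the IP1/IP2 placeholders. It shows why the reply to a DNAT'd SSH connection arriving via ISP2 leaves through eth0 (its source is still LocalSSHIP when the route is chosen, so neither `from` rule matches and the main table applies), and that a `fwmark` rule, an assumed addition paired with a CONNMARK mark set on ingress via eth2, steers that reply back out eth2.

```python
import ipaddress

# Constructed sample addresses in place of the post's placeholders
# (IP1/Gateway1/Network1, IP2/Gateway2/Network2, LocalSSHIP, a remote client).
IP1, GW1, NET1 = "203.0.113.10", "203.0.113.1", "203.0.113.0/24"
IP2, GW2, NET2 = "198.51.100.20", "198.51.100.1", "198.51.100.0/24"
LOCAL_SSH, CLIENT = "192.168.1.10", "192.0.2.50"

# Routing tables as in the post: (prefix, dev, gateway-or-None).
TABLES = {
    "isp1": [(NET1, "eth0", None), ("0.0.0.0/0", "eth0", GW1)],
    "isp2": [(NET2, "eth2", None), ("0.0.0.0/0", "eth2", GW2)],
    "main": [(NET1, "eth0", None), (NET2, "eth2", None),
             ("192.168.1.0/24", "eth1", None), ("0.0.0.0/0", "eth0", GW1)],
}

# Rules in priority order: (selector, value, table). The two 'from' rules are the
# poster's; the 'fwmark' rule is an assumed addition, fed by a CONNMARK mark that
# mangle PREROUTING would set on connections entering through eth2.
RULES = [("from", IP2, "isp2"), ("from", IP1, "isp1"),
         ("fwmark", 2, "isp2"), ("from", "all", "main")]

def lookup(table, dst):
    """Longest-prefix match within one table; returns (dev, gateway) or None."""
    best = None
    for prefix, dev, gw in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev, gw)
    return None if best is None else (best[1], best[2])

def egress(src, dst, fwmark=0):
    """Walk the rules in priority order, as the kernel does; return (dev, gateway)."""
    for sel, val, table in RULES:
        if sel == "from" and val not in ("all", src):
            continue
        if sel == "fwmark" and val != fwmark:
            continue
        hit = lookup(table, dst)
        if hit:
            return hit
    raise LookupError("no route to %s" % dst)

def dnat_reply_path(ingress_mark=0):
    """Egress for the SSH server's reply to a client that arrived via ISP2.
    The reply is routed while its source is still LocalSSHIP: nat POSTROUTING
    rewrites it back to IP2 only after the route has been chosen, so without a
    mark no 'from' rule matches and the main table sends it out eth0."""
    return egress(LOCAL_SSH, CLIENT, fwmark=ingress_mark)
```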