# Linux router, network issue

## PietdeBoer

Hey guys,

I've created a home router for my primary internet connection; the setup is as follows:

line -> modem -> linux router -> local network

*Local network is 192.168.2.0

The iptables script can be seen below.

Now I want to add a second internet connection to it. This internet connection is already set up with a router, so I plug one of the LAN ports of the existing router into my Linux router:

line -> modem/router -> linux router

The IP of the existing router of the 2nd internet connection is 192.168.1.254. When I do a dhclient on the interface on my Linux router I get an IP address in the correct range.

When I try to ping the router (ping 192.168.1.254) I get a connection timeout.

Any clues?

*Iptables script:

```
#!/bin/sh

# First we flush our current rules
iptables -F
iptables -t nat -F

# Setup default policies to handle unmatched traffic
#iptables -P INPUT ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

#iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Copy and paste these examples ...
export LAN=eth1
export WAN=eth0
export LANBCK=eth2

# Then we lock our services so they only work from the LAN
# Note: only lo, ${LAN} and ${LANBCK} are accepted unconditionally; packets
# arriving on any other interface (eth3 included) fall through to the INPUT
# DROP policy unless a rule below matches them.
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i ${LANBCK} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${LAN} -j REJECT
iptables -A INPUT -i ${WAN} -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow access to our services from the LAN
#iptables -A INPUT -p TCP --dport 10000 -i ${LAN} -j ACCEPT
#iptables -A INPUT -p TCP --dport 389 -i ${LAN} -j ACCEPT
#iptables -A INPUT -p TCP --dport 22 -i ${LAN} -j ACCEPT
#iptables -A INPUT -p TCP --dport 25 -i ${LAN} -j ACCEPT
#iptables -A INPUT -p TCP --dport 8888 -i ${LAN} -j ACCEPT

# Allow access to our services from the WAN
#iptables -A INPUT -p TCP --dport 389 -i ${WAN} -j ACCEPT
#iptables -A INPUT -p TCP --dport 22 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 25 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 143 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 110 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 23081 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 23080 -i ${WAN} -j ACCEPT
iptables -A INPUT -p TCP --dport 236 -i ${WAN} -j ACCEPT

# Drop TCP / UDP packets to privileged ports
# iptables -A INPUT -p TCP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP
# iptables -A INPUT -p UDP ! -i ${LAN} -d 0/0 --dport 0:1023 -j DROP

# Finally we add the rules for NAT
# (LAN-to-LAN traffic is not forwarded; LAN-sourced traffic may leave, WAN
# traffic may only be forwarded towards the LAN subnet, and everything leaving
# on ${WAN} is masqueraded)
iptables -I FORWARD -i ${LAN} -d 192.168.2.0/255.255.255.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.2.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.2.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward

# Strict reverse-path filtering on every interface: a packet is dropped when
# the route back to its source address does not point out the interface it
# arrived on
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

# Port forward RDP from the WAN to an internal host
iptables -t nat -A PREROUTING -p tcp --dport 3389 -i ${WAN} -j DNAT --to 192.168.2.201

# This is so when we boot we don't have to run the rules by hand
/sbin/iptables-save > /etc/iptables-save

# If you have a dynamic internet address you probably want to enable this:
# net.ipv4.ip_dynaddr = 1
```

----------

## Bones McCracker

Have you configured routing appropriately?

What is the output of the command 'route' or the command 'ip route show'?

Also, examine articles that come under Google search:

*Quote:*

> linux routing dual isp

----------

## PietdeBoer

Thanks for your quick reply. The output of the commands is below; please note that:

eth0 = connected to primary ISP modem

eth1 = connected to internal switch and thus clients

eth2 = connected to router of secondary ISP

eth3 = connected to router of secondary ISP

Output of the cmd "route":

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
192.168.1.0     *               255.255.255.0   U     0      0        0 eth3
192.168.1.0     *               255.255.255.0   U     0      0        0 eth2
192.168.232.0   *               255.255.255.0   U     0      0        0 vmnet8
62.212.129.0    *               255.255.255.0   U     0      0        0 eth0
172.16.41.0     *               255.255.255.0   U     0      0        0 vmnet1
default         fe0-ams4-gw1-vp 0.0.0.0         UG    0      0        0 eth0
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth3
```

Output of the cmd "ip route show":

```
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.254
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.67
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.10
192.168.232.0/24 dev vmnet8  proto kernel  scope link  src 192.168.232.1
62.212.129.0/24 dev eth0  proto kernel  scope link  src 62.212.129.34
172.16.41.0/24 dev vmnet1  proto kernel  scope link  src 172.16.41.1
default via 62.212.129.1 dev eth0
default via 192.168.1.254 dev eth3
```

----------

## AngelKnight

Hello,

*Quote:*

> ```
> 192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.254
> ...
> ```

192.168.1.0/24 is local to both eth3 and eth2; which is the correct one? What gave eth2 192.168.1.10/24 as an address assignment?

If somehow they're both correct, from which interface is the "secondary ISP" actually expecting frames from your Linux router? From which interface will frames from the "secondary ISP" be sent to your Linux box?

Given the gateway I'm guessing eth3.  Could you try disabling eth2 in this setup ("/sbin/ip link set down dev eth2") and see if the results improve?

----------
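As an added illustration (not code from any poster in this thread), a small POSIX shell audit that parses `ip route show` output for the two conditions AngelKnight points at, one subnet bound to two interfaces and two default routes in the main table, and additionally flags the combination with the strict `rp_filter=1` that the iptables script in the first post sets. The sample table is constructed from the output posted above; the function names are my own.

```shell
#!/bin/sh
# Audit "ip route show" output for the conditions discussed in this thread.
# Constructed sample, copied from the routing table posted above
# (eth2 and eth3 both carry 192.168.1.0/24, and there are two default routes).
SAMPLE_ROUTES='192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.254
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.67
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.10
62.212.129.0/24 dev eth0  proto kernel  scope link  src 62.212.129.34
default via 62.212.129.1 dev eth0
default via 192.168.1.254 dev eth3'

# Print "<prefix> <iface> <iface>..." for every connected prefix present on
# more than one device; nothing is printed when the table is clean.
duplicate_subnets() {
    printf '%s\n' "$1" | awk '
        $1 != "default" && $2 == "dev" { ifaces[$1] = ifaces[$1] " " $3; n[$1]++ }
        END { for (p in n) if (n[p] > 1) print p ifaces[p] }' | sort
}

# Number of default routes in the table. With two of them in the main table
# the kernel simply uses the first match; it does not choose by source address.
default_route_count() {
    printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n + 0 }'
}

# $1 = routing table text, $2 = value of rp_filter (0 or 1).
# Exit status: 0 clean, 1 routing ambiguity, 2 ambiguity that strict
# reverse-path filtering will turn into silently dropped replies.
audit() {
    routes=$1; rpf=$2
    dups=$(duplicate_subnets "$routes")
    ndef=$(default_route_count "$routes")
    if [ -n "$dups" ]; then
        printf 'subnet reachable on several interfaces:\n%s\n' "$dups"
    fi
    if [ "$ndef" -gt 1 ]; then
        echo "$ndef default routes in one table; use ip rule with a second table instead"
    fi
    if [ -n "$dups" ] && [ "$rpf" = 1 ]; then
        echo "rp_filter=1 with a duplicated subnet: replies arriving on the other interface are dropped"
        return 2
    fi
    if [ -n "$dups" ] || [ "$ndef" -gt 1 ]; then
        return 1
    fi
    return 0
}

audit "$SAMPLE_ROUTES" 1 || echo "audit exit status: $?"
```

On a live box, replace the sample with `$(ip route show)` and the second argument with the value read from `/proc/sys/net/ipv4/conf/all/rp_filter`.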

