The "routing configurator" script now supports DHCP and interface routing (in addition to static IP routing). The script provides support for multiple gateways on multiple interfaces, and allows designation of the Internet 'route of last resort' for a particular gateway of one's choosing.The script can be downloaded via HTTP, for now, from: http://www.securityappraisers.net/downloads/routes.tar The script can be extracted to /sbin/init.d/routes.local (this is a 'hook' wisely provided by Astaro; a script in this location gets called whenever a change is made to the "Routes" or "Interfaces" pages in the webadmin). This script has been tested with version 4. This script serves as a good example of adapting Astaro to your needs. If you have ideosyncratic routing requirements, this script can serve as a good point of departure. The MD5 for the script is: f8c6d9dabde6ba823c6952b55da40351 [ Check posts below to see if this script has been updated; newer MD5 signatures will be listed in such posts ] Specify individual gateways for multiple interfaces; then add an "Any" route on the "Routes" page of the webadmin, specifying a target gateway of either an interface or a host. In the case of an interface target, the script will obtain the gateway from the interface's static gateway entry, or, in the case of DHCP, from the gateway brokered by a DHCP server. This script will: flush all prior routes (except loopback network 127.0.0.0) add routes for the network defined by each interface's address and mask (also specifying a gateway if one is specified on the interface) [the interface that will support the route of last resort will not be specified as a subnetwork route, since the route of last resort should cover this...] add specific routes specified on the Routes webadmin page (based on networks that are not labeled "Any") add routes of last resort (0.0.0.0) for targets labeled "Any" [there should only be one "Any"/"route of last resort"; dead gateway is not supported in this script implementation...) [/list] The script generates an HTML formatted log in Astaro's web publishing directory. This log can be accessed from the webadmin by using a url of: https:// your_webadmin_url /routes.htm This software is neither expressly endorsed nor supported by Astaro. Although reasonable efforts of software quality assurance have been made, this free software implies no obligations of support or liability by SecurityAppraisers. Trivial sanity checking of data is performed by this script; but routing and interface misconfigurations are NOT handled (e.g., two interfaces having the same address, or overlapping networks, etc.). For extra details read the comments in the script. Note : From a troubleshooting, reliability, and security perspective, it is almost always preferable to use static IP addressing on your vital Internet gateways, as opposed to DHCP. Having said that, we understand the constraints that many people may be working under that requires them to employ DHCP on their gateway addressing...

Routing Script+DHCP and interface routing support

The "routing configurator" script now supports DHCP and interface routing (in addition to static IP routing). The script provides support for multiple gateways on multiple interfaces, and allows designation of the Internet 'route of last resort' for a particular gateway of one's choosing.The script can be downloaded via HTTP, for now, from:

http://www.securityappraisers.net/downloads/routes.tar

The script can be extracted to /sbin/init.d/routes.local (this is a 'hook' wisely provided by Astaro; a script in this location gets called whenever a change is made to the "Routes" or "Interfaces" pages in the webadmin). This script has been tested with version 4. This script serves as a good example of adapting Astaro to your needs. If you have ideosyncratic routing requirements, this script can serve as a good point of departure.

The MD5 for the script is:

f8c6d9dabde6ba823c6952b55da40351

[Check posts below to see if this script has been updated; newer MD5 signatures will be listed in such posts]

Specify individual gateways for multiple interfaces; then add an "Any" route on the "Routes" page of the webadmin, specifying a target gateway of either an interface or a host. In the case of an interface target, the script will obtain the gateway from the interface's static gateway entry, or, in the case of DHCP, from the gateway brokered by a DHCP server.

This script will:

flush all prior routes (except loopback network 127.0.0.0)
add routes for the network defined by each interface's address and mask (also specifying a gateway if one is specified on the interface)
[the interface that will support the route of last resort will not be specified as a subnetwork route, since the route of last resort should cover this...]
add specific routes specified on the Routes webadmin page (based on networks that are not labeled "Any")
add routes of last resort (0.0.0.0) for targets labeled "Any" [there should only be one "Any"/"route of last resort"; dead gateway is not supported in this script implementation...)

[/list]
The script generates an HTML formatted log in Astaro's web publishing directory. This log can be accessed from the webadmin by using a url of:

https://your_webadmin_url/routes.htm

This software is neither expressly endorsed nor supported by Astaro.

Although reasonable efforts of software quality assurance have been made, this free software implies no obligations of support or liability by SecurityAppraisers.

Trivial sanity checking of data is performed by this script; but routing and interface misconfigurations are NOT handled (e.g., two interfaces having the same address, or overlapping networks, etc.).

For extra details read the comments in the script.

Note: From a troubleshooting, reliability, and security perspective, it is almost always preferable to use static IP addressing on your vital Internet gateways, as opposed to DHCP. Having said that, we understand the constraints that many people may be working under that requires them to employ DHCP on their gateway addressing...

0 pablito over 22 years ago

I've been meaning to try this script on a site I manage. A crazy summer in Toronto has prevented extra value like this script from being done. Now that is supports DHCP I'll be another step closer to making it easy. Wondering if a PPPoE interface can also work.
The site I want to run this on has a cable modem (DHCP) and ADSL (PPPoE).
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 SecApp over 22 years ago

Updated: thr route flush leaves ipsec and ppp interface routes intact...

New MD5 is:

501a3f4d4b6360a10f841a0695857e6a
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 pablito over 22 years ago in reply to SecApp

This is looking better all the time.  Once I can get onsite to the server that can really benefit I'm going to try it.  This storm is making a mess today so I'll wait.  But today would be a day where one line could go down and be a good test [:)]

My issue is that with two dynamic interfaces to the internet I need/prefer the ADSL to be the primary gateway but since it comes up later than the DHCP line I usually have to manually switch default GW one time.  This script might fix that.  I'm not sure why the DSL will always be second on a boot but assume it is the timing of activation/authentication.  The NICs PCI order would take care of this on static interfaces but these are both dynamic.

Thanks so much for this project.  I hope to provide feedback soon.  I'm sure others will appreciate the effort once it is complete and covers the situations out there.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 SecApp over 22 years ago in reply to pablito

Thanks for the kudos!

I should think big shops using multiple routers and doing departmental firewalling would REALLY appreciate it.

I think it's a testament to the software architecture and philosphy of Astaro that you can adapt it to your needs IF you are careful, responsible, and know what you're doing; appliances, given time, become doorstops. We can focus on what ideosyncratic functionality we or somebody we work with needs right away, and Astaro can take care that every other important component works for us.

I am quite confident it is rock; the only area for improvement might be adapting VPN sessions to the new routing configurations...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Biffa over 22 years ago in reply to SecApp

How does this compare to something like backroute?

That was what I was going to suggest that ASL include in the next version.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 SecApp over 22 years ago in reply to Biffa

The Backroute functionality is covered by what we call our "Dead Gateway Detector" (not published). This simply will implement a routing table with gateways for each of the NICs (a building block needed for the Dead Gateway Detector). This script takes its marching orders from what you put in the routesdata file. The big convenience of the script is that you can specify, through the "Any" route, which interface is to be route of last resort (Internet).

If you are in a shop doing departmental firewalling, and each NIC should talk to different routers for each LAN, this will make it work; without it, the interfaces will not 'talk' to each LAN's router (each LAN route will have a gateway of 0.0.0.0)...

Once you have this, you could hack backroute to make dead gateway work; but as I said, our scripts take their orders from routesdata, and dead-gateway is engineered to be operating from a jail (since the ICMP protocol is open to anybody generating packets). They also have some fancy polish features like uptime, more than one backup gateway, override configuration file settings to determine whether to use ICMP or ping for gateway detection, etc.

If you want really fancy fallover functionality (the dead gateway simply sees if a gateway died, then goes down a list; BGP can determine ongoing line quality and make routing decisions based on that), load sBGP and have fun.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 SecApp over 22 years ago in reply to SecApp
New Version at

http://www.securityappraisers.net/downloads/routes.tar

md5sum is 1e38109ec86e7fb99910f7b4dbc59d36

Following is added:

Added netdata, itf.conf, ifconfig, and routesdata to the HTM log to simplify troubleshooting

Enabled routing for ideosyncratic routes

More bulletproofing

Cleaned up trivial script conventions
[/list]
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 donavan over 22 years ago

Steve,

Will this routing script work in the following configuration?  (Please ignore all the dots, they are place holders.


..............................Internet Side
DHCP....................................................Static
...|................................................................|
...|................................................................|
...|................................................................|
...|................................................................|
...|................................................................|
..+++++++++...astaro..+++++++++++++
...............................|
...............................|
...............................|
Internal Side  (web and smtp server)

Where a port forwarded web server and smtp server exist on the internal size?  I.E., will it properly send the data back through the correct gateway depending upon where the request originated from the internet?

Will it also provide _basic_ failover for outgoing requests from the internal network if one of the Internet connections fails?

Thanks Very Much,

.dn
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 SecApp over 22 years ago in reply to donavan

It will not do fallover (we did another script for hire called the "Dead Gateway Detector" [not published] that does this; Astaro is working on a general purpose and extensible one too for inclusion in one of the next releases). As suggested above, you could use this+hack backroute (made by a fellow in Switzerland) to take it's marching orders from /etc/wfe/conf/routesdata (as opposed to the hardcoded Bash script variables that backroute uses).

You can designate the route of last resort through an "Any" route definition (e.g., you could choose to have your Internet go out one interface, and then by redefining that same Any route, it will then go out another interface).

[The Dead Gateway Detector uses this, by periodically testing gateways with ICMP and then rewriting the Any route in /etc/wfe/conf/routesdata should it see that a gateway died; upon alteration of routesdata, this routing script gets automatically reinvoked by Astaro (by having been placed in a special directory location that Astaro checks) and -presto! new gateway to the 'net; so hack backroute and you could have the same thing -and you will get better at writing a Bash script! cf., Advanced Bash Scripting Guide]

Ideosyncratic destination routes can be added, and it will pass it out the appropriate interface you designated. As for incoming packets (DNAT), it should work, though I will be honest and say it hasn't been tested for that case yet (you can see why Astaro doesn't always make this stuff available right away; but I found we needed that functionality desperately for certain applications). Try it; it generates a quite thorough routing configuration log for the webadmin, so you can send it to me offline if you should have any problems, and I should have all the info I need to figure things out. It's really simple to use (IF you know what routing you want to do)...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel