Yupp, this would help very much indeed because we are using a 16MBit/s ADSL-Connection for the "usual" http traffic and a 2.3MBit/s SDSL connection for mail, vpn and some other business critical stuff...
Unfortunately, there is no "local host" network available in the network objects list so that you could route the specified traffic from the http proxy to another interface by using a policy-based route... [:(]
I've managed to get this working by setting a NAT rule and a policy-based rule with mostly "any" and http protocol as parameters, but in my opinion this is somehow critical from a security point of view...
The other way might be using an upstream proxy... :/
Hi AndreasL, I think you might have been fiddling in places where the normal webadmin user would not go. The default, which is not changeable in any of the menus, is that the proxy goes out the default gateway.
Yes, I have to go to the command line! I've done this the first time about 3 years ago and it was running smoothly and wonderfully for me on V5 and V7.011.
Now with V7.100 it doesn't run anymore!
Using a second or third internet connection is not a rare thing! We use the default eth (4 MBit GSHDSL) for smtp and webserver, the second eth (2 MBit GSHDSL) for vpn and remote access and the third one for surfing (16 MBit ADSL).
I think it will be a good thing if the guys from Astaro make this feature usable in V7.100 - and many sysadmins have the same need for this.
So - Astaro can you hear me!!??
WAN 1 is used for Mail, Site2Site-VPN, SSL-VPN, Webserver
WAN 2 is a cheap adsl only for internet-surfing/downloading
What's the problem?
Due to the fact that the new http-proxy on the Astaro binds only on the interface with the default gateway (eth1/ip1), we are not able to use eth2/ip2. On the older Astaro with squid we have used the parameter tcp_outgoing_address in squid.conf. This isn't possible with the new proxy.
What's the solution?
After spending much time reading pages related to ipchains, netfilter etc., I have found the following way to solve my problem. Thanks to the guys who have written many tutorials and documents about linux routing and firewalling :-)
The whole thing is based on policy-routing with fwmark in combination with some rules in the mangle table of ipchains.
Unfortunately you have to do this on the command line, because Astaro's webadmin is not able to create rules like this.
Note: [IP1] etc. are placeholders for the actual IPs used in your system!
First add three rules to the output chain of the mangle table:
These six entries could be placed in /etc/init.d/ipnat.local. Before these 6 entries you have to place the corresponding delete entries to avoid multiple rules in case of multiple calls to ipnat.local.
Don't forget to "chown 0.0 ipnat.local" and "chmod 400 ipnat.local"
After this you have to set some routing entries in a new routing table:
ip route add [IP2_NET] dev eth2 scope link table 201
ip route add [IP0_NET] dev eth0 scope link table 201
ip route add default via [IP_GW_WAN2] table 201
.. then set the rules for this table
ip rule add from [IP_GW_WAN2]/32 table 201
ip rule add from all fwmark 0x7 lookup 201
This you can put in /etc/init.d/routes.local. Don't forget to "chown 0.0 routes.local" and "chmod 400 routes.local"
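As an added example (my own skeleton, not the poster's ipnat.local/routes.local): an idempotent script for the fwmark 0x7 / table 201 policy routing described above, with the "delete before add" pattern the post recommends. Bracketed values are placeholders as in the post; the post's three mangle rules are not shown in the thread, so the two MARK rules for locally generated tcp/80 and tcp/443 are an assumption, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the poster's script. Placeholders in brackets are
# assumptions; the two MARK rules are assumed (the post does not show its
# mangle rules). Set DRY_RUN=1 to print the commands instead of running them.
IP_GW_WAN2="${IP_GW_WAN2:-[IP_GW_WAN2]}"
IP2_NET="${IP2_NET:-[IP2_NET]}"
IP0_NET="${IP0_NET:-[IP0_NET]}"
TABLE=201
MARK=0x7

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Delete first, then add: the delete fails harmlessly when the rule is absent,
# so repeated calls of the script never stack duplicate entries.
mangle_rule() {
    run iptables -t mangle -D OUTPUT "$@" 2>/dev/null || true
    run iptables -t mangle -A OUTPUT "$@"
}

policy_rule() {
    run ip rule del "$@" 2>/dev/null || true
    run ip rule add "$@"
}

apply_wan2_policy() {
    # 1. mark locally generated proxy traffic (assumed: tcp/80 and tcp/443)
    mangle_rule -p tcp --dport 80 -j MARK --set-mark "$MARK"
    mangle_rule -p tcp --dport 443 -j MARK --set-mark "$MARK"
    # 2. routes for table 201; "replace" is idempotent, so no delete is needed
    run ip route replace "$IP2_NET" dev eth2 scope link table "$TABLE"
    run ip route replace "$IP0_NET" dev eth0 scope link table "$TABLE"
    run ip route replace default via "$IP_GW_WAN2" table "$TABLE"
    # 3. rules selecting table 201 (source match written as in the post)
    policy_rule from "$IP_GW_WAN2"/32 table "$TABLE"
    policy_rule from all fwmark "$MARK" lookup "$TABLE"
    # drop cached routing decisions so the new rules take effect immediately
    run ip route flush cache
}

if [ "${1:-}" = apply ]; then apply_wan2_policy; fi
```

Preview with `DRY_RUN=1 sh ipnat.local apply`, then verify with `ip rule show` and `ip route show table 201` that each entry appears exactly once after a second run.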
We've just implemented a similar Dual WAN (T1 & DSL) setup using pfSense in front of Astaro. pfSense does the Dual WAN connection and loadbalancing/failover and Astaro is handling all the packet filter rules, VPN and SMTP proxying.
We send all traffic except HTTP traffic through the T1.
We send all HTTP traffic through the DSL line (has 5Mbps downstream).
If either line goes down, traffic is automatically routed out the other line.
We have the same number of IP addresses on each connection (/27) and do a 1:1 NAT to the appropriate internal servers.
We can now do round robin DNS, or manually switch DNS records to one line should the other go down for an extended period.
A BitTorrent client is able to max out both lines in both directions at the same time with the right load balance rule. [[:)]]
Took some figuring out to get it all working (NAT was a bit tricky), but seems pretty good so far.
Be aware of the fact that my packets, which I want to go to the second (non-default) interface, have their origin on the Astaro itself. The origin process is the Astaro webproxy. The redirection of locally generated packets is not possible with the web-admin based policy routing!
Now a hint for your ftp-problem:
Be sure to make SNAT rules for port 20 + 21. My FTP service definition is (1:65535 -> 20:21).
I'm using my configuration on a production ASG120 and the users are surfing the Internet with the proxy and the HTTP traffic goes out to the WAN2.
I have problems only with ftp protocol.
I'll try to modify the ftp protocol definition....
I think the problem with passive mode is "correct" :-(
In passive mode the client first connects to port 21 of the server. This is covered by your SNAT and filter rules.
In step 2 the server sends a message back to the client with the port that the server wants to use for data transmission. This is a port in the range 1024 - 65535! After this the client connects to this port for data transmission. This is not covered by your SNAT + filter rules!
If you want to make passive ftp with SNAT on the client side, you need a ruleset for SNATing and filtering (accept!) every port > 1023! This means your firewall is open for nearly every connection. This (RFC-conform) behaviour of passive ftp is the reason for your problem with passive ftp.
Have you tried to switch the connection tracking helper for ftp on Networksecurity->Packetfilter->Advanced ? Perhaps it helps for passive ftp.
I know the ftp protocol...but here the problem is the connection tracking module used by Astaro.
It is enabled (by default) in the advanced packet filter configuration and I verified that it is loaded in the kernel by lsmod.
With ASG 6 there was no need to modify the FTP service definition because the connection tracking module did its job.
However, I opened a trouble ticket with Astaro support and now I'm waiting for an answer... I'll let you know.
Any news on this "issue"? When will it be possible to change the outgoing interface used by the http proxy?
We also are using a 2 MBps leased line (standard gateway) and a cheap 5/0.5 Mbps ADSL line which I would like to use for http traffic (but with enabled http proxy for security reasons and http filtering).