cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1688
Views
5
Helpful
9
Replies

Dual internet access

sylvain.munaut
Level 1
Level 1

Hi,

I have a router that has two DSL connection, both with dynamic IP.

If in the routing table I have :

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 0.0.0.0 0.0.0.0 Dialer1

Then I can ping both external IP from the outside, but it seem the router doesn't have access to the internet (ie can't ping from the router, can't resolve names, ...), This probably happens if the router selects the source IP of Dialer0 and tries to route them through Dialer1 ...

If I put a different metric, then the router has internet access but only the external IP of the Dialer with the lower metric can be reached / ping from outside.

How can I make Dialer0 the default to use, but still have a route via Dialer1 for when someone tries to talk to the router via its Dialer1 IP  from outide ?

I tought about routemap, but I can't match on the source IP of dialer1 to set the next hop since it's not fixed ...

Cheers,

    Sylvain

1 Accepted Solution

Accepted Solutions

Hi,

I think VRFs will add extra complexity but it seems option 2 is a good one but you could maybe also try out Pfr(

http://www.cisco.com/en/US/docs/ios-xml/ios/pfr/configuration/15-1mt/pfr-15-1mt-book.html )

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

9 Replies 9

Hi,

Yes, I've read that. And it works fine for hosts on the LAN behind the router, but _not_ for the router itself.

Cheers,

    Sylvain

sylvain.munaut
Level 1
Level 1

Let me explain what I'm trying to achieve in the end, that might be easier :

I have a router that has:

- 2 distinct WAN access, both PPPoE dialers with dynamic IPs assigned in various ranges

- 2 distinct LAN.

I want:

- The router generated packets to use Dialer0 by default and fallback to Dialer1 if Dialer0 fails.

- The router to respond to incoming connection depending on the IP it connected to (so if I try to SSH to the Dialer1 WAN IP it must respond via Dialer 1 IP)

- The LAN 1 users to be NATed using Dialer0 and fallback to Dialer1 if Dialer0 has no connectivity

- The LAN 2 users to be NATes using Dialer1 and fallback to Dialer0 if Dialer1 has no connectivity

Hi Sylvain,

hi,

so let's suppose LAN1 is 192.168.1.0/24

and LAN2 is 192.168.2.0/24

1) the router-generated packets use dialer 0 by default and fallback to

    dialer1

ip route 0.0.0.0 0.0.0.0 dialer0

route-map LOCAL-PBR permit 10

set default interface dialer1

exit

ip local-policy route-map LOCAL-PBR

3)The LAN 1 users to be NATed using Dialer0 and fallback to Dialer1 if Dialer0 has no connectivity

4)The LAN 2 users to be NATes using Dialer1 and fallback to Dialer0 if Dialer1 has no connectivity

ip route 0.0.0.0 0.0.0.0 dialer0

access-list 198 permit 192.168.1.0 0.0.0.255 any

access-list 199 permit 192.168.2.0 0.0.0.255 any

route-map PBR-LAN1 permit 10

match ip address 198

set interface dialer0 dialer1

route-map PBR-LAN2 permit 10

match ip address 199

set interface dialer1 dialer0

exit

int vlan 1

ip policy route-map PBR-LAN1

int vlan 2

ip policy route-map PBR-LAN2

route-map NAT-DIALER0

match ip address 198 199

match interface dialer0

route-map NAT-DIALER1

match ip address 198 199

match interface dialer1

exit

ip nat inside source route-map NAT-DIALER0 interface dialer0

ip nat inside source route-map NAT-DIALER1 interface dialer1

2)The router to respond to incoming connection depending on the IP it connected to (so if I try to SSH to the Dialer1 WAN IP it must respond via Dialer 1 IP)

if this is for static NAT or PAT then it can be doable but if this is for traffic destined to the router then it will not be compatible with point 1

Tell us if this is what you want for this point and try the snippets I gave you and tell us if it works.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Thanks for taking the time to answer to me

- The first part doesn't work tough. If I add this config, the router can't ping the outside at all (without specifying explicitely the source IP to use).

My understanding of the source IP choosen by IOS "by default" is that it looks into the routing table (only routing table, it ignores PBR) to know what interface would be used to reach the destination and then it chooses that as source IP. Then it generates the packet and feed it to the local process (and then only PBR is taken into account).

So when I try to ping a random IP with this config, it looks up the destination (which would be Dialer0), and then it generates the packet, and then the PBR tell it to route it via 'Dialer 1'.

The doc says that 'set default interface dialer1' will only set the interface is there was no hit in the routing table, however in my experience, a match of the default route (0.0.0.0 / 0.0.0.0) is _not_ considered a hit and so it will use Dialer1 to send the packet.

What I can do at some other site is that the source IP when the connection IP is fixed. Imagine if Dialer0 had source ip 80.80.80.100 and Dialer1 90.90.90.100:

ip route 0.0.0.0 0.0.0.0 10 dialer0

ip route 0.0.0.0 0.0.0.0 20 dialer1

route-map LOCAL-PBR permit 10

match ip address acl_dialer0

set default interface dialer0

exit

route-map LOCAL-PBR permit 20

match ip address acl_dialer1

set default interface dialer1

exit

ip access-list extended acl dialer0

permit host 80.80.80.100 any

ip access-list extended acl dialer1

permit host 90.90.90.100 any

ip local-policy route-map LOCAL-PBR

Unfortunately if the IPs are not fixed, I can't do an ACL matching the IP.

I guess I could lookup the possible ranges and add theses if that's the only way.

- The second part of the config (for lan clients) work very nicely thanks !

However I would have liked to track (via  sla) the real connectivity of the Dialer and not only if the interface is up or down because it's quie common for the PPPoE link to be up but actual connectivity is down.

I've seen how to set the 'next hop' with verify reachability and a tracking object however:

- It doesn't seem to be available for "set ip default next-hop"  (and I can't really use "set ip next-hop" because there are other LAN routes that don't need to be natted, going to other sites via other connections, everything learned by ospf dynamically)

- It doesn't seem to be available to "set interface / set default interface" at all ...

Cheers,

    Sylvain

Hi,

you're right about the default interface which isn't working if there is no explicit route in the RIB, I had forgotten this important fact 

so try this one for 1)

ip route 0.0.0.0 0.0.0.0 dialer0

route-map LOCAL-PBR permit 10

set interface dialer0 dialer1

exit

ip local-policy route-map LOCAL-PBR

Gonna see if there is a solution for your sla need.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

I didn't get a chance to try but I don't think it would work ... for a completely different reason : When there is no PPP link, the Dialer0 is still _up_ ... and so it still tries to send packet through. (I had the issue when just having two routes set, it still tried to use Dialer0 even tough the DSL modem was off and had no IP negotiated).

The cisco doc says that indeed you need to track the "ip routing" status of the interface and not just its state.

In the end, I solved 1) & 2)  by paying an extra to have a fixed IP on the line connected to Dialer 0 and then using this config:

ip access-list extended acl_src_fix_dsl

permit ip host 80.80.80.80 any

route-map pbr-local permit 10

match ip address acl_src_fix_dsl

set default interface Dialer0

route-map pbr-local permit 20

set default interface Dialer1

ip local policy route-map pbr-local

ip sla 100

icmp-echo 8.8.8.8 source-interface Dialer0

threshold 500

frequency 5

ip sla schedule 100 life forever start-time now

ip sla 101

icmp-echo 8.8.8.8 source-interface Dialer1

threshold 500

frequency 5

ip sla schedule 101 life forever start-time now

track 100 ip sla 100 reachability

delay down 20 up 45

track 101 ip sla 101 reachability

delay down 20 up 45

ip route 0.0.0.0 0.0.0.0 Dialer0 10 track 100

ip route 0.0.0.0 0.0.0.0 Dialer1 20 track 101

For the NAT I use your config for the "ip nat inside ...". For the LAN that must use Dialer0, I don't do anything special, it just takes the same route as the router (Dialer0 and fallback to Dialer1) so that's OK.

For the LAN that must use Dialer1, I currenty do:

route-map pbr-via-guest permit 10

match ip address acl_nat_guest

set default interface Dialer1

interface Vlan2

ip policy route-map pbr-via-guest

But that doesn't include any fallback depending on my 'tracked objects'.

I have two ideas right now :

1) Use VRF to have a distinct routing table for the Vlan2 where I invert the metric for the default route and give Dialer1 the preference. Unfortunately that introduces other problems: I have some routes learned by OSPF that go through a tunnel that should be present in both VRFs ...

2) Use EEM to apply / remove the 'policy route-map' on Vlan2 depending on state of 'track101'

Cheers,

    Sylvain

Hi,

I think VRFs will add extra complexity but it seems option 2 is a good one but you could maybe also try out Pfr(

http://www.cisco.com/en/US/docs/ios-xml/ios/pfr/configuration/15-1mt/pfr-15-1mt-book.html )

Regards.

Alain.

Don't forget to rate helpful posts.

Thanks, yes, I'll go with option 2 for now and I will look into Pfr see if I can get it to work because it definitely seems an interesting path.