Re: Traffic separation on Solaris



Dear Andreas,
Thanks for your advice; it looks like the solution to my problem.
Sorry for my first tangled explanation;
you have discovered it very correctly.
I'll try to configure my ipfilter and services tomorrow,
when I'll reach my Solaris server.
I'll inform you about results.
Igor.


Andreas F. Borchert wrote:

On 2006-11-26, Igor Malanych <ingvio@xxxxxxxxxxxxx> wrote:
I have a Solaris 9 box working as a gateway with three nics.
One is connected to the local network with private addresses.
The other two nics are connected to two different service providers.
I want to separate traffic to the Internet across these two nics,
based on its contents. I.e., I want squid to work
through one interface (http, ftp, icq traffic, which is quite big),
but other services (sendmail, bind, apache, some others, such
as ssh) should work through the other nic (other provider).
Also, I have ipfilter installed.

A possible solution comes in two steps:

(1) Bind the services to IP addresses of the network that are
associated with the provider they should use.

(2) Implement source address routing. This is supported by
ipfilter. Caspar *** has once provided following hints [1]:

ipfilter actually does allow you to route deliberately using the
source address; I have two internet connections at home and use
that feature with the two rules at the start of my ipf.conf:

pass out quick on qe0 to qe1:<qe1-router> from <qe1-address> to any
pass out quick on qe1 to qe0:<qe0-router> from <qe0-address> to any

I have two interfaces here, qe0 and qe1; in the first rule,
when a packet is seen "on qe0" with the wrong address (from
<qe*1*-address>), I send it "to qe1" but make sure to direct the
packet at "qe1-router" (the default route for the qe1 interface).

And the second rule sends packets that should have been from
qe0 but appear to be on qe1 back to qe0's default route.

I'm using the same trick at home and it works perfectly well. The
only problem is that this trick doesn't appear to work well together
with stateful filtering.

Andreas.

[1] Some years ago, I've found this quoted text under
http://www.sunmanagers.org/pipermail/summaries/2002-May/003118.html
where currently just a 404 is served. www.archive.org, however,
still has the original text, see http://tinyurl.com/y4kkz9
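As an added illustration (not part of the thread, and not Caspar's or Andreas's configuration), the script below expands the two-rule template into concrete ipf.conf lines so that the direction of each rule is easy to check before loading. The interface names qe0/qe1 follow the quoted text; the addresses and router addresses are constructed placeholders from the RFC 5737 documentation ranges and must be replaced with the real provider addresses.

```shell
#!/bin/sh
# Added example, not from the original thread: expand the two source-address
# routing rules into a concrete ipf.conf fragment and sanity-check them.
QE0_ADDR=192.0.2.10      # constructed: our address on provider A (qe0)
QE0_GW=192.0.2.1         # constructed: provider A's router (qe0 default route)
QE1_ADDR=198.51.100.10   # constructed: our address on provider B (qe1)
QE1_GW=198.51.100.1      # constructed: provider B's router (qe1 default route)

# Emit the two policy-routing rules. They belong at the very start of
# ipf.conf and use "quick" so no later rule can override the decision:
# a packet sourced from qe1's address that the kernel's single default
# route would push out qe0 is redirected to qe1 and handed to qe1's router,
# and vice versa for qe0.
gen_policy_routes() {
    printf 'pass out quick on qe0 to qe1:%s from %s to any\n' "$QE1_GW" "$QE1_ADDR"
    printf 'pass out quick on qe1 to qe0:%s from %s to any\n' "$QE0_GW" "$QE0_ADDR"
}

# Pre-load check: each rule must match on an address we actually own on the
# *other* interface, otherwise a typo silently steers traffic to the wrong
# provider. Returns 0 when both rules are consistent with the variables above.
check_rules() {
    rules=$(gen_policy_routes)
    printf '%s\n' "$rules" | grep -q "^pass out quick on qe0 to qe1:$QE1_GW from $QE1_ADDR to any\$" || return 1
    printf '%s\n' "$rules" | grep -q "^pass out quick on qe1 to qe0:$QE0_GW from $QE0_ADDR to any\$" || return 1
    return 0
}

# Print the fragment; redirect into ipf.conf ahead of the existing rules.
gen_policy_routes
```

The remaining rules in ipf.conf stay as they were; only the ordering matters, and as Andreas notes, mixing these rules with stateful (keep state) filtering is the part to test carefully. Step (1) of the answer, binding each service to the address of the provider it should use, is done in the services' own configuration (for example squid's tcp_outgoing_address and BIND's query-source address options), not in ipfilter.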
