OVH Community, your new community space.

Router setting change request


alvaroag
20-02-2016, 07:17
Oh, it's Windows.... Then, what you were told was partially true: it IS possible to separate outgoing traffic, but not in a transparent way as in Linux; in Windows, the separation has to be done by the application, using the Winsock API; that means it's almost impossible, as most applications won't have such an option.

The other part, that such configuration has to be done in the router, is also partially true: as Windows cannot separate the traffic, you need another, more network-capable device, which will do the traffic separation for Windows. That can be a Linux box that will do the same as I explained in the previous post, but for other machines rather than itself; it could also be a specialized router. However, OVH does not offer such a service: you can route multiple IPs to a server, but OVH will not divert the traffic for you. However, you have two alternatives:

1. Use Linux as the host operating system, so you can separate the NATed outgoing traffic for the VM using a procedure similar to the previously explained.
2. Add another VM on Hyper-V with Linux, assign all the IPs to that VM, create a private network between both VMs, and configure the Linux VM as a NAT with traffic separation.

amartin99
20-02-2016, 05:42
This isn't Linux though
I'm using Windows Hyper-V

I sell RDP
and I am currently offering all OVH countries by setting up many VPS on one server and putting one IP per VPS
I want to switch that to just one VPS using all IPs

I was told there is no way to separate the outgoing traffic by IP in Windows
that it has to be done at the router by the DC

alvaroag
20-02-2016, 05:24
A Linux box with multiple IPs is quite complex.... It's possible, and works smoothly when you only need to use the multiple IPs for incoming connections, but don't need them for outgoing traffic.

When you configure Linux with multiple IPs, all the traffic, by default, will go through the first configured IP (eth0 or eth0:0). You can divert outgoing traffic into multiple IPs, but that has a restriction: you can only set certain traffic to use specific IPs, while all non-matching traffic will use your default IP.

The procedure is, in brief:

1. Write down your rules. For example: "traffic for tcp port 25 will go out with IP A.B.C.D; traffic for tcp port 80 will go out with IP E.F.G.H; all other traffic will go out with default IP I.J.K.L"
2. Create a separate routing table for each outgoing IP; it should only have the default route. You can do so by running "ip -4 r a 0.0.0.0/0 table TABLE_ID via GATEWAY src IPADDR", replacing "TABLE_ID" with a number between 1 and 254 (I usually start with 250 and count down), "GATEWAY" with your gateway IP (main IP, changing the last component to 254; it's the same gateway for all IPs), and "IPADDR" with the outgoing IP that will be used for that table. Remember the match between Table ID and IP address.
3. Create the diverting rules. These rules will send some marked packets through a non-default routing table. For each IP, run "ip -4 rule add fwmark TABLE_ID table TABLE_ID", replacing "TABLE_ID" with the previously assigned TABLE ID.
4. Here comes the complex part: netfilter "mangle" rules, which will mark matching packets so they get diverted to the corresponding table. This is actually possible with the "iptables" command, but I'm not familiar with that way of doing it, and it's recommended to use a stateful firewall. I'll explain it with Shorewall, as I'm really familiar with it. Your base configuration files for Shorewall should look like these:

zones:

    fw      firewall
    net     ipv4

interfaces:

    net     eth0

policy:

    fw      all     ACCEPT
    net     fw      DROP

rules (you may want to add more rules to these; these are the minimal ones so you won't lose connection to your server):

    ACCEPT  net     fw      icmp
    ACCEPT  net     fw      tcp     22

Now the trick: the "mangle" file. Each entry might be like: "MARK(TABLE_ID) fw DESTINATION PROTO PORT", replacing "TABLE_ID" with the required Table ID, and "DESTINATION" with the destination address or CIDR, or "0.0.0.0/0" if you want it to be non-sensitive to destination address. "PROTO" and "PORT" are both optional; "PROTO" can be "tcp" or "udp" (or even "icmp"), while "PORT" must be a port number on the specified protocol. Even though you can just put "tcp" without a port, you most probably would want to filter for only some ports. Example:

    MARK(250)   fw      0.0.0.0/0       tcp     25

After that, run "shorewall try ." from "/etc/shorewall".

That should work; at least, it works for me. Of course, all of these changes will go away when you reboot; making them persistent depends on the Linux distribution you use.
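
The four steps of the procedure above, as an added example that is not part of the original post: a dry-run generator that prints the commands for review, using plain iptables for step 4 instead of Shorewall. The 192.0.2.x addresses are constructed, and the function names and the SNAT line are assumptions of this example.

```shell
#!/bin/sh
# Added example: prints (does not run) the policy-routing commands from the
# procedure above. All addresses are constructed documentation values.

# Gateway as described in the post: main IP with the last octet set to 254.
gateway_for() {
    printf '%s.254\n' "${1%.*}"
}

# Table IDs double as fwmark values; the post uses numbers from 1 to 254.
valid_table_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 254 ]
}

# emit_rule TABLE_ID MAIN_IP OUT_IP PROTO PORT
emit_rule() {
    id=$1 main=$2 out=$3 proto=$4 port=$5
    valid_table_id "$id" || { echo "bad table id: $id" >&2; return 1; }
    gw=$(gateway_for "$main")
    # Step 2: one routing table per outgoing IP, holding only a default route.
    echo "ip -4 route add 0.0.0.0/0 table $id via $gw src $out"
    # Step 3: packets carrying mark N are looked up in table N.
    echo "ip -4 rule add fwmark $id table $id"
    # Step 4, iptables form: mark matching locally generated packets.
    echo "iptables -t mangle -A OUTPUT -p $proto --dport $port -j MARK --set-mark $id"
    # The source address is chosen before the mark triggers a re-route,
    # so pin it explicitly on the way out (assumption of this example).
    echo "iptables -t nat -A POSTROUTING -m mark --mark $id -j SNAT --to-source $out"
}

# Constructed rule set: SMTP leaves from one address, HTTP from another;
# everything else keeps using the default IP.
plan() {
    emit_rule 250 192.0.2.10 192.0.2.20 tcp 25 &&
    emit_rule 249 192.0.2.10 192.0.2.21 tcp 80
}

# Review the printed commands before applying them as root.
plan
```
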

amartin99
20-02-2016, 02:27
I want a VPS to communicate both in and out from more than one IP
at the moment I can set it to receive info on multiple IPs but it only sends back out from one default IP
I need the IPs to work completely independently

alvaroag
20-02-2016, 00:22
Can you explain your issue in a more detailed way?

amartin99
19-02-2016, 22:43
Can you please set the routers on servers ns313701 and ns324011
so in/out traffic must use the same IP

I need to apply more than one IP to a VPS and I don’t want it defaulting to just one IP
They need to work independently but on the same VPS