Hacking asymmetric and symmetric lines together

August 8, 2014 Leave a comment

Here in Israel, symmetric Metro Ethernet lines are expensive. A lot more expensive than a cheap asymmetric Cable/ADSL lines.

As a tech company with lots of programmers and intensive use of upstream hogging services (Git, Dropbox, etc.), we need a reliable, fast internet connection with at least 20Mbit upstream speed.
We tried a symmetric 30/30 Metro Ethernet connection, but it just wasn’t enough for our downstream demands. A 100/3 connection just isn’t enough for our upstream demands. So, what can we do? Combine them into a 100/30 one! but how?

Office network

The idea is simple, route the packets physically through the Metro Ethernet (eth1) but NATting them through the IP address of the Cable line (eth0).
First, I had to make sure if the Cable link doesn’t enforce IP address spoofing protection. For this task I used Scapy, crafting a packet originating from a forgery IP address and sending it to a server of mine on the internet, checking with tcpdump if it arrives.
The experiment succeeded. I did see the packets on my server. The next step was to configure the router!

At the office we have a Mikrotik router with their official firmware, RouterOS. For this blog post I’ll be explaining how to achieve this with a Linux+iptables based NAT router.

First, configure NAT as you would do for one connection setup using your symmetric ISP (eth1), having the asymmetric ISP’s interface (eth0) configured with an IP address, but without a default gateway. Setting up NAT is beyond the scope of this blog post, but you can use this guide for help.

The next step would be to replace the MASQUEADE iptables target with a SNAT one, sourcing the packets with the IP address of eth0:

# iptables -t nat -I POSTROUTING 1 -o eth1 -j SNAT --to-source 80.179.1.1

Don’t forget to replace 80.179.1.1 with the IP address of your eth0 interface.

If you’ve done everything correctly, you can check your speed with speedtest.net:
Speedtest

You have to keep in mind that an outage in any of the links would cause an outage for the entire office connectivity. Keep an emergency configuration at hand (or even automate it).

Filed under Uncategorized

Leave a comment