I am trying to set up a network that can accept TCP connections over two
different ISP connections. The ultimate goal is to facilitate the
migration from one ISP to another ISP. I decided to delve into the
world of Linux Advanced Routing, so I poured over all of the
documentation on the internet. I have it set up in what I believe to be
the case where it should work, but I can't understand why it doesn't.
Here is the drawing:
------------------------        --------------------------
|     WAN Router 1     |        |      WAN Router 2      |
------------------------        --------------------------
                 \                     /
                  \                   /
                   \                 /
                  ---------------------
                  |    WAN Switch     |
                  ---------------------
                   /                 \
                  /                   \
-----------------------        ------------------------
|     Firewall 1      |        |      Firewall 2      |
-----------------------        ------------------------
                 \                     /
                  \                   /
                   \                 /
                  -----------------------
                  |      DMZ Switch     |
                  -----------------------
                              |
                              |
                  *---*---*---*---*---*---*
                  |      Linux Router     |
                  *---*---*---*---*---*---*
                              |
                              |
                  ------------------------
                  |     Linux Server     |
                  ------------------------
Here is what I have going. The router has a single interface that I
have given an IP address on the network space assigned by each ISP. It
is performing NAT using two DNAT iptables rules for the Linux Server
that is sitting behind it. The linux router takes $WAN1_IP ->
10.0.2.205 and takes $WAN2_IP -> 10.0.2.206. I then set up a second
routing table so that I can have two default gateways depending on which
IP I want to take out. Here are the exact commands I have issued:
iptables -t nat -A PREROUTING --dst $WAN1_IP -j DNAT --to-destination 10.0.2.205
iptables -t nat -A PREROUTING --dst $WAN2_IP -j DNAT --to-destination 10.0.2.205

ip route show table main | grep -Ev '^default' | while read ROUTE ; do
    ip route add table 4 $ROUTE
done

ip route add default via $FIREWALL2_IP
ip route add default via $FIREWALL1_IP table 4

ip rule add from $WAN1_SUBNET table 4
After completing this setup, I am able to traceroute -s $WAN1_IP and
see it go out the WAN1 side and traceroute -s $WAN2_IP and see it go out
WAN2. I am also able to use the ip route get command and everything
works as I expect it to work. My first failure occurred when I tried to
create a tcp connection from the internet. It works coming in on
$WAN2_IP and fails using $WAN1_IP. The problem is that when I watch a
dump of the outgoing packets while trying to bring up a tcp connection
to $WAN1_IP, I see the packets coming in and then I see the reply going
out to the MAC address of $FIREWALL2 instead of the MAC address of
$FIREWALL1 as it should and thus the connection fails. Any ideas?
Thanks in advance.
Bryan
Bryan Goodgion
Cognitive Solutions, Inc.
813.286.4000 ext 103
Hi Bryan,
[ please post any follow up messages in plain text. HTML messages don't
archive well, contain lots of strangely escaped characters, and....
well, you probably know all of this...so keep it in plain text! ]
I presume you have a single service on your internal network ("Linux
Server") you wish to publish. It's not clear to me as I read your
description exactly what the IP addressing of the various machines is.
: I am trying to set up a network that can accept TCP connections over
: two different ISP connections.
And, I trust you have read the following?
http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound
http://lists.netfilter.org/pipermail/netfilter/2001-May/011697.html
: The ultimate goal is to facilitate the
: migration from one ISP to another ISP. I decided to delve into the
: world of Linux Advanced Routing, so I poured over all of the
: documentation on the internet.
What did you pour all over the documentation on the Internet? ;) Did it
get in your pores?
: I have it set up in what I believe to be the case where it should
: work, but I can't understand why it doesn't. Here is the drawing:
<diagram snipped>
: Here is what I have going. The router has a single interface that I
: have given an IP address on the network space assigned by each ISP.
: It is performing NAT using two DNAT iptables rules for the Linux Server
: that is sitting behind it. The linux router takes $WAN1_IP ->
: 10.0.2.205 and takes $WAN2_IP -> 10.0.2.206. I then set up a second
: routing table so that I can have two default gateways depending on
: which IP I want to take out. Here are the exact commands I have
: issued:
OK....that's what you should be doing, but that's not what you appear
to be doing here:
: iptables -t nat -A PREROUTING --dst $WAN1_IP -j DNAT --to-destination 10.0.2.205
: iptables -t nat -A PREROUTING --dst $WAN2_IP -j DNAT --to-destination 10.0.2.205
Here, the target IP is the same....10.0.2.205, for both links. Try this
instead:
iptables -t nat -A PREROUTING --dst $WAN2_IP -j DNAT --to-destination 10.0.2.206
(keep reading...)
: ip route show table main | grep -Ev '^default' | while read ROUTE ; do
:     ip route add table 4 $ROUTE
: done
:
: ip route add default via $FIREWALL2_IP
: ip route add default via $FIREWALL1_IP table 4
Yep! And everything should look dandy in table 4:
# ip route show table 4
: ip rule add from $WAN1_SUBNET table 4
Now, you'll also want to add an entry to make sure that the packets
associated with connections to 10.0.2.205 go via table 4:
# ip rule add from 10.0.2.205 table 4
: After completing this setup, I am able to traceroute -s $WAN1_IP and
: see it go out the WAN1 side and traceroute -s $WAN2_IP and see it go
: out WAN2.
These are locally generated packets, and the "ip rule add from
$WAN1_SUBNET" will ensure you get the correct route.
: I am also able to use the ip route get command and everything works as
: I expect it to work. My first failure occurred when I tried to create
: a tcp connection from the internet. It works coming in on $WAN2_IP and
: fails using $WAN1_IP.
This confirms my diagnosis.
: The problem is that when I watch a dump of the outgoing packets while
: trying to bring up a tcp connection to $WAN1_IP, I see the packets
: coming in and then I see the reply going out to the MAC address of
: $FIREWALL2 instead of the MAC address of $FIREWALL1 as it should and
: thus the connection fails. Any ideas? Thanks in advance.
And one other thing! Make sure you have turned off reverse path
filtering:
# echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
and the other interfaces.
Good luck,
-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
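The corrected setup from the reply above, collected into one script. This is an added example, not a script from Bryan or Martin: it assumes the router's upstream interface is eth0, substitutes RFC 5737 documentation addresses for the thread's $WAN1_IP, $WAN2_IP, $WAN1_SUBNET and $FIREWALL*_IP placeholders, adds an -i match on that interface to the DNAT rules, and clears rp_filter on the interface as well as on "all". By default it only prints the commands it would run; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example for the LARTC thread; not Bryan's or Martin's script.
# It applies the corrected inbound multi-ISP setup in one place: one inside
# address per public address, a second routing table whose default is ISP 1,
# rules that select that table for BOTH locally generated and forwarded
# (DNAT'd) traffic, and reverse-path filtering switched off.
#
# Assumptions not stated in the thread: the upstream interface is eth0 and
# the addresses below are RFC 5737 placeholders standing in for the thread's
# $WAN1_IP / $WAN2_IP / $WAN1_SUBNET / $FIREWALL*_IP variables.

set -eu

DRY_RUN="${DRY_RUN:-1}"                           # 1: print commands, 0: apply
WAN_IF="${WAN_IF:-eth0}"                          # assumed upstream interface
WAN1_IP="${WAN1_IP:-198.51.100.10}"               # router's address in ISP 1 space
WAN1_SUBNET="${WAN1_SUBNET:-198.51.100.0/24}"
FIREWALL1_IP="${FIREWALL1_IP:-198.51.100.1}"      # next hop towards ISP 1
WAN2_IP="${WAN2_IP:-203.0.113.10}"                # router's address in ISP 2 space
FIREWALL2_IP="${FIREWALL2_IP:-203.0.113.1}"       # next hop towards ISP 2
SERVER_VIA_WAN1="10.0.2.205"                      # Linux Server as reached via ISP 1
SERVER_VIA_WAN2="10.0.2.206"                      # Linux Server as reached via ISP 2
TABLE_WAN1=4                                      # table whose default is ISP 1

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

configure_nat() {
    # Each public address maps to its OWN inside address.  Mapping both to
    # 10.0.2.205 was the bug in the thread: the reply's route lookup happens
    # on the still-private source address, before connection tracking puts
    # the public address back, so the router needs a distinct inside source
    # per ISP in order to pick the right default gateway.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN1_IP" \
        -j DNAT --to-destination "$SERVER_VIA_WAN1"
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN2_IP" \
        -j DNAT --to-destination "$SERVER_VIA_WAN2"
}

copy_main_routes() {
    # Table 4 needs the connected/static routes from main (everything except
    # the default), or traffic selected into it cannot reach local subnets.
    if [ "$DRY_RUN" = 1 ]; then
        echo "ip route show table main | grep -Ev '^default' | while read ROUTE; do ip route add table $TABLE_WAN1 \$ROUTE; done"
        return
    fi
    ip route show table main | grep -Ev '^default' | while read -r ROUTE; do
        # $ROUTE is intentionally unquoted: it is a whole route specification.
        ip route add table "$TABLE_WAN1" $ROUTE
    done
}

configure_routing() {
    copy_main_routes
    run ip route add default via "$FIREWALL2_IP"                      # main: ISP 2
    run ip route add default via "$FIREWALL1_IP" table "$TABLE_WAN1"  # table 4: ISP 1
    # Locally generated packets sourced from ISP 1 space (traceroute -s) ...
    run ip rule add from "$WAN1_SUBNET" table "$TABLE_WAN1"
    # ... and forwarded replies from the inside address that only ISP 1
    # connections are DNAT'd to.  Without this rule they follow main's
    # default to FIREWALL2, which is the symptom reported in the thread.
    run ip rule add from "$SERVER_VIA_WAN1" table "$TABLE_WAN1"
    run ip route flush cache
}

disable_rp_filter() {
    # Reverse-path filtering drops packets whose source the routing table
    # would not send back out the arrival interface.  The kernel applies the
    # larger of conf/all and conf/<if>, so both must be 0.
    for f in /proc/sys/net/ipv4/conf/all/rp_filter \
             "/proc/sys/net/ipv4/conf/$WAN_IF/rp_filter"; do
        if [ "$DRY_RUN" = 1 ]; then echo "echo 0 > $f"; else echo 0 > "$f"; fi
    done
}

configure_multilink() {
    configure_nat
    configure_routing
    disable_rp_filter
}

configure_multilink
```

The line that fixes Bryan's symptom is the second ip rule: the forwarded reply from 10.0.2.205 is routed while its source is still the private address, so only a rule keyed on that address can steer it into table 4. The ip route flush cache is what 2.4-era kernels needed after changing rules; on current kernels it is a harmless no-op.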
Thanks for the help Martin. I was under the impression that DNAT altered
the packets on the PREROUTING chain going both ways.

: What did you pour all over the documentation on the Internet? ;) Did it
: get in your pores?

I actually studied it so intently that I was sweating. :)

: And one other thing! Make sure you have turned off reverse path
: filtering

This wasn't on, though I am not exactly sure what it does. Needless to
say, everything is working well now. Thanks again.

-Bryan

-----Original Message-----
From: Martin A. Brown [mailto:mabrown-lartc@securepipe.com]
Sent: Wednesday, March 26, 2003 8:56 PM
To: Bryan Goodgion
Cc: lartc@mailman.ds9a.nl; Dave Salvador
Subject: Re: [LARTC] Simple Mulitple Link Scenario

<quoted message snipped>
Bryan,

: Thanks for the help Martin. I was under the impression that DNAT
: altered the packets on the PREROUTING chain going both ways.

Yes, connection tracking is a tricky little beast to understand....

: : What did you pour all over the documentation on the Internet? ;)
: : Did it get in your pores?
:
: I actually studied it so intently that I was sweating. :)

Heh!

: : And one other thing! Make sure you have turned off reverse path
: : filtering
:
: This wasn't on, though I am not exactly sure what it does. Needless to
: say, everything is working well now. Thanks again.

Great! Glad to hear it. Here's a tidbit on rp_filter (reverse path
filtering):

http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN616

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com