On 27/12/2015 22:49, Gordon Messmer wrote:
> While that's true, you still have to select the default route using "ip
> rule". And since you can do that using the source address for outgoing
> packets, there's no reason to mark them. It's completely redundant.

Can you match the MAC address in ip rule?
If so it's much simpler than I was estimating.

Eliezer
On 12/27/2015 07:49 PM, Eliezer Croitoru wrote:
> On 27/12/2015 22:49, Gordon Messmer wrote:
>> While that's true, you still have to select the default route using "ip
>> rule". And since you can do that using the source address for outgoing
>> packets, there's no reason to mark them. It's completely redundant.
> Can you match the MAC address in ip rule?
> If so it's much simpler than I was estimating.

No, but you don't have to. In the scenario presented, two links with two IP addresses in different broadcast domains, traffic that is sent in response to requests received on the second link/IP address will have the second IP address in the source address field. You can use that as the rule.

Remember that Ethernet and IP are separate technologies. You can make routing policies entirely in the IP layer without mixing in Ethernet stuff like MAC addresses.
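The source-address policy routing described in the reply above, written out as an added example (this is not code from the thread or from any of its participants). The interface names, the two RFC 5737 documentation subnets, the gateway addresses and the table number 100 are assumptions chosen for illustration. The script prints the `ip` commands by default so it can be reviewed without CAP_NET_ADMIN; set `APPLY=1` to execute them.

```shell
#!/bin/sh
# Added example: source-based policy routing for a host with two NICs,
# each in its own subnet with its own gateway. Replies to requests that
# arrived on eth1 are sourced from eth1's address, so a single "from"
# rule sends them through eth1's gateway; no fwmark or MAC matching.
# All addresses, interface names and the table id below are assumptions.
set -eu

WAN1_IF=eth0; WAN1_IP=203.0.113.10;  WAN1_GW=203.0.113.1
WAN2_IF=eth1; WAN2_NET=198.51.100.0/24; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1
WAN2_TABLE=100   # any unused table id (1-252)

# Emit the commands instead of running them, so the policy can be read
# and tested without privileges. Run with APPLY=1 to execute.
policy_routing_cmds() {
    # Main table keeps its single default route via the first gateway.
    echo "ip route replace default via $WAN1_GW dev $WAN1_IF"
    # Second table: the on-link route (so local-subnet peers are not sent
    # to the gateway) plus a default route via the second gateway.
    echo "ip route replace $WAN2_NET dev $WAN2_IF src $WAN2_IP table $WAN2_TABLE"
    echo "ip route replace default via $WAN2_GW dev $WAN2_IF table $WAN2_TABLE"
    # The policy rule: every packet sourced from the second interface's
    # address is routed with the second table. That covers replies to
    # anything that arrived on eth1, since they carry eth1's address.
    echo "ip rule add from $WAN2_IP/32 lookup $WAN2_TABLE priority $WAN2_TABLE"
    # Strict reverse-path filtering (1) drops inbound packets whose
    # reverse lookup does not select the arrival interface; loose mode (2)
    # only requires the source to be reachable via some interface and is
    # the usual setting on a multihomed host.
    echo "sysctl -w net.ipv4.conf.$WAN2_IF.rp_filter=2"
    echo "sysctl -w net.ipv4.conf.all.rp_filter=2"
}

# Ask the kernel which route a reply sourced from each address would take.
# 192.0.2.1 is just a documentation-range stand-in for "some Internet host".
verify_cmds() {
    echo "ip route get 192.0.2.1 from $WAN1_IP"   # expect: via $WAN1_GW dev $WAN1_IF
    echo "ip route get 192.0.2.1 from $WAN2_IP"   # expect: via $WAN2_GW dev $WAN2_IF table $WAN2_TABLE
}

if [ "${APPLY:-0}" = 1 ]; then
    policy_routing_cmds | sh -ex
    verify_cmds | sh -x
else
    policy_routing_cmds
    verify_cmds
fi
```

Two practical notes. On CentOS 7 the same policy is persisted with `/etc/sysconfig/network-scripts/route-eth1` (the two `table 100` routes) and `rule-eth1` (the `from 198.51.100.10/32 lookup 100` rule), which the ifup scripts apply when the interface comes up; firewalld manages packet filtering, not routing policy, so it has no role here. The `from` match applies to the address configured on the interface: on a host behind 1:1 NAT (the AWS case raised later in the thread) that is the instance's private address, which is still what the replies are sourced from, so the rule is unchanged.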
I still do not understand something.

The thread started with:

i have a server with 2 public ips on 2 devices. I want that the request of incoming traffic dont use the default gateway. Incoming traffic sould be answered using the gateway of the incoming device. Could i realize this with firewalld? Or directly iptables?

##END OF QUOTE

Which means he has 1 server with two gateway devices, each of which has its own broadcast space/network. It's not clear to me if the two gateways are in the same broadcast domain/network or not. If they are on the same network then he must have some routing rules, and the issue is not about a specific src address but about a connection.

Now with both of these devices there he has an issue. He surely needs to use basic routing skills to make it work using some metrics if he wants a static routing setup, but when it becomes almost asymmetric it is possible to have a "reverse-path" routing situation, because the server has two default gateways and not one. For this situation he cannot utilize the source address but only the source MAC address, unless these 2 devices are some sort of reverse proxies, in which case they do not require any routing settings at all, and not even a default gateway or direct Internet access.

So from what I understood he will need to do some connection marking by the MAC address if these two devices are two routers which do NAT.

Eliezer

On 28/12/2015 09:22, Gordon Messmer wrote:
> No, but you don't have to. In the scenario presented, two links with
> two IP addresses in different broadcast domains, traffic that is sent in
> response to requests received on the second link/IP address will have
> the second IP address in the source address field. You can use that as
> the rule.
>
> Remember that Ethernet and IP are separate technologies. You can make
> routing policies entirely in the IP layer without mixing in Ethernet
> stuff like MAC addresses.
On 12/28/2015 01:19 AM, ????????? ???????? wrote:
> Are you sure? You assume the destination of the incoming traffic is
> the gateway. What if it isn't?

Can you explain what you mean? Not only am I not assuming that, I can hardly conceive of any situation in which a host will receive traffic for its own gateway.
On 28/12/2015 22:47, Gordon Messmer wrote:
> Can you explain what you mean? Not only am I not assuming that, I can
> hardly conceive of any situation in which a host will receive traffic
> for its own gateway.

... Basic 1:1 NAT ... you have two gateways while you have two IP addresses, or one, on the interface.

Just to illustrate the issue: an AWS instance with two interfaces which have two IP addresses NATed to them by the AWS front tier using some kind of virtual gateway.

Eliezer

* Now I am sure that you didn't understand the situation/network as I do!