Don Cohen
2002-Sep-27 16:22 UTC
RE: Help: Multiple internet connections (David H. Lynch Jr.)
> >> However I have problems with the servers/services that are being
> >> DNATed to behind the firewall.
> >
> >> It is my guess that the inbound packet manages its way to my server
> >> just fine, but on the return trip it decides to head back out the
> >> cable modem as that is the best route back to the client, and since
> >> the client sees a response coming from the wrong source it discards
> >> it, but I could easily be wrong.
> >
> > No, you are most probably right...

I don't see it. The way to find out what's really going on is to record
the relevant packets on both sides of the firewall.

Here's my understanding of what should be happening:

Your firewall has two public IP addresses, say 9.9.9.9 and 8.8.8.8.
Client 1.2.3.4 (say, port 1234) on the internet sends a request to your
IP address, say 8.8.8.8 port 80. This arrives at your firewall where
your dnat rule (= port forwarding) translates 1.2.3.4:1234->8.8.8.8:80
to 1.2.3.4:1234->10.0.1.2:80, then forwards the request to your
internal server 10.0.1.2. This creates an entry in the firewall NAT
table which will cause replies 10.0.1.2:80->1.2.3.4:1234 to translate
back to 8.8.8.8:80->1.2.3.4:1234, which is what you want.

Your server now sees a packet 1.2.3.4:1234->10.0.1.2:80, replies with a
packet 10.0.1.2:80->1.2.3.4:1234, which your firewall translates to
8.8.8.8:80->1.2.3.4:1234 and sends out to 1.2.3.4. It doesn't even
matter which interface this goes out, *unless* one of your providers is
doing the ingress filtering that he really ought to. As far as I know,
nobody actually does this, but if they do they should be willing to
make an exception for you.

So, above is at least one (unlikely) possible cause. In that case you
could solve the problem by making sure packets with source address
8.8.8.8 route out the 8.8.8.8 interface.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
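The fix suggested at the end of the post (reply packets carrying source address 8.8.8.8 must leave through the 8.8.8.8 interface) is a standard iproute2 policy-routing setup. The script below is an added example, not code from the thread or from the LARTC HOWTO: it emits the DNAT rule plus the per-provider routing table and `ip rule` that pin egress to the source address, and a `ip route get` line to check which interface the kernel will actually pick. The interface name `eth1`, the provider gateway `8.8.8.1`, the table number `200` and the client `1.2.3.4` are placeholders assumed for illustration; the addresses 8.8.8.8 and 10.0.1.2 are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): DNAT plus source-based routing
# so that replies from a port-forwarded server leave via the interface that
# owns the public address they carry. Runs in dry-run mode (prints commands)
# unless APPLY=1 is set, because applying it needs root and the real links.
set -eu

# Emit the commands for one public address / one internal service.
# $1 public IP      $2 egress interface   $3 provider gateway
# $4 routing table  $5 internal server    $6 TCP port
# All values passed in by the caller are assumptions for this example.
dnat_with_source_route() {
    pub="$1"; dev="$2"; gw="$3"; table="$4"; srv="$5"; port="$6"
    cat <<EOF
iptables -t nat -A PREROUTING -d $pub -p tcp --dport $port -j DNAT --to-destination $srv:$port
ip route add default via $gw dev $dev table $table
ip rule add from $pub table $table
ip route flush cache
EOF
}

# Emit the check a practitioner runs afterwards: ask the kernel which route
# a packet with source $1 to client $2 would take. The output should name
# the interface that owns $1, not the default (cable modem) link.
check_egress_cmd() {
    printf 'ip route get %s from %s\n' "$2" "$1"
}

# Stand-alone run: print (or, with APPLY=1, execute) the configuration.
if [ "${APPLY:-0}" = 1 ]; then
    dnat_with_source_route 8.8.8.8 eth1 8.8.8.1 200 10.0.1.2 80 | sh
    check_egress_cmd 8.8.8.8 1.2.3.4 | sh
else
    dnat_with_source_route 8.8.8.8 eth1 8.8.8.1 200 10.0.1.2 80
    check_egress_cmd 8.8.8.8 1.2.3.4
fi
```

The `ip rule add from 8.8.8.8 table 200` line is what makes the difference: the main table still picks the cheapest route to 1.2.3.4 for ordinary traffic, but a packet whose source is 8.8.8.8 is looked up in table 200 first and therefore goes out the provider that assigned that address. The same pair of commands (one table, one rule) is repeated per public address. To confirm the diagnosis before changing anything, capture on both sides of the firewall as the post recommends, for example `tcpdump -ni eth1 host 1.2.3.4` on the external link and `tcpdump -ni <internal-if> host 1.2.3.4` inside, and compare the source addresses of the replies.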