lartc@interlinx.bc.ca
2003-Jan-19 11:00 UTC
Enabling source routing to force packets back through router?
Hi all. I am hoping somebody here has a bright idea how to solve my problem. I have several solutions that I have come up with but don''t like for various reasons. I have this scneario: Internet / \ | | R1 R2 | | | | +----+-----+ | |---------Lan via switches/hubs | Wan-----R3 Where currently, routers R2 and R3 are in place. R3 (legacy router) is the default route for all of the hosts on the Lan. When traffic is Wan-bound it routes it to the Wan, but otherwise default routes to R2, which default routes to the Internet. I am adding a new Linux-based Internet router, R1 (different provider) which is going to have specific Internet uses (vs. R2 which is for general Internet use). Lan is RFC1812 space and both R2 and R1 provide NAT services. If R1 provides an "inbound" NAT service of some kind (i.e. Internet user gets NATted to Lan host), obviously I need to make sure those inbound-NATted packets from the Lan hosts are routed back through R1. Also, if R1 provides IPSEC tunnelling for Internet users (where an Internet IPSEC user is a single IP address, not a network), I need to ensure packets that came in on the IPSEC tunnel go back out on the tunnel, via R1. To solve, I have thought that I could: 1. Leave R3 as Lan default route. Have R3 default route to R1, and have R1 route all traffic that is not part of "sessions" through R1 to R2. This makes R1 a very bad single point of failure, as well as increasing traffic loads unnecessarily. 2. Have R1 add source routes to traffic heading for the Lan. Source routing would be dis-allowed on the Internet interface of R1, but R1 would add itself as a source-routing hop for traffic which successfully passes through it to the Lan. 3. Do some kind of IP-in-IP tunnelling between R1 and R3. Seems over-complicated. I am not sure how to do #2, or if it can even be done. Any other suggestions would be much welcome. Thanx, b. -- Brian J. Murrell