Nikita Vinokurov
2004-Jan-19 14:07 UTC
Two ISP load balancing + one ISP's subnet explicit routing
Hello! I have a problem. Maybe there is someone here who has encountered the following problem.

I have a router which is connected to 2 ISPs on the external side and has one LAN internal interface. The feature is that one ISP allocates a subnet xxx.xxx.xxx.160/28 to me, but I split it into two subnets, xxx.xxx.xxx.160/29 and xxx.xxx.xxx.168/29, and assign the latter to the internal interface. Also I have organized DNAT+SNAT so that all internet requests are DNATted to and SNATted from xxx.xxx.xxx.170 (which is a second firewall running Microsoft ISA).

So ip route list:

    y.y.y.96/30 dev eth1 proto kernel scope link src y.y.y.98
    x.x.x.168/29 dev eth0 proto kernel scope link src x.x.x.169
    x.x.x.160/29 dev eth2 proto kernel scope link src x.x.x.162

Also load balancing between eth1 and eth2 is organized with the 'ip' tool:

ip route list table 222:

    default table 222 proto static
        nexthop via y.y.y.97 dev eth1 weight 1
        nexthop via x.x.x.161 dev eth2 weight 10

SNAT was set to:

    iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source x.x.x.162
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source y.y.y.98

But now I have to establish a VPN channel to connect a given external machine with a known IP (z.z.z.z) to my ISA firewall, but avoiding NAT. I have tried to implement it in the following way:

ip route list:

    y.y.y.96/30 dev eth1 proto kernel scope link src y.y.y.98
    x.x.x.168/29 dev eth0 proto kernel scope link src x.x.x.169
    x.x.x.160/28 dev eth2 proto kernel scope link src x.x.x.162

and SNAT is set to:

    iptables -t nat -A POSTROUTING -o eth2 -d ! z.z.z.z -j SNAT --to-source x.x.x.162

But when I try to access, for example, the x.x.x.170 address from z.z.z.z, it does not reply. Where is the mistake?

--
Nikita Vinokurov
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
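As an added example (not from the post above), a small Python model of the routes and POSTROUTING rules shown in the second configuration, tracing the peer's request to x.x.x.170 and the firewall's reply back to z.z.z.z. The x/y/z placeholders are replaced by constructed documentation-range addresses, and an ip rule that sends traffic not matched by a connected route to table 222 is assumed. It shows that a reply which the table-222 multipath route sends out eth1 is rewritten to y.y.y.98 by the eth1 SNAT rule, which, unlike the eth2 rule, has no exclusion for z.z.z.z.

```python
import ipaddress

# Constructed stand-ins for the post's placeholders (documentation ranges):
# x.x.x.* -> 198.51.100.*, y.y.y.* -> 203.0.113.*, z.z.z.z -> 192.0.2.1
X, Y, PEER = "198.51.100.", "203.0.113.", "192.0.2.1"

# Connected routes from the second "ip route list" in the post (main table).
CONNECTED = [
    (ipaddress.ip_network(Y + "96/30"), "eth1"),
    (ipaddress.ip_network(X + "168/29"), "eth0"),
    (ipaddress.ip_network(X + "160/28"), "eth2"),
]
# Table 222: default route with two weighted nexthops. Assumption: an ip rule
# sends everything not matched by a connected route to this table.
MULTIPATH = [("eth1", 1), ("eth2", 10)]

# POSTROUTING SNAT rules as posted: (out_if, excluded_dst, new_source).
SNAT = [
    ("eth2", PEER, X + "162"),  # -o eth2 -d ! z.z.z.z -j SNAT --to-source x.x.x.162
    ("eth1", None, Y + "98"),   # -o eth1 -j SNAT --to-source y.y.y.98 (no exclusion)
]

def egress(dst, choose):
    """Longest-prefix connected route wins; otherwise the table-222 multipath
    choice. `choose` picks one of MULTIPATH (the kernel does so by weight)."""
    ip = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in CONNECTED if ip in net]
    if hits:
        return max(hits)[1]
    return choose(MULTIPATH)

def post_snat(out_if, src, dst):
    """Apply the first matching POSTROUTING rule, as iptables would."""
    for dev, excluded, new_src in SNAT:
        if dev == out_if and dst != excluded:
            return new_src
    return src

def trace(src, dst, choose=lambda hops: max(hops, key=lambda h: h[1])[0]):
    """Return (output interface, source address seen on the wire)."""
    out_if = egress(dst, choose)
    return out_if, post_snat(out_if, src, dst)

if __name__ == "__main__":
    print("request   ", trace(PEER, X + "170"))                          # ('eth0', '192.0.2.1')
    print("reply/eth2", trace(X + "170", PEER))                          # ('eth2', '198.51.100.170')
    print("reply/eth1", trace(X + "170", PEER, choose=lambda h: "eth1"))  # ('eth1', '203.0.113.98')
```

The request reaches the firewall untouched because the /29 on eth0 is more specific than the /28 on eth2, but the reply's interface is decided by table 222, and only the eth2 path keeps x.x.x.170 as source.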