On Mon, Jan 29, 2007 at 01:17:03PM +0100, Fabio Muzzi wrote:
>
> Hi, this is my first post to the list.
>
> I have googled a lot, and still cannot find a proper solution. I hope
> someone here will be able to shed some light on my doubts.
>
> I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for
> 100 clients, and uses two different ISPs, using the howto found at
> http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not*
> patched my kernel.
>
> The routing setup is taken from the howto, and it basically works, I see
> packets flowing out of both WAN interfaces, and everything seems to work
> properly for packets that are generated from the firewall itself.
>
> I have set up NAT rules in postrouting table, this way:
>
> iptables -t nat -A POSTROUTING -o $WAN -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
> iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 83.211.205.162
>
> Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and
> their relative IP addresses are set as shown. WAN interfaces are
> physically different and have no aliases, only the IP shown above.
>
> Now, I am experiencing two issues:
>
> - First, I see packets with "from" address set to 83.211.205.162 that go
> out of $WAN, and also packets with from address set to 217.221.234.74 that
> flow out of $WAN2. This address mixup should not happen, I suppose.
> Looking at the packets, it seems that only NATed traffic shows this
> behaviour.
You have to set up your ip rule rules, which will state that anything coming from
217.221.234.74 only goes out $WAN and anything coming from 83.211.205.162 only
goes out $WAN2; it should be part of the wiki/faq doco.
>
>
> - Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that
> still have the LAN from address, that is 10.0.x.x, these packets somehow
> were not NATed at all.
Never seen this.
>
>
> Now, the questions are:
>
> How do I solve this?
>
> Do I need to patch my kernel to solve the first issue, because I need to
> look at NAT "established connections" tables to make routing decisions? Is
> it impossible to have equal cost multipath and SNAT together without
> patching the kernel? If so, what patch do I need exactly?
>
> Is there something wrong with my kernel version, that has a broken NAT
> support? (this could explain why I get some packets that do not get NATed
> at all)
>
>
> Thanks a lot for the time you took reading this.
>
> --
>
> Fabio "Kurgan" Muzzi
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
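The source-based policy routing the reply points to, plus an egress guard for the second issue, written out as an added example; it is not code from the original thread or from the LARTC howto. The two WAN addresses and the LAN prefix are the ones in the post; the interface names eth1/eth2, the gateway addresses and the routing-table numbers 1 and 2 are assumptions for illustration. The security point is that without the "from" rules a packet SNATed to one ISP's address can leave via the other ISP's link, and a packet that was never NATed leaves with its 10.0.x.x source; an upstream doing source-address validation (BCP 38) drops both, and the second one also discloses the internal addressing plan.

```sh
#!/bin/sh
# Added example, not code from the original post or the LARTC howto.
# Generates (and applies only when APPLY=1) the policy-routing rules the
# reply refers to, plus NAT rules with an egress guard.
# WAN addresses and LAN prefix are from the post; interface names, gateway
# addresses and table numbers are assumptions.
set -eu

LAN_NET="10.0.0.0/16"
WAN="eth1"                 # assumption: the post's $WAN
WAN_IP="217.221.234.74"
WAN_GW="217.221.234.73"    # assumption: ISP 1 next hop
WAN2="eth2"                # assumption: the post's $WAN2
WAN2_IP="83.211.205.162"
WAN2_GW="83.211.205.161"   # assumption: ISP 2 next hop

# Policy routing: one routing table per uplink, selected by source address.
# Without these rules the main table's default route is used for every packet,
# so a packet SNATed to WAN2_IP can leave via WAN and vice versa. The host
# route to each gateway avoids assuming the ISP subnet's netmask.
policy_routing_cmds() {
    cat <<EOF
ip route add $WAN_GW dev $WAN src $WAN_IP table 1
ip route add default via $WAN_GW table 1
ip route add $WAN2_GW dev $WAN2 src $WAN2_IP table 2
ip route add default via $WAN2_GW table 2
ip rule add from $WAN_IP table 1
ip rule add from $WAN2_IP table 2
ip route flush cache
EOF
}

# NAT plus egress guard. Packets that conntrack classifies as INVALID are
# never NATed and would leave with a 10.0.x.x source, so they are dropped in
# FORWARD before reaching either uplink. Only LAN-sourced traffic may be
# forwarded out; return traffic is admitted by connection state.
nat_cmds() {
    cat <<EOF
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -s $LAN_NET -o $WAN -j ACCEPT
iptables -A FORWARD -s $LAN_NET -o $WAN2 -j ACCEPT
iptables -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN2 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $WAN_IP
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN2 -j SNAT --to-source $WAN2_IP
EOF
}

# Self-check: number of generated "ip rule" lines pinning a source address to
# a table. Each WAN address must have exactly one.
rule_count_for() {
    policy_routing_cmds | grep -c "^ip rule add from $1 "
}

if [ "${APPLY:-0}" = "1" ]; then
    policy_routing_cmds | sh -e
    nat_cmds | sh -e
else
    policy_routing_cmds
    nat_cmds
fi
```

Run it without APPLY to review the generated commands, then with APPLY=1 as root. After loading, check the selection with `ip route get 8.8.8.8 from 83.211.205.162` (it must report dev eth2) and the mirror case for the other address. One caveat for the second issue: NAT is decided on the first packet of a connection, so conntrack entries that existed before the SNAT rules were loaded keep their null binding and continue to leave un-NATed; flush the conntrack table (conntrack -F from conntrack-tools) once the rules are in place.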