LARTC - Jan 2007 - Questions about mutiple providers

Hi, this is my first post to the list.

I  have  googled  a  lot,  and still cannot find a proper solution. I hope
someone here will be able to shed some light on my doubts.

I  have  set  up a firewall using kernel 2.6.15 (Debian) that does NAT for
100  clients,  and  uses  two  different  ISPs,  using  the howto found at
http://lartc.org/howto/lartc.rpdb.multiple-links.html.    I   have   *not*
patched my kernel.

The  rounting setup is taken from the howto, and it basically works, I see
packets  flowing  out  of both WAN interfaces, and everyting seems to work
properly for packets that are generated from the firewall itself.

I have set up NAT rules in postrouting table, this way:

iptables -t nat -A POSTROUTING -o $WAN  -j SNAT -s 10.0.0.0/16 --to-source
217.221.234.74
iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source
83.211.205.162

Local  net  is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and
their  relative  IP  addresses  are  set  as  shown.  WAN  interfaces  are
phisically different and have no aliases, only the IP shown above.

Now, I am experiencing two issues:

-  First,  I see packets with "from" address set to 83.211.205.162
that go
out of $WAN, and also packets with from address set to 217.221.234.74 that
flow  out  of  $WAN2.  This  address  mixup  should not happen, I suppose.
looking   at  the  packets,  it  seems  that  only NATed trafic shows this
behaviour.


-  Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that
still  have  the LAN from address, that is 10.0.x.x, these packets somehow
where not NATed at all.


Now, the questions are:

How do I solve this?

Do  I  need to patch my kernel to solve the first issue, because I need to
lock at NAT "established connections" tables to make routing
decisions? Is
it  impossible  to  have  equal  cost  multipath and SNAT together without
patching the kernel? If so, what patch do I need exactly?

Is  there  something  wrong  with my kernel version, that has a broken NAT
support?  (this could explain why I get some packets that do not get NATed
at all)


Thanks a lot for the time you took reading this.

-- 

  Fabio "Kurgan" Muzzi

On Mon, Jan 29, 2007 at 01:17:03PM +0100, Fabio Muzzi
wrote:
> 
> Hi, this is my first post to the list.
> 
> I  have  googled  a  lot,  and still cannot find a proper solution. I hope
> someone here will be able to shed some light on my doubts.
> 
> I  have  set  up a firewall using kernel 2.6.15 (Debian) that does NAT for
> 100  clients,  and  uses  two  different  ISPs,  using  the howto found at
> http://lartc.org/howto/lartc.rpdb.multiple-links.html.    I   have   *not*
> patched my kernel.
> 
> The  rounting setup is taken from the howto, and it basically works, I see
> packets  flowing  out  of both WAN interfaces, and everyting seems to work
> properly for packets that are generated from the firewall itself.
> 
> I have set up NAT rules in postrouting table, this way:
> 
> iptables -t nat -A POSTROUTING -o $WAN  -j SNAT -s 10.0.0.0/16 --to-source
217.221.234.74
> iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source
83.211.205.162
> 
> Local  net  is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and
> their  relative  IP  addresses  are  set  as  shown.  WAN  interfaces  are
> phisically different and have no aliases, only the IP shown above.
> 
> Now, I am experiencing two issues:
> 
> -  First,  I see packets with "from" address set to
83.211.205.162 that go
> out of $WAN, and also packets with from address set to 217.221.234.74 that
> flow  out  of  $WAN2.  This  address  mixup  should not happen, I suppose.
> looking   at  the  packets,  it  seems  that  only NATed trafic shows this
> behaviour.
you have to setup your ip rule  rules, which will state anything coming from
217.221.234.74 only goes out $WAN and anything coming from 83.211.205.162 only
goes out $WAN2, it should be part of the wiki/faq doco
> 
> 
> -  Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that
> still  have  the LAN from address, that is 10.0.x.x, these packets somehow
> where not NATed at all.
never seen this
> 
> 
> Now, the questions are:
> 
> How do I solve this?
> 
> Do  I  need to patch my kernel to solve the first issue, because I need to
> lock at NAT "established connections" tables to make routing
decisions? Is
> it  impossible  to  have  equal  cost  multipath and SNAT together without
> patching the kernel? If so, what patch do I need exactly?
> 
> Is  there  something  wrong  with my kernel version, that has a broken NAT
> support?  (this could explain why I get some packets that do not get NATed
> at all)
> 
> 
> Thanks a lot for the time you took reading this.
> 
> -- 
> 
>   Fabio "Kurgan" Muzzi
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc