Hi
I have a strange problem. I have a firewall with 3 nics.
1 - lan
2 - leased line or diginet
3 - connected to adsl modem
I have 2 tables in defined in /etc/iproute2/rt_tables:
200 diginet
201 adsl
The ADSL modem has an IP of 192.168.0.1 and is configured to initiate
the PPPOE connection. I can mark packets within the network destined
for port 80 successfully:
ip ro add default via x.x.x.x table diginet #where x.x.x.x is the ip
of the cisco router
ip route add default via 192.168.0.1 dev eth2 table adsl
ip ru add fwmark 2 table adsl
ip ro fl ca
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80
-j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
That all works and if i do a tcpdump on eth2 I can see packets for web
traffic going out via ADSL.
The problem:
If I configure the ADSL modem to no longer make the PPPOE connection
but let the firewall do it i.e pppoe-setup / pppoe then it doesn''t
work. Here''s the relevant netfilter and iproute2 steps I did.
ip ro add default via x.x.x.x table diginet #where x.x.x.x is the ip
of the cisco router
ip ro add dev ppp0 table adsl
ip ro add default via x.x.x.x table adsl #where x.x.x.x is the p-t-p
addr from the output of ifconfig ppp0
ip ru add fwmark 2 table adsl
ip ro fl ca
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80
-j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT
I have also set DEFROUTE=no and PEERDNS=no in /etc/ppp/pppoe.conf as
the diginet is still the default route but I only want web traffic out
on ADSL.
Some output from tcpdump showing this doesn''t work:
[root@firewall ~]# tcpdump -i eth0 port 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:43:59.501397 IP 192.168.1.222.2867 > 66.249.93.104.80: S
2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219115
0,nop,wscale 0>
07:44:02.495748 IP 192.168.1.222.2867 > 66.249.93.104.80: S
2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219415
0,nop,wscale 0>
07:44:08.496618 IP 192.168.1.222.2867 > 66.249.93.104.80: S
2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6220015
0,nop,wscale 0>
07:44:20.498324 IP 192.168.1.222.2867 > 66.249.93.104.80: S
2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6221215
0,nop,wscale 0>
If anyone can shed some light on what I''m doing wrong or missing
I''d
really appreciate it.
Michael
