After many many hours of frustration and failures I''m almost to the point that I don''t think this is even currently possible with Linux. With out going in to too much detail, I am effectively wanting to do the following. I want to be able to take traffic in from a local LAN on eth0 and route it out eth1 to a default gateway with a static IP. I want said default gateway with the static IP to be assigned to eth2. I then want to route and masquerade traffic that came in eth2 out eth3. (Enter ASCII art) --------------+ Context 0 | +------+ +-----------+ +---+ eth0 |------+ Local LAN | | +------+ +-----------+ | | | +------+ +---+ eth1 +---+ +------+ | | | ==============|===|== Context 1 | | +------+ | +---+ eth2 +---+ | +------+ | | | +------+ +----------+ +---+ eth3 +------+ Internet | +------+ +----------+ | --------------+ I want the ""router in context 0 to effectively (for the sake of discussion) do basic static NAT routing for the local LAN. This router will have two static IP addresses, LAN facing and upstream router facing. I want the ""router in context 1 to effectively (for the sake of discussion) do basic MASQUERADing for the equipment behind it. This router will have one static IP facing the LAN and one dynamic IP facing its upstream provider. I have followed Julian Anastasov''s directions (http://www.ssi.bg/~ja/send-to-self.txt) and applied his Send-to-Self patch (http://www.ssi.bg/~ja/send-to-self-2.6.22-1.diff) to a stock 2.6.22 kernel and I am able to ping the IP address assigned to eth2 from eth1 with out any problems. However I don''t think Julian''s patch covers routing traffic through (not terminating at or originating locally) the cross over cable. I have also done some experimenting on my own to see if this is even remotely possible to do by altering the routing tables in the kernel. The closest that I can come is to remove all references to eth2 from the kernel''s ''local'' routing table so that the kernel is not aware that the IP address in question is local to the system thus making it think that it needs to send the traffic out eth1 which is on the same subnet as the target IP assigned to eth2. I can tell from packet counters that this does indeed send the traffic like it is suppose to do. However when the packet arrives in eth2 the kernel does not know what to do with it as it does not see the IP in question as being bound to any thing any where and drops the packet. To this end I have re-added the entries from the ''local'' routing table to a new routing table ''local_new'' and set up an ''ip rule'' that indicates that any traffic coming in the eth2 interface should use this ''local_new'' routing table. However I have no way to know if this is doing any good or not as I can not progress further. I have also tried with out success to use the CONNMARKing in conjunction with (packet) MARKing to use an additional ''ip rule'' to specify that any traffic that would be leaving the system should also use the ''local_new'' routing table. However all of this is to no avail. If I stick more with Julian''s ''Send-to-Self'' document and just alter source IPs for different destinations (per the end of said document) I can get the traffic to flow through the system, but not as I want it to. To the best of my knowledge traffic will come in eth0 and go directly out eth3 while somehow in the return path passing through eth2, but never touching eth1. If I can not get this to work the way that I need / want it to I will have to fall back to UML routers to fulfill the role of the context 1 ""router. So any help that any one could provide would be _*GREATLY*_ appreciated. Thanks in advance for any and all help that any one can provide, Grant. . . .
After more Googleing and searching through mailing lists with ever widening search terms I think I may have come across something that has some potential. If I understand it correctly the "Linux Virtual Router and Forwarding" project (http://linux-vrf.sourceforge.net/) that has a LOT of potential. I think it might even help me. (More to come.) Grant. . . .
Hello, On Tue, 21 Aug 2007, Grant Taylor wrote:> I want to be able to take traffic in from a local LAN on eth0 and route > it out eth1 to a default gateway with a static IP. I want said default > gateway with the static IP to be assigned to eth2. I then want to route > and masquerade traffic that came in eth2 out eth3. > > (Enter ASCII art) > > --------------+ > Context 0 | > +------+ +-----------+ > +---+ eth0 |------+ Local LAN | > | +------+ +-----------+ > | | > | +------+ > +---+ eth1 +---+ > +------+ | > | | > ==============|===|==> Context 1 | | > +------+ | > +---+ eth2 +---+ > | +------+ > | | > | +------+ +----------+ > +---+ eth3 +------+ Internet | > +------+ +----------+ > | > --------------+ > > I want the ""router in context 0 to effectively (for the sake of > discussion) do basic static NAT routing for the local LAN. This router > will have two static IP addresses, LAN facing and upstream router facing. > > I want the ""router in context 1 to effectively (for the sake of > discussion) do basic MASQUERADing for the equipment behind it. This > router will have one static IP facing the LAN and one dynamic IP facing > its upstream provider. > > I have followed Julian Anastasov''s directions > (http://www.ssi.bg/~ja/send-to-self.txt) and applied his Send-to-Self > patch (http://www.ssi.bg/~ja/send-to-self-2.6.22-1.diff) to a stock > 2.6.22 kernel and I am able to ping the IP address assigned to eth2 from > eth1 with out any problems. However I don''t think Julian''s patch covers > routing traffic through (not terminating at or originating locally) the > cross over cable.Yes, patch works for output routes only. May be you can try to forward traffic with ip rules with iif parameter. Make sure you have rules and routes for both directions. Of course, there must be some IP addresses because routes work only for devices with IPs. SNAT should be able to assign non-local external IP address, not possible for MASQUERADE, you have to use SNAT everywhere. That is, don''t configure the SNAT addresses. Then you should not see local IPs in the traffic. Not sure for other pitfalls. Regards -- Julian Anastasov <ja@ssi.bg>
> Yes, patch works for output routes only. May be you can try to > forward traffic with ip rules with iif parameter. Make sure you have > rules and routes for both directions. Of course, there must be some > IP addresses because routes work only for devices with IPs. SNAT > should be able to assign non-local external IP address, not possible > for MASQUERADE, you have to use SNAT everywhere. That is, don''t > configure the SNAT addresses. Then you should not see local IPs in > the traffic. Not sure for other pitfalls.Thank you for taking the time to reply to me. Do to time constraints I ended up falling back to the old tried and true stand by of using a User Mode Linux system to do the routing that I needed to. My system currently has the main routing context and multiple UML routers to that each have another routing context. Again, thank you and have a nice day. Grant. . . .