thr3ads.net - LARTC - Local server unreachable by remote lan in dual isp configuration [Sep 2007]

If this information is useful, please help other people find it:
Share via:

Marco Bizzantino

2007-Sep-25 18:51 UTC

Local server unreachable by remote lan in dual isp configuration

hi all,
i have this situation:

               isp1
                  |
dmz ----- FW linux  ----- isp2
                  |----------------------------------- vpn
concentrator  ----- various ipsec lan-2-lan
                  |
                LAN


In lan i have "pc zone" and "server zone", same network.

Dmz and server zone browse internet through isp1, lan use isp2, and
remote lan too (connected with vpn concentrator) using squid proxy
installed on linux firewall.

My problem: server zone and firewall are unreachable by remote lan,
but a pc in a remote lan can ping/rdp/smb/vnc/ecc all the other pc in
local lan.

Firewall linux is the default gw, and it have a routing rules to route
connections from lan to remote lan to vpn concentrator.

If i use only one isp, all works fine, so the problem was in my iproute setup.

If i set a static route in servers bypassing the default gw (firewall
linux) that point directly vpn concentrator, the remote lan can
connect the server.

Some details.

cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
100     isp2
101     isp1
#
# local
#
#1      inr.ruhep


This is the iproute script:

ISP1_NET="x.x.x.192/29"
ISP1_IP="x.x.x.195"
ISP1_GW="x.x.x.193"
ISP1_IF="bad0"

ISP2_NET="x.x.x.96/29"
ISP2_IP="x.x.x.98"
ISP2_GW="x.x.x.97"
ISP2_IF="bad1"

DMZ_NET="192.168.0.0/24"
DMZ_IF="dmz0"

LAN_NET="10.0.0.0/24"
LAN_IF="lan0"

SERVER_MAIL="10.0.0.50"
SERVER_1="10.0.0.10"
SERVER_2="10.0.0.2"
SERVER_3="10.0.0.3"


/sbin/ip rule add fwmark 100 table ISP2
/sbin/ip rule add fwmark 101 table ISP1

/sbin/ip route add $ISP1_NET dev $ISP1_IF src $ISP1_IP table 1
/sbin/ip route add default via $ISP1_GW table 101
/sbin/ip route add $ISP2_NET dev $ISP2_IF src $ISP2_IP table 2
/sbin/ip route add default via $ISP2_GW table 100


/usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_1 -j
MARK --set-mark 101
/usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_2 -j
MARK --set-mark 101
/usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_3 -j
MARK --set-mark 101
/usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_MAIL
-j MARK --set-mark 101
/usr/sbin/iptables -t mangle -A PREROUTING -i $DMZ_IF -s $DMZ_NET -j
MARK --set-mark 101

/sbin/ip route add default dev bad1 table ISP2
/sbin/ip route add default dev bad0 table ISP1


for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
/bin/echo 1 > /proc/sys/net/ipv4/route/flush

/sbin/ifconfig dummy0 1.2.3.4
/sbin/ip route add default dev dummy0



Can somebody help me?

best regards
bizza

Marco Bizzantino

2007-Sep-26 13:35 UTC

head link

Re: Local server unreachable by remote lan in dual isp configuration

On 9/25/07, Marco Bizzantino <bizzam@gmail.com>
wrote:> hi all,
> i have this situation:[...]

forget my first mail, now all works fine.

Best regards
bizza

Possibly Parallel Threads

Search for more maybe matching threads

LARTC - Sep 2007 - Local server unreachable by remote lan in dual isp configuration

Local server unreachable by remote lan in dual isp configuration

Re: Local server unreachable by remote lan in dual isp configuration

Possibly Parallel Threads