From: Andrew Beverley <andy@andybev.com>
To: "Usuário do Sistema" <maiconlp@ig.com.br>
Cc: netfilter@vger.kernel.org
Subject: Re: load balanced between tunnel VPN and an Normal Link Internet
Date: Mon, 11 Apr 2011 20:21:09 +0100
Message-ID: <1302549669.1551.20.camel@andybev>
In-Reply-To: <BANLkTimW+nay6YkXxWnHtP6GKv6Eopac7w@mail.gmail.com>
On Sun, 2011-04-10 at 15:55 -0300, Usuário do Sistema wrote:
> Hello everyone, I'm new on this mailing list and I would like to receive
> help with my problem.
>
Welcome.
>
> I have a firewall (with fwbuilder, Red Hat 5.6) in my branch office
> connected to my head office by OpenVPN. I have a problem when data flows
> to destination port 80 from my branch office to my head office.
>
> My branch office firewall has 3 Ethernet devices:
>
> eth0 - inside network 192.100.100.0/24
> eth1 - wan 1 VPN
> eth2 - wan 2 only for Internet Traffic
>
> I'm marking all traffic for port 80 to go out via wan 2 - eth2.
Why are you doing this? The default route should do this for you.
> But it's a problem, because when a user tries to access a service on
> port 80 in my head office it doesn't work!
>
> The firewall sends the traffic from the inside network to my head office
> out via eth2 instead of the VPN when the destination is port 80. I've
> tried to solve this with the rules below but it doesn't work; the same
> problem occurs.
>
> My head office inside network is 128.2.0.0/16, where I have my web
> servers on port 80.
>
> Rules created in the branch office firewall:
>
> /sbin/iptables -t mangle -A PREROUTING -s 0/0 -d ! 128.2.0.0/16 -p tcp
> --dport 80 -j MARK --set-mark 1
> ip rule del fwmark 1
> ip route flush table internet
> ip rule add fwmark 1 table internet prio 20
> ip route add default via 200.108.139.1 table internet ( it's eth2 )
> ip route flush cache
You shouldn't need to do any of the above. If you had your routing
tables correct, then any traffic for your head office network should go
out on the VPN (eth1) and all other traffic (default) should go out on
eth2.
> Part of my main routing table:
>
> 128.2.0.0 192.168.200.101 255.255.0.0 UG 0 0 0 tun0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
> 0.0.0.0 190.128.173.97 0.0.0.0 UG 0 0 0 eth1  <- where my VPN is
>
I think it would help if you could post a diagram of your setup (with
IP addresses) and your full routing table. I don't fully understand that
table above. For example, what is 192.168.200.101, what is eth3, and
what is 190.128.173.97? I assume that 200.108.139.1 is your public IP
address?
>
> Any tip?? I want packets from the inside network 192.100.100.0/24 to
> 128.2.0.0/16 port 80 to go out via tun0 instead of eth2.
Surely you want *any* traffic to 128.2.0.0/16 to go to tun0?
Andy
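To make the routing point in the reply above concrete, here is an added example (not code from the thread or from either poster): a small Python model of the kernel's policy-routing lookup, i.e. `ip rule` entries walked by priority, each pointing at a table that is searched by longest-prefix match, with fall-through to the next rule when a table holds no matching route. It compares the single-table layout the reply recommends (128.2.0.0/16 via tun0, everything else via the default on eth2) against the fwmark setup as posted. Gateway addresses are copied from the post; that 200.108.139.1 is eth2's gateway, and that the main-table default on eth1 is exactly as pasted, are assumptions.

```python
"""Toy model of Linux policy routing (ip rule + ip route), added to illustrate
the reply: a specific route for the head-office prefix plus a default route is
enough, no fwmark tables needed.  Not code from the mailing-list thread."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HEAD_OFFICE = ipaddress.ip_network("128.2.0.0/16")   # prefix from the post


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix; 0.0.0.0/0 is "default"
    dev: str                        # egress interface
    via: Optional[str] = None       # next hop, None means on-link


@dataclass(frozen=True)
class Rule:
    prio: int                       # lower number is consulted first
    table: str
    fwmark: Optional[int] = None    # None matches every packet


def lookup(table, dst):
    """Longest-prefix match within one routing table; None if no route."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def egress(rules, tables, dst, mark=0):
    """Walk the RPDB: the first matching rule whose table yields a route wins.
    A table with no matching route falls through to the next rule, as the
    kernel does (rule actions such as 'unreachable' are not modelled)."""
    dst = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        hit = lookup(tables.get(rule.table, []), dst)
        if hit is not None:
            return hit.dev
    return None   # no route anywhere: the kernel would return unreachable


def posted_mark(dst, dport):
    """Emulates the posted mangle rule:
    -p tcp --dport 80 -d ! 128.2.0.0/16 -j MARK --set-mark 1"""
    if dport == 80 and ipaddress.ip_address(dst) not in HEAD_OFFICE:
        return 1
    return 0


def net(s):
    return ipaddress.ip_network(s)


# Layout the reply recommends: one table, no marks.  Gateway addresses are
# reused from the post; that 200.108.139.1 is the eth2 gateway is assumed.
PLAIN_RULES = [Rule(32766, "main")]
PLAIN_TABLES = {"main": [
    Route(net("128.2.0.0/16"), "tun0", via="192.168.200.101"),
    Route(net("0.0.0.0/0"), "eth2", via="200.108.139.1"),
]}

# Layout as posted: fwmark 1 -> table 'internet' (prio 20), then main, whose
# default route points at eth1 according to the pasted routing table.
POSTED_RULES = [Rule(20, "internet", fwmark=1), Rule(32766, "main")]
POSTED_TABLES = {
    "internet": [Route(net("0.0.0.0/0"), "eth2", via="200.108.139.1")],
    "main": [
        Route(net("128.2.0.0/16"), "tun0", via="192.168.200.101"),
        Route(net("0.0.0.0/0"), "eth1", via="190.128.173.97"),
    ],
}


def plain_egress(dst, dport):
    """Egress interface under the recommended single-table layout."""
    return egress(PLAIN_RULES, PLAIN_TABLES, dst)


def posted_egress(dst, dport):
    """Egress interface under the posted fwmark layout."""
    return egress(POSTED_RULES, POSTED_TABLES, dst, mark=posted_mark(dst, dport))


if __name__ == "__main__":
    samples = [("128.2.0.10", 80), ("128.2.0.10", 443), ("8.8.8.8", 80), ("8.8.8.8", 443)]
    for dst, port in samples:
        print(f"{dst}:{port:<4} plain -> {plain_egress(dst, port):<5} "
              f"posted -> {posted_egress(dst, port)}")
```

Under the plain layout every destination in 128.2.0.0/16 leaves via tun0 regardless of port and everything else via eth2. Note that the model also sends 128.2.0.0/16:80 to tun0 under the posted rules, because the mangle rule excludes that prefix from the mark, so the posted fragments alone do not reproduce the symptom; that is exactly why the reply asks for a diagram and the full routing table.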
Thread overview: 3+ messages
2011-04-10 18:55 load balanced between tunnel VPN and an Normal Link Internet Usuário do Sistema
2011-04-11 19:21 ` Andrew Beverley [this message]
2011-04-11 20:20 ` Usuário do Sistema