* [LARTC] 2 DSL link, DNAT & SNAT
@ 2004-09-30  9:54 Sandro Dentella
  2004-09-30 13:59 ` marba
  2004-09-30 14:13 ` David Hough
  0 siblings, 2 replies; 3+ messages in thread
From: Sandro Dentella @ 2004-09-30  9:54 UTC (permalink / raw)
  To: lartc

Sorry for the long description of the problem, I'd like to know if I
misunderstand something or if I meet an intrinsic limit of my setup.


217.58.51.162  HDSL eth1 -            SRV_XP: 192.168.254.10   
                    eth0: 192.168.254.1 -----+------------------+-------  
81.121.243.250 ADSL eth3 -


  I want to allow incoming pptp request (port 1723) to be forwarded to
  srv_xp (.10) both coming from ADSL & HDSL. From HDSL everything works
  (note rule with prio 38) ADSL does not. From ADSL I can reach SRV_XP only
  if I eliminate rule 38, but at that moment I cannot enter from HDSL...


  My setup

     + ip tables hdsl & adsl for the 2 dsl lines, 
	  0:      from all lookup local 
	  30:     from all fwmark        3 lookup hdsl 
	  38:     from 192.168.254.10 lookup hdsl   <<= NOTE this
	  40:     from 217.58.51.160/27 lookup hdsl 
	  41:     from 81.121.243.248/30 lookup adsl 
	  52:     from all iif eth0 lookup adsl 
	  53:     from all iif eth2 lookup adsl 
	  32766:  from all lookup main 
	  32767:  from all lookup default 
     + hdsl table has default gw to HDSL line
     + adsl table has default gw to ADSL line
     
     + DNAT & SNAT occurring from both dsl lines

   Chain PREROUTING  
   DNAT tcp  0.0.0.0/0  81.121.243.250   tcp dpt:1723 to:192.168.254.10 
   DNAT tcp  0.0.0.0/0  217.58.51.162    tcp dpt:1723 to:192.168.254.10 
       
   Chain POSTROUTING 
   SNAT all  --  *      eth1    0.0.0.0/0    0.0.0.0/0    to:217.58.51.162 
   SNAT all  --  *      eth3    0.0.0.0/0    0.0.0.0/0    to:81.121.243.250 
   SNAT tcp  --  *      eth0    0.0.0.0/0 192.168.254.10  tcp dpt:1723 to:192.168.254.1 
   [mangling occurs only on ports 3085, 5405, 5421 so that rule 30 (fwmark) 
   does nothing here. ]



   I guess the problem is the routing table of the packet coming back from
   SRV_XP: the ack packet does take a routing table different from the 1st
   incoming packet. 

   I added SNAT thinking to avoid asymmetric routing (income via adsl, out
   via hdsl), but I'm not sure it works this way. What happens to an ACK
   package? Does the kernel use the routing table it arrived with or
   recompute it after it realizes it is RELATED to a connection already open?
   Is this a question for this list or for the netfilter list? ;-)


   Thanks for any hint for a clean solution.

   sandro
   *:-)


-- 
Sandro Dentella  *:-)
e-mail: sandro@e-den.it 
http://www.tksql.org                    TkSQL Home page - My GPL work
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
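An added example, not from the thread, that models the netfilter hook order for the setup in the post above (addresses, interfaces and ip rules are the post's own; the remote PPTP client address is constructed). It shows why the reply's route lookup still sees 192.168.254.10 as the source, so rule 38 sends every reply out the HDSL link and dropping it sends every reply out ADSL.

```python
# Added example (not from the thread): a model of the netfilter hook order for
# the two-link DNAT/SNAT setup above. NAT rules bind only a connection's first
# packet; replies reuse the binding (reverse SNAT in PREROUTING, reverse DNAT
# in POSTROUTING), and the route lookup runs between those two steps.
import ipaddress

HDSL, ADSL = "217.58.51.162", "81.121.243.250"   # public addresses from the post
SRV_XP, GW = "192.168.254.10", "192.168.254.1"
WAN_IF = {HDSL: "eth1", ADSL: "eth3"}             # which link owns which address
TABLES = {"hdsl": "eth1", "adsl": "eth3", "main": "eth0"}  # default out-iface per table

def ip_rules(with_rule_38):
    """The 'ip rule' list from the post as (prio, src prefix, iif, table).

    Rules 0 (local), 30 (fwmark, unused on port 1723 per the post) and 53
    (eth2) cannot match the reply modelled here and are left out."""
    rules = [
        (38, SRV_XP + "/32", None, "hdsl"),
        (40, "217.58.51.160/27", None, "hdsl"),
        (41, "81.121.243.248/30", None, "adsl"),
        (52, None, "eth0", "adsl"),
        (32766, None, None, "main"),
    ]
    return [r for r in rules if with_rule_38 or r[0] != 38]

def route(src, iif, rules):
    """First matching policy rule picks the table; return that table's out-iface."""
    for _, prefix, rule_iif, table in rules:
        if prefix and ipaddress.ip_address(src) not in ipaddress.ip_network(prefix):
            continue
        if rule_iif and rule_iif != iif:
            continue
        return TABLES[table]
    raise LookupError("no rule matched")

def reply_path(public_ip, client, with_rule_38):
    """Walk SRV_XP's reply for a PPTP connection that arrived on public_ip;
    return (out-iface, source address on the wire). client is the remote peer."""
    # Original direction already bound: PREROUTING DNAT public_ip -> SRV_XP,
    # then the eth0 POSTROUTING SNAT rewrote the client address to GW.
    src, dst = SRV_XP, client                  # PREROUTING reversed the SNAT (dst was GW)
    oif = route(src, "eth0", ip_rules(with_rule_38))  # lookup: src is still SRV_XP
    src = public_ip                            # POSTROUTING: reverse the DNAT
    return oif, src

def asymmetric(public_ip, client, with_rule_38):
    """True when the reply leaves on a link other than the one owning its source."""
    oif, src = reply_path(public_ip, client, with_rule_38)
    return oif != WAN_IF[src]
```

The usual way out is to mark the connection when its first packet arrives on a WAN interface (CONNMARK) and route replies by the restored mark, which is what rule 30 already does for the ports the post mangles.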


* Re: [LARTC] 2 DSL link, DNAT & SNAT
  2004-09-30  9:54 [LARTC] 2 DSL link, DNAT & SNAT Sandro Dentella
@ 2004-09-30 13:59 ` marba
  2004-09-30 14:13 ` David Hough
  1 sibling, 0 replies; 3+ messages in thread
From: marba @ 2004-09-30 13:59 UTC (permalink / raw)
  To: lartc

I can suggest you two different addresses on SRV_XP: external1 > dnat to internal1 & external2 > dnat to internal2 and 2 ip rules.
Tell me how this is going as I am involved in a similar project right now.



* Re: [LARTC] 2 DSL link, DNAT & SNAT
  2004-09-30  9:54 [LARTC] 2 DSL link, DNAT & SNAT Sandro Dentella
  2004-09-30 13:59 ` marba
@ 2004-09-30 14:13 ` David Hough
  1 sibling, 0 replies; 3+ messages in thread
From: David Hough @ 2004-09-30 14:13 UTC (permalink / raw)
  To: lartc

On Thu, 2004-09-30 at 13:59, marba wrote:

> I can suggest you two different addresses on SRV_XP: external1 > dnat to internal1 & external2 > dnat to internal2 and 2 ip rules.
> Tell me how this is going as I am involved in a similar project right now.
> 
That does work in principle, it's how I handle two links here. I don't
need to do load balancing because one of my links is a cable modem, the
other is ISDN, so the default for locally-generated traffic is always
the cable interface.

However, reading various docs does suggest that this shouldn't be
necessary but I've never been able to get it to work properly with
single IP addresses on the internal servers.
-- 
Dave
So many gadgets, so little time
http://www.llondel.org/
