Re[2]: [LARTC] simple dual Internet connection setup not sending return packets on correct interface

Re[2]: [LARTC] simple dual Internet connection setup not sending return packets on correct interface

[diab]

BJM> Which is irrelevant.  I have just put a third NIC in the machine to put
BJM> the PPPoE and Cable connections on different NICs and still the same
BJM> problem.  Packets have PPPoE's source address, but are sent physically
BJM> on Cable connected NIC.

iirc, to have two working internet connections on one (nat'ing)
computer you basically need two things (in my example its eth0 and
eth1)

1) SNAT to the right source address, like
iptables -A POSTROUTING -j nat -t SNAT [-s from.where or -d to.where]\
         --to-source source.addr.of.eth0
iptables -A POSTROUTING -j nat -t SNAT [-s from.where or -d to.where]\
         --to-source source.addr.of.eth1

2) two routing tables, like
 ip route add default via eth0.gateway.ip.address dev eth0 table 1
 ip route add default via eth1.gateway.ip.address dev eth1 table 2
maybe you dont even need the "via xx" thing, the dev xxx is enough.

then you can classify packets to use the connection you want using
 ip rule add WHATEVER lookup N (whatever could be "to x.x.x.x" or "from
 x.x.x.x", same as in the SNAT example, N could be 1 or 2)

if you want the router to respond to packets correcty (ie. to answer
ping on both interfaces) you need to
 ip rule add iif eth0 lookup 1
 ip rule add iif eth1 lookup 2
so packets coming from eth0/eth1 are routed using the correct routing
table.

i wrote all this from scratch so accept my apologies for any errors i
might have done but in my understanding this is how it should work in
general.

-
diab








_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re[2]: [LARTC] simple dual Internet connection setup not sending return packets on correct interface

[diab]

>> 1) SNAT to the right source address, like
>> iptables -A POSTROUTING -j nat -t SNAT [-s from.where or -d to.where]\
>>          --to-source source.addr.of.eth0

BJM> Surely you mean -t nat -j SNAT?
sorry, yeah it was -t nat -j SNAT.. i double checked now :)

BJM> But these two iptables rules conflict with each other.  If -s
BJM> "from.where" is my internal lan and the same in both rules, they are
BJM> both trying to do the SNATting of the same packets.  In my two rules, I
BJM> added a -o <iface> (where <iface> is the interface matching the
BJM> source.addr.of.<iface>).
yes they are conflicting with each other.. i thought that you could
select which connection the packets should be using either based on
the address the packets are coming FROM (-s some.ip.on.the.lan) or
going TO (-d wan.destination.address.).

BJM> I have:
BJM> ip rule add from 66.11.173.224 lookup 1
BJM> ip rule add from 24.235.240.15 lookup 2
anyways, you can "name" routing tables in /etc/iproute2/rt_tables
then it makes a bit more sense ("ip rule" also displays/uses them so eg.
if you name 1 to "abcd" then
ip rule add from x.x.x.x lookup abcd
also works.

iif is the interface packets are coming in (there is also oif).. if
it's not a static ip address it might be convenient not having to use
the IP of the connection but the interface. (same goes for the "via
XX when you are doing "ip route add default dev XY table N")

if you do "man ip" it reads (ip rule add/ip rule del):

iif NAME
  select  the  incoming  device  to match.  If the interface is
  loopback, the rule only matches packets originating from
  this host.  This means that you may create separate routing tables for
  forwarded and local packets  and,  hence,  com­
  pletely segregate them.

-
diab


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/