From: Nikita Vinokurov <vinokurov@mail.ru>
To: lartc@vger.kernel.org
Subject: [LARTC] Two ISP load balancing + One ISP' subnet explicit routing
Date: Mon, 19 Jan 2004 14:07:58 +0000
Message-ID: <400BE4BE.8020404@mail.ru>
Hello!
I have a problem. Maybe there is someone here who has encountered the following problem.
I have a router which is connected to 2 ISPs on the external side and has one internal LAN
interface. The particular feature is that one ISP allocates a subnet xxx.xxx.xxx.160/28 to me,
but I split it into two subnets, xxx.xxx.xxx.160/29 and xxx.xxx.xxx.168/29, and assign the
latter to the internal interface. Also I have organized DNAT+SNAT so that all internet
requests are DNATted to and SNATted from xxx.xxx.xxx.170 (which is a second firewall
running Microsoft ISA).
So
ip route list:
y.y.y.96/30 dev eth1 proto kernel scope link src y.y.y.98
x.x.x.168/29 dev eth0 proto kernel scope link src x.x.x.169
x.x.x.160/29 dev eth2 proto kernel scope link src x.x.x.162
Also load balancing between eth1 and eth2 is organized with the 'ip' tool:
ip route list table 222
default table 222 proto static
nexthop via y.y.y.97 dev eth1 weight 1
nexthop via x.x.x.161 dev eth2 weight 10
SNAT was set to:
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source x.x.x.162
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source y.y.y.98
But now I have to establish a VPN channel to connect a given external machine with a known IP (z.z.z.z) to
my ISA firewall, but avoiding NAT. I have tried to implement it in the following way:
ip route list:
y.y.y.96/30 dev eth1 proto kernel scope link src y.y.y.98
x.x.x.168/29 dev eth0 proto kernel scope link src x.x.x.169
x.x.x.160/28 dev eth2 proto kernel scope link src x.x.x.162
and SNAT is set to:
iptables -t nat -A POSTROUTING -o eth2 -d ! z.z.z.z -j SNAT --to-source x.x.x.162
But when I try to access, for example, the x.x.x.170 address from z.z.z.z, it does not reply.
Where is the mistake?
--
Nikita Vinokurov
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
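Added example (editor's, not part of the original post or any reply to it): one configuration pattern for the setup described above, written as a POSIX shell script that prints the commands by default and applies them only when DRY_RUN=0. It pins traffic from the internal x.x.x.168/29 hosts toward the VPN peer z.z.z.z to the eth2 uplink with a dedicated routing table, excludes the peer from SNAT on both uplinks, and enables proxy ARP on eth2 so the router answers ARP for the carved-out /29 on behalf of the ISP gateway, which sees the whole x.x.x.160/28 as on-link. The addresses are the placeholders from the post; the routing table number 223, the rule priority and the variable names are assumptions, and the script is a pattern to adapt, not a statement of what is wrong in the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the original post. Two uplinks (eth1, eth2), table 222
# weighted default, an internal /29 carved from the eth2 ISP's /28, and a VPN
# peer z.z.z.z that must bypass NAT. Placeholder addresses are from the post;
# table 223, priority 100 and the variable names are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands, 0 = execute them (root)

ISP1_IF=eth1; ISP1_GW=y.y.y.97;  ISP1_SRC=y.y.y.98
ISP2_IF=eth2; ISP2_GW=x.x.x.161; ISP2_SRC=x.x.x.162
INT_IF=eth0;  INT_NET=x.x.x.168/29
VPN_PEER=z.z.z.z
PEER_TABLE=223                 # assumed: an otherwise unused routing table

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Replies from the internal /29 to the peer must leave through the ISP that
# owns those addresses. Left to the weighted default in table 222 they can be
# sent out eth1 with an x.x.x.* source, which the other ISP's anti-spoofing
# ingress filter is entitled to drop.
policy_routes() {
    run ip route add "$VPN_PEER" via "$ISP2_GW" dev "$ISP2_IF" table "$PEER_TABLE"
    run ip rule add from "$INT_NET" to "$VPN_PEER" lookup "$PEER_TABLE" priority 100
    # The ISP gateway treats x.x.x.160/28 as one on-link segment and ARPs for
    # x.x.x.170 on the eth2 wire; proxy ARP lets this router answer for the
    # /29 it routes via eth0 (the classic split-subnet arrangement).
    run sysctl -w "net.ipv4.conf.${ISP2_IF}.proxy_arp=1"
    run ip route flush cache
}

# SNAT on both uplinks, excluding the peer on each of them. Current iptables
# writes the negation as "! -d"; the 2004 syntax in the post was "-d ! z.z.z.z".
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" ! -d "$VPN_PEER" -j SNAT --to-source "$ISP2_SRC"
    run iptables -t nat -A POSTROUTING -o "$ISP1_IF" ! -d "$VPN_PEER" -j SNAT --to-source "$ISP1_SRC"
}

# Consistency check on the generated NAT rules (always evaluated in dry-run
# mode): exactly one SNAT rule per uplink, and none that still matches the peer.
check_rules() {
    rules=$(DRY_RUN=1; nat_rules)
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j SNAT')" -eq 2 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "! -d $VPN_PEER" || return 1
    ! printf '%s\n' "$rules" | grep -v -- "! -d $VPN_PEER" | grep -q -- '-j SNAT'
}

case "${1:-}" in
    show)  policy_routes; nat_rules ;;
    apply) DRY_RUN=0; policy_routes; nat_rules ;;
esac
```

Usage: `sh two-isp-vpn-peer.sh show` prints the command list for review; `DRY_RUN=0 sh two-isp-vpn-peer.sh apply` runs it as root. The `ip rule` is deliberately narrow (from the internal /29, to the single peer) so the existing table 222 load balancing keeps handling every other flow, and the SNAT exclusion is applied on both uplinks rather than only eth2, because a packet that the policy rule does not catch would otherwise still be rewritten on eth1.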