* [LARTC] Two ISP load balancing + One ISP' subnet explicit routing
@ 2004-01-19 14:07 Nikita Vinokurov
  0 siblings, 0 replies; only message in thread
From: Nikita Vinokurov @ 2004-01-19 14:07 UTC (permalink / raw)
  To: lartc

Hello!

I have a problem. Maybe there is someone here who has encountered the following problem.

I have a router which is connected to two ISPs on the external side and has one internal LAN
interface. The feature is that one ISP allocates a subnet xxx.xxx.xxx.160/28 for me,
but I split it into two subnets, xxx.xxx.xxx.160/29 and xxx.xxx.xxx.168/29, and assign the
latter to the internal interface. Also I have organized DNAT+SNAT so that all internet
requests are DNATted to and SNATted from xxx.xxx.xxx.170 (which is a second firewall
running Microsoft ISA).
So, ip route list:
y.y.y.96/30 dev eth1  proto kernel  scope link  src y.y.y.98 
x.x.x.168/29 dev eth0  proto kernel  scope link  src x.x.x.169 
x.x.x.160/29 dev eth2  proto kernel  scope link  src x.x.x.162


Also load balancing between eth1 and eth2 is organized with the 'ip' tool:

ip route list table 222

default  table 222  proto static 
        nexthop via y.y.y.97  dev eth1 weight 1
        nexthop via x.x.x.161  dev eth2 weight 10


SNAT was set to:

iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source x.x.x.162
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source y.y.y.98



But now I have to establish a VPN channel to connect a given external machine with a known IP (z.z.z.z) to
my ISA firewall, but avoiding NAT. I have tried to implement it this way:

ip route list:
y.y.y.96/30 dev eth1  proto kernel  scope link  src y.y.y.98 
x.x.x.168/29 dev eth0  proto kernel  scope link  src x.x.x.169 
x.x.x.160/28 dev eth2  proto kernel  scope link  src x.x.x.162

and SNAT is set to:

iptables -t nat -A POSTROUTING -o eth2 ! -d z.z.z.z -j SNAT --to-source x.x.x.162

But when I try to access, for example, the x.x.x.170 address from z.z.z.z, it does not reply.

Where is a mistake?

--
Nikita Vinokurov



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
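As an added troubleshooting check (not part of the original post), the following Python models the two POSTROUTING SNAT rules and the table 222 multipath nexthops from the message and reports which source address the VPN peer z.z.z.z would see in a reply from x.x.x.170 on each egress interface; the addresses are constructed RFC 5737 stand-ins for the x/y/z values in the post.

```python
"""Model the POSTROUTING SNAT rules and the multipath default route from the
post: which source address does a reply from the ISA firewall to the VPN peer
carry on each egress interface? Addresses are constructed RFC 5737 stand-ins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ISA_FW = "192.0.2.170"    # stands in for x.x.x.170, the ISA firewall on eth0
VPN_PEER = "203.0.113.5"  # stands in for z.z.z.z, the external VPN endpoint


@dataclass(frozen=True)
class SnatRule:
    out_iface: str                 # -o <iface>
    to_source: str                 # --to-source <addr>
    not_dst: Optional[str] = None  # '! -d <net>' exclusion, if any


# The SNAT rules from the post, in table order: the eth2 rule carries the
# VPN exclusion, the eth1 rule does not.
POSTROUTING = [
    SnatRule("eth2", "192.0.2.162", not_dst=VPN_PEER),
    SnatRule("eth1", "198.51.100.98"),
]

# ip route table 222: interfaces the multipath default route can pick.
TABLE_222_NEXTHOPS = {"eth1": 1, "eth2": 10}  # iface -> weight


def snat_source(src: str, dst: str, out_iface: str) -> str:
    """First-match walk of the SNAT rules; returns the source address the
    packet leaves with (unchanged when no rule matches)."""
    dst_ip = ip_address(dst)
    for rule in POSTROUTING:
        if rule.out_iface != out_iface:
            continue
        if rule.not_dst and dst_ip in ip_network(rule.not_dst, strict=False):
            continue  # '! -d' excludes this destination from the rule
        return rule.to_source
    return src


def vpn_reply_sources(src: str = ISA_FW, dst: str = VPN_PEER) -> Dict[str, str]:
    """Source the VPN peer sees in a reply, per nexthop table 222 may choose."""
    return {iface: snat_source(src, dst, iface) for iface in TABLE_222_NEXTHOPS}


def egress_without_nat(src: str = ISA_FW, dst: str = VPN_PEER) -> List[str]:
    """Nexthops over which the reply keeps its real source address."""
    return [i for i, s in vpn_reply_sources(src, dst).items() if s == src]
```

Only the eth2 rule carries the `! -d z.z.z.z` exclusion, so a reply that the multipath default route sends via eth1 is still SNATted to y.y.y.98.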
