From mboxrd@z Thu Jan 1 00:00:00 1970
From: guillaume
Date: Mon, 06 Sep 2004 09:28:10 +0000
Subject: Re: [LARTC] Slipt 2 ISP strange routing problem
Message-Id: <413C9023.2070907@vslitc.com>
List-Id:
References: <41370397.4080407@vslitc.com>
In-Reply-To: <41370397.4080407@vslitc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

guillaume wrote:
> Robert Kurjata wrote:
>
>> Hello guillaume,
>>
>> Saturday, September 4, 2004, 12:44:04 PM, you wrote:
>>
>> g> guillaume wrote:
>>
>>>> Robert Kurjata wrote:
>>>>
>>>>> Quoting guillaume:
>>>>>
>>>>>> Dear all Lartc,
>>>>>> I try to split my Internet access to my 2 ISPs with 1 Linux
>>>>>> (GNU/Debian sarge) 3 NIC router,
>>>>>> I want all my users connected with ISP1 and just some IPs connected
>>>>>> with ISP2
>>>>>> Here is my configuration:
>>>>>>
>>>>> [cut out a part]
>>>>>
>>>>> I would suggest a slight change in the fw rules below
>>>>>
>>>>> # special rules for some IPs to go on second ISP
>>>>> iptables -t mangle -A PREROUTING -s 10.117.71.1 -j MARK --set-mark 34
>>>>>
>>>>> # SNAT RULES
>>>>>
>>>>> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 1.2.3.4
>>>>> iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 5.6.7.8
>>>>>
>>>>> and trying the script below. It was taken from my Multipath/Policy
>>>>> routing case by wiping out the multipath part, so it is slightly too
>>>>> much, but I suppose (I didn't check) it should work. It is supposed to
>>>>> seamlessly integrate with multipath routing, that's why it is so big;
>>>>> the idea behind it is:
>>>>> 1. remove default routing from main table,
>>>>> 2. take care of routing from correct interface (correctness of source
>>>>> IP / source interface pair),
>>>>> 3. policy routing of selected clients (table 210)
>>>>> 4. default routing of the others (table 211)
>>>>> Of course you can leave it for the main table, but for the sake of
>>>>> example I left it this way.
>>>>>
>>>>> Hope it can help.
>>>>>
>>>> [cut out a part]
>>>>
>>>> Dear Robert,
>>>>
>>>> I try this script (adapted for my network) and I get the same problem:
>>>>
>>>> All my IPs routed on my first ISP, no problem
>>>> With my 10.117.71.1 routed on my second ISP,
>>>> I can connect to my ISP network (I can connect to the gateway website
>>>> on 5.6.7.9) but
>>>> I cannot ping any external IP addresses.
>>>>
>>
>> g> I also test a DNAT rule to access my internal network with my second
>> g> ISP external IP ... And it works fine, no problem ...
>>
>> g> iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT
>> g> --to 10.117.71.2:80 # my web server
>>
>> g> I don't know how to make this work for Inside -> outside connection ...
>>
>> g> Guillaume
>> g> _______________________________________________
>> g> LARTC mailing list / LARTC@mailman.ds9a.nl
>> g> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>>
>> Of course I have the patches from Julian Anastasov applied
>> http://www.ssi.bg/~ja/#routes , maybe that's the point
>>
> In a first time no,
> but now, yes I have applied the routes-2.6.8-10.diff found on
> http://www.ssi.bg/~ja/#routes-2.6
>
> by patch "patch -p1 < route-2.6.8-10.diff" there are no differences ...
> I could not access the Internet with or without the patch,
>
> How can I be sure that this patch is in my current kernel ?
>
> I will try to re-apply the patch and recompile my kernel.
>
> Thank you,
> Guillaume

In fact, now, I am very close to the solution, I try this:

ip rule add from 10.117.71.190 lookup 5
ip route add 10.117.71.0/24 via 10.117.71.1 dev eth0 table 5
ip route add 0/0 via 5.6.7.9 dev eth2 table 5

And, it works (with of course the corresponding POSTROUTING nat rule on eth2) !
I can access showmyip.com from 10.117.71.190 and the web site shows me 5.6.7.8 ...

I do not see where the problem is with:

ip rule add fwmark 5 table 5

It's not working with the packet MARK ....

Now I have a solution, I search for this just because I would like to know why with the fwmark packet it's not working

Guillaume
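The source-address rule and the fwmark rule above are meant to do the same job: send one host's forwarded traffic through a table whose default route points at ISP2. When the fwmark variant misbehaves, the first things to confirm are that the mark iptables sets is the same number the ip rule looks up, that the marked table has its own LAN and default routes, and that the route cache was flushed after the rules were changed. The following POSIX shell script is an added example, not code from this thread or from the LARTC HOWTO: it prints (dry run by default) the mark-based setup and checks `ip rule show` output for a rule whose fwmark matches the intended decimal mark. The addresses, table number, mark value and interface names are placeholders taken from the thread and can be overridden through the environment; the LAN route is written as a directly connected route on eth0, which is an assumption about the router's own LAN interface. iproute2 prints fwmark values in hex (so mark 34 shows as `fwmark 0x22`), which is why the check normalises both sides to decimal before comparing.

```shell
#!/bin/sh
# Added example, not from the thread: mark-based policy routing for one LAN host
# plus a check that the fwmark in `ip rule show` matches the mark iptables sets.
# All values below are placeholders taken from the thread; override via environment.
HOST=${HOST:-10.117.71.190}      # LAN host that should leave via ISP2
LAN=${LAN:-10.117.71.0/24}       # LAN prefix, directly connected on $DEV_LAN (assumption)
DEV_LAN=${DEV_LAN:-eth0}
TABLE=${TABLE:-5}                # routing table consulted for marked packets
MARK=${MARK:-5}                  # decimal packet mark
GW2=${GW2:-5.6.7.9}              # ISP2 gateway
DEV2=${DEV2:-eth2}               # interface towards ISP2
SNAT2=${SNAT2:-5.6.7.8}          # public address on ISP2
DRY_RUN=${DRY_RUN:-1}            # 1 = only print the commands (default, safe)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

setup_mark_routing() {
    # mangle/PREROUTING runs before the routing decision, so the mark is
    # already on the packet when the rule database is consulted.
    run iptables -t mangle -A PREROUTING -s "$HOST" -j MARK --set-mark "$MARK"
    # Marked packets use table $TABLE, which needs its own LAN and default routes.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add "$LAN" dev "$DEV_LAN" table "$TABLE"
    run ip route add default via "$GW2" dev "$DEV2" table "$TABLE"
    run iptables -t nat -A POSTROUTING -o "$DEV2" -j SNAT --to "$SNAT2"
    # Cached routing decisions keep using the old rules until the cache is flushed.
    run ip route flush cache
}

# rule_line_matches LINE MARK TABLE
# Returns 0 if one line of `ip rule show` output selects table TABLE for fwmark MARK.
# iproute2 prints the mark in hex (e.g. "fwmark 0x22" for 34, optionally "/mask"),
# so both values are normalised to decimal with arithmetic expansion before comparing.
rule_line_matches() {
    want_mark=$2
    want_table=$3
    got_mark=
    got_table=
    set -- $1                      # split the rule line into words
    while [ $# -gt 0 ]; do
        case $1 in
            fwmark) got_mark=${2%%/*}; shift ;;      # drop an optional /mask
            lookup|table) got_table=$2; shift ;;
        esac
        shift
    done
    [ -n "$got_mark" ] || return 1
    [ $(( $got_mark )) -eq $(( $want_mark )) ] && [ "$got_table" = "$want_table" ]
}

# verify_mark_rule [RULES_TEXT]
# Returns 0 if a matching rule is installed. Reads real `ip rule show` output
# unless sample text is passed as the first argument.
verify_mark_rule() {
    rules=${1:-$(ip rule show)}
    printf '%s\n' "$rules" | while IFS= read -r line; do
        if rule_line_matches "$line" "$MARK" "$TABLE"; then echo found; fi
    done | grep -q found
}

# Usage: sh policy_route_check.sh            -> prints the commands (DRY_RUN=1)
#        DRY_RUN=0 sh policy_route_check.sh  -> applies them (as root) and verifies the rule
setup_mark_routing
if [ "$DRY_RUN" != 1 ]; then
    if verify_mark_rule; then
        echo "fwmark $MARK -> table $TABLE rule present"
    else
        echo "fwmark $MARK -> table $TABLE rule missing"
    fi
fi
```

`rule_line_matches` is deliberately strict about the table as well as the mark, since a rule that matches the mark but points at a table without a default route fails in the same way as no rule at all.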