SNAT and multiple ISP problem

All of lore.kernel.org
 help / color / mirror / Atom feed

* SNAT and multiple ISP problem
@ 2009-04-26 13:45 Maxim Koshelev
  2009-04-27 10:14 ` Vlado Drz(ík
       [not found] ` <1240817530.16720.7.camel@casper.meteor.dp.ua>
  0 siblings, 2 replies; 3+ messages in thread
From: Maxim Koshelev @ 2009-04-26 13:45 UTC (permalink / raw)
  To: netfilter

Hi all,
I have a problem that I can't find working way to do some kind of load
balance beetween two internet channels using SNAT. I've tried various
schemes to do this but in all of them kernel makes wrong routing.
For example if I try to add such rules in nat:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $ETH0IP
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPP0IP

kernel will do SNAT only according default route in table main. It is
ok. But if I try to change default routing selection (e.g. by adding
in 'mangle' table some marks and adding 'ip rules' with this marks)
kernel begins to route some packets nated to ppp0 into eth0 and
vice-versa! I can simple monitor this ugly behavior using tcpdump. It
brings to lost packets and connections drops ( because one of IP's is
192.168... but second one is real )

Is there any way to make right routing?

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: SNAT and multiple ISP problem
  2009-04-26 13:45 SNAT and multiple ISP problem Maxim Koshelev
@ 2009-04-27 10:14 ` Vlado Drz(ík
       [not found] ` <1240817530.16720.7.camel@casper.meteor.dp.ua>
  1 sibling, 0 replies; 3+ messages in thread
From: Vlado Drz(ík @ 2009-04-27 10:14 UTC (permalink / raw)
  To: Maxim Koshelev; +Cc: netfilter

Maxim Koshelev  wrote / napísal(a):
> Hi all,
> I have a problem that I can't find working way to do some kind of load
> balance beetween two internet channels using SNAT. I've tried various
> schemes to do this but in all of them kernel makes wrong routing.
> For example if I try to add such rules in nat:
> 
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $ETH0IP
> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPP0IP
> 
> kernel will do SNAT only according default route in table main. It is
> ok. But if I try to change default routing selection (e.g. by adding
> in 'mangle' table some marks and adding 'ip rules' with this marks)
> kernel begins to route some packets nated to ppp0 into eth0 and
> vice-versa! I can simple monitor this ugly behavior using tcpdump. It
> brings to lost packets and connections drops ( because one of IP's is
> 192.168... but second one is real )
> 
> Is there any way to make right routing?

Please post your routing table and mark setup. For me it seems that you
don't have routing tables setup up correctly (or is not doing what you
want). For example imcomming packets that are marked are using
alternative routing table and that doesn't include your internal network
routes (and so is sent outside to default route after un-NATing).

Regards,
Vlado.


^ permalink raw reply	[flat|nested] 3+ messages in thread

[parent not found: <1240817530.16720.7.camel@casper.meteor.dp.ua>]

* Re: SNAT and multiple ISP problem
       [not found] ` <1240817530.16720.7.camel@casper.meteor.dp.ua>
@ 2009-04-27 16:54   ` Vlado Držík
  0 siblings, 0 replies; 3+ messages in thread
From: Vlado Držík @ 2009-04-27 16:54 UTC (permalink / raw)
  To: 'netfilter'

Покотиленко Костик  wrote / napísal(a):
> В Вск, 26/04/2009 в 17:45 +0400, Maxim Koshelev пишет:
>> Hi all,
>> I have a problem that I can't find working way to do some kind of load
>> balance beetween two internet channels using SNAT. I've tried various
>> schemes to do this but in all of them kernel makes wrong routing.
>> For example if I try to add such rules in nat:
>>
>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $ETH0IP
>> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to $PPP0IP
>>
>> kernel will do SNAT only according default route in table main. It is
>> ok. But if I try to change default routing selection (e.g. by adding
>> in 'mangle' table some marks and adding 'ip rules' with this marks)
>> kernel begins to route some packets nated to ppp0 into eth0 and
>> vice-versa! I can simple monitor this ugly behavior using tcpdump. It
>> brings to lost packets and connections drops ( because one of IP's is
>> 192.168... but second one is real )
>>
>> Is there any way to make right routing?
> 
> One hint: when dialing with connctrack you should remember that seen
> connections get remembered, and when you play with routing some
> connections had already been natted to different address. So, when you
> dinamically change routing just to make sure do "conntrack -F conntrack
> && conntrack -F expect".
> 

More precisely you have to flush route cache also after such change (if
this is problem).
# ip route flush cache

Example of route cache.
# ip route show cache
192.43.172.30 from 62.200.200.10 via 62.200.200.1 dev eth1
    cache  mtu 1500 advmss 1460 metric10 64
10.1.1.53 from 66.152.85.206 dev eth0  src 62.200.200.10
    cache  mtu 1500 advmss 1460 metric10 64 iif eth1
67.63.48.89 from 62.200.200.10 via 62.200.200.1 dev eth1
    cache  ipid 0xbb81 mtu 1500 advmss 1460 metric10 64
193.100.100.2 from 192.100.100.50 dev eth2
    cache  mtu 1500 advmss 1460 metric10 64
local 10.1.1.2 from 10.1.1.53 dev lo  src 10.1.1.2
    cache <local,src-direct>  iif eth0


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2009-04-27 16:54 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-04-26 13:45 SNAT and multiple ISP problem Maxim Koshelev
2009-04-27 10:14 ` Vlado Drz(ík
     [not found] ` <1240817530.16720.7.camel@casper.meteor.dp.ua>
2009-04-27 16:54   ` Vlado Držík

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.