From: Aleksander Kamenik <aleksander@krediidiinfo.ee>
To: netfilter@vger.kernel.org
Subject: 2 default routes on non router
Date: Thu, 08 Oct 2009 04:33:19 +0300
Message-ID: <4ACD415F.7020402@krediidiinfo.ee>
Hi,
I have a server (srv) with two interfaces. One (IF_INT) is on an
internal /24 network with a gateway (gw) which provides net access for
the /24 lan. gw's internal interface is GW_INT.
The second (IF_EXT) is part of a public /28 network and has several IP
addresses assigned.
Coincidentally gw's public interface (GW_EXT) is part of the same /28
public network as IF_EXT.
The /28 network's gateway (GW_ISP) belongs to the ISP.
              ,-----|GW_INT|
             /      |  gw  |
            /       |GW_EXT|-------,
           /                        \
          /                          \
         /                            \
  |IF_INT|                             /------|GW_ISP|----- internet
  | srv  |                            /
  |IF_EXT|                           /
         \                          /
          \________________________/
I want to use GW_INT as the default route, so connections originating
from the server would leave IF_INT, go through GW_INT and have GW_EXT's
IP when connecting to the internet using SNAT.
However I also want IF_EXT to be available directly from the internet.
So far it's a standard out-of-the-box setup. I just needed the server to
be able to answer requests from the net directly through GW_ISP.
I tried to accomplish this by creating a second routing table on the
server and adding the default route for GW_ISP there.
# ip route add default via $GW_ISP_IP dev $IF_EXT table extnet
Adding a rule to use the table for fwmark 10.
# ip rule add fwmark 10 table extnet
And using iptables CONNMARK to track the incoming connections on IF_EXT
so I can assign them to extnet when the server replies.
This all works with one big exception.
If I'm connecting to IF_EXT from an IP not listed in the main routing
table, the packet is lost at "Routing Decision" [1]. I can connect to
IF_EXT from GW_EXT or any other machine on the /28 network, but not from
behind GW_ISP.
Although the route is available as default in the extnet table, I have to
add an internet-located PC's route via GW_ISP to the main routing table
for the PC to be able to connect.
I don't understand why the source IP matters during the "Routing Decision".
I tried marking the incoming packets so they would use the extnet table.
For testing I tried adding the internet PC in extnet instead of main and
that would not work either.
1 - http://iptables-tutorial.frozentux.net/images/tables_traverse.jpg
What's the correct solution to this problem?
Regards,
--
Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: aleksander@krediidiinfo.ee
http://www.krediidiinfo.ee/
http://www.experiangroup.com/
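The setup described in the message above, collected into one script as an added example; it is not part of the original post and not the poster's own configuration. The interface names, gateway addresses and the two CONNMARK rules are assumptions (the message names the extnet table and fwmark 10 but does not show its iptables rules; 203.0.113.1 is a documentation address). By default the script only prints the commands it would run; DRY_RUN=0 executes them as root. The rp_filter check at the end is a caveat added here, not something the message establishes as the cause: strict reverse-path filtering on a dual-homed host rejects an inbound packet whose source address is not reachable back through the interface it arrived on, which is one setting to inspect whenever such a host drops packets before routing.

```shell
#!/bin/sh
# Policy routing for a dual-homed host that is not a router (added example).
# Names and addresses below are placeholders, not values from the message;
# override them in the environment to match the real host.
set -eu

IF_INT="${IF_INT:-eth0}"               # assumed: interface on the internal /24
IF_EXT="${IF_EXT:-eth1}"               # assumed: interface on the public /28
GW_ISP_IP="${GW_ISP_IP:-203.0.113.1}"  # assumed: ISP gateway (TEST-NET-3 address)
EXT_TABLE="${EXT_TABLE:-extnet}"       # table name; must be listed in /etc/iproute2/rt_tables
MARK=10                                # fwmark that selects the extnet table

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_routes() {
    # The main table keeps its out-of-the-box default route via gw on IF_INT.
    # extnet gets a second default route straight to the ISP gateway on IF_EXT.
    run ip route add default via "$GW_ISP_IP" dev "$IF_EXT" table "$EXT_TABLE"
    # Packets carrying fwmark 10 are looked up in extnet instead of main.
    run ip rule add fwmark "$MARK" table "$EXT_TABLE"
}

setup_connmark() {
    # Connections that arrive on IF_EXT get a connection mark in PREROUTING...
    run iptables -t mangle -A PREROUTING -i "$IF_EXT" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # ...and the host's own reply packets copy it back onto the packet mark in
    # mangle OUTPUT, which runs before the output routing decision, so the
    # ip rule above sends those replies out through GW_ISP rather than via gw.
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

show_rp_filter() {
    # Strict reverse-path filtering (value 1) discards an inbound packet whose
    # source address is not reachable back through the ingress interface.
    # Print the current setting for "all" and for IF_EXT where readable.
    for name in all "$IF_EXT"; do
        path="/proc/sys/net/ipv4/conf/$name/rp_filter"
        if [ -r "$path" ]; then
            printf 'rp_filter %s = %s\n' "$name" "$(cat "$path")"
        else
            printf 'rp_filter %s = (not readable here)\n' "$name"
        fi
    done
}

setup_routes
setup_connmark
show_rp_filter
```

Before running with DRY_RUN=0, add a line such as "100 extnet" to /etc/iproute2/rt_tables so that ip(8) can resolve the table name; the script does not edit that file.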