From: Robert Felber <robtone@gmx.de>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] routing to two interfaces
Date: Thu, 21 Nov 2002 00:04:51 +0000	[thread overview]
Message-ID: <marc-lartc-103783713914034@msgid-missing>
In-Reply-To: <marc-lartc-103783300809624@msgid-missing>

On Wed, Nov 20, 2002 at 05:45:29PM -0600, Martin A. Brown wrote:
> There's a problem with your solution!
> 
> fwmark; transient
> - - - - - - - - - - - 
> The structure of the packet as it passes through the firewall/router 
> contains the fwmark.  As soon as the packet leaves the box, it no longer 
> has the fwmark.
> 
> Your solution handles the packets inbound from the outside world, but 
> neglects to handle the outbound packets from the internal network.
>
> SNAT; sets the correct source IP (for outbound connections)
> - - - - - - - - - - - - - - - -
> Even if using SNATs as you suggest, there is still no way to tell if a
> packet belongs to a session inbound over eth1 or eth2.  This is the
> statelessness of IP routing!
> 
> In order to make any recommendation, we would need to know what the IP 
> address ranges are and specifically why/how Paco envisions using these 
> two links.

Yes, true. I admit I didn't think long enough about it.
Well, actually, I think he just wants the packets coming in on eth1
to go out eth1 again, and the same for eth2. Nothing more, nothing
less. I had kind of the same problem, but with the restriction that
I had one extranet device with a limited set of subnets, one
internet device and one LAN device, so it was easy because I could set
proper routes for the affected intranet subnets. Well, anyway.
I suggest setting up a virtual eth0:1 device. Packets from eth1 then leave
at eth0:0 and packets from eth2 leave at eth0:1. Then he should be able
to set proper gateways and NATs for the eth0:x devices.

--
rob

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
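The approach the thread converges on, "what came in on eth1 goes back out eth1, what came in on eth2 goes back out eth2", is the one the LARTC HOWTO documents for multiple uplinks: one routing table per uplink, each with its own default gateway, selected by an `ip rule` keyed on the source address of that uplink. The script below is an added example, not code from the thread or from LARTC; the interface names, addresses, gateways and table numbers are assumptions (RFC 5737 documentation ranges), and `DRY_RUN` is a switch added here so the generated commands can be reviewed without root or real links.

```shell
#!/bin/sh
# Added example: per-uplink routing tables so that anything using eth1's
# address leaves via eth1's gateway and anything using eth2's address
# leaves via eth2's gateway. All names and addresses are assumptions.

# run CMD...: execute, or (DRY_RUN=1) print the command instead, so the
# plan can be inspected on a box without root or without these links.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# uplink_table IFACE LOCAL_ADDR LINK_NET GATEWAY TABLE_ID
# One dedicated table per uplink plus the rule that steers packets whose
# source address is that uplink's address into it. Because the rule keys
# on the source address, a reply that keeps the address the peer talked
# to is routed back out the link it arrived on.
uplink_table() {
    iface=$1; addr=$2; net=$3; gw=$4; tbl=$5
    # connected route for the link's own subnet, so the gateway resolves
    run ip route add "$net" dev "$iface" src "$addr" table "$tbl"
    # this table's only default route is this uplink's gateway
    run ip route add default via "$gw" dev "$iface" table "$tbl"
    # packets sourced from this uplink's address consult this table
    run ip rule add from "$addr" table "$tbl"
}

# plan_two_uplinks: the full setup for two links (assumed values).
#   eth1 192.0.2.10/24     gateway 192.0.2.1     -> table 1
#   eth2 198.51.100.10/24  gateway 198.51.100.1  -> table 2
plan_two_uplinks() {
    uplink_table eth1 192.0.2.10    192.0.2.0/24    192.0.2.1    1
    uplink_table eth2 198.51.100.10 198.51.100.0/24 198.51.100.1 2
    # the 2.4 kernel caches route decisions; drop the cache after changes
    run ip route flush cache
}

# Apply only when explicitly asked; otherwise only define the functions.
if [ "${APPLY_UPLINKS:-0}" = "1" ]; then
    plan_two_uplinks
fi
```

Run with `DRY_RUN=1 APPLY_UPLINKS=1 sh uplinks.sh` to see the seven `ip` commands, or with `APPLY_UPLINKS=1` as root to install them. The source-address rule covers connections terminated on the router itself and DNAT'd replies whose source has already been mapped back. For forwarded traffic from LAN hosts the source address at routing time is the LAN address, so neither this rule nor a per-packet fwmark (which, as Martin notes, does not survive leaving the box) identifies the inbound link; that needs a mark carried by the connection-tracking entry (e.g. netfilter's CONNMARK, where available) rather than by the packet.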

Thread overview: 12+ messages
2002-11-20 22:55 [LARTC] routing to two interfaces Paco Brufal
2002-11-20 23:05 ` Martin A. Brown
2002-11-20 23:26 ` Robert Felber
2002-11-20 23:34 ` Robert Felber
2002-11-20 23:45 ` Martin A. Brown
2002-11-21  0:04 ` Robert Felber [this message]
2002-11-21  0:09 ` Robert Felber
2002-11-21  0:27 ` Paco Brufal
2002-11-21  0:38 ` Paco Brufal
2002-11-21  3:37 ` Martin A. Brown
2002-11-21  8:27 ` Arthur van Leeuwen
2002-11-21 18:28 ` Paco Brufal
