From: Robert Felber
Date: Thu, 21 Nov 2002 00:04:51 +0000
Subject: Re: [LARTC] routing to two interfaces
To: lartc@vger.kernel.org

On Wed, Nov 20, 2002 at 05:45:29PM -0600, Martin A. Brown wrote:
> There's a problem with your solution!
>
> fwmark; transient
> - - - - - - - - - - -
> The structure of the packet as it passes through the firewall/router
> contains the fwmark. As soon as the packet leaves the box, it no longer
> has the fwmark.
>
> Your solution handles the packets inbound from the outside world, but
> neglects to handle the outbound packets from the internal network.
>
> SNAT; sets the correct source IP (for outbound connections)
> - - - - - - - - - - - - - - - -
> Even if using SNATs as you suggest, there is still no way to tell if a
> packet belongs to a session inbound over eth1 or eth2. This is the
> statelessness of IP routing!
>
> In order to make any recommendation, we would need to know what the IP
> address ranges are and specifically why/how Paco envisions using these
> two links.

Yes, true. I admit I didn't think long enough about it.

Well actually, I think he just wants the packets coming in on eth1 to go out
on eth1 again, and the same for eth2. Nothing more, nothing less.

I had kind of the same problem, but with the restriction that I had one
extranet device with a limited set of subnets, one internet device and one
LAN device, so it was easy because I could set proper routes for the
affected intranet subnets.

Well, anyway. I suggest setting up a virtual eth0:1 device. Packets from
eth1 then leave at eth0:0 and packets from eth2 leave at eth0:1. Then he
should be able to set proper gateways and NATs for the eth0:x devices.
--
rob

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
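The following is an added example and is not part of the thread above or of anything Robert or Martin posted. It shows the source-address policy-routing approach described in the LARTC HOWTO linked in the footer (one routing table per uplink, selected by an `ip rule` on the packet's source address) rather than the eth0:1 alias suggested in the message. It addresses exactly the property the thread is after: a reply to a connection that arrived on eth1 carries eth1's address as its source, so it is routed through eth1's gateway even though the main table's default route points elsewhere. All interface names, addresses, gateways and table numbers are assumptions; the script prints the commands by default and only executes them when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: source-address policy routing so
# that replies to a connection that arrived on eth1 leave via eth1's gateway,
# and likewise for eth2 (the "multiple uplinks" recipe of the LARTC HOWTO).
# All interface names, addresses, gateways and table numbers are assumptions.

# Print the ip(8) commands for one uplink.
# Arguments: interface, its address, its connected network, its gateway, table id.
policy_routing_cmds() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    # A connected route and a default route in a per-uplink table...
    printf 'ip route add %s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # ...selected by the packet's source address. Rules are consulted before the
    # main table, so replies sourced from this uplink's address use this table
    # no matter where the main table's default route points.
    printf 'ip rule add from %s table %s\n' "$addr" "$table"
}

# Print the ip(8) command that checks the result: which route does the kernel
# pick for a locally generated packet with source ADDR headed for DST?
check_reply_path_cmd() {
    printf 'ip route get %s from %s\n' "$2" "$1"
}

# Constructed topology (assumption): two uplinks using documentation ranges.
ETH1_ADDR=192.0.2.10;    ETH1_NET=192.0.2.0/24;    ETH1_GW=192.0.2.1
ETH2_ADDR=198.51.100.10; ETH2_NET=198.51.100.0/24; ETH2_GW=198.51.100.1

gen_all() {
    policy_routing_cmds eth1 "$ETH1_ADDR" "$ETH1_NET" "$ETH1_GW" 101
    policy_routing_cmds eth2 "$ETH2_ADDR" "$ETH2_NET" "$ETH2_GW" 102
    # Both checks should name the uplink whose address is the source.
    check_reply_path_cmd "$ETH1_ADDR" 203.0.113.5
    check_reply_path_cmd "$ETH2_ADDR" 203.0.113.5
}

# Dry run by default; APPLY=1 executes the commands (needs root and the interfaces).
if [ "${APPLY:-0}" = 1 ]; then
    gen_all | sh -e
else
    gen_all
fi
```

The two `ip route get ... from ...` lines at the end are the check a practitioner wants after applying this: each must report the matching uplink's device and gateway, otherwise a rule or table entry is missing. Note what this does and does not solve, in line with Martin's point: replies to inbound sessions are handled because their source address identifies the uplink, but connections originated by internal hosts still need an explicit decision (a rule on the internal source range, or marking plus SNAT on the chosen uplink), since the kernel cannot infer which link they "belong" to.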