From: Matthew Crocker <matthew@crocker.com>
To: lartc@vger.kernel.org
Subject: [LARTC] Virtual Routers  would this work?
Date: Sat, 01 Mar 2003 15:27:13 +0000
Message-ID: <marc-lartc-104653245629920@msgid-missing>

Hello all,

  I need a virtual firewall/router solution.  I'm thinking of a 
NetScreen 1000 but I want to know if it can be done in Linux.

Here is my idea:

1 Linux box
2 GigE interfaces

1 interface setup with a public IP address ($PUBIP)
1 interface setup with 802.1q VLAN trunking with 100 vlans assigned 
($VLAN1-$VLAN100)

a /25 subnet routed to $PUBIP from my core routers

All $VLAN interfaces setup with IP 192.168.1.1/24

Inbound traffic on $VLAN gets marked with a fwmark ($VLAN1 = fw1, 
$VLAN2 = fw2)
Outbound traffic gets NAT'ed based on the fwmark to an IP in the subnet

Returning traffic gets marked based on the dest IP (one of the subnets) 
with the same fwmark for the appropriate VLAN

returning packets are unNAT'ed and then routed down the correct VLAN 
based on the fwmark on the packet.

Questions:

How will Linux react if I put 192.168.1.1 on >1 interfaces?
Does the unNAT'ing of the packets destroy the fwmark?
Is there a way of handling kernel based packets (ICMP, ARP responses) 
so they go out the correct interface?
Example: an ARP (who has 192.168.1.1) from in on VLAN5,  How can I get 
the kernel to send its response on VLAN5?

I see the packet flow as something like.


Client (192.168.1.100) sends SYN to www.redhat.com:80
Client has default gw of 192.168.1.1
Client is on 802.1q VLAN10
Client puts packet on Ethernet VLAN10 with MAC address of Linux box
Packet enters Linux box on VLAN10 Source:ClientIP Dest:www.redhat.com:80
Packet gets marked by iptables rule.  FWMARK = 10
Packet gets routed out to upstream gateway
Packet gets NAT'ed to SUBNETIP10 based on FWMARK 10
Packet now looks like  src: SUBNETIP10:NATPORT  dst:REDHAT:80

Response packet from redhat flows
Packet enters Linux box src REDHAT:80 dst SUBNETIP10:NATPORT
Packet gets tagged with fwmark based on SUBNETIP to FWMARK 10
Packet gets unNAT'ed by kernel NAT table
Packet looks like src REDHAT:80 dst CLIENTIP:CLIENTPORT fwmark:10
iproute2 setup routes CLIENTIP to the correct client on the correct 
VLAN (vlan10)
ARP lookup assigns the correct MAC address and sends the packet to the 
switch on VLAN10

Problems I can see biting me:

ARP tables.  Can the kernel maintain separate ARP tables for each VLAN? 
  Each VLAN can have a machine with IP 192.168.1.100

ICMPs:  What happens when a client tries to ping the linux box 
(192.168.1.1).  If I fwmark all incoming packets on a VLAN will the 
kernel respond with a packet using the same fwmark?

ARP requests:  Same as the ICMPs.  Will the kernel be able to answer an 
ARP request to 192.168.1.1

IPs:  I'm sure the kernel will bitch about assigning 192.168.1.1 on a 
bunch of interfaces.


Any ideas?

--
Matthew Crocker
Vice President
Crocker Communications

w.  413-746-2760
f. 413-746-3704
e. matthew@crocker.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Thread overview: 3+ messages
2003-03-01 15:27 Matthew Crocker [this message]
2003-03-01 19:02 ` [LARTC] Virtual Routers would this work? Martin A. Brown
2003-03-03 14:35 ` Matthew Crocker
