From: Matthew Crocker
Date: Sat, 01 Mar 2003 15:27:13 +0000
Subject: [LARTC] Virtual Routers would this work?
To: lartc@vger.kernel.org

Hello all,

I need a virtual firewall/router solution. I'm thinking of a netscreen 1000 but I want to know if it can be done in Linux. Here is my idea:

  1 Linux box
  2 GigE interfaces
  1 interface setup with a public IP address ($PUBIP)
  1 interface setup with 802.1q VLAN trunking with 100 vlans assigned ($VLAN1-$VLAN100)
  a /25 subnet routed to $PUBIP from my core routers

All $VLAN interfaces setup with IP 192.168.1.1/24

Inbound traffic on $VLAN gets marked with a fwmark ($VLAN1 = fw1, $VLAN2 = fw2)
Outbound traffic gets NAT'ed based on the fwmark to an IP in the subnet
Returning traffic gets marked based on the dest IP (one of the subnets) with the same fwmark for the appropriate VLAN
Returning packets are unNAT'ed and then routed down the correct VLAN based on the fwmark on the packet.

Questions:

How will Linux react if I put 192.168.1.1 on >1 interfaces?
Does the unNAT'ing of the packets destroy the fwmark?
Is there a way of handling kernel based packets (ICMP, ARP responses) so they go out the correct interface? Example: an ARP (who has 192.168.1.1) comes in on VLAN5. How can I get the kernel to send its response on VLAN5?

I see the packet flow as something like:

  Client (192.168.1.100) sends SYN to www.redhat.com:80
  Client has default gw of 192.168.1.1
  Client is on 802.1q VLAN10
  Client puts packet on Ethernet VLAN10 with MAC address of Linux box
  Packet enters Linux box on VLAN10  Source:ClientIP  Dest:www.redhat.com:80
  Packet gets marked by iptables rule. FWMARK = 10
  Packet gets routed out to upstream gateway
  Packet gets NAT'ed to SUBNETIP10 based on FWMARK 10
  Packet now looks like src: SUBNETIP10:NATPORT dst:REDHAT:80

  Response packet from redhat flows
  Packet enters Linux box src REDHAT:80 dst SUBNETIP10:NATPORT
  Packet gets tagged with fwmark based on SUBNETIP to FWMARK 10
  Packet gets unNAT'ed by kernel NAT table
  Packet looks like src REDHAT:80 dst CLIENTIP:CLIENTPORT fwmark:10
  iproute2 setup routes CLIENTIP to the correct client on the correct VLAN (vlan10)
  arp lookup assigns correct MAC address and sends the packet to the switch on VLAN10

Problems I can see biting me:

ARP tables: Can the kernel maintain separate ARP tables for each VLAN? Each VLAN can have a machine with IP 192.168.1.100

ICMPs: What happens when a client tries to ping the linux box (192.168.1.1)? If I fwmark all incoming packets on a VLAN will the kernel respond with a packet using the same fwmark?

ARP requests: Same as the ICMPs. Will the kernel be able to answer an ARP request to 192.168.1.1?

IPs: I'm sure the kernel will bitch about assigning 192.168.1.1 on a bunch of interfaces.

Any ideas?

-- 
Matthew Crocker
Vice President
Crocker Communications
w. 413-746-2760
f. 413-746-3704
e. matthew@crocker.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
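The scheme sketched in the message above (mark on ingress VLAN, SNAT keyed on the mark, policy-route the return path by the same mark) can be expressed with iproute2 and iptables. The script below is an added example and is not part of the original post or any reply to it; it prints the commands rather than running them, so it can be reviewed before being applied as root. Interface names (eth0, eth1), the 203.0.113.0/25 public block, the 198.51.100.1 upstream gateway and the VLAN-id-equals-mark-equals-table-id convention are all assumptions chosen for illustration. It uses CONNMARK (standard in current iptables) to carry the VLAN's mark on the conntrack entry, which is what lets the mark survive the un-NAT of returning packets and be re-applied to replies the kernel generates itself.

```shell
#!/bin/sh
# Added example, not from the original post: emit the iproute2 + iptables
# commands for a per-VLAN fwmark / SNAT / policy-routing setup.
# All names and addresses below are hypothetical. Run the output as root to apply.

TRUNK=${TRUNK:-eth1}                 # assumed 802.1q trunk carrying the customer VLANs
PUBIF=${PUBIF:-eth0}                 # assumed interface holding the public IP toward the core
UPSTREAM=${UPSTREAM:-198.51.100.1}   # assumed upstream gateway (documentation range)
PUBNET=${PUBNET:-203.0.113}          # assumed first three octets of the routed /25
NVLAN=${NVLAN:-100}                  # VLAN N gets mark N, table N and public IP $PUBNET.N

# Rules shared by all VLANs. The CONNMARK restore in PREROUTING re-attaches the
# VLAN's mark to returning packets before the routing decision is made; the one
# in OUTPUT does the same for packets the kernel originates on an existing
# connection (e.g. ICMP echo replies to 192.168.1.1), so they hit the same
# per-VLAN routing table instead of the first 192.168.1.0/24 route in main.
global_cmds() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $PUBIF -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
EOF
}

# Per-VLAN commands: VLAN sub-interface, inbound marking saved to conntrack,
# SNAT selected by mark (not by source subnet, which is identical everywhere),
# and a routing table that only packets carrying this mark can reach.
vlan_cmds() {
    id=$1
    pub="$PUBNET.$id"
    cat <<EOF
ip link add link $TRUNK name vlan$id type vlan id $id
ip addr add 192.168.1.1/24 dev vlan$id
ip link set vlan$id up
iptables -t mangle -A PREROUTING -i vlan$id -j MARK --set-mark $id
iptables -t mangle -A PREROUTING -i vlan$id -j CONNMARK --save-mark
iptables -t nat -A POSTROUTING -o $PUBIF -m mark --mark $id -j SNAT --to-source $pub
ip route add 192.168.1.0/24 dev vlan$id table $id
ip route add default via $UPSTREAM dev $PUBIF table $id
ip rule add fwmark $id table $id
EOF
}

# Whole configuration: global rules first, then every VLAN in order.
gen_config() {
    global_cmds
    i=1
    while [ "$i" -le "$NVLAN" ]; do
        vlan_cmds "$i"
        i=$((i + 1))
    done
}

if [ "${1:-}" = "print" ]; then
    gen_config
fi
```

Usage: `sh vlan-nat.sh print` prints the full command list; `sh vlan-nat.sh print | sudo sh` applies it. Two points worth checking on a real box: the per-VLAN table is looked up only for packets that already carry the mark, so the very first packet of an inbound VLAN flow gets its mark from the `-i vlan$id` rule and everything after that (including the un-NAT'ed return traffic) from the restored connection mark; and locally generated packets that belong to no tracked connection (an unsolicited ping from the box itself to 192.168.1.100) have no mark to restore and will follow the main table, which this script does not try to solve.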