Linux Advanced Routing and Traffic Control list
[LARTC] Two ISP load balancing + One ISP' subnet explicit routing
@ 2004-01-19 14:07 Nikita Vinokurov
From: Nikita Vinokurov @ 2004-01-19 14:07 UTC (permalink / raw)
  To: lartc

Hello!

I have a problem. Maybe there is someone here who has encountered the following problem.

I have a router which is connected to 2 ISPs on the external side and has one internal LAN
interface.  The feature is that one ISP allocates a subnet xxx.xxx.xxx.160/28 for me,
but I split it into two subnets xxx.xxx.xxx.160/29 and xxx.xxx.xxx.168/29 and assign the
latter to the internal interface. Also I have organized DNAT+SNAT so all internet
requests are DNATted to and SNATted from xxx.xxx.xxx.170 (which is a second firewall
running Microsoft ISA).
So

ip route list:
y.y.y.96/30 dev eth1  proto kernel  scope link  src y.y.y.98 
x.x.x.168/29 dev eth0  proto kernel  scope link  src x.x.x.169 
x.x.x.160/29 dev eth2  proto kernel  scope link  src x.x.x.162


Also load balancing between eth1 and eth2 is organized with the 'ip' tool:

ip route list table 222

default  table 222  proto static 
        nexthop via y.y.y.97  dev eth1 weight 1
        nexthop via x.x.x.161  dev eth2 weight 10


SNAT was set to:

iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source x.x.x.162
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source y.y.y.98



But now I have to establish a VPN channel to connect a given external machine with a known IP (z.z.z.z) to
my ISA firewall, but avoiding NAT. I have tried to implement it in the following way:

ip route list:
y.y.y.96/30 dev eth1  proto kernel  scope link  src y.y.y.98 
x.x.x.168/29 dev eth0  proto kernel  scope link  src x.x.x.169 
x.x.x.160/28 dev eth2  proto kernel  scope link  src x.x.x.162

and SNAT is set to:

iptables -t nat -A POSTROUTING -o eth2 -d ! z.z.z.z -j SNAT --to-source x.x.x.162

But when I try to access from z.z.z.z, for example, the x.x.x.170 address, it does not reply.

Where is a mistake?

--
Nikita Vinokurov
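As an added example (not part of the post above), a small Python model of the posted routes, the table 222 multipath default and the POSTROUTING SNAT rules, which traces which interface a packet can leave by and what source address the far end would see. The concrete addresses are constructed documentation-range stand-ins for x.x.x.x, y.y.y.y and z.z.z.z, and the kernel's actual multipath nexthop choice is not modelled, so every candidate nexthop is reported.

```python
import ipaddress

# Constructed stand-ins: 203.0.113.x = x.x.x.x, 198.51.100.x = y.y.y.y,
# 192.0.2.50 = z.z.z.z (the VPN peer). These are assumptions, not real hosts.
VPN_PEER = "192.0.2.50"

# Connected routes from the "VPN attempt" version of 'ip route list'.
ROUTES = [
    ("198.51.100.96/30", "eth1"),
    ("203.0.113.168/29", "eth0"),
    ("203.0.113.160/28", "eth2"),
]
# Table 222: default nexthop via y.y.y.97 dev eth1 / via x.x.x.161 dev eth2.
MULTIPATH_DEVS = ["eth1", "eth2"]

# POSTROUTING SNAT rules in order: (out-iface, excluded destination, new source).
# '-o eth2 -d ! z.z.z.z' excludes the VPN peer; the eth1 rule has no exclusion.
SNAT_RULES = [
    ("eth2", VPN_PEER, "203.0.113.162"),
    ("eth1", None, "198.51.100.98"),
]


def lookup(dst):
    """Longest-prefix match over the connected routes; None means 'use default'."""
    best = None
    for prefix, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress_candidates(dst):
    """Interfaces a packet to dst may leave by (all nexthops when the default applies)."""
    dev = lookup(dst)
    return [dev] if dev else list(MULTIPATH_DEVS)


def snat_source(out_dev, src, dst):
    """Apply the first matching SNAT rule for this outgoing interface, as iptables would."""
    for dev, excluded, new_src in SNAT_RULES:
        if dev == out_dev and dst != excluded:
            return new_src
    return src  # no rule matched: the packet keeps its original source


def trace(src, dst):
    """Map each possible egress interface to the source address dst would see."""
    return {dev: snat_source(dev, src, dst) for dev in egress_candidates(dst)}
```

Running trace(VPN_PEER, "203.0.113.170") shows the inbound packet reaching the ISA host untouched via eth0, while trace("203.0.113.170", VPN_PEER) shows the reply keeping its address only if the multipath default picks eth2; via eth1 the unconditional eth1 rule rewrites it to the eth1 address.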



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
