Linux Netfilter discussions
* Load balancing between a VPN tunnel and a normal Internet link
@ 2011-04-10 18:55 Usuário do Sistema
  2011-04-11 19:21 ` Andrew Beverley
  0 siblings, 1 reply; 3+ messages in thread
From: Usuário do Sistema @ 2011-04-10 18:55 UTC (permalink / raw)
  To: netfilter

Disregard my previous message; it was sent without a subject.

Hello everyone, I'm new to this mailing list and would like some help
with my problem.


I have a firewall (built with fwbuilder on Red Hat 5.6) in my branch office,
connected to my head office by OpenVPN. I have a problem when traffic from
my branch office to my head office is to destination port 80.

The branch office firewall has 3 Ethernet devices:

eth0 - inside network 192.100.100.0/24
eth1 - wan 1 VPN
eth2 - wan 2 only for Internet Traffic

I'm marking all traffic for port 80 to go out over WAN 2 (eth2). But this
is a problem, because when a user tries to access a service on port 80 in
my head office it doesn't work!

The firewall sends the traffic from the inside network to my head office
out via eth2 instead of the VPN when the destination is port 80. I've tried
to solve this with the rules below, but it doesn't work; the same problem occurs.

My head office inside network is 128.2.0.0/16, where I have my web
servers on port 80.

Rules created on the branch office firewall:

# mark TCP/80 that is NOT for the head office network
# (`-d ! net` is the old negation syntax; newer iptables expects `! -d net`)
/sbin/iptables -t mangle -A PREROUTING -s 0/0 -d ! 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
ip rule del fwmark 1                  # remove any earlier rule (fails harmlessly on first run)
ip route flush table internet
ip rule add fwmark 1 table internet prio 20
ip route add default via 200.108.139.1 table internet   # 200.108.139.1 is the gateway on eth2
ip route flush cache

Part of my main routing table:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
128.2.0.0       192.168.200.101 255.255.0.0     UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth3
0.0.0.0         190.128.173.97  0.0.0.0         UG    0      0        0 eth1   (where my VPN is)


Any tips? I want packets from the inside network 192.100.100.0/24 to
128.2.0.0/16 port 80 to go out via tun0 instead of eth2.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Load balancing between a VPN tunnel and a normal Internet link
  2011-04-10 18:55 Load balancing between a VPN tunnel and a normal Internet link Usuário do Sistema
@ 2011-04-11 19:21 ` Andrew Beverley
  2011-04-11 20:20   ` Usuário do Sistema
  0 siblings, 1 reply; 3+ messages in thread
From: Andrew Beverley @ 2011-04-11 19:21 UTC (permalink / raw)
  To: Usuário do Sistema; +Cc: netfilter

On Sun, 2011-04-10 at 15:55 -0300, Usuário do Sistema wrote:
> Hello everyone, I'm new to this mailing list and would like some help
> with my problem.
> 

Welcome.

> 
> I have a firewall (built with fwbuilder on Red Hat 5.6) in my branch office,
> connected to my head office by OpenVPN. I have a problem when traffic from
> my branch office to my head office is to destination port 80.
> 
> The branch office firewall has 3 Ethernet devices:
> 
> eth0 - inside network 192.100.100.0/24
> eth1 - wan 1 VPN
> eth2 - wan 2 only for Internet Traffic
> 
> I'm marking all traffic for port 80 to go out over WAN 2 (eth2).

Why are you doing this? The default route should do this for you.

> But this is a problem, because when a user tries to access a service on
> port 80 in my head office it doesn't work!
> 
> The firewall sends the traffic from the inside network to my head office
> out via eth2 instead of the VPN when the destination is port 80. I've tried
> to solve this with the rules below, but it doesn't work; the same problem occurs.
> 
> My head office inside network is 128.2.0.0/16, where I have my web
> servers on port 80.
> 
> Rules created on the branch office firewall:
> 
> /sbin/iptables -t mangle -A PREROUTING -s 0/0 -d ! 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1
> ip rule del fwmark 1
> ip route flush table internet
> ip rule add fwmark 1 table internet prio 20
> ip route add default via 200.108.139.1 table internet   # 200.108.139.1 is the gateway on eth2
> ip route flush cache

You shouldn't need to do any of the above. If you had your routing
tables correct, then any traffic for your head office network should go
out on the VPN (eth1) and all other traffic (default) should go out on
eth2.

> Part of my main routing table:
> 
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 128.2.0.0       192.168.200.101 255.255.0.0     UG    0      0        0 tun0
> 169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth3
> 0.0.0.0         190.128.173.97  0.0.0.0         UG    0      0        0 eth1   (where my VPN is)
> 

I think it would help if you could post a diagram of your setup (with
IP addresses) and your full routing table. I don't fully understand the
table above. For example, what is 192.168.200.101, what is eth3, and
what is 190.128.173.97? I assume that 200.108.139.1 is your public IP
address?

> 
> Any tips? I want packets from the inside network 192.100.100.0/24 to
> 128.2.0.0/16 port 80 to go out via tun0 instead of eth2.

Surely you want *any* traffic to 128.2.0.0/16 to go to tun0?

Andy




* Re: Load balancing between a VPN tunnel and a normal Internet link
  2011-04-11 19:21 ` Andrew Beverley
@ 2011-04-11 20:20   ` Usuário do Sistema
  0 siblings, 0 replies; 3+ messages in thread
From: Usuário do Sistema @ 2011-04-11 20:20 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: netfilter

Thanks for all the tips!

Now it's working!

Maybe I wasn't very clear in my question.

I have two ISPs in my branch office: one only for the VPN (ISP1) and the
other (ISP2) for Internet traffic (including port 80).

My firewall's gateway is ISP1, where my VPN is. So, to reach my goal, it
was necessary to create one more routing table with iproute2; thus it's
possible to forward packets with destination port 80 via ISP2. The rules
below do this.

# mark TCP/80 that is NOT for the head office network
# (`-d ! net` is the old negation syntax; newer iptables expects `! -d net`)
/sbin/iptables -t mangle -A PREROUTING -s 0/0 -d ! 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1

ip rule del fwmark 1                  # remove any earlier rule (fails harmlessly on first run)
ip route flush table internet
ip rule add fwmark 1 table internet prio 20
ip route add default via 200.108.139.1 table internet   # 200.108.139.1 is the ISP2 gateway
ip route flush cache

When the destination is different from 128.2.0.0/16 (my head office
inside network, where my web servers are), it should be forwarded via
ISP2.

The problem was that traffic to 128.2.0.0 was also going via ISP2
instead of the VPN tunnel.

I've compiled my firewall again and everything is working. I don't know
where the error was, but now the traffic to destination 128.2.0.0 port 80
is forwarded to the VPN tunnel.


Thanks

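The routing decision this thread turns on, as an added example that is not part of any of the messages above: a small Python model of the branch firewall's mangle MARK rule followed by the `ip rule` / `ip route` lookup, built from the addresses, device names and the `internet` table posted in the thread. It covers both Andrew's point (a specific 128.2.0.0/16 route via tun0 beats the default route, so no marking is needed for head-office traffic) and the final configuration (only port 80 that is not for 128.2.0.0/16 is marked and sent to ISP2). The packets fed in, the `exclude_head_office` switch and the optional extra connected route in the `internet` table are constructed for the example; the kernel's `local` table is left out as a simplification.

```python
# Added example, not from the thread: a model of Linux policy routing for the
# branch-office firewall discussed above. Addresses, device names and the
# "internet" table come from the posted rules; the packets are constructed
# test input. Simplification: the kernel's "local" table (prio 0) is omitted.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

HEAD_OFFICE = ipaddress.ip_network("128.2.0.0/16")    # web servers behind the VPN
BRANCH_LAN = ipaddress.ip_network("192.100.100.0/24")  # eth0, inside network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None      # gateway; None for a directly connected route


@dataclass(frozen=True)
class Rule:
    prio: int                      # `ip rule` consults rules in ascending priority
    table: str
    fwmark: Optional[int] = None   # None: the rule matches every packet


def mark_for(dst: str, proto: str, dport: int, exclude_head_office: bool) -> int:
    """Model of the mangle/PREROUTING MARK rule from the thread.

    exclude_head_office=True  -> `-d ! 128.2.0.0/16 -p tcp --dport 80 -j MARK --set-mark 1`
    exclude_head_office=False -> the same rule without the destination negation
    """
    if proto != "tcp" or dport != 80:
        return 0
    if exclude_head_office and ipaddress.ip_address(dst) in HEAD_OFFICE:
        return 0
    return 1


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one routing table (0.0.0.0/0 is the default)."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def select_route(rules: List[Rule], tables: Dict[str, List[Route]], dst: str, mark: int) -> Route:
    """Walk the rules in priority order; the first table that yields a route wins.
    A table that matches, even if only through its default route, ends the walk."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        route = lookup(tables[rule.table], dst_ip)
        if route is not None:
            return route
    raise LookupError(f"no route to {dst}")


def branch_firewall(connected_in_internet_table: bool = False) -> Dict[str, List[Route]]:
    """Tables as posted: main = 128.2.0.0/16 via tun0, default via ISP1 on eth1;
    table 'internet' = default via ISP2 on eth2. The optional connected LAN route
    in table 'internet' is an addition for the example, not something the thread posted."""
    main = [
        Route(BRANCH_LAN, "eth0"),
        Route(HEAD_OFFICE, "tun0", via="192.168.200.101"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "eth1", via="190.128.173.97"),
    ]
    internet = [Route(ipaddress.ip_network("0.0.0.0/0"), "eth2", via="200.108.139.1")]
    if connected_in_internet_table:
        internet.append(Route(BRANCH_LAN, "eth0"))
    return {"main": main, "internet": internet}


# `ip rule add fwmark 1 table internet prio 20`, then the implicit main-table rule.
RULES = [Rule(prio=20, table="internet", fwmark=1), Rule(prio=32766, table="main")]


def egress(dst: str, dport: int, proto: str = "tcp",
           exclude_head_office: bool = True, connected_in_internet_table: bool = False) -> str:
    """Device a forwarded packet leaves on under the thread's marking and routing."""
    mark = mark_for(dst, proto, dport, exclude_head_office)
    tables = branch_firewall(connected_in_internet_table)
    return select_route(RULES, tables, dst, mark).dev


if __name__ == "__main__":
    for dst, port in [("128.2.10.5", 80), ("128.2.10.5", 443), ("8.8.8.8", 80), ("8.8.8.8", 443)]:
        print(f"{dst}:{port} -> {egress(dst, port)}")
```

Three things the model makes visible. With the `-d ! 128.2.0.0/16` negation in place, head-office port 80 traffic carries no mark, falls through to the main table and leaves on tun0; without the negation it is marked, hits table `internet` at priority 20 and leaves on eth2, which is the symptom the first message describes. Because only TCP/80 is marked, every other Internet flow follows the main table's default route via eth1 (ISP1), not ISP2. And since a table with a default route ends the rule walk, any marked packet whose destination table `internet` has no specific route for, including the branch LAN 192.100.100.0/24 itself, is handed to the ISP2 gateway; copying the connected routes into that table (or adding `throw` routes) avoids this. Two practical notes: `mangle PREROUTING` only sees packets arriving on an interface, so the firewall's own connections would need the same MARK in `mangle OUTPUT`, and the name `internet` must exist in /etc/iproute2/rt_tables for `ip rule ... table internet` to resolve.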
