From: Andrew Beverley <andy@andybev.com>
To: Dimitri Yioulos <dyioulos@onpointfc.com>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: Dual WAN setup redux
Date: Wed, 01 Feb 2012 20:35:04 +0000
Message-ID: <1328128504.1891.38.camel@andy-laptop>
In-Reply-To: <201201271803.19071.dyioulos@onpointfc.com>
On Fri, 2012-01-27 at 18:03 -0500, Dimitri Yioulos wrote:
> I want to use WAN2 for a new Web server and test server living in the
> DMZ.
>
> I created a new routing table called WAN2. Here's the output of "ip route show
> table WAN2":
>
> 75.x.x.24/29 dev eth3 scope link src 75.x.x.25
> default via 75.x.x.30 dev eth3
In which case you need to force traffic from/to your new webserver to
use the routing table above.
> 75.x.x.24 * 255.255.255.248 U 0 0 0 eth3
This is saying any traffic for 75... should go via eth3.
> 65.x.x.160 * 255.255.255.224 U 0 0 0 eth0
> 10.8.0.0 vpn.mydomain.c 255.255.255.0 UG 0 0 0 eth2
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
> 192.168.100.0 * 255.255.252.0 U 0 0 0 eth1
Likewise for these.
> default 65.x.x.161. 0.0.0.0 UG 0 0 0 eth0
And anything else should go via 65...
So, at the moment, there's nothing making traffic use eth3, unless it
happens to be on that same subnet.
> The following are probably stupid noob questions, but here goes:
>
> I can ping the WAN2 gateway address from our firewall/router, but not from any
> other network device (I can ping the gateway address of WAN1 just fine).
See point above.
> Don't
> I have to be able to do that first?
Yes.
> I'm not sure what internal ip addresses to give the new Web server and test
> server (192.100.1.x, or 75.x.x.26-29.
You could do either. If you've been issued with a 'spare' public IP
address, then you might as well use that, as it saves SNAT.
If you're not using 75.x.x.26-29 then you could use one of these. But
you should not be assigning them all to eth3 as aliases (as per your
diagram). You only need one there.
In summary, if I understand your setup correctly, you should be able to
assign *one* of your public IP addresses to eth3, and then assign
another one to the web server, assuming they're all in the same subnet
and you get the subnets correct.
Once you've done that, as long as IP forwarding is enabled and you
ACCEPT the packets in iptables then it should work.
Andy
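The mechanics behind Andy's answer (a rule that makes the web server's traffic consult table WAN2, the table itself, IP forwarding, and FORWARD rules that ACCEPT the web server's packets), written up as an added shell example; it is not from the thread and not the poster's configuration. It assumes placeholder addresses 75.0.0.x standing in for the masked 75.x.x.x block, that the web server is given 75.x.x.26, that it sits on a separate DMZ interface (taken here as eth2, an assumption, since the diagram is not on the page) so the router needs a host route and proxy ARP on eth3 to hand that address through, and that table WAN2 is already named in /etc/iproute2/rt_tables as in the poster's setup. With RUN unset the script only prints the commands it would run, so it can be reviewed first and applied with RUN=1.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses are placeholders for
# the 75.x.x.x block masked in the original post; eth2 as the DMZ interface
# is an assumption.
WAN2_IF="eth3"
WAN2_NET="75.0.0.24/29"   # placeholder for 75.x.x.24/29
WAN2_GW="75.0.0.30"       # placeholder for 75.x.x.30
WEB_IP="75.0.0.26"        # placeholder for the web server's public address
DMZ_IF="eth2"             # assumption: interface the web server sits behind
TABLE="WAN2"              # must already exist in /etc/iproute2/rt_tables

# Print each command, or execute it when RUN=1.
run() {
  if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Table WAN2 as in the poster's "ip route show table WAN2" output.
table_routes() {
  run ip route replace "$WAN2_NET" dev "$WAN2_IF" table "$TABLE"
  run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
}

# What was missing: nothing selected table WAN2. This rule makes every
# packet *from* the web server's address use it, so replies and outbound
# connections leave via eth3 instead of the eth0 default route.
policy_rules() {
  run ip rule add from "$WEB_IP" lookup "$TABLE" priority 100
}

# Inbound path: the /29 is on eth3 but the host is on the DMZ side, so the
# main table needs a host route and eth3 must answer ARP for it.
inbound_path() {
  run ip route replace "$WEB_IP/32" dev "$DMZ_IF"
  run sysctl -w "net.ipv4.conf.$WAN2_IF.proxy_arp=1"
}

# Forwarding must be on, and FORWARD must ACCEPT the packets; keep it narrow:
# only the web ports inbound, only established flows back out.
forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -A FORWARD -i "$WAN2_IF" -o "$DMZ_IF" -d "$WEB_IP" \
    -p tcp -m multiport --dports 80,443 \
    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  run iptables -A FORWARD -i "$DMZ_IF" -o "$WAN2_IF" -s "$WEB_IP" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check which table the kernel would use for traffic sourced from the web
# server (only meaningful after the rules are really applied).
verify() {
  run ip route get 203.0.113.1 from "$WEB_IP" iif "$DMZ_IF"
}

apply_all() {
  table_routes
  policy_rules
  inbound_path
  forwarding
  verify
}

apply_all
```

The `ip route get ... from $WEB_IP iif $DMZ_IF` line is the quickest way to confirm the fix: once the rule is in place it should report `via 75.x.x.30 dev eth3`, whereas before it would have chosen the eth0 default route.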
Thread overview: 13+ messages
2012-01-27 23:03 Dual WAN setup redux Dimitri Yioulos
2012-01-31 1:50 ` Lloyd Standish
2012-01-31 17:15 ` Andrew Beverley
2012-02-01 16:51 ` Dimitri Yioulos
2012-02-01 18:49 ` Andrew Beverley
2012-02-01 19:46 ` Dimitri Yioulos
2012-02-01 20:25 ` Andrew Beverley
2012-02-01 20:35 ` Andrew Beverley [this message]
2012-02-01 22:08 ` Dimitri Yioulos
2012-02-01 23:32 ` Andrew Beverley
2012-02-02 7:35 ` Andrew Beverley
-- strict thread matches above, loose matches on Subject: below --
2012-02-02 17:52 Dimitri Yioulos
2012-02-02 23:11 ` Andrew Beverley