Re: Changing default route causes packet drop

["John Meissen" <john@meissen.org>]

> Hello,
> 
> John Meissen a écrit :
> > 
> > I had a traditional setup with two ethernet interfaces on my Linux box 
> > (WAN=eth0/LAN=eth1), and NATing the traffic that was forwarded between them.
> > 
> > I added another interface (eth2), and simply want to change the default
> > routing to go through it. I'm leaving various services listening on all
> > interfaces.
> > 
> > If I change the default route to use eth2, I can route from the internal
> > network to the outside just fine, and I can connect from the internal net
> > to services on the system fine. But incoming connections on the original
> > WAN (eth0) don't complete. They hang at SYN_RECV, as if I had a DROP rule.
> 
> 1) Check that source validation by reverse path is disabled for eth0
> (sysctl net.ipv4.conf.{all,eth0}.rp_filter=0).
> 
> 2) If you don't setup some routing policy (such as source address based
> routing), packets sent in reply to packets received on eth0 will now be
> sent through eth2 by default because of the new default route, but still
> with the source address of eth0. Such traffic may be considered as
> spoofing and discarded by the ISP eth2 is connected to.

Yes, I should learn to not post to mailing lists at 3AM, that a good night's
sleep is generally better for solving problems. :-P

I realized I was thinking of the problem in terms of interfaces, not routing.
Once I slept on it I realized the problem was 2), and that I couldn't really
do what I was proposing. Relocating the new connection and making a minor
change to the DHCP server to specify the new default route for the rest of
the network solved the problem.

Thanks.

john-