Re: Dual WAN set-up

Re: Dual WAN set-up

[Dimitri Yioulos]

On Monday 16 January 2012 3:28:14 pm you wrote:
> On Mon, 16 Jan 2012 08:56:23 -0600, Dimitri Yioulos 
<dyioulos@onpointfc.com> wrote:
> > Before I commit this new set-up, I'd like to post the
> > ste-by-step instructions I wrote up for your kind review:
>
> I don't quite understand your network configuration, but the
> ideas we provided on split-access to uplinks should adaptable
> to any situation.
>
> > Under this set-up, don't I need to add POSTROUTING AND
> > FORWARDING rules?  Sorry for my stupidity, but I set the
> > original up a long time ago, and certainly don't know all
> > there is to know.  Your continued patience and support are
> > greatly appreciated.
>
> The PREROUTING chain of the mangle table will handle the
> marking of new connection packets as well as recovery of the
> connection mark to the packet mark.  There should be no other
> iptables stuff required to mark the packets, and "ip rule add
> fwmark..." will handle sending the marked packets to the right
> routing table.
>
> I think you are doing SNAT, which uses POSTROUTING chain.  You
> you will want to keep that.
>
> Others here are much more knowledgeable and may have more
> comments. --
> Lloyd

Thanks, Lloyd.  Sorry if I'm being a pita.  I think what I'll do 
is follow your instructions, but liven up a test server first 
(doh :-)  ).  Of course, if that works, the rest is cake.  If it 
doesn't, hopefully I'll have some error messages/more information 
to post back so that we can do some troubleshooting.  Sound 
reasonable?

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Dual WAN set-up

[Dimitri Yioulos]

Hi, folks.

Please bear with me.  I may have asked something similar in the 
way-back, but am going to ask again, because I really need to get 
this set up, have absolutely no idea how, and am pertrified at 
the prospect:

I currently have an iptables/Netfilter firewall router configured 
thusly:

                               WAN
                                  |
 (192.168.x.x) LAN --  fw -- DMZ (10.x.x.x)

OK, pretty basic.  And, it has worked well for a long time.

Now, I need to add a second WAN (provided by a second provider).  
I need it to serve specific boxes in the DMZ, both inbound and 
outbound.  Currently, all boxes in the DMZ are served by the 
single WAN connection.  I'm not sure what other information I 
need to provide you, but I'm hoping you all can help with very 
specific instructions or a very detailed how-to so I can get this 
accomplished.  And, of course, I need to get this done yesterday.

Many thanks.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Dual WAN set-up

[Andrew Beverley]

On Thu, 2012-01-12 at 16:51 -0500, Dimitri Yioulos wrote:
> Hi, folks.
> 
> Please bear with me.  I may have asked something similar in the 
> way-back, but am going to ask again, because I really need to get 
> this set up, have absolutely no idea how, and am pertrified at 
> the prospect:
> 
> I currently have an iptables/Netfilter firewall router configured 
> thusly:
> 
>                                WAN
>                                   |
>  (192.168.x.x) LAN --  fw -- DMZ (10.x.x.x)
> 
> OK, pretty basic.  And, it has worked well for a long time.
> 
> Now, I need to add a second WAN (provided by a second provider).  
> I need it to serve specific boxes in the DMZ, both inbound and 
> outbound.  Currently, all boxes in the DMZ are served by the 
> single WAN connection.  I'm not sure what other information I 
> need to provide you, but I'm hoping you all can help with very 
> specific instructions or a very detailed how-to

If you check the list archives there's been a few discussions on this
recently (search for load balancing).

One way of doing it is marking each connection and balancing those, as
described in this excellent web page:

http://www.sysresccd.org/Sysresccd-Networking-EN-Iptables-and-netfilter-load-balancing-using-connmark

Andy

Re: Dual WAN set-up

[Dimitri Yioulos]

On Thursday 12 January 2012 5:28:39 pm Andrew Beverley wrote:
> On Thu, 2012-01-12 at 16:51 -0500, Dimitri Yioulos wrote:
> > Hi, folks.
> >
> > Please bear with me.  I may have asked something similar in
> > the way-back, but am going to ask again, because I really
> > need to get this set up, have absolutely no idea how, and am
> > pertrified at the prospect:
> >
> > I currently have an iptables/Netfilter firewall router
> > configured thusly:
> >
> >                                WAN
> >
> >  (192.168.x.x) LAN --  fw -- DMZ (10.x.x.x)
> >
> > OK, pretty basic.  And, it has worked well for a long time.
> >
> > Now, I need to add a second WAN (provided by a second
> > provider). I need it to serve specific boxes in the DMZ, both
> > inbound and outbound.  Currently, all boxes in the DMZ are
> > served by the single WAN connection.  I'm not sure what other
> > information I need to provide you, but I'm hoping you all can
> > help with very specific instructions or a very detailed
> > how-to
>
> If you check the list archives there's been a few discussions
> on this recently (search for load balancing).
>
> One way of doing it is marking each connection and balancing
> those, as described in this excellent web page:
>
> http://www.sysresccd.org/Sysresccd-Networking-EN-Iptables-and-n
>etfilter-load-balancing-using-connmark
>
> Andy
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe
> netfilter" in the body of a message to
> majordomo@vger.kernel.org
> More majordomo info at 
> http://vger.kernel.org/majordomo-info.html


Thank, Andy.  I'll give it a read.  I'm not sure I'm after load 
balancing, though, but rather dedicating one WAN to a specific 
set of machines, if that's even possible.  Also, I've seen 
how-to's on the NET, but all assume that you're starting fresh, 
and adding two WAN connections.  I already have one in place, and 
working fine.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Dual WAN set-up

[Andrew Beverley]

On Thu, 2012-01-12 at 17:48 -0500, Dimitri Yioulos wrote:
> > > Now, I need to add a second WAN (provided by a second
> > > provider). I need it to serve specific boxes in the DMZ, both
> > > inbound and outbound.  Currently, all boxes in the DMZ are
> > > served by the single WAN connection.  I'm not sure what other
> > > information I need to provide you, but I'm hoping you all can
> > > help with very specific instructions or a very detailed
> > > how-to
> >
> > If you check the list archives there's been a few discussions
> > on this recently (search for load balancing).
> >
> > One way of doing it is marking each connection and balancing
> > those, as described in this excellent web page:
> >
> > http://www.sysresccd.org/Sysresccd-Networking-EN-Iptables-and-n
> >etfilter-load-balancing-using-connmark
> >
> 
> Thank, Andy.  I'll give it a read.  I'm not sure I'm after load 
> balancing, though, but rather dedicating one WAN to a specific 
> set of machines, if that's even possible.

Ah, sorry, you did say that, I just misread your email (and original
diagram of course!)

>   Also, I've seen 
> how-to's on the NET, but all assume that you're starting fresh, 
> and adding two WAN connections.  I already have one in place, and 
> working fine.

Well that should be pretty easy to be honest. What Lloyd wrote looks
pretty spot-on, and is the way that I would approach this problem.

Andy

Re: Dual WAN set-up

[Lloyd Standish]

On Thu, 12 Jan 2012 15:51:18 -0600, Dimitri Yioulos <dyioulos@onpointfc.com> wrote:

> I currently have an iptables/Netfilter firewall router configured
> thusly:
>                               WAN
>                                   |
>  (192.168.x.x) LAN --  fw -- DMZ (10.x.x.x)
> OK, pretty basic.  And, it has worked well for a long time.
> Now, I need to add a second WAN (provided by a second provider).
> I need it to serve specific boxes in the DMZ, both inbound and
> outbound.  Currently, all boxes in the DMZ are served by the
> single WAN connection.  I'm not sure what other information I
> need to provide you, but I'm hoping you all can help with very
> specific instructions or a very detailed how-to so I can get this
> accomplished.  And, of course, I need to get this done yesterday.

Hi,

I am not highly experienced compared to most other posters here, but I'll try to help :)

Shouldn't your diagram indicate that the fw is connected to the WAN (not to the DMZ)?  I will proceed under that assumption.  If you have a netfilters firewall installed, I think all interfaces would go "through" it.


Adding a second (or more) uplink to a netfilters firewall is easy.  I suggest the following:

1. You could follow the basic information explained here, to set up split access: http://lartc.org/howto/lartc.rpdb.multiple-links.html  After reading this and understanding about using multiple routing tables to route traffic through different interfaces (uplinks), you can proceed.

2. You would set up a custom routing table for the special DMZ traffic.  Use the info in the above link to do that.  Suppose it is called "DMZSPECIAL".  You will set up routing to the new DMZ interface using the MYDMZ table, something like this:

	ip route add 10.x.x.x/8 dev ${DMZinterface} src ${wan} table DMZSPECIAL
	ip route add default via ${gateway} dev ${interface} table DMZSPECIAL

(You will also keep your regular routing table to your old interface.  Also of course you keep your SNAT over your existing interface, only for LAN hosts of course.)

2. You might create a custom chain for the new interface, which is supposed to serve the special DMZ hosts.  This is to mark packets for subsequent decision on routing:

	iptables -t mangle -N CONNMARK1
	iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
	iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark
	iptables -t mangle -A CONNMARK1 -j ACCEPT

3. You would NEW mark all packets from the special DMZ hosts with fwmark 1, like this (repeat for each source IP or subnet to use the new interface):

	iptables -t mangle -A PREROUTING -m state --state NEW -s 10.x.x.x -j CONNMARK1
	etc.


4. You would restore the connection mark to the packet mark with a rule like this:
	iptables -t mangle -A PREROUTING -i ${dmz_if} -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark

Then add a policy routing rule, directing all traffic with the "1" mark to the new DMZ uplink:

	ip rule add fwmark 1 table MYDMZ

That should do it.  Post back if you have any trouble.
-- 
Lloyd

Re: Dual WAN set-up

[Lloyd Standish]

On Thu, 12 Jan 2012 17:08:08 -0600, Lloyd Standish <lloyd@crnatural.net> wrote:

> Shouldn't your diagram indicate that the fw is connected to the WAN (not to the DMZ)?  I will proceed under that assumption.  If you have a netfilters firewall installed, I think all interfaces would go "through" it.

PS I meant to say, the WAN is connected to the fw, not directly to the DMZ.
-- 
Lloyd

Re: Dual WAN set-up

[Dimitri Yioulos]

On Thursday 12 January 2012 6:12:20 pm Lloyd Standish wrote:
> On Thu, 12 Jan 2012 17:08:08 -0600, Lloyd Standish 
<lloyd@crnatural.net> wrote:
> > Shouldn't your diagram indicate that the fw is connected to
> > the WAN (not to the DMZ)?  I will proceed under that
> > assumption.  If you have a netfilters firewall installed, I
> > think all interfaces would go "through" it.
>
> PS I meant to say, the WAN is connected to the fw, not directly
> to the DMZ. --
> Lloyd
> --
> To unsubscribe from this list: send the line "unsubscribe
> netfilter" in the body of a message to
> majordomo@vger.kernel.org
> More majordomo info at 
> http://vger.kernel.org/majordomo-info.html


Lloyd,

I should have read all your posts - correct, the WAN is connected 
to the fw.  So is the DMZ.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Dual WAN set-up

[Dimitri Yioulos]

On Thursday 12 January 2012 6:08:08 pm Lloyd Standish wrote:
> On Thu, 12 Jan 2012 15:51:18 -0600, Dimitri Yioulos 
<dyioulos@onpointfc.com> wrote:
> > I currently have an iptables/Netfilter firewall router
> > configured thusly:
> >                               WAN
> >
> >  (192.168.x.x) LAN --  fw -- DMZ (10.x.x.x)
> > OK, pretty basic.  And, it has worked well for a long time.
> > Now, I need to add a second WAN (provided by a second
> > provider). I need it to serve specific boxes in the DMZ, both
> > inbound and outbound.  Currently, all boxes in the DMZ are
> > served by the single WAN connection.  I'm not sure what other
> > information I need to provide you, but I'm hoping you all can
> > help with very specific instructions or a very detailed
> > how-to so I can get this accomplished.  And, of course, I
> > need to get this done yesterday.
>
> Hi,
>
> I am not highly experienced compared to most other posters
> here, but I'll try to help :)
>
> Shouldn't your diagram indicate that the fw is connected to the
> WAN (not to the DMZ)?  I will proceed under that assumption. 
> If you have a netfilters firewall installed, I think all
> interfaces would go "through" it.
>
>
> Adding a second (or more) uplink to a netfilters firewall is
> easy.  I suggest the following:
>
> 1. You could follow the basic information explained here, to
> set up split access:
> http://lartc.org/howto/lartc.rpdb.multiple-links.html  After
> reading this and understanding about using multiple routing
> tables to route traffic through different interfaces (uplinks),
> you can proceed.
>
> 2. You would set up a custom routing table for the special DMZ
> traffic.  Use the info in the above link to do that.  Suppose
> it is called "DMZSPECIAL".  You will set up routing to the new
> DMZ interface using the MYDMZ table, something like this:
>
> 	ip route add 10.x.x.x/8 dev ${DMZinterface} src ${wan} table
> DMZSPECIAL ip route add default via ${gateway} dev ${interface}
> table DMZSPECIAL
>
> (You will also keep your regular routing table to your old
> interface.  Also of course you keep your SNAT over your
> existing interface, only for LAN hosts of course.)
>
> 2. You might create a custom chain for the new interface, which
> is supposed to serve the special DMZ hosts.  This is to mark
> packets for subsequent decision on routing:
>
> 	iptables -t mangle -N CONNMARK1
> 	iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
> 	iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark
> 	iptables -t mangle -A CONNMARK1 -j ACCEPT
>
> 3. You would NEW mark all packets from the special DMZ hosts
> with fwmark 1, like this (repeat for each source IP or subnet
> to use the new interface):
>
> 	iptables -t mangle -A PREROUTING -m state --state NEW -s
> 10.x.x.x -j CONNMARK1 etc.
>
>
> 4. You would restore the connection mark to the packet mark
> with a rule like this: iptables -t mangle -A PREROUTING -i
> ${dmz_if} -m state --state ESTABLISHED,RELATED -j CONNMARK
> --restore-mark
>
> Then add a policy routing rule, directing all traffic with the
> "1" mark to the new DMZ uplink:
>
> 	ip rule add fwmark 1 table MYDMZ
>
> That should do it.  Post back if you have any trouble.
> --
> Lloyd
> --
> To unsubscribe from this list: send the line "unsubscribe
> netfilter" in the body of a message to
> majordomo@vger.kernel.org
> More majordomo info at 
> http://vger.kernel.org/majordomo-info.html


Lloyd,

Our fw/router routes traffic to both our LAN and our DMZ.  That's 
how it was set up a long time ago and, again, it works very well.  
Given that, do your instructions (btw, did I say I'm grateful for 
your help) still work?

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Dual WAN set-up

[Lloyd Standish]

Sorry, there are a couple of probably obvious errors in my post, aside from the bad numbering.  This is because when I first wrote this, I gave the DMZ special hosts routing table the name "MYDMZ", but then changed it to "DMZSPECIAL", for clarity. The erred lines are corrected below:

On Thu, 12 Jan 2012 17:08:08 -0600, Lloyd Standish <lloyd@crnatural.net> wrote:


> 2. You would set up a custom routing table for the special DMZ traffic.  Use the info in the above link to do that.  Suppose it is called "DMZSPECIAL".  You will set up routing to the new DMZ interface using the MYDMZ table, something like this:

I meant to say above, "...using the DMZSPECIAL table, something like this:"

<snip>

>
> Then add a policy routing rule, directing all traffic with the "1" mark to the new DMZ uplink:
>
> 	ip rule add fwmark 1 table MYDMZ
This should of course be:
ip rule add fwmark 1 table DMZSPECIAL

-- 
Lloyd

Re: Dual WAN set-up

[Andrew Beverley]

Thanks for the comprehensive answer Lloyd. A couple of minor points:

> 2. You would set up a custom routing table for the special DMZ traffic.
>   Use the info in the above link to do that.  Suppose it is called
> "DMZSPECIAL".  You will set up routing to the new DMZ interface using
> the MYDMZ table, something like this:
> 
> 	ip route add 10.x.x.x/8 dev ${DMZinterface} src ${wan} table DMZSPECIAL
> 	ip route add default via ${gateway} dev ${interface} table DMZSPECIAL
> 

[...]

> 3. You would NEW mark all packets from the special DMZ hosts with
> fwmark 1, like this (repeat for each source IP or subnet to use the new
> interface):

Using marks is one way to do this, and provides plenty of flexibility.
However, if all the traffic is coming from the same IP address /
interface, then you should be able to use straight iproute2 rules to
match those aspects, without even touching iptables (see ip rule).


> 	iptables -t mangle -A PREROUTING -m state --state NEW
> -s 10.x.x.x -j CONNMARK1
>

Also, if you do decide to use netfilter marks (which is certainly no bad
thing IMHO), then you probably don't need to mark connections and then
restore them. Instead just mark a packet straight away:

iptables -t mangle -A PREROUTING -s 10.x.x.x -j MARK --set-mark 1

Andy

Re: Dual WAN set-up

[Dimitri Yioulos]

On Friday 13 January 2012 2:25:45 am Andrew Beverley wrote:
> Thanks for the comprehensive answer Lloyd. A couple of minor 
points:
> > 2. You would set up a custom routing table for the special
> > DMZ traffic. Use the info in the above link to do that. 
> > Suppose it is called "DMZSPECIAL".  You will set up routing
> > to the new DMZ interface using the MYDMZ table, something
> > like this:
> >
> > 	ip route add 10.x.x.x/8 dev ${DMZinterface} src ${wan} table
> > DMZSPECIAL ip route add default via ${gateway} dev
> > ${interface} table DMZSPECIAL
>
> [...]
>
> > 3. You would NEW mark all packets from the special DMZ hosts
> > with fwmark 1, like this (repeat for each source IP or subnet
> > to use the new interface):
>
> Using marks is one way to do this, and provides plenty of
> flexibility. However, if all the traffic is coming from the
> same IP address / interface, then you should be able to use
> straight iproute2 rules to match those aspects, without even
> touching iptables (see ip rule).
>
> > 	iptables -t mangle -A PREROUTING -m state --state NEW
> > -s 10.x.x.x -j CONNMARK1
>
> Also, if you do decide to use netfilter marks (which is
> certainly no bad thing IMHO), then you probably don't need to
> mark connections and then restore them. Instead just mark a
> packet straight away:
>
> iptables -t mangle -A PREROUTING -s 10.x.x.x -j MARK --set-mark
> 1
>
> Andy
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe
> netfilter" in the body of a message to
> majordomo@vger.kernel.org
> More majordomo info at 
> http://vger.kernel.org/majordomo-info.html


Thanks to you both.  I'll go over your suggestions, and try to 
implement this asap.  Please stand by as I may need additional 
hand-holding :-)  .

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Dual WAN set-up

[Lloyd Standish]

On Fri, 13 Jan 2012 01:25:45 -0600, Andrew Beverley <andy@andybev.com> wrote:

> Using marks is one way to do this, and provides plenty of flexibility.
> However, if all the traffic is coming from the same IP address /
> interface, then you should be able to use straight iproute2 rules to
> match those aspects, without even touching iptables (see ip rule).
>
>> 	iptables -t mangle -A PREROUTING -m state --state NEW
>> -s 10.x.x.x -j CONNMARK1
>>

That's a good point.  In my own firewall, at one point I wanted to avoid load-balancing for certain hosts (i.e., always route through a given interface for a certain source IP), and I was unable to use "ip rule" with no packet marking.  However, I think this is because all the hosts were internal LAN hosts using SNAT, and the NAT is done before the packet hits "ip rule."  Therefore "ip rule" could not match on the source IP.  But in Dimitri's case, since there is no NAT for the DMZ hosts, this should work fine, and is simpler.  The only reason to mark packets would be to allow the possibility of later routing some of the LAN hosts through the second interface.

>Also, if you do decide to use netfilter marks (which is certainly no bad
> thing IMHO), then you probably don't need to mark connections and then
> restore them. Instead just mark a packet straight away:
>iptables -t mangle -A PREROUTING -s 10.x.x.x -j MARK --set-mark 1

Another very good point for Dimitri, Andy, which should give better efficiency.  Connection marking is only necessary for load-balancing. I guess I am in a "load-balancing" mindset.

-- 
Lloyd

Re: Dual WAN set-up

[Dimitri Yioulos]

On Friday 13 January 2012 9:17:20 am Lloyd Standish wrote:
> On Fri, 13 Jan 2012 01:25:45 -0600, Andrew Beverley 
<andy@andybev.com> wrote:
> > Using marks is one way to do this, and provides plenty of
> > flexibility. However, if all the traffic is coming from the
> > same IP address / interface, then you should be able to use
> > straight iproute2 rules to match those aspects, without even
> > touching iptables (see ip rule).
> >
> >> 	iptables -t mangle -A PREROUTING -m state --state NEW
> >> -s 10.x.x.x -j CONNMARK1
>
> That's a good point.  In my own firewall, at one point I wanted
> to avoid load-balancing for certain hosts (i.e., always route
> through a given interface for a certain source IP), and I was
> unable to use "ip rule" with no packet marking.  However, I
> think this is because all the hosts were internal LAN hosts
> using SNAT, and the NAT is done before the packet hits "ip
> rule."  Therefore "ip rule" could not match on the source IP. 
> But in Dimitri's case, since there is no NAT for the DMZ hosts,
> this should work fine, and is simpler.  The only reason to mark
> packets would be to allow the possibility of later routing some
> of the LAN hosts through the second interface.
>
> >Also, if you do decide to use netfilter marks (which is
> > certainly no bad thing IMHO), then you probably don't need to
> > mark connections and then restore them. Instead just mark a
> > packet straight away: iptables -t mangle -A PREROUTING -s
> > 10.x.x.x -j MARK --set-mark 1
>
> Another very good point for Dimitri, Andy, which should give
> better efficiency.  Connection marking is only necessary for
> load-balancing. I guess I am in a "load-balancing" mindset.
>
> --
> Lloyd
> --
> To unsubscribe from this list: send the line "unsubscribe
> netfilter" in the body of a message to
> majordomo@vger.kernel.org
> More majordomo info at 
> http://vger.kernel.org/majordomo-info.html


Lloyd,

Not to throw a proverbial wrench in the works, but in my case 
there is NAT for the DMZ hosts.

I have three NICs currently active on the fw (more are available): 
eth0 - WAN, eth1 - LAN, eth2 - DMZ.  In addition, eth0 has 
several aliases for the external addresses of the DMZ boxes.  
Then, NAT to internal addresses (10.x.x.x).

Hope I'm not muddying the waters but, rather, providing all of the 
info that you need to so kindly help me.

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Dual WAN set-up

[Dimitri Yioulos]

On Friday 13 January 2012 10:17:21 am you wrote:
> On Friday 13 January 2012 9:17:20 am Lloyd Standish wrote:
> > On Fri, 13 Jan 2012 01:25:45 -0600, Andrew Beverley
>
> <andy@andybev.com> wrote:
> > > Using marks is one way to do this, and provides plenty of
> > > flexibility. However, if all the traffic is coming from the
> > > same IP address / interface, then you should be able to use
> > > straight iproute2 rules to match those aspects, without
> > > even touching iptables (see ip rule).
> > >
> > >> 	iptables -t mangle -A PREROUTING -m state --state NEW
> > >> -s 10.x.x.x -j CONNMARK1
> >
> > That's a good point.  In my own firewall, at one point I
> > wanted to avoid load-balancing for certain hosts (i.e.,
> > always route through a given interface for a certain source
> > IP), and I was unable to use "ip rule" with no packet
> > marking.  However, I think this is because all the hosts were
> > internal LAN hosts using SNAT, and the NAT is done before the
> > packet hits "ip rule."  Therefore "ip rule" could not match
> > on the source IP. But in Dimitri's case, since there is no
> > NAT for the DMZ hosts, this should work fine, and is simpler.
> >  The only reason to mark packets would be to allow the
> > possibility of later routing some of the LAN hosts through
> > the second interface.
> >
> > >Also, if you do decide to use netfilter marks (which is
> > > certainly no bad thing IMHO), then you probably don't need
> > > to mark connections and then restore them. Instead just
> > > mark a packet straight away: iptables -t mangle -A
> > > PREROUTING -s 10.x.x.x -j MARK --set-mark 1
> >
> > Another very good point for Dimitri, Andy, which should give
> > better efficiency.  Connection marking is only necessary for
> > load-balancing. I guess I am in a "load-balancing" mindset.
> >
> > --
> > Lloyd
> > --
> > To unsubscribe from this list: send the line "unsubscribe
> > netfilter" in the body of a message to
> > majordomo@vger.kernel.org
> > More majordomo info at
> > http://vger.kernel.org/majordomo-info.html
>
> Lloyd,
>
> Not to throw a proverbial wrench in the works, but in my case
> there is NAT for the DMZ hosts.
>
> I have three NICs currently active on the fw (more are
> available): eth0 - WAN, eth1 - LAN, eth2 - DMZ.  In addition,
> eth0 has several aliases for the external addresses of the DMZ
> boxes. Then, NAT to internal addresses (10.x.x.x).
>
> Hope I'm not muddying the waters but, rather, providing all of
> the info that you need to so kindly help me.
>
> Dimitri


Er, sorry, seems like I don't even remember my own network scheme.  
internal LAN addresses are 192.168.100.0/22, and internal DMZ 
addresses are 192.168.1.0/24.  (The 10.x.x.x addresses are used 
by our VPN.)

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Dual WAN set-up

[Lloyd Standish]

On Fri, 13 Jan 2012 09:22:04 -0600, Dimitri Yioulos <dyioulos@onpointfc.com> wrote:

> Er, sorry, seems like I don't even remember my own network scheme.
> internal LAN addresses are 192.168.100.0/22, and internal DMZ
> addresses are 192.168.1.0/24.  (The 10.x.x.x addresses are used
> by our VPN.)

Again, I think you will have to use connection marking/mark restore as I detailed in a previous post.  I don't believe that "ip rule add from x.x.x.x fwmark 1" will work when nat is used.  Andy or another of the experts here may have comments on this.  Otherwise, I think you can go ahead and try implementing your multi-uplink firewall based on the advice Andy and I have offered.

-- 
Lloyd

Re: Dual WAN set-up

[Lloyd Standish]

On Mon, 16 Jan 2012 08:56:23 -0600, Dimitri Yioulos <dyioulos@onpointfc.com> wrote:

> Before I commit this new set-up, I'd like to post the ste-by-step
> instructions I wrote up for your kind review:

I don't quite understand your network configuration, but the ideas we provided on split-access to uplinks should adaptable to any situation.

> Under this set-up, don't I need to add POSTROUTING AND FORWARDING
> rules?  Sorry for my stupidity, but I set the original up a long
> time ago, and certainly don't know all there is to know.  Your
> continued patience and support are greatly appreciated.
>

The PREROUTING chain of the mangle table will handle the marking of new connection packets as well as recovery of the connection mark to the packet mark.  There should be no other iptables stuff required to mark the packets, and "ip rule add fwmark..." will handle sending the marked packets to the right routing table.

I think you are doing SNAT, which uses POSTROUTING chain.  You you will want to keep that.

Others here are much more knowledgeable and may have more comments.
-- 
Lloyd

Re: Dual WAN set-up

[Lloyd Standish]

On Fri, 13 Jan 2012 09:17:21 -0600, Dimitri Yioulos <dyioulos@onpointfc.com> wrote:

> Not to throw a proverbial wrench in the works, but in my case
> there is NAT for the DMZ hosts.


I don't have time to elaborate now, but I think you will have to use connection marking (as in my previous post).  I'll reply more in depth later.

Regards
-- 
Lloyd

Re: Dual WAN set-up

[Dimitri Yioulos]

On Friday 13 January 2012 3:00:12 pm Lloyd Standish wrote:
> On Fri, 13 Jan 2012 09:17:21 -0600, Dimitri Yioulos 
<dyioulos@onpointfc.com> wrote:
> > Not to throw a proverbial wrench in the works, but in my case
> > there is NAT for the DMZ hosts.
>
> I don't have time to elaborate now, but I think you will have
> to use connection marking (as in my previous post).  I'll reply
> more in depth later.
>
> Regards
> --
> Lloyd


Lloyd,

Excellent, and very appreciated (Andy's help, too).

Dimitri

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.