Linux Netfilter discussions
* dual wan routing, looking from the outside...
@ 2008-07-11  0:18 Brian Austin
  2008-07-11 14:29 ` Grant Taylor
  2008-07-15 10:39 ` Brian
  0 siblings, 2 replies; 3+ messages in thread
From: Brian Austin @ 2008-07-11  0:18 UTC (permalink / raw)
  To: netfilter

Hi,
after some problems with attempt #1 at dual wan routing I have decided 
to start afresh. Unfortunately I have put the router in production so I 
need to be pretty careful now with what I do, so thought to ask the 
clever people for some thoughts.

for my second attempt

I have my kernel 2.6.25.15 patched with http://www.ssi.bg/~ja/#routes.

I have two isp connections and I advertise my mail server (smtp & imap) 
on my first ISP connection, and my vpn connection on the other isp 
connection.

mail - isp1 --adslmodem1---192.168.20.x
imaps                          |
                           dual wan router    --192.168.41.x-- mail 
imaps server is behind the wan router
                           is also vpn server
                            and smtp server     
                               |
vpn  - isp2 --adslmodem2---192.168.19.x

I port forward through the adsl modems to the wan router, adslmodem1 
port forwards mail 25,993 ports, adslmodem2 forwards openvpn port.

openvpn is served up by the dual wan router, as is smtp.

the imap mail is served up by the mail server behind the wan router, 
like this
iptables -t nat -A PREROUTING -d 192.168.20.253 -i eth20 -p tcp -m tcp --dport 993 -j DNAT --to-destination 192.168.41.5:993

Now the problem I have at the moment is:

From the outside, I can only access services from one isp connection at 
a time. So if I VPN in, then I can't access my imaps mail,

do I need to do some sort of packet marking to achieve this? So that 
packets from the same internet host can route out both wan connections 
simultaneously?

Pointers to example scripts or the right information to study appreciated

regards

Brian



* Re: dual wan routing, looking from the outside...
From: Grant Taylor @ 2008-07-11 14:29 UTC (permalink / raw)
  To: Mail List - Netfilter

On 07/10/08 19:18, Brian Austin wrote:
> From the outside, I can only access services from one isp connection at 
> a time. So if I VPN in, then I can't access my imaps mail,

Hum...

> do I need to do some sort of packet marking to achieve this? So that 
> packets from the same internet host can route out both wan connections 
> simultaneously?

Possibly.

> Pointers to example scripts or the right information to study appreciated

I wonder if you are not falling victim to route caching.  How quickly 
after you finish using (close) one service can you use the other?  If it 
is not immediately I think your dual wan router has a route to your 
client's source IP cached and thus not looking up / using the route for 
the other service but rather continuing to use the cached route that it 
was just using a moment ago.

You can easily test this by flushing your routing cache after you 
disconnect the first service before you start using the second service.


If this does work, I think you will need to mark your packets so that 
you can use different routing tables depending on the interface the 
traffic comes in on, thus forcing the routing that you want.



Grant. . . .


* Re: dual wan routing, looking from the outside...
From: Brian @ 2008-07-15 10:39 UTC (permalink / raw)
  To: netfilter

Hi Again,

well I'm doing some more investigation...

I add the iptables rule
iptables -t mangle -A PREROUTING -i eth20 -j MARK --set-mark 2

which is meant to mark connections coming in on eth20 (192.168.20.253)  
with the number 2.

yet looking at the connections after making a connection to the box...

cat /proc/net/ip_conntrack
....
tcp      6 431997 ESTABLISHED src=60.242.51.252 dst=192.168.20.253 sport=2158 dport=25 packets=2 bytes=88 src=192.168.20.253 dst=60.242.51.252 sport=25 dport=2158 packets=1 bytes=48 [ASSURED] mark=0 secmark=0 use=1
....

mark=0 ????!  what am I doing wrong?

regards

Brian

p.s.

kernel compiled with
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y



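An added example (not from any poster in this thread) of what Grant's per-interface marking and route-cache flush, and the fix for the mark=0 puzzle above, look like together: MARK only stamps the packet, so the conntrack entry stays at mark=0; CONNMARK stores the mark on the connection and --restore-mark copies it back onto every later packet, which the ip rules then use to pick the right WAN table. Assumed names: eth20 faces adslmodem1 (192.168.20.x) and eth19 faces adslmodem2 (192.168.19.x); the gateway addresses, mark 3 and the table numbers are placeholders.

```shell
#!/bin/sh
# Connection-mark based policy routing so replies leave via the WAN they came in on.
# DRY_RUN defaults to 1 (print the commands); run with DRY_RUN=0 as root to apply.
DRY_RUN=${DRY_RUN:-1}
WAN1_IF=eth20; WAN1_GW=192.168.20.1; WAN1_MARK=2; WAN1_TABLE=20   # gateway assumed
WAN2_IF=eth19; WAN2_GW=192.168.19.1; WAN2_MARK=3; WAN2_TABLE=19   # all assumed

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# One routing table per ISP holding only that ISP's default route, plus an ip rule
# that sends packets carrying the matching fwmark to that table.
setup_tables() {
  for spec in "$WAN1_IF $WAN1_GW $WAN1_MARK $WAN1_TABLE" \
              "$WAN2_IF $WAN2_GW $WAN2_MARK $WAN2_TABLE"; do
    set -- $spec
    run ip route replace default via "$2" dev "$1" table "$4"
    run ip rule add fwmark "$3" table "$4"
  done
  run ip route flush cache   # drop cached per-destination choices (Grant's point)
}

# Put the mark on the conntrack entry, not only on the skb: the MARK target alone is
# why /proc/net/ip_conntrack showed mark=0. New inbound connections get a CONNMARK
# per WAN interface; every packet first has the connection mark restored so that
# replies from the LAN mail server (and from the router itself) carry it too.
setup_marks() {
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  run iptables -t mangle -A PREROUTING -i "$WAN1_IF" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$WAN1_MARK"
  run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$WAN2_MARK"
  # Locally generated replies (smtp and openvpn live on the router) need the mark
  # before the routing decision, which happens after mangle OUTPUT.
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

setup_tables
setup_marks
```

The ip rule additions are not idempotent; rerunning the script appends duplicate rules, so flush them (ip rule del) before applying it again.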
