[LARTC] Questions about mutiple providers

To:	lartc@mailman.ds9a.nl
Subject:	[LARTC] Questions about mutiple providers
From:	Fabio Muzzi <liste@kurgan.org>
Date:	Mon, 29 Jan 2007 13:17:03 +0100
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	lartc-list@securepoint.com
Delivered-to:	lartc@outpost.ds9a.nl
List-archive:	<http://mailman.ds9a.nl/pipermail/lartc>
List-help:	<mailto:lartc-request@mailman.ds9a.nl?subject=help>
List-id:	"Mailinglist of the Linux Advanced Routing & Traffic Control project" <lartc.mailman.ds9a.nl>
List-post:	<mailto:lartc@mailman.ds9a.nl>
List-subscribe:	<http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
List-unsubscribe:	<http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
Reply-to:	Fabio Muzzi <liste@kurgan.org>
Sender:	lartc-bounces@mailman.ds9a.nl

Hi, this is my first post to the list.

I  have  googled  a  lot,  and still cannot find a proper solution. I hope
someone here will be able to shed some light on my doubts.

I  have  set  up a firewall using kernel 2.6.15 (Debian) that does NAT for
100  clients,  and  uses  two  different  ISPs,  using  the howto found at
http://lartc.org/howto/lartc.rpdb.multiple-links.html.    I   have   *not*
patched my kernel.

The  rounting setup is taken from the howto, and it basically works, I see
packets  flowing  out  of both WAN interfaces, and everyting seems to work
properly for packets that are generated from the firewall itself.

I have set up NAT rules in postrouting table, this way:

iptables -t nat -A POSTROUTING -o $WAN  -j SNAT -s 10.0.0.0/16 --to-source 
217.221.234.74
iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 
83.211.205.162

Local  net  is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and
their  relative  IP  addresses  are  set  as  shown.  WAN  interfaces  are
phisically different and have no aliases, only the IP shown above.

Now, I am experiencing two issues:

-  First,  I see packets with "from" address set to 83.211.205.162 that go
out of $WAN, and also packets with from address set to 217.221.234.74 that
flow  out  of  $WAN2.  This  address  mixup  should not happen, I suppose.
looking   at  the  packets,  it  seems  that  only NATed trafic shows this
behaviour.


-  Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that
still  have  the LAN from address, that is 10.0.x.x, these packets somehow
where not NATed at all.


Now, the questions are:

How do I solve this?

Do  I  need to patch my kernel to solve the first issue, because I need to
lock at NAT "established connections" tables to make routing decisions? Is
it  impossible  to  have  equal  cost  multipath and SNAT together without
patching the kernel? If so, what patch do I need exactly?

Is  there  something  wrong  with my kernel version, that has a broken NAT
support?  (this could explain why I get some packets that do not get NATed
at all)


Thanks a lot for the time you took reading this.

-- 

  Fabio "Kurgan" Muzzi

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

<Prev in Thread]	Current Thread	[Next in Thread>
[LARTC] Questions about mutiple providers, Fabio Muzzi <= Re: [LARTC] Questions about mutiple providers, Alex Samad

Previous by Date:	[LARTC] Bridging multiple vlans on linux router, Ivan Vladimirov
Next by Date:	Re: [LARTC] Questions about mutiple providers, Alex Samad
Previous by Thread:	[LARTC] Bridging multiple vlans on linux router, Ivan Vladimirov
Next by Thread:	Re: [LARTC] Questions about mutiple providers, Alex Samad
Indexes:	[Date] [Thread] [Top] [All Lists]