Hello,
dummy@sapmail.pg.com wrote:
> I am changing data centers and want to forward traffic hitting server A to
> Server B in another data center. I was using masquerading and it was
> working fine, however a problem has popped its ugly head. Server B needs
> to know the IP address of the client connecting to it. If it gets
> forwarded through Server A, the IP address of Server A is what is given.
> I tried to make this work without masquerading but I break the port
> forwarding.
The reply packets *must* go back to the forwarding box (A) by any means
in order for the DNAT to work properly. Masquerading on box A was an
easy way to achieve this, but the drawback is it hides the real source
address. Another problem may be that some router or firewall in the path
between box A and box B drops forwarded packets with a "foreign"
source address.
The only workaround I can think of when box A and box B are not in the
same network is some tunnel or VPN between them and advanced routing on
box B set up so it sends the reply packets of forwarded connections back
to box A through the tunnel/VPN. This way, intermediate routers do not
see foreign source addresses and box B sends the reply traffic back to
box A regardless of the destination address. The advanced routing rule
may be based on the destination address (if the traffic is forwarded to
a specific address such as a private tunnel address), the protocol, the
destination port or a connection mark.
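The setup described in the reply, written out as an added example (this is not code from the mail or from either poster): a GRE tunnel between the two boxes, DNAT without MASQUERADE on box A, and policy routing on box B that returns the replies of forwarded connections through the tunnel. GRE is chosen here as the tunnel because it needs nothing beyond iproute2; if the path between the data centers is untrusted, a WireGuard or IPsec tunnel fits the same routing layout. All addresses, interface and table names, and the port are constructed for the example; the script assumes iptables, iproute2 and conntrack support on both boxes. Run with `DRY_RUN=1` to see the commands without applying them.

```shell
#!/bin/sh
# Added example (not from the original mail): DNAT on box A without
# MASQUERADE, a GRE tunnel carrying the forwarded traffic to box B, and
# policy routing on box B that sends the replies back through the tunnel.
#
# All values below are constructed for this example:
#   Box A public IP (old service address)   198.51.100.10
#   Box B public IP (tunnel endpoint)       203.0.113.20
#   Tunnel addresses                        A 10.99.0.1/30, B 10.99.0.2/30
#   Forwarded service                       TCP 443
# Run as root: "sh forward.sh a" on box A, "sh forward.sh b" on box B.
# Set DRY_RUN=1 to print the commands instead of executing them.
set -eu

A_PUBLIC=198.51.100.10
B_PUBLIC=203.0.113.20
A_TUN=10.99.0.1
B_TUN=10.99.0.2
TUN_IF=gre1
PORT=443
TABLE=100          # routing table used on box B for tunnel-bound replies
MARK=0x1           # connmark for the mark-based rule variant

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Box A: forward client traffic for A_PUBLIC:PORT to box B over the tunnel.
# No MASQUERADE, so box B sees the real client source address; the routers
# between A and B only ever see the outer GRE header (A_PUBLIC -> B_PUBLIC).
box_a_setup() {
    run ip tunnel add "$TUN_IF" mode gre local "$A_PUBLIC" remote "$B_PUBLIC" ttl 64
    run ip addr add "$A_TUN/30" dev "$TUN_IF"
    run ip link set "$TUN_IF" up
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite the destination only; the source address is left untouched.
    run iptables -t nat -A PREROUTING -d "$A_PUBLIC" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$B_TUN:$PORT"
    run iptables -A FORWARD -o "$TUN_IF" -d "$B_TUN" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # GRE adds 24 bytes of overhead; clamp the MSS so segments fit the tunnel.
    run iptables -t mangle -A FORWARD -o "$TUN_IF" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Box B: terminate the tunnel and route the replies of forwarded connections
# back through it, whatever the (public) client address is.
box_b_setup() {
    run ip tunnel add "$TUN_IF" mode gre local "$B_PUBLIC" remote "$A_PUBLIC" ttl 64
    run ip addr add "$B_TUN/30" dev "$TUN_IF"
    run ip link set "$TUN_IF" up
    # Packets arrive on the tunnel with arbitrary client source addresses whose
    # normal route points at the default interface; strict reverse-path
    # filtering would drop them, so use loose mode on the tunnel interface.
    run sysctl -w "net.ipv4.conf.$TUN_IF.rp_filter=2"

    # Table TABLE holds a single default route back through the tunnel.
    run ip route add default via "$A_TUN" dev "$TUN_IF" table "$TABLE"

    # Variant 1: the service is reached on the tunnel address, so every reply
    # carries that address as its source; select the table by source address.
    run ip rule add from "$B_TUN" lookup "$TABLE" priority 100

    # Variant 2 (connection mark, as the mail mentions): mark connections that
    # entered through the tunnel, restore the mark on locally generated
    # replies, and let an fwmark rule pick the table. This also works when
    # the service listens on a different address.
    run iptables -t mangle -A PREROUTING -i "$TUN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 101
}

case "${1:-}" in
    a) box_a_setup ;;
    b) box_b_setup ;;
    "") ;;   # no argument: only define the functions
    *) echo "usage: $0 a|b" >&2; exit 2 ;;
esac
```

The service on box B must listen on 10.99.0.2 (or on all addresses) for variant 1 to apply, since the rule keys on the reply's source address; variant 2 is the option when it does not. On box A, conntrack reverses the DNAT on the replies coming back through the tunnel, so the client sees them from 198.51.100.10 as before.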