Hi Robert,
--On 10. August 2008 13:56:22 -0400 Robert Spangler
<mlists@xxxxxxxxxxxxxxxx> wrote:
- snip -
OK, I don't know this tool you are using to sync the conntracking of all
the firewalls. Could you post a link to it?
Yes, of course:
<http://www.netfilter.org/projects/conntrack-tools/index.html>
Now for the fun stuff. Why would you have many Internet connections that
do not return on the same path they go out on? Sounds like you really only
have one true connection with one true IP to the Internet. That would
explain why traffic leaving on interface 2 comes back on interface 1.
It is two routers that are connected to 2 upstream routers; all four use
OSPFv2 for routing between them.
I have not fine-tuned OSPF so far to avoid asynchronous routing - I want to
do the connection table synchronization stuff before, because I have to
do it anyway (in case of a router crash) and now I have an ideal testbed
(because of the asynchronous routing).
Without knowing your setup I'm not going to guess at this.
The setup is as follows: every router has
- an external interface with a public IP address, each resting in a small
  separate subnet that connects to the upstream router
- an interface for inter-router connections (private IP addresses)
- 2 additional interfaces to server LANs - both routers have an interface
  to both of the 2 server LANs
Both server LAN interfaces additionally use shared virtual IPs.
If you need more detailed information I could offer the OSPF configuration
(XORP).
Here is the configuration for conntrackd (I have omitted buffer sizes
etc.):
Sync {
    Mode FTFW {
        ResendBufferSize 262144
        CommitTimeout 180
        ACKWindowSize 20
    }
    Multicast {
        IPv4_address 225.0.0.50
        IPv4_interface 192.168.11.1
        Interface eth1
        Group 3780
    }
    Checksum on
    CacheWriteThrough On
}
General {
    HashSize 8192
    HashLimit 65535
    - snip -
IgnoreTrafficFor {
    IPv4_address INTER_ROUTER_INTERFACE
    IPv4_address EXTERNAL_INTERFACE
    IPv4_address INTERNAL_INTERFACE1
    IPv4_address INTERNAL_VIRTUAL_IP
    IPv4_address INTERNAL_INTERFACE2
}
IgnoreProtocol {
    IGMP
    VRRP
}
The setup works - using "conntrackd -e" I can see the connection table
entries the other router's conntrackd has synchronized. What I cannot check
is whether the receiving conntrackd writes the received entries into the
kernel's connection tracking table.
Example:
udp 17 30 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] [active since 6s]
tcp 6 120 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] [active since 46s]
So I hope to find someone on the list who has done this kind of setup before.
Thanks for your interest so far.
Dirk
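One way to answer the open question above (whether entries seen in "conntrackd -e" actually reach the kernel table) is to diff the external cache dump against "conntrack -L". The script below is an added example, not part of the thread or of conntrack-tools; the two sample dumps are constructed, and it assumes the default "proto protonum timeout ... src= dst= sport= dport=" line layout both tools print.

```shell
#!/bin/sh
# Added example, not from the original thread: compare the flows conntrackd
# holds in its external cache ("conntrackd -e") with the kernel's own table
# ("conntrack -L") to see which synchronized entries never reached the kernel.
# Both dumps are reduced to the original-direction 4-tuple, so timeouts, TCP
# state and the reply tuple that conntrack -L also prints do not affect matching.

# Reduce a conntrack-style dump (stdin) to one "proto src dst sport dport" line
# per flow. Only the first src/dst/sport/dport seen on a line is used, i.e. the
# original direction; the reply tuple conntrack -L appends is ignored.
flow_keys() {
    LC_ALL=C awk '
        /^(tcp|udp)/ {
            split("", t)                      # clear per-line field table
            for (i = 2; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && !(kv[1] in t)) t[kv[1]] = kv[2]
            }
            print $1, t["src"], t["dst"], t["sport"], t["dport"]
        }' | LC_ALL=C sort -u
}

# Print the flows present in the external cache dump ($1) but absent from the
# kernel table dump ($2). Empty output means every synced entry is in the kernel.
missing_in_kernel() {
    ext_tmp=$(mktemp) || return 1
    ker_tmp=$(mktemp) || { rm -f "$ext_tmp"; return 1; }
    printf '%s\n' "$1" | flow_keys > "$ext_tmp"
    printf '%s\n' "$2" | flow_keys > "$ker_tmp"
    LC_ALL=C comm -23 "$ext_tmp" "$ker_tmp"   # lines only in the first file
    rm -f "$ext_tmp" "$ker_tmp"
}

# Constructed sample dumps (not captured from the routers in the thread). The
# external cache holds both flows from the mail; the kernel table has only the
# UDP one, printed the way conntrack -L does, with the reply tuple appended.
EXT_CACHE='udp 17 30 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] [active since 6s]
tcp 6 120 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] [active since 46s]'

KERNEL_TABLE='udp      17 25 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] src=93.94.81.82 dst=124.165.230.206 sport=1434 dport=2040 mark=0 use=1'

# On a real router this would be:
#   missing_in_kernel "$(conntrackd -e)" "$(conntrack -L 2>/dev/null)"
missing_in_kernel "$EXT_CACHE" "$KERNEL_TABLE"
```

With the sample input it prints only the TCP flow, which is the one the kernel dump lacks.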
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos