Re: Help: Multiple internet connections

Linux Advanced Routing and Traffic Control

On Wed, 25 Sep 2002, David H. Lynch Jr. wrote:

>     Mostly things work, and I have read the
> http://lartc.org/howto/lartc.rpdb.multiple-links.html#AEN261 pages and
> implemented them.

*blink*, nice to hear that. :)

>     I appear to have full access to the extent that my iptables rules
> allow to any services running on the router/firewall.

Good.

>     I appear to have outgoing internet access NATed correctly and
> running the way I want.

Good.

>     However I have problems with the servers/services that are being
> DNATed to behind the firewall.

Not so good.

[snip]

> 	It is my guess that the inbound packet manages its way to my
> server just fine, but on the return trip it decides to head back out the
> cable modem as that is the best route back to the client, and since the
> client sees a response coming from the wrong source it discards it, but
> I could easily be wrong.

No, you are most probably right. Unfortunately, there is no real solution to
your problem, for as soon as the packet has been DNATed to the service behind
the firewall you lose all information as to which route the packet took to
get to your firewall. This means that any return packet can only take the
`obvious' short route directly to the remote machine, and not the
less-obvious route the long way round but with the correct source address.

> 	I believe I am only having problems with DNATed services behind
> the firewall, and I believe it is only when the client is local to the
> external interface opposite the one they are coming in on. But I could
> easily be wrong. Regardless, the problem is mostly reproducible - though
> it has been known to go away for days at a time on its own, and mostly
> limited to a small subset of all clients.

Sounds as if there's routes flapping for a subset of your clients.

I can see only one real solution: have some sort of application-level
proxies run on your firewall host to plug the connections through to the
services behind it. One way to do so would be to use socks in listening
mode. Another would be to use netcat...

Bye, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching
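
The return-path problem discussed in this thread (the reply to a DNATed connection is routed while its source is still the internal server address, because the DNAT is only reversed after the routing decision, so the source-based rules from the HOWTO cannot select the uplink it arrived on) is what the CONNMARK target in later netfilter versions addresses; the script below is an added example, not code from the thread or the HOWTO, that marks connections by arrival interface and routes replies by that mark. Interface names, gateway addresses and table numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): per-uplink connection marking so that
# replies to DNATed connections leave through the uplink they arrived on.
# The mark is restored in mangle/PREROUTING, i.e. before routing, which is
# where a source-address rule cannot help because the reply still carries
# the internal server address at that point.
# All names, addresses and table numbers are constructed placeholders
# (RFC 5737 documentation ranges).
IF1=eth1; GW1=192.0.2.1      # uplink 1, e.g. the DSL line
IF2=eth2; GW2=198.51.100.1   # uplink 2, e.g. the cable modem
LAN=eth0                     # interface towards the DNATed servers

# The functions print the commands instead of running them, so the rule set
# can be reviewed first; "sh thisfile --apply" executes them.
mark_rules() {
    # A new connection arriving on an uplink gets that uplink's number as
    # its connection mark; later packets of the connection inherit it.
    printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -j CONNMARK --set-mark 1\n' "$IF1"
    printf 'iptables -t mangle -A PREROUTING -i %s -m conntrack --ctstate NEW -j CONNMARK --set-mark 2\n' "$IF2"
    # Replies coming back from the LAN: copy the connection mark onto the
    # packet before the routing decision. LAN-originated connections are
    # unmarked (mark 0), so they keep using the existing source-based rules.
    printf 'iptables -t mangle -A PREROUTING -i %s -j CONNMARK --restore-mark\n' "$LAN"
}

route_rules() {
    # One routing table per uplink, selected by the restored fwmark. The
    # explicit prio makes these rules outrank the source-address rules.
    printf 'ip route add default via %s dev %s table 101\n' "$GW1" "$IF1"
    printf 'ip route add default via %s dev %s table 102\n' "$GW2" "$IF2"
    printf 'ip rule add fwmark 1 table 101 prio 100\n'
    printf 'ip rule add fwmark 2 table 102 prio 101\n'
    printf 'ip route flush cache\n'
}

if [ "${1:-}" = "--apply" ]; then
    { mark_rules; route_rules; } | sh -e
elif [ "${1:-}" = "--print" ]; then
    mark_rules
    route_rules
fi
```

Check with `ip rule show` and `iptables -t mangle -L PREROUTING -v` that the fwmark rules sit above the source-based ones and that the restore-mark counter increases when a DNATed service is accessed from the "wrong" uplink's side.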

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
