On Wed, Nov 20, 2002 at 05:45:29PM -0600, Martin A. Brown wrote:
> There's a problem with your solution!
>
> fwmark; transient
> - - - - - - - - - - -
> The structure of the packet as it passes through the firewall/router
> contains the fwmark. As soon as the packet leaves the box, it no longer
> has the fwmark.
>
> Your solution handles the packets inbound from the outside world, but
> neglects to handle the outbound packets from the internal network.
>
> SNAT; sets the correct source IP (for outbound connections)
> - - - - - - - - - - - - - - - -
> Even if using SNATs as you suggest, there is still no way to tell if a
> packet belongs to a session inbound over eth1 or eth2. This is the
> statelessness of IP routing!
>
> In order to make any recommendation, we would need to know what the IP
> address ranges are and specifically why/how Paco envisions using these
> two links.

Yes, true. I admit I didn't think long enough about it.

Well, actually, I think he just wants the packets coming in on eth1 to go out
eth1 again, and the same for eth2. Nothing more, nothing less.

I had kind of the same problem, but with the restriction that I had one
extranet device with a limited set of subnets, one internet device and one
LAN device, so it was easy because I could set proper routes for the
affected intranet subnets.

Well, anyway. I suggest setting up a virtual eth0:1 device. Packets from eth1
then leave at eth0:0 and packets from eth2 leave at eth0:1. Then he should be
able to set proper gateways and NATs for the eth0:x devices.

--
rob

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
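The thread above turns on two facts: the fwmark exists only inside the router, and plain IP routing cannot tell which uplink a session arrived on. The following is an added example, not code from rob's or Martin's posts, showing the standard LARTC way of making "in on eth1, out on eth1" hold without relying on the mark: each uplink gets its own routing table, selected by the packet's source address (which, unlike the fwmark, survives on the wire), and LAN-originated traffic is SNATed to the address of the uplink it leaves on so the return path is unambiguous. It uses the source-address rule approach rather than the eth0:1 alias rob suggests. Interface names, addresses, gateways, table ids and the LAN prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the list post. One routing table per uplink,
# selected by source address, plus SNAT for LAN traffic leaving each uplink.
# Interface names, addresses, gateways and table ids are constructed
# placeholders; adjust them to the real network.
#
# Why source-based selection works where fwmark does not: the fwmark lives
# only inside this box, but a reply to a session that arrived on eth1 is
# sourced from eth1's own address, and that address is visible to routing.

# Set RUN=echo to print the commands instead of executing them (dry run).
RUN="${RUN:-}"

# Bind one uplink to its own routing table.
# Usage: uplink_table <iface> <local-addr> <link-net/prefix> <gateway> <table-id>
uplink_table() {
    iface="$1"; src="$2"; net="$3"; gw="$4"; table="$5"
    # The link's connected route and a default route, both in the private table.
    $RUN ip route add "$net" dev "$iface" src "$src" table "$table"
    $RUN ip route add default via "$gw" dev "$iface" table "$table"
    # Anything sourced from this uplink's address consults that table first,
    # so replies to inbound sessions go back out the interface they came in on.
    $RUN ip rule add from "$src" table "$table"
}

# Rewrite the source of LAN traffic leaving via an uplink to that uplink's
# address; the reply then matches the rule above and returns the same way.
# Usage: uplink_snat <iface> <local-addr> <lan-net/prefix>
uplink_snat() {
    iface="$1"; src="$2"; lan="$3"
    $RUN iptables -t nat -A POSTROUTING -s "$lan" -o "$iface" -j SNAT --to-source "$src"
}

# Apply the whole configuration for two uplinks (constructed addresses).
configure_uplinks() {
    uplink_table eth1 203.0.113.10 203.0.113.0/24 203.0.113.1 101
    uplink_table eth2 198.51.100.10 198.51.100.0/24 198.51.100.1 102
    uplink_snat eth1 203.0.113.10 192.168.1.0/24
    uplink_snat eth2 198.51.100.10 192.168.1.0/24
    # The main table keeps the normal default route for locally originated
    # traffic; flush the route cache so the new rules take effect at once.
    $RUN ip route flush cache
}

# Only touch the live system when explicitly asked; sourcing this file with
# RUN=echo is a safe dry run.
if [ "${1:-}" = "apply" ]; then
    configure_uplinks
fi
```

Run it as `RUN=echo sh uplinks.sh apply` first to review the generated `ip` and `iptables` commands, then without `RUN` to apply them. Which uplink a LAN host's new outbound connection takes is still decided by the main table's default route (or by whatever rule you add in front of these); the tables above only guarantee that once a session is bound to an uplink, both directions stay on it.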