On Fri, 2002-11-22 at 04:41, Andreas Hasenack wrote:
> On Thu, Nov 21, 2002 at 04:06:26PM -0800, William L. Thomson Jr. wrote:
> > Not necessarily. I have two lines going in completely different
> > directions, different private nets, and then via different ISP/Public
> > IPs.
>
> Do you have public servers that are accessed from the outside?

Yes, that's basically all I have. I have three lines, two 1.1Mbps SDSL and one ADSL. My ADSL line is for surfing, and is my main inbound line for normal office traffic. My SDSL lines handle all requests to and from my public servers. So most of the traffic is initiated from the outside. Very little inbound traffic, mostly a lot of outbound.

> How do you respond to requests coming down one link? I suppose via the
> same link, or using SNAT, otherwise you would have packets with a source
> IP from ISP1 traveling through the link to ISP2, right?

That's where it gets a little crazy. Each SDSL line terminates in a router that performs PAT. From the two SDSL routers doing PAT, the requests then make it to the Linux router, which does a second round of PAT, or DPAT. Now when inbound requests leave, they get SPAT as they leave the Linux router heading for the SDSL routers, to be PAT again back to public IPs. A little excessive, but having two firewalls back to back on either connection is nice. Pretty damn hard to get any packet through both that is not supposed to be going through them.

Now the hardest part for me to grasp was how ipchains is able to take a single internal IP and convert it into two different internal/external IPs. Internal in my case, since I do not use public IPs until hitting and leaving the SDSL routers. There is a particular rule that does this, but I have not found an equivalent using iptables. Although I am sure one exists, or hope one does. Now this is also where Julian's patches came into play.

By using NAT and Julian's patches, the NAT cache is looked at, so the choice of what IP to map the server's IP to is based on the cache. If there is nothing there in the cache, then it goes to the multipath route. Sounds simple, but was a pain for me to grasp and get working. But it has been working perfectly ever since, or at least as good as can be expected, since I have not implemented true dead gateway detection, nor have I dialed things in specifically with cache timeouts, gcs, etc.

--
Sincerely,
William L. Thomson Jr.
Support Group
Obsidian-Studios Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
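The per-link reply routing the message describes (answer on the link the request arrived on, with the router's single internal address rewritten differently per egress link, and a multipath default for traffic nobody has marked), as an added example that is not the author's configuration: it uses netfilter CONNMARK and iproute2 policy routing as found in later 2.4/2.6 kernels rather than ipchains or Julian's NAT-cache patches. Interface names, addresses, the server address and the table numbers are all assumed; it runs with IPT=echo IP=echo to print the rules without touching the system.

```shell
#!/bin/sh
# Dual-uplink reply routing with CONNMARK. Added example, not the author's setup.
# Assumed topology: eth0 = LAN holding the public server, eth1/eth2 = links to the
# two SDSL routers (which do their own PAT). All addresses below are made up.
set -eu

IPT=${IPT:-iptables}   # set IPT=echo IP=echo to dry-run and just print the commands
IP=${IP:-ip}

LAN_IF=eth0; SERVER=10.0.0.10
ISP1_IF=eth1; ISP1_GW=192.168.1.1; ISP1_ADDR=192.168.1.2; ISP1_TABLE=101
ISP2_IF=eth2; ISP2_GW=192.168.2.1; ISP2_ADDR=192.168.2.2; ISP2_TABLE=102

# One uplink: its own routing table, a fwmark rule pointing at it, ingress marking,
# DNAT of inbound requests to the server, and SNAT so the router's one internal
# address is rewritten to this link's address on the way out.
setup_link() {  # $1 mark  $2 iface  $3 gateway  $4 addr  $5 table
    $IP route replace default via "$3" dev "$2" table "$5"
    $IP rule add fwmark "$1" lookup "$5" priority "$((1000 + $1))"
    # New connections arriving on this link: remember the link in the conntrack mark.
    $IPT -t mangle -A PREROUTING -i "$2" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$1"
    # Inbound HTTP on this link goes to the server (the second round of PAT).
    $IPT -t nat -A PREROUTING -i "$2" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER"
    # Anything leaving via this link carries this link's source address.
    $IPT -t nat -A POSTROUTING -o "$2" -j SNAT --to-source "$4"
}

apply_policy_routing() {
    # Server replies entering on the LAN side get the mark saved on their
    # connection, so the fwmark rules send them back out the link the request used.
    $IPT -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    setup_link 1 "$ISP1_IF" "$ISP1_GW" "$ISP1_ADDR" "$ISP1_TABLE"
    setup_link 2 "$ISP2_IF" "$ISP2_GW" "$ISP2_ADDR" "$ISP2_TABLE"
    # Unmarked traffic (LAN-initiated outbound) is spread over both links; the
    # SNAT rules above then pick the matching source address per egress link.
    $IP route replace default scope global \
        nexthop via "$ISP1_GW" dev "$ISP1_IF" weight 1 \
        nexthop via "$ISP2_GW" dev "$ISP2_IF" weight 1
    # Only the DNAT'd service and established flows may cross the router.
    $IPT -A FORWARD -d "$SERVER" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in apply) apply_policy_routing ;; esac
```

Dead gateway detection is not covered here: if one SDSL router goes down, the multipath route keeps handing it new connections until the stale nexthop is removed.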