[LARTC] Enabling source routing to force packets back through router?

Linux Advanced Routing and Traffic Control


Hi all.  I am hoping somebody here has a bright idea how to solve my
problem.  I have several solutions that I have come up with but don't
like for various reasons.

I have this scenario:


        Internet
       /        \
      |          |
      R1         R2
      |          |
      |          |
      +----+-----+
           |
           |---------Lan via switches/hubs
           |
   Wan-----R3

Where currently, routers R2 and R3 are in place.  R3 (legacy router)
is the default route for all of the hosts on the Lan.  When traffic is
Wan-bound it routes it to the Wan, but otherwise default routes to R2,
which default routes to the Internet.

I am adding a new Linux-based Internet router, R1 (different provider)
which is going to have specific Internet uses (vs. R2 which is for
general Internet use).

Lan is RFC1812 space and both R2 and R1 provide NAT services.

If R1 provides an "inbound" NAT service of some kind (i.e. Internet
user gets NATted to Lan host), obviously I need to make sure those
inbound-NATted packets from the Lan hosts are routed back through R1.
Also, if R1 provides IPSEC tunnelling for Internet users (where an
Internet IPSEC user is a single IP address, not a network), I need to
ensure packets that came in on the IPSEC tunnel go back out on the
tunnel, via R1.

To solve, I have thought that I could:

1. Leave R3 as Lan default route.  Have R3 default route to R1, and
   have R1 route all traffic that is not part of "sessions" through
   R1 to R2.

   This makes R1 a very bad single point of failure, as well as
   increasing traffic loads unnecessarily.

2. Have R1 add source routes to traffic heading for the Lan.  Source
   routing would be dis-allowed on the Internet interface of R1, but
   R1 would add itself as a source-routing hop for traffic which
   successfully passes through it to the Lan.

3. Do some kind of IP-in-IP tunnelling between R1 and R3.  Seems
   over-complicated.

I am not sure how to do #2, or if it can even be done.

Any other suggestions would be much welcome.

Thanx,
b.

-- 
Brian J. Murrell

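Added example, not from the post above or from the LARTC project. It shows the approach a practitioner would usually reach for in this topology when R3 cannot be changed: R1 performs the inbound DNAT (or IPsec decapsulation) and, on the same connection, SNATs the packet to its own LAN-side address before it leaves the LAN interface. The LAN host then answers R1 directly on the shared segment, so its default route through R3 and R2 is never consulted, and R1's conntrack entry reverses both translations on the reply. Everything below is assumed for illustration: interface names `eth0`/`eth1`, R1's LAN address `192.168.1.1`, the published host `192.168.1.10` on TCP/443. The trade-off is that the LAN host sees `192.168.1.1` as the client, not the real Internet or IPsec peer. Option 2 from the post (adding a source-route option to the packet) is best avoided even if it could be made to work: Linux drops source-routed packets unless `net.ipv4.conf.*.accept_source_route` is enabled, and enabling it on a router is a classic spoofing and firewall-bypass vector.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed addressing (hypothetical):
#   R1 Internet side: eth0            R1 LAN side: eth1, address 192.168.1.1
#   LAN host reached by inbound NAT:  192.168.1.10 (TCP/443 published on R1)
# By default the commands are only printed; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Inside-SNAT on R1: every connection R1 hands to the LAN (inbound DNAT or a
# decrypted IPsec tunnel) is also SNATted to R1's own LAN address on the way
# out of eth1.  The LAN host answers 192.168.1.1 directly on the same segment,
# so its default route (R3 -> R2) is never consulted; the reply hits R1's
# conntrack entry, which undoes both translations.  R3 and the hosts need no
# changes; the cost is that the host sees 192.168.1.1 instead of the real peer.
r1_inside_nat() {
    # 1. Publish the LAN service: Internet -> R1 public side -> LAN host.
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 \
        -j DNAT --to-destination 192.168.1.10

    # 2. Rewrite the source of that same connection to R1's LAN address.
    #    nat POSTROUTING sees the post-DNAT destination, so matching on
    #    192.168.1.10:443 selects exactly the connections from step 1.
    $IPT -t nat -A POSTROUTING -o eth1 -d 192.168.1.10 -p tcp --dport 443 \
        -j SNAT --to-source 192.168.1.1

    # 3. IPsec: packets decrypted from a tunnel carry an inbound xfrm policy.
    #    The policy match with --dir in is only valid in PREROUTING/INPUT/
    #    FORWARD, so mark the packet there and let POSTROUTING act on the mark.
    $IPT -t mangle -A PREROUTING -i eth0 -m policy --dir in --pol ipsec \
        -j MARK --set-mark 0x1
    $IPT -t nat -A POSTROUTING -o eth1 -m mark --mark 0x1 \
        -j SNAT --to-source 192.168.1.1
}

# Let only the translated traffic through the filter table (R1's FORWARD
# chain is assumed to default to DROP).
r1_forward_filter() {
    $IPT -A FORWARD -i eth0 -o eth1 -d 192.168.1.10 -p tcp --dport 443 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i eth0 -o eth1 -m policy --dir in --pol ipsec -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

r1_inside_nat
r1_forward_filter
```

After applying with `IPT=iptables`, `iptables -t nat -L POSTROUTING -n -v` should show the SNAT counters climbing as inbound connections are answered; if the LAN host's logs must keep the real client address, this approach is the wrong one and the LAN's default router has to learn to send those replies to R1 instead.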

