I am trying to set up a network that can accept TCP connections over two different ISP connections. The ultimate goal is to facilitate the migration from one ISP to another ISP. I decided to delve into the world of Linux Advanced Routing, so I pored over all of the documentation on the internet. I have it set up in what I believe to be the case where it should work, but I can't understand why it doesn't. Here is the drawing:

    -------------------------      -------------------------
    |     WAN Router 1      |      |     WAN Router 2      |
    -------------------------      -------------------------
                     \                /
                      \              /
                   ---------------------
                   |    WAN Switch     |
                   ---------------------
                      /              \
                     /                \
    -------------------------      -------------------------
    |      Firewall 1       |      |      Firewall 2       |
    -------------------------      -------------------------
                     \                /
                      \              /
                   -----------------------
                   |     DMZ Switch      |
                   -----------------------
                             |
                   *---*---*---*---*---*---*
                   |     Linux Router      |
                   *---*---*---*---*---*---*
                             |
                   ------------------------
                   |     Linux Server     |
                   ------------------------

Here is what I have going. The router has a single interface that I
have given an IP address in the network space assigned by each ISP. It is performing NAT using two DNAT iptables rules for the Linux Server that is sitting behind it. The Linux router takes $WAN1_IP -> 10.0.2.205 and takes $WAN2_IP -> 10.0.2.206. I then set up a second routing table so that I can have two default gateways, depending on which IP I want traffic to leave from. Here are the exact commands I have issued:

    # DNAT each public address to the server's corresponding internal address
    iptables -t nat -A PREROUTING -d $WAN1_IP -j DNAT --to-destination 10.0.2.205
    iptables -t nat -A PREROUTING -d $WAN2_IP -j DNAT --to-destination 10.0.2.206

    # copy every non-default route from the main table into table 4
    ip route show table main | grep -Ev '^default' \
        | while read ROUTE ; do
            ip route add table 4 $ROUTE
        done

    # one default gateway per table, and a rule selecting table 4 by source
    ip route add default via $FIREWALL2_IP
    ip route add default via $FIREWALL1_IP table 4
    ip rule add from $WAN1_SUBNET table 4

After completing this setup, I am able to run traceroute -s $WAN1_IP and see it go out the WAN1 side, and traceroute -s $WAN2_IP and see it go out WAN2.
I am also able to use the ip route get command, and everything works as I expect it to. My first failure occurred when I tried to create a TCP connection from the internet. It works coming in on $WAN2_IP and fails using $WAN1_IP. The problem is that when I watch a dump of the outgoing packets while trying to bring up a TCP connection to $WAN1_IP, I see the packets coming in and then I see the reply going out to the MAC address of $FIREWALL2 instead of the MAC address of $FIREWALL1 as it should, and thus the connection fails. Any ideas? Thanks in advance.

Bryan

Bryan Goodgion
Cognitive Solutions, Inc.
813.286.4000 ext 103
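To make the packet path concrete, here is an added example (not part of the original post) that models the router's inbound DNAT, the policy-routing lookup and the reverse NAT in the order the kernel applies them, using the post's rules and DNAT mappings. The IP addresses are constructed placeholders standing in for $WAN1_IP, $WAN2_IP and $WAN1_SUBNET, the names fw1/fw2 stand in for $FIREWALL1_IP/$FIREWALL2_IP, and RULES_KEYED_ON_INTERNAL is this example's own variant, added only to show what the lookup keys on.

```python
"""Model of the forwarding path for the dual-ISP router described in the post.

Netfilter applies connection NAT in this order:
  inbound SYN : nat PREROUTING (DNAT) -> route lookup -> FORWARD -> POSTROUTING
  reply       : PREROUTING -> route lookup -> FORWARD -> nat POSTROUTING (undo DNAT)
so the reply's route lookup still sees the server's internal source address.
All addresses below are constructed placeholders, not values from the post.
"""
import ipaddress

WAN1_IP, WAN2_IP = "198.51.100.10", "203.0.113.10"     # stand-ins for $WAN1_IP, $WAN2_IP
WAN1_SUBNET = "198.51.100.0/24"                        # stand-in for $WAN1_SUBNET
FIREWALL1, FIREWALL2 = "fw1", "fw2"                    # stand-ins for $FIREWALL1_IP, $FIREWALL2_IP
DNAT = {WAN1_IP: "10.0.2.205", WAN2_IP: "10.0.2.206"}  # the post's two DNAT rules

# `ip rule` database as (from-selector, table); each table holds one default gateway.
RULES_FROM_POST = [(WAN1_SUBNET, "table4"), ("0.0.0.0/0", "main")]
TABLES = {"table4": FIREWALL1, "main": FIREWALL2}
# Illustration only (this example's own variant): the same lookup keyed on the
# pre-NAT internal source address instead of the public subnet.
RULES_KEYED_ON_INTERNAL = [("10.0.2.205/32", "table4"), ("0.0.0.0/0", "main")]


def route_lookup(src, rules, tables):
    """Gateway selected by the first `ip rule from <prefix>` whose prefix contains src."""
    for prefix, table in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
            return tables[table]
    raise LookupError("no matching rule for %s" % src)


def reply_next_hop(public_dst, rules=RULES_FROM_POST, tables=TABLES):
    """Inbound SYN to public_dst; return (gateway the SYN-ACK leaves through, its source on the wire)."""
    internal = DNAT[public_dst]                        # nat PREROUTING: SYN now addressed to the server
    # The server answers; its SYN-ACK enters the router with src=internal, dst=remote client.
    gateway = route_lookup(internal, rules, tables)    # route lookup sees 10.0.2.x, not the WAN IP
    src_on_wire = public_dst                           # nat POSTROUTING: source rewritten back afterwards
    return gateway, src_on_wire


if __name__ == "__main__":
    for wan in (WAN1_IP, WAN2_IP):
        gw, src = reply_next_hop(wan)
        print("reply for %s leaves via %s with src %s" % (wan, gw, src))
    # Locally generated `traceroute -s $WAN1_IP` picks its source before the route lookup:
    print("traceroute -s %s goes via %s" % (WAN1_IP, route_lookup(WAN1_IP, RULES_FROM_POST, TABLES)))
```

Running it shows why a locally sourced traceroute matches the `from $WAN1_SUBNET` rule while a forwarded reply to $WAN1_IP does not: at lookup time the reply's source is still 10.0.2.205, so it falls through to the main table's default gateway.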