I have a problem. Maybe there is someone here who has encountered the following problem.
I have a router which is connected to 2 ISPs on the external side and has one internal LAN interface. The peculiarity is that one ISP allocates the subnet xxx.xxx.xxx.160/28 to me, but I split it into two subnets, xxx.xxx.xxx.160/29 and xxx.xxx.xxx.168/29, and assign the latter to the internal interface. I have also set up DNAT+SNAT so that all Internet requests are DNATted to, and SNATted from, xxx.xxx.xxx.170 (which is a second firewall running Microsoft ISA). So
ip route list:
y.y.y.96/30 dev eth1 proto kernel scope link src y.y.y.98
x.x.x.168/29 dev eth0 proto kernel scope link src x.x.x.169
x.x.x.160/29 dev eth2 proto kernel scope link src x.x.x.162
Also, load balancing between eth1 and eth2 is set up with the 'ip' tool:
ip route list table 222
default table 222 proto static nexthop via y.y.y.97 dev eth1 weight 1
nexthop via x.x.x.161 dev eth2 weight 10
SNAT was set to (SNAT rules are appended with -A, not listed with -L, and SNAT takes --to-source):
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source x.x.x.162
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source y.y.y.98
But now I have to establish a VPN channel connecting a given external machine with a known IP (z.z.z.z) to my ISA firewall, avoiding NAT. I have tried to implement it this way:
ip route list:
y.y.y.96/30 dev eth1 proto kernel scope link src y.y.y.98
x.x.x.168/29 dev eth0 proto kernel scope link src x.x.x.169
x.x.x.160/28 dev eth2 proto kernel scope link src x.x.x.162
and SNAT is set to (negation goes before the option in current iptables syntax, and SNAT takes --to-source):
iptables -t nat -A POSTROUTING -o eth2 ! -d z.z.z.z -j SNAT --to-source x.x.x.162
But when I try to access, for example, the x.x.x.170 address from z.z.z.z, it does not reply.
Where is the mistake?
-- Nikita Vinokurov
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
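The following is an added example, not the poster's configuration or anything from the LARTC list: a small Python model of the routing table and SNAT rules as posted, so the path and source address that a given flow gets can be checked by hand before touching the router. The real prefixes are masked in the post, so RFC 5737 documentation ranges stand in for x.x.x.x, y.y.y.y and z.z.z.z (assumed values). It also assumes the original eth1 SNAT rule is still loaded alongside the modified eth2 rule, and it simplifies the kernel's multipath nexthop selection to a weighted slot lookup on a flow hash.

```python
"""Constructed model of the poster's route + SNAT setup (added example, not
the poster's own code).  Addresses are RFC 5737 documentation ranges standing
in for the masked x.x.x.x / y.y.y.y / z.z.z.z of the post."""
import ipaddress

X = "198.51.100"      # x.x.x.x  (ISP-assigned /28, split into two /29s)
Y = "203.0.113"       # y.y.y.y  (second ISP's /30)
Z = "192.0.2.10"      # z.z.z.z  (remote VPN peer)
ISA = f"{X}.170"      # the ISA firewall behind eth0

# Main table as in the second "ip route list" of the post (eth2 widened to /28).
MAIN = [
    (ipaddress.ip_network(f"{Y}.96/30"),  "eth1"),
    (ipaddress.ip_network(f"{X}.168/29"), "eth0"),
    (ipaddress.ip_network(f"{X}.160/28"), "eth2"),
]

# Table 222's weighted multipath default route: eth1 weight 1, eth2 weight 10.
MULTIPATH = [("eth1", 1), ("eth2", 10)]

# POSTROUTING SNAT rules.  The eth2 rule carries the "! -d z.z.z.z" exclusion
# from the post; the eth1 rule is ASSUMED to still be present from the
# original setup (the post does not say whether it was removed).
SNAT = [
    {"out": "eth2", "exclude_dst": ipaddress.ip_address(Z), "to": f"{X}.162"},
    {"out": "eth1", "exclude_dst": None,                    "to": f"{Y}.98"},
]


def route(dst, flow_hash=0):
    """Longest-prefix match in MAIN, falling through to the weighted
    multipath default.  flow_hash stands in for the kernel's per-flow
    nexthop hashing (simplification: slot = hash mod total weight)."""
    dst = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, dev) for net, dev in MAIN if dst in net]
    if hits:
        return max(hits)[1]            # most specific prefix wins
    total = sum(w for _, w in MULTIPATH)
    slot = flow_hash % total
    for dev, weight in MULTIPATH:
        if slot < weight:
            return dev
        slot -= weight
    raise AssertionError("unreachable: slot exceeds total weight")


def snat(out_dev, src, dst):
    """Apply the first matching POSTROUTING rule (-j SNAT is terminating)."""
    dst = ipaddress.ip_address(dst)
    for rule in SNAT:
        if rule["out"] != out_dev:
            continue
        if rule["exclude_dst"] is not None and dst == rule["exclude_dst"]:
            continue                   # "! -d z.z.z.z" skips this rule
        return rule["to"]
    return src                         # no rule: source left untouched


def new_connection(src, dst, flow_hash=0):
    """(egress device, source address as seen by dst) for a NEW connection.
    The nat table is consulted only for the first packet of a connection;
    conntrack rewrites the replies from that decision, so reply packets
    never re-evaluate the SNAT rules."""
    dev = route(dst, flow_hash)
    return dev, snat(dev, src, dst)


if __name__ == "__main__":
    print("z -> ISA:", new_connection(Z, ISA))
    for h in (0, 5):
        print(f"ISA -> z (hash {h}):", new_connection(ISA, Z, flow_hash=h))
```

Connections initiated by the remote peer land on eth0 via the more specific /29 and are never SNATted, while connections initiated from the ISA side towards z.z.z.z come out of whichever nexthop the multipath hash picks, and only the eth2 rule carries the exclusion.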