Re: 2 DSL link, DNAT & SNAT

Linux Advanced Routing and Traffic Control

I can suggest two different addresses on SRV_XP: external1 > DNAT to internal1 & external2 > DNAT to internal2, and two ip rules.
Tell me how this goes, as I am involved in a similar project right now.


----- Original Message ----- 
From: "Sandro Dentella" <sandro@xxxxxxxx>
To: "lartc" <lartc@xxxxxxxxxxxxxxx>
Sent: Thursday, September 30, 2004 11:54 AM
Subject:  2 DSL link, DNAT & SNAT


> Sorry for the long description of the problem, I'd like to know if I
> misunderstand something or if I meet an intrinsic limit of my setup.
> 
> 
> 217.58.51.162  HDSL eth1 -            SRV_XP: 192.168.254.10   
>                     eth0: 192.168.254.1 -----+------------------+-------  
> 81.121.243.250 ADSL eth3 -
> 
> 
>   I want to allow incoming pptp request (port 1723) to be forwarded to
>   srv_xp (.10) both coming from ADSL & HDSL. From HDSL everything works
>   (note rule with prio 38) ADSL does not. From ADSL I can reach SRV_XP only
>   if I eliminate rule 38, but at that moment I cannot enter from HDSL...
> 
> 
>   My setup
> 
>      + ip tables hdsl & adsl for the 2 dsl lines, 
>   0:      from all lookup local 
>   30:     from all fwmark        3 lookup hdsl 
>   38:     from 192.168.254.10 lookup hdsl   <<== NOTE this
>   40:     from 217.58.51.160/27 lookup hdsl 
>   41:     from 81.121.243.248/30 lookup adsl 
>   52:     from all iif eth0 lookup adsl 
>   53:     from all iif eth2 lookup adsl 
>   32766:  from all lookup main 
>   32767:  from all lookup default 
>      + hdsl table has default gw to HDSL line
>      + adsl table has default gw to ADSL line
>      
>      + DNAT & SNAT occurring from both dsl lines
> 
>    Chain PREROUTING  
>    DNAT tcp  0.0.0.0/0  81.121.243.250   tcp dpt:1723 to:192.168.254.10 
>    DNAT tcp  0.0.0.0/0  217.58.51.162    tcp dpt:1723 to:192.168.254.10 
>        
>    Chain POSTROUTING 
>    SNAT all  --  *      eth1    0.0.0.0/0    0.0.0.0/0    to:217.58.51.162 
>    SNAT all  --  *      eth3    0.0.0.0/0    0.0.0.0/0    to:81.121.243.250 
>    SNAT tcp  --  *      eth0    0.0.0.0/0 192.168.254.10  tcp dpt:1723 to:192.168.254.1 
>    [mangling occurs only on ports 3085, 5405, 5421 so that rule 30 (fwmark) 
>    does nothing here. ]
> 
> 
> 
>    I guess the problem is the routing table of the packet coming back from
>    SRV_XP: the ack packet does take a routing table different from the 1st
>    incoming packet. 
> 
>    I added SNAT thinking it would avoid asymmetric routing (incoming via adsl, out
>    via hdsl), but I'm not sure it works this way. What happens to an ACK
>    packet? Does the kernel use the routing table it arrived with or
>    recompute it after it realizes it is RELATED to a connection already open?
>    Is this a question for this list or for netfilter list? ;-)
> 
> 
>    Thanks for any hint for a clean solution.
> 
>    sandro
>    *:-)
> 
> 
> -- 
> Sandro Dentella  *:-)
> e-mail: sandro@xxxxxxxx 
> http://www.tksql.org                    TkSQL Home page - My GPL work
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
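The two-address approach from the reply, written out as an added example; this is not code from either poster. The public and internal addresses are the ones in the original post, while the second SRV_XP address 192.168.254.11 and the priority 39 for the second rule are assumptions. Why it works: when the kernel makes the routing decision for SRV_XP's reply, the DNAT has not been reversed yet (netfilter undoes it in POSTROUTING), so the reply still carries the internal source address. Giving each line its own internal address lets a "from <internal> lookup <table>" rule send each reply back out the link it arrived on, whereas the single rule 38 in the post sends every reply, ADSL ones included, through HDSL. The per-link SNAT rules on eth1 and eth3 from the post are left as they are.

```sh
#!/bin/sh
# Added example for the two-address suggestion; not code from the thread.
# Addresses follow the original post. SRV_XP's second internal address
# (192.168.254.11) and rule priority 39 are assumptions.

HDSL_PUB=217.58.51.162    # public address on eth1 (HDSL)
ADSL_PUB=81.121.243.250   # public address on eth3 (ADSL)
HDSL_INT=192.168.254.10   # SRV_XP address that HDSL clients are DNATed to
ADSL_INT=192.168.254.11   # second SRV_XP address for ADSL clients (assumed)
PORT=1723                 # pptp control connection

# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# change can be reviewed first; run with DRY_RUN=0 as root to apply it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$@"
    else
        "$@"
    fi
}

# pin_path PUBLIC INTERNAL TABLE PRIO
# Map one public address to one internal address, and send the replies that
# SRV_XP emits from that internal address out through TABLE's default route.
pin_path() {
    pub=$1 int=$2 table=$3 prio=$4
    # inbound: PUBLIC:1723 -> INTERNAL:1723
    run iptables -t nat -A PREROUTING -p tcp -d "$pub" --dport "$PORT" \
        -j DNAT --to-destination "$int"
    # replies are routed before the DNAT is reversed, so they still carry
    # the internal source address; key the rule on that address
    run ip rule add from "$int" lookup "$table" prio "$prio"
}

# These two rules replace the single "from 192.168.254.10 lookup hdsl" rule
# at priority 38 in the post, which pushed every reply out via HDSL.
apply_all() {
    pin_path "$HDSL_PUB" "$HDSL_INT" hdsl 38
    pin_path "$ADSL_PUB" "$ADSL_INT" adsl 39
}

apply_all
```

Run it once without arguments to see the four commands it would issue; the ip rules sit at 38 and 39, ahead of the per-subnet rules at 40 and 41, so the ordering of the rest of the rule list in the post does not change.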



