routing via uplink based on source lan?

Linux Advanced Routing and Traffic Control

I've got a rather complex beast of a network that I've being trying to get 
properly routed for some time now.  I've come really close, in that inbound 
traffic gets where it's supposed to, and outbound traffic goes where it's 
supposed to, but outbound packets are all apparently going over the wrong 
link.

The system is currently configured as a "router on a stick" using a VLAN 
trunk over GigE to a managed switch.  For various reasons, we require 
certain network segments to be fully routed through specific uplink 
providers.

To the best of my ASCII Network Diagramming abilities, this is how it's all 
wired up:

              +---------------------------+
LAN 1 --------|-- eth0.1 --\              |
              |             \-- eth0.11 --|------- T-1 Provider 1
LAN 2 --------|-- eth0.2 --\              |
              |             \-- eth0.12 --|------- T-1 Provider 2
LAN N --------|-- eth0.N ---/             |
              +---------------------------+
                 Linux 2.4 firewall/router

Basically, I need outbound traffic from LAN 1 to always go via Provider 1 
and LAN 2-N through Provider 2.

I followed the directions from the LARTC HowTo in section 4.2, but all my 
outbound traffic is still going via Provider 1, and none through Provider 
2.

I've set up additional routing tables for each provider, plus a fourth 
routing table to handle traffic that needs to go over the IPSec links to 
remote offices.

I've created a shell script that should be generating all the proper 
commands, just like in the HowTo (only more of them, since we're also 
NAT'ing a large number of hosts, too...)

I'm really wondering, though, how much of this is due to the fact that we're 
NAT'ing hosts.  Servers are done with full NAT, desktops are all MASQ'ed to 
the firewall/router's external IP address.

Am I falling victim to interplay between routing and NAT?  All my routing 
tables and rules are using the post-NAT IP addresses as the "from" spec, 
since I've been told that routing decisions are all made post-NAT.

Should I be using pre-NAT IP addresses?  Should I ditch NAT entirely and 
configure all the Internet-accessible systems with real external IP 
addresses and switch the firewall away from NAT and use proxyarp instead 
(which would probably solve some confusion but possibly introduce even more 
routing issues?)  Would it be better to completely separate firewalling 
from routing?

I'm more than a little confused.  Both the script that generates the routes 
and rules, as well as the actual commands generated by the script (since a 
lot of it depends on the live state of the machine) can be furnished upon 
request, and any help is greatly appreciated.

TIA,

Gregory

-- 
Gregory K. Ruiz-Ade <gkade@xxxxxxxxxxxxxx>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu
_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
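Editor's note, as an added example that is not the poster's script and not code from the LARTC HOWTO: the sketch below generates the LARTC section 4.2 setup for the two-provider diagram above. All addresses, interface-to-table assignments and rule preferences are constructed for illustration. The caveat a practitioner wants here concerns the ordering the poster asks about: for forwarded packets the routing decision (and therefore the "ip rule from" match) happens after PREROUTING, where DNAT lives, but before POSTROUTING, where SNAT and MASQUERADE are applied. The source address the rules see is thus the LAN (pre-SNAT) address. A rule keyed on the router's public address only matches router-originated traffic, and forwarded LAN traffic falls through to the main table's default route, which would send everything via the first provider.

```shell
#!/bin/sh
# Added example: generator for a per-provider policy-routing setup.
# All addressing below is constructed for illustration (TEST-NET ranges),
# not taken from the post. Run with DRY_RUN=0 as root to apply for real.

LAN1_NET=192.168.1.0/24
LAN1_IF=eth0.1
LAN2_NET=192.168.2.0/24
LAN2_IF=eth0.2
P1_IF=eth0.11
P1_NET=203.0.113.0/30
P1_IP=203.0.113.2
P1_GW=203.0.113.1
P2_IF=eth0.12
P2_NET=198.51.100.0/30
P2_IP=198.51.100.2
P2_GW=198.51.100.1

# run: print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

policy_routes() {
    # One table per provider: the link's own prefix plus a default route.
    run ip route add "$P1_NET" dev "$P1_IF" src "$P1_IP" table 1
    run ip route add default via "$P1_GW" dev "$P1_IF" table 1
    run ip route add "$P2_NET" dev "$P2_IF" src "$P2_IP" table 2
    run ip route add default via "$P2_GW" dev "$P2_IF" table 2
    # Each table must also know the LANs, or replies never find their way back.
    for t in 1 2; do
        run ip route add "$LAN1_NET" dev "$LAN1_IF" table "$t"
        run ip route add "$LAN2_NET" dev "$LAN2_IF" table "$t"
    done
    # Main table keeps a default via provider 1 for anything unmatched.
    run ip route add default via "$P1_GW" dev "$P1_IF"
    # Source rules are keyed on the LAN prefixes: that is the source address
    # the routing code sees for forwarded traffic, since SNAT/MASQUERADE run
    # later in POSTROUTING. The last two rules cover router-originated traffic
    # that was bound to a provider address.
    run ip rule add from "$LAN1_NET" lookup 1 pref 100
    run ip rule add from "$LAN2_NET" lookup 2 pref 101
    run ip rule add from "$P1_IP" lookup 1 pref 110
    run ip rule add from "$P2_IP" lookup 2 pref 111
    run ip route flush cache
}

nat_rules() {
    # SNAT is applied in POSTROUTING, after the route (and so the outgoing
    # interface) is known; key it on -o so each link uses its own address.
    run iptables -t nat -A POSTROUTING -o "$P1_IF" -j SNAT --to-source "$P1_IP"
    run iptables -t nat -A POSTROUTING -o "$P2_IF" -j SNAT --to-source "$P2_IP"
}

# check_path: ask the kernel which way a packet from a LAN host would go,
# as seen before NAT. Arguments: LAN host address, its ingress interface.
check_path() {
    run ip route get 192.0.2.1 from "$1" iif "$2"
}

policy_routes
nat_rules
check_path 192.168.2.10 "$LAN2_IF"
```

The check at the end is the quick test for the symptom described above: with DRY_RUN=0, "ip route get" for a LAN 2 host should report the provider 2 interface; if it reports provider 1, the rule set is not matching the pre-NAT source and the main table's default is being used.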
