On Wed, May 11, 2005 at 08:00:30AM +0200, Hamish Whittal wrote:
> Hi all,
> I have the following configuration:
> _______
> +------------+ /
> diginet link | | |
> +-------------+ Provider 1 +-------
> __ | | | /
> ___/ \_ +------+-------+ +------------+ |
> _/ \__(eth0)| eth1 (stat) | /
> / \ 254| | |
> | Local network -----+ Linux router | | Internet
> \192.168.1.x __/ | | |
> \__ __/ | eth2 (dyn) | \
> \___/ +------+-------+ +------------+ |
> 254| |ppp0 | | \
> (eth3)| +-------------+ Telecomms +-------
> | adsl link | ADSL | |
> ___ | +------------+ \________
> _/ \__ |
> __/ \___ |
> / \----+
> | Local Network |
> \__172.16.1.x__/
> \__ ___/
> \_/
>
> In words:
> Two local LANs (172.16.1.x) and (192.168.1.x). They service different
> parts of the organisation. The point is, the client does not want
> traffic from the 172.16.1.x network going over the ADSL link, otherwise
> the cap will be reached in hours (literally). The router is also the mail
> server, so mail is delivered to the eth1 interface via a static IP
> address (eth1 in the diagram) - it is a 196.xx.xx.xx address.
> The ADSL is not a static address - 165.146.yy.yy.
> The LAN interface from the 192.168.1.x network on the router is
> 192.168.1.254. The LAN interface on the other network is 172.16.1.254.
> The 10.x.x.x network is an IP I have assigned to the eth2 interface to
> ensure that I can still talk to my ADSL router, but the ppp0 link is a
> PPPoE connection to the telecomms provider.
>
> So, with some assistance, I have set up the following:
> Table main:
> 165.146.128.1 dev ppp0 proto kernel scope link src 165.146.yy.yy
> 196.xx.xx.xx/nn dev eth1 proto kernel scope link src 196.xx.xx.xx
> 10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.254
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.254
> default via 196.xx.xx.xx dev eth1
> (the default route here is going out through the diginet link -
> 196.xx.xx.xx in this table)
>
> table adsl:
> 10.0.0.0/24 dev eth2 scope link
> 192.168.1.0/24 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> default via 165.146.yy.yy dev ppp0
>
> the rules:
> 0: from all lookup local
> 90: from all to 192.168.1.0/24 lookup main
> 100: from 192.168.1.0/24 lookup adsl
> 32766: from all lookup main
> 32767: from all lookup default

You need to have another rule "100: from {adsladdress}/32 lookup adsl",
because your packets are getting MASQed and then re-hitting the routing
table, which says route out the default link, which is actually the digi
link. Most ISPs don't allow asymmetric routing of packets (i.e. they will
not allow you to send a packet with a source address not in their address
space); it will probably still have the 172 address on it (not sure).
You should be able to confirm this by tcpdump'ing on eth1.

> ip route add default via 165.146.yy.yy dev ppp0 table adsl
> Now here it croaks. When I add this route, the continuous ping to a host
> on the internet from a machine on the Local Network (192) stops, which
> tells me it cannot get out via the ADSL link. In order to check whether
> the ADSL was working, I tried swapping the routes around so that the
> default traffic uses the ADSL link, and this worked - so it's not a
> problem with the physical ADSL link to the Internet.
>
> I have tested the following:
> 1) From a PC on the 192 net, I can ping the Telecomms ADSL gateway on the
> remote side (in my case, this is 165.146.128.1), but not further.
> 2) From the Linux router, I can ping to the 165.146.128.1 and beyond.
> 3) I know the firewall rules are not blocking traffic since I am logging
> any traffic that is blocked by the firewall and nothing is showing up in
> the logs.
>
> My NAT firewall rules are as follows:
>
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth1 -j SNAT --to-source
> 196.xx.xx.xx
>
> So, what's so hard about that! And yet, the minute I add a default route
> to the adsl table, things go pear-shaped. Take that out, and the people
> on the LAN (192 net) can talk to everything on the Internet.
>
> So, what am I doing wrong here? I hope this is sufficient information to
> assist me in my routing woes.
> Any help.....yadda yadda.
> Cheers
> H
>
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>