Been running this for quite a while and have noticed that I have intermittent
problems getting out.
I find that if I ping the same site from 2 computers it may work on one
and fail on the other.
Also was surprised that sometimes they are going out different
interfaces at the same time.
It seems to work all the time from the firewall.
Running a 2.6.10 kernel with the multipath routing patches on a Debian
sarge system.
# ip rule
0: from all lookup local
60: from all lookup main
200: from all lookup 200
201: from 216.170.136.0/24 lookup isp1
201: from 24.196.120.28/30 lookup isp2
222: from all lookup multi
222: from all lookup multi
32766: from all lookup main
32767: from all lookup default
cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 inr.ruhep
201 isp1
202 isp2
222 multi
root@fonroute:~# ip route list table 200
192.168.0.0/16 via 192.168.2.254 dev eth0
root@fonroute:~# ip route list table 201
default via 216.170.136.1 dev eth1 proto static src 216.170.136.82
prohibit default proto static metric 1
root@fonroute:~# ip route list table 202
default via 24.196.120.29 dev eth2 proto static src 24.196.120.30
prohibit default proto static metric 1
root@fonroute:~# ip route list table 222
default proto static
nexthop via 216.170.136.1 dev eth1 weight 1
nexthop via 24.196.120.29 dev eth2 weight 4
Using Shorewall to set up the rules.
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
net_dnat all -- anywhere anywhere
net_dnat all -- anywhere anywhere
loc_dnat all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
eth1_masq all -- anywhere anywhere
eth2_masq all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain eth1_masq (1 references)
target prot opt source destination
masq2 all -- 192.168.2.0/24 anywhere
Chain eth2_masq (1 references)
target prot opt source destination
masq1 all -- 192.168.2.0/24 anywhere
Chain loc_dnat (1 references)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 3128
Chain masq1 (1 references)
target prot opt source destination
RETURN all -- anywhere 192.168.0.0/16
RETURN all -- fonroute.advocap.org anywhere
SNAT all -- anywhere anywhere to:24.196.120.30
Chain masq2 (1 references)
target prot opt source destination
RETURN all -- anywhere 192.168.0.0/16
RETURN all -- fonroute.advocap.org anywhere
SNAT all -- anywhere anywhere to:216.170.136.73
Chain net_dnat (2 references)
target prot opt source destination
DNAT tcp -- !192.168.0.0/16 anywhere multiport dports ssh,www to:192.168.2.1
DNAT tcp -- !192.168.0.0/16 anywhere multiport dports smtp,imaps,https to:192.168.2.10
DNAT tcp -- !192.168.0.0/16 anywhere tcp dpt:2525 to:192.168.2.10:25
DNAT tcp -- !192.168.0.0/16 anywhere tcp dpt:8000 to:192.168.2.12:443
DNAT tcp -- !192.168.0.0/16 anywhere tcp dpt:9000 to:192.168.2.12:22
REDIRECT tcp -- anywhere anywhere tcp dpt:1022 redir ports 22
Have SNAT on both interfaces.
Have rules to keep VPN traffic from getting SNATed.
Any solution?
Any way to troubleshoot?
John
John McMonagle
IT Manager, Advocap Inc
2929 Harrison St, Oshkosh, WI 54936
tel (work): 920-426-0150
email: johnm@xxxxxxxxxxx
http://www.advocap.org
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
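As an added illustration (not part of John's post or of the LARTC thread), the script below parses the `ip rule` and `ip route list table 222` listings exactly as pasted above and reports the things a reviewer of that configuration would check first: the rule that was added twice at priority 222, the unconditional `from all lookup main` rule at priority 60 (rules are evaluated in priority order, so if the main table carries a default route the per-ISP tables and the multipath table are never consulted for ordinary destinations), and the per-nexthop share implied by the `weight 1` / `weight 4` settings. The sample text is copied from the post; the function names and the checks themselves are my own and assume nothing beyond the standard `ip` output format.

```python
"""Sanity checks for pasted `ip rule` and multipath `ip route` listings.

Added example; not the original poster's code. The two input strings below
are constructed from the listings in the post so the script runs offline.
"""
import re
from collections import Counter

# Constructed sample: `ip rule` output as posted (duplicate 222 rule and
# the `lookup main` entry at priority 60 are reproduced on purpose).
IP_RULE_OUTPUT = """\
0: from all lookup local
60: from all lookup main
200: from all lookup 200
201: from 216.170.136.0/24 lookup isp1
201: from 24.196.120.28/30 lookup isp2
222: from all lookup multi
222: from all lookup multi
32766: from all lookup main
32767: from all lookup default
"""

# Constructed sample: `ip route list table 222` output as posted.
TABLE_222_OUTPUT = """\
default proto static
nexthop via 216.170.136.1 dev eth1 weight 1
nexthop via 24.196.120.29 dev eth2 weight 4
"""

RULE_RE = re.compile(r"^(\d+):\s+from\s+(\S+)\s+lookup\s+(\S+)")
NEXTHOP_RE = re.compile(r"nexthop via (\S+) dev (\S+) weight (\d+)")


def parse_rules(text):
    """Return (priority, source selector, table) tuples in listing order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def duplicate_rules(rules):
    """Rules listed more than once; every `ip rule add` appends a copy,
    so a startup script run twice leaves duplicates like the 222 pair."""
    return [r for r, n in Counter(rules).items() if n > 1]


def shadowed_tables(rules):
    """Rules that follow an unconditional `from all lookup main`.

    The kernel walks rules by priority and stops at the first table that
    yields a route, so if `main` contains a default route the tables
    returned here are never reached for ordinary Internet destinations.
    """
    shadowed = []
    seen_main = False
    for prio, sel, table in rules:
        if sel == "all" and table == "main":
            seen_main = True
        elif seen_main and table not in ("main", "default", "local"):
            shadowed.append((prio, sel, table))
    return shadowed


def parse_nexthops(text):
    """Return {device: weight} for a multipath default route listing."""
    return {m.group(2): int(m.group(3)) for m in NEXTHOP_RE.finditer(text)}


def expected_share(nexthops):
    """Fraction of new flows each nexthop is expected to receive, by weight."""
    total = sum(nexthops.values())
    return {dev: w / total for dev, w in nexthops.items()}


if __name__ == "__main__":
    rules = parse_rules(IP_RULE_OUTPUT)
    print("duplicate rules:", duplicate_rules(rules))
    print("rules after 'from all lookup main':", shadowed_tables(rules))
    for dev, share in expected_share(parse_nexthops(TABLE_222_OUTPUT)).items():
        print(f"{dev}: {share:.0%} of new flows")
```

The weight share is what the multipath route hands to new flows; it does not by itself explain why a single host's pings succeed on one machine and fail on another, but it does confirm that seeing traffic leave both interfaces at the same time is the expected behaviour of that table. Removing the extra 222 rule and confirming what `ip route list table main` contains are the first two things to check.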