Hi John.

On 7/28/05, John McMonagle <johnm@xxxxxxxxxxx> wrote:
> Find that if I ping the same site from 2 computers it may work on one
> and fail on the other.
> Also was surprised that some time they are going out different
> interfaces at the same time.

Same symptoms I had.

> Have snat on both interfaces

When you SNAT incoming packets, you need to do something different from
what is in the HOWTO ([4]) because SNAT is done before the routing
decision (check the Kernel Packet Traveling Diagram [5]).

I had the same problem [1]. The solution is to use conntrack and mark
packets on arrival, and then route them back using the fwmark [2].
There's no need to tell you I had a hard time with this. There should be
a warning about this in the HOWTO (in this page [4]).

The proposed solution I quote in [2] worked for me for the multiple
uplink providers + SNAT problem. It is (using the same variables that
are in the HOWTO [4]):

1) Mark packets on arrival:

   iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP1 -j MARK --set-mark=1
   iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP2 -j MARK --set-mark=2

2) And then use the mark to route the outgoing packets correctly:

   ip rule add fwmark 1 table T1
   ip rule add fwmark 2 table T2

Regards,
Nelson.-

PD: I solved my problem with IPVS and multiple uplink providers (see [3]).

[1] http://mailman.ds9a.nl/pipermail/lartc/2005q2/016171.html
[2] http://mailman.ds9a.nl/pipermail/lartc/2005q2/016441.html
[3] http://arhuaco.blogspot.com/2005/07/ipvs-and-conntrack.html
[4] http://lartc.org/howto/lartc.rpdb.multiple-links.html
[5] http://www.docum.org/docum.org/kptd/

-- 
Homepage : http://geocities.com/arhuaco
The first principle is that you must not fool yourself and you are the
easiest person to fool. -- Richard Feynman.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
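The mark and fwmark rules from the mail assembled with the HOWTO's two-uplink table layout into one script, as an added example that is not part of the original post. The interface names, the addresses and the LAN network $P0_NET are assumptions, and the LAN route in each table is an addition explained in the comments.

```shell
#!/bin/sh
# Added example, not code from the original mail: the HOWTO's two-uplink layout
# plus the conntrack-mark rules from the mail. Addresses and interfaces are
# placeholders; $P0_NET is the LAN behind the router (an assumption).
IF0=eth0; P0_NET=192.168.1.0/24
IF1=eth1; IP1=192.0.2.10;    P1=192.0.2.1;    P1_NET=192.0.2.0/24
IF2=eth2; IP2=198.51.100.10; P2=198.51.100.1; P2_NET=198.51.100.0/24

# Run a command, or just print it when DRY_RUN is set, so the rule set can be
# reviewed before it is applied.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

policy_routing() {
  # Tables T1 and T2 must be listed in /etc/iproute2/rt_tables. Each table also
  # carries the LAN route: a packet marked by the conntrack rules below is
  # routed by that table even when it is heading into the LAN.
  run ip route add "$P0_NET" dev "$IF0" table T1
  run ip route add "$P1_NET" dev "$IF1" src "$IP1" table T1
  run ip route add default via "$P1" table T1
  run ip route add "$P0_NET" dev "$IF0" table T2
  run ip route add "$P2_NET" dev "$IF2" src "$IP2" table T2
  run ip route add default via "$P2" table T2
  # HOWTO rules: traffic sourced from an uplink address uses that uplink.
  run ip rule add from "$IP1" table T1
  run ip rule add from "$IP2" table T2
  # Mail's rules: traffic carrying the conntrack mark uses the matching uplink,
  # which the source-address rules cannot decide once NAT has rewritten it.
  run ip rule add fwmark 1 table T1
  run ip rule add fwmark 2 table T2
}

mark_and_nat() {
  # Mark every packet of a connection by the destination it originally arrived
  # on. Marking happens in PREROUTING, before the routing decision, and the
  # original destination survives NAT because conntrack remembers it.
  run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$IP1" -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$IP2" -j MARK --set-mark 2
  # SNAT LAN traffic to the address of whichever uplink it leaves through.
  run iptables -t nat -A POSTROUTING -s "$P0_NET" -o "$IF1" -j SNAT --to-source "$IP1"
  run iptables -t nat -A POSTROUTING -s "$P0_NET" -o "$IF2" -j SNAT --to-source "$IP2"
}

case "${1:-}" in
  show)  DRY_RUN=1; policy_routing; mark_and_nat ;;
  apply) policy_routing; mark_and_nat ;;
esac
```

Run it as `sh multilink.sh show` to print the rule set, and as root with `apply` to install it.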