I think I said something wrong in my last message. You DNAT incoming packets and then SNAT them when they come back if your Linux router has some server behind it. I don't know if this is your case (having servers behind the router). (I needed to top-post here --- maybe not).

On 7/28/05, Nelson Castillo <nelsoneci@xxxxxxxxx> wrote:
> Hi John.
>
> On 7/28/05, John McMonagle <johnm@xxxxxxxxxxx> wrote:
>
> > Find that if I ping the same site from 2 computers it may work on one
> > and fail on the other.
> > Also was surprised that some time they are going out different
> > interfaces at the same time.
>
> Same symptoms I had.
>
> > Have snat on both interfaces
>
> When you SNAT incoming packets, you need to do something different
> from what is in the HOWTO ([4]) because SNAT is done before the
> routing decision (check the Kernel Packet Traveling Diagram [5]).
>
> I had the same problem [1]. The solution is to use conntrack and mark
> packets on arrival, and then route them back using the fwmark [2].
>
> There's no need to tell you I had a hard time with this. There should
> be a warning about this in the HOWTO (in this page [4]).
>
> The proposed solution I quote in [2] worked for me for the
> multiple uplink providers + SNAT problem.
>
> It is (using the same variables that are in the HOWTO [4]):
>
> 1) Mark packages on arrival:
>
> iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP1 -j MARK --set-mark=1
> iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP2 -j MARK --set-mark=2
>
> And then use the mark to route the outgoing packages correctly.
>
> ip rule add fwmark 1 table T1
> ip rule add fwmark 2 table T2
>
> Regards,
> Nelson.-
>
> PD : I solved my problem with IPVS and multiple uplink providers (see [3]).
>
> [1] http://mailman.ds9a.nl/pipermail/lartc/2005q2/016171.html
> [2] http://mailman.ds9a.nl/pipermail/lartc/2005q2/016441.html
> [3] http://arhuaco.blogspot.com/2005/07/ipvs-and-conntrack.html
> [4] http://lartc.org/howto/lartc.rpdb.multiple-links.html
> [5] http://www.docum.org/docum.org/kptd/
>
> --
> Homepage : http://geocities.com/arhuaco
>
> The first principle is that you must not fool yourself
> and you are the easiest person to fool.
> -- Richard Feynman.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
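The conntrack-mark plus fwmark setup quoted in the thread, assembled into one script together with the per-uplink SNAT and the DNAT for a server behind the router; this is an added example, not code from the thread or the LARTC HOWTO. Variable names follow the HOWTO ($IF1/$IP1/$P1 and so on); the addresses, the LAN_IF/LAN_NET/SRV variables and the port-80 DNAT are constructed placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): a two-uplink Linux router with one
# server behind it, wiring together the conntrack mark + fwmark routing
# quoted above with the per-interface SNAT and the DNAT for the server.
# Variable names follow the LARTC HOWTO; the values are constructed placeholders.
IF1=${IF1:-eth0};  IP1=${IP1:-198.51.100.10}; P1=${P1:-198.51.100.1}
IF2=${IF2:-eth1};  IP2=${IP2:-203.0.113.10};  P2=${P2:-203.0.113.1}
LAN_IF=${LAN_IF:-eth2}; LAN_NET=${LAN_NET:-192.168.1.0/24}
SRV=${SRV:-192.168.1.10}   # internal server reached through DNAT
DRY_RUN=${DRY_RUN:-1}      # 1 = only print the commands (default), 0 = apply them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

routing_tables() {
  # T1 and T2 must be listed in /etc/iproute2/rt_tables (HOWTO step).
  # Each table needs the LAN route too: a DNATed packet is already marked when
  # it is routed, and must still reach the server rather than the default route.
  run ip route add "$LAN_NET" dev "$LAN_IF" table T1
  run ip route add default via "$P1" dev "$IF1" table T1
  run ip route add "$LAN_NET" dev "$LAN_IF" table T2
  run ip route add default via "$P2" dev "$IF2" table T2
  # Replies to marked connections leave through the uplink they arrived on.
  run ip rule add fwmark 1 table T1
  run ip rule add fwmark 2 table T2
}

mark_rules() {
  # Marking happens in mangle PREROUTING, i.e. before the routing decision.
  # Matching the connection's *original* destination means the server's reply
  # packets (destination: the remote client) are still tied to the right uplink.
  run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$IP1" -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$IP2" -j MARK --set-mark 2
}

nat_rules() {
  # Inbound: publish the server on both uplink addresses (port 80 as an example).
  run iptables -t nat -A PREROUTING -d "$IP1" -p tcp --dport 80 -j DNAT --to-destination "$SRV"
  run iptables -t nat -A PREROUTING -d "$IP2" -p tcp --dport 80 -j DNAT --to-destination "$SRV"
  # Outbound: SNAT to the address of whichever interface the packet leaves on.
  run iptables -t nat -A POSTROUTING -o "$IF1" -j SNAT --to-source "$IP1"
  run iptables -t nat -A POSTROUTING -o "$IF2" -j SNAT --to-source "$IP2"
}

setup() { routing_tables; mark_rules; nat_rules; }

# Dry-run self-check: number of commands the setup would issue.
rule_count() { ( DRY_RUN=1; setup ) | wc -l | tr -d ' '; }

setup
```

Run it as is to review the twelve commands it would issue; apply them as root with `DRY_RUN=0 sh dualwan.sh` once the table names exist in rt_tables.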