Hi list, I'm trying to set up a Linux box with complicated source
routing and could use a hand from you.
The box has 4 NICs and lots of VLANs attached. It is a firewall and
router in the following scenario: (note: IP addresses have been changed
for security purposes)
- eth0 holds the default route (GW: 200.1.0.1, Firewall: 200.1.0.2);
- The box is routing and sometimes source routing, with no problems;
- We got our own ASN with an IP range assigned: 101.30.0.0/20;
- We have a Cisco router responsible for BGP sessions of our ASN. This
router is already talking to our neighbors and connects to the Firewall
on eth2.887 (Router: 101.30.15.249, Firewall: 101.30.15.250);
- We have old ISP's IP addresses used on lots of VLAN interfaces, e.g.:
200.1.2.0/26, 200.1.3.0/24, etc;
- The default route is still pointing to our old ISP and cannot be
changed for now;
So far so good, but:
- We created a testing VLAN, eth2.6, and assigned the address
101.30.0.1/28 to the Firewall and 101.30.0.2 to a testing machine
(machine-X);
- if we create source routing like this:
ip route add default via 101.30.15.249 table MyASN # IP of BGP router
ip rule add from 101.30.0.0/28 table MyASN
we can see the Internet and the Internet sees us through our BGP router
and neighbors, BUT we cannot see hosts at IP addresses of our old ISP
(those directly connected to the Firewall). The reason is simple, table
MyASN has no entry to these old addresses. The easy way to go is to
insert static routes on MyASN, but it is a bad solution when you have
lots of subnets in use and changes occur frequently.
The old and new addresses (from my old ISP and from my ASN) must
communicate but I cannot keep updating MyASN table.
I tried some workarounds with no good results and here is where I need a
hand.
All the workarounds I tried expect that in the above scenario, if a host
on an old ISP's IP address, let's say 200.1.2.2, pings my testing server
machine-X on 101.30.0.2, packets should show up on the sender host's
interface and go out on machine-X's interface. I expect this as the _main_
table has a route to machine-X (directly connected to the Firewall), so
the box should know where to send packets. It doesn't happen like this.
The packets go nowhere. They come in on the sender host's interface but
never go out on machine-X's interface. If I insert a route to 200.1.2.2 on
table MyASN I start to see traffic coming and going.
Why is this happening? Shouldn't the box just forward traffic when there
is a route in the _main_ table, regardless of whether or not a return route
exists? Or shouldn't it, at least, send this traffic to its default gateway?
Any comments and suggestions are appreciated.
Regards.
--------------------------------------------------------------------
Andre D. Correa, CISSP | Visite meus projetos pessoais:
andre.correa (at) pobox.com | Visit my personal projects:
http://andre.hiperlinks.com.br | - http://www.malware.com.br/
Sao Paulo / SP / Brazil | - http://www.linuximq.net/
--------------------------------------------------------------------
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
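Added example (editor's illustration, not code from the poster or the LARTC list): a small Python model of the Linux policy-routing lookup, loaded with the rules and prefixes the post gives. It traces the echo request from 200.1.2.2 to machine-X and the reply back, and shows that with the posted `ip rule ... from 101.30.0.0/28 table MyASN` the reply is decided by MyASN's default route before the main table, with its connected route to the old-ISP VLAN, is ever consulted. Interface names other than eth0, eth2.6 and eth2.887, the /30 on the BGP link, the rule preference numbers and the per-subnet fix rule are assumptions made for the example.

```python
"""Model of the Linux policy-routing lookup used to trace the post's scenario.

Constructed for illustration: the tables hold only the prefixes named in the
post; interface names other than eth0, eth2.6 and eth2.887, the /30 on the
BGP link and the rule preference numbers are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None     # None = directly connected ("scope link")
    action: str = "unicast"       # "unicast" or "throw" (leave this table, try next rule)


@dataclass
class Rule:
    pref: int                     # lower number = consulted first
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # "ip rule ... from"
    dst: Optional[ipaddress.IPv4Network] = None   # "ip rule ... to"


def net(s):
    return ipaddress.IPv4Network(s, strict=False)


def lookup_table(routes, dst):
    """Longest-prefix match within one routing table, or None if no route."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def fib_lookup(rules, tables, src, dst):
    """Walk the rules in preference order; the first table that yields a unicast
    route decides. A missing route or a 'throw' route falls through to the next
    rule. Returns (table, dev, via), or None if the destination is unreachable."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        route = lookup_table(tables.get(rule.table, []), dst)
        if route is None or route.action == "throw":
            continue
        return (rule.table, route.dev, route.via)
    return None


# Routing tables as the post describes them (interface names marked * are assumed).
TABLES = {
    "main": [
        Route(net("0.0.0.0/0"), "eth0", via="200.1.0.1"),         # default to old ISP
        Route(net("200.1.2.0/26"), "eth1.2"),                      # * old-ISP VLAN, connected
        Route(net("200.1.3.0/24"), "eth1.3"),                      # * old-ISP VLAN, connected
        Route(net("101.30.0.0/28"), "eth2.6"),                     # testing VLAN, machine-X
        Route(net("101.30.15.248/30"), "eth2.887"),                # * link to the BGP router
    ],
    "MyASN": [
        Route(net("0.0.0.0/0"), "eth2.887", via="101.30.15.249"),  # default via BGP router
    ],
}

# "ip rule add from 101.30.0.0/28 table MyASN" lands just above main (pref 32766).
RULES_AS_POSTED = [
    Rule(32765, "MyASN", src=net("101.30.0.0/28")),
    Rule(32766, "main"),
    Rule(32767, "default"),
]

# One possible fix (assumed, one rule per connected old-ISP subnet): consult main
# first for those destinations, so the 'from' rule cannot hide the connected route.
# Shell equivalent: ip rule add to 200.1.2.0/26 lookup main pref 100
RULES_WITH_FIX = [Rule(100, "main", dst=net("200.1.2.0/26"))] + RULES_AS_POSTED


def ping_from_old_isp(rules):
    """Echo request 200.1.2.2 -> machine-X (101.30.0.2): the 'from' rule does not
    match this source, so main is used and the connected route on eth2.6 wins."""
    return fib_lookup(rules, TABLES, "200.1.2.2", "101.30.0.2")


def reply_from_machine_x(rules):
    """Echo reply 101.30.0.2 -> 200.1.2.2: with the posted rules the source matches
    MyASN, whose default route answers, so main's connected route is never seen."""
    return fib_lookup(rules, TABLES, "101.30.0.2", "200.1.2.2")


if __name__ == "__main__":
    print("request, as posted:", ping_from_old_isp(RULES_AS_POSTED))
    print("reply, as posted  :", reply_from_machine_x(RULES_AS_POSTED))
    print("reply, with fix   :", reply_from_machine_x(RULES_WITH_FIX))
```

The model deliberately leaves out the local table, reverse-path filtering and netfilter, so it explains only why the main table is never reached for machine-X's replies under the posted rules, not where the poster's packets were ultimately dropped. A `throw` route for each old-ISP prefix inside MyASN would achieve the same fall-through to main, and the model supports that alternative via `Route(..., action="throw")`.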