Questions about multiple providers

Linux Advanced Routing and Traffic Control

Hi, this is my first post to the list.

I have googled a lot, and still cannot find a proper solution. I hope someone here will be able to shed some light on my doubts.

I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for 100 clients, and uses two different ISPs, using the howto found at http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not* patched my kernel.

The routing setup is taken from the howto, and it basically works: I see packets flowing out of both WAN interfaces, and everything seems to work properly for packets that are generated from the firewall itself.

I have set up NAT rules in the POSTROUTING table, this way:

iptables -t nat -A POSTROUTING -o $WAN  -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 83.211.205.162

Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and their respective IP addresses are set as shown. WAN interfaces are physically different and have no aliases, only the IP shown above.

Now, I am experiencing two issues:

- First, I see packets with "from" address set to 83.211.205.162 that go out of $WAN, and also packets with "from" address set to 217.221.234.74 that flow out of $WAN2. This address mixup should not happen, I suppose. Looking at the packets, it seems that only NATed traffic shows this behaviour.

- Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that still have the LAN "from" address, that is 10.0.x.x; these packets somehow were not NATed at all.


Now, the questions are:

How do I solve this?

Do I need to patch my kernel to solve the first issue, because I need to look at NAT "established connections" tables to make routing decisions? Is it impossible to have equal cost multipath and SNAT together without patching the kernel? If so, what patch do I need exactly?

Is there something wrong with my kernel version, that has broken NAT support? (This could explain why I get some packets that do not get NATed at all.)


Thanks a lot for the time you took reading this.

-- 

  Fabio "Kurgan" Muzzi

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
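One way to make the outgoing ISP a per-connection decision, added here as an example that is not part of the original post or of the LARTC howto. The underlying point: conntrack chooses the SNAT source address once, on the first packet of a connection, while the kernel's routing lookup for each later packet is made independently of that mapping, so an ECMP default route can send a packet out $WAN2 carrying the address conntrack bound to $WAN. Recording the interface ECMP chose for the first packet in the connection mark (CONNMARK, in mainline since early 2.6) and restoring it onto every later packet before routing, combined with fwmark rules, makes the whole connection follow the same ISP table, without any kernel patch. The two public addresses and the 10.0.0.0/16 LAN are taken from the post; the interface names, LAN interface, link prefixes, next-hop gateways and routing table numbers are assumptions, and so is the FORWARD rule at the end, which addresses one common cause of un-NATed packets (packets conntrack classifies INVALID never traverse the nat table). The script prints the commands by default (DRY_RUN=1) and applies them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post or the LARTC howto): pin each
# NATed connection to the ISP chosen for its first packet, so the outgoing
# interface always matches the SNAT source address conntrack picked.
# Assumed: interface names, link prefixes, gateways, table numbers.
# From the post: the two public addresses and the 10.0.0.0/16 LAN.
set -eu

LAN_IF="${LAN_IF:-eth0}"                  # assumed
WAN="${WAN:-eth1}"                        # assumed
WAN2="${WAN2:-eth2}"                      # assumed
WAN_IP=217.221.234.74
WAN2_IP=83.211.205.162
WAN_NET="${WAN_NET:-217.221.234.72/29}"   # assumed link prefixes
WAN2_NET="${WAN2_NET:-83.211.205.160/29}"
WAN_GW="${WAN_GW:-217.221.234.73}"        # assumed next hops
WAN2_GW="${WAN2_GW:-83.211.205.161}"
LAN=10.0.0.0/16
T1=101; T2=102                            # assumed routing table numbers
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = run them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_multipath_nat() {
    # One table per ISP, plus source-based rules for replies and for traffic
    # generated on the firewall itself (the part that already works).
    run ip route add "$WAN_NET"  dev "$WAN"  src "$WAN_IP"  table "$T1"
    run ip route add default via "$WAN_GW"  table "$T1"
    run ip route add "$WAN2_NET" dev "$WAN2" src "$WAN2_IP" table "$T2"
    run ip route add default via "$WAN2_GW" table "$T2"
    run ip rule add from "$WAN_IP"  table "$T1"
    run ip rule add from "$WAN2_IP" table "$T2"

    # A connection already pinned to an ISP carries its number as the packet
    # mark (restored below) and is routed by that ISP's table, not by ECMP.
    run ip rule add fwmark 1 table "$T1"
    run ip rule add fwmark 2 table "$T2"

    # Unmarked (new) connections are still balanced by the ECMP default route.
    run ip route add default scope global \
        nexthop via "$WAN_GW"  dev "$WAN"  weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2" weight 1

    # 1. First packet of a connection: routing has picked an interface by now
    #    (mangle POSTROUTING runs after the routing decision), so record it
    #    in the connection mark.
    run iptables -t mangle -A POSTROUTING -o "$WAN"  -s "$LAN" \
        -m state --state NEW -j CONNMARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN2" -s "$LAN" \
        -m state --state NEW -j CONNMARK --set-mark 2
    # 2. Every later LAN packet: copy the connection mark onto the packet
    #    before routing, so the fwmark rules send it out the same ISP.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark

    # SNAT by outgoing interface, as in the post; the address now always
    # matches the interface because the interface is fixed per connection.
    run iptables -t nat -A POSTROUTING -o "$WAN"  -s "$LAN" -j SNAT --to-source "$WAN_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN2" -s "$LAN" -j SNAT --to-source "$WAN2_IP"

    # Packets conntrack cannot tie to a connection (state INVALID) never go
    # through the nat table and would leave with their 10.0.x.x source.
    # Drop them instead of leaking private addresses to the ISPs.
    run iptables -A FORWARD -m state --state INVALID -j DROP
}

setup_multipath_nat
```

Run it once as DRY_RUN=1 (the default) to review the generated rule set, then as DRY_RUN=0 on a flushed ruleset; the mangle rules must be in place before the nat rules see traffic, which the order above guarantees.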
