On Mon, Jan 29, 2007 at 01:17:03PM +0100, Fabio Muzzi wrote:
>
> Hi, this is my first post to the list.
>
> I have googled a lot, and still cannot find a proper solution. I hope
> someone here will be able to shed some light on my doubts.
>
> I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for
> 100 clients, and uses two different ISPs, using the howto found at
> http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not*
> patched my kernel.
>
> The routing setup is taken from the howto, and it basically works. I see
> packets flowing out of both WAN interfaces, and everything seems to work
> properly for packets that are generated from the firewall itself.
>
> I have set up NAT rules in the postrouting table, this way:
>
> iptables -t nat -A POSTROUTING -o $WAN -j SNAT -s 10.0.0.0/16 --to-source 217.221.234.74
> iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 83.211.205.162
>
> Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and
> their relative IP addresses are set as shown. WAN interfaces are
> physically different and have no aliases, only the IP shown above.
>
> Now, I am experiencing two issues:
>
> - First, I see packets with "from" address set to 83.211.205.162 that go
> out of $WAN, and also packets with from address set to 217.221.234.74 that
> flow out of $WAN2. This address mixup should not happen, I suppose.
> Looking at the packets, it seems that only NATed traffic shows this
> behaviour.

You have to set up your ip rule rules, which will state that anything coming
from 217.221.234.74 only goes out $WAN and anything coming from
83.211.205.162 only goes out $WAN2. It should be part of the wiki/faq doco.

>
> - Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that
> still have the LAN from address, that is 10.0.x.x; these packets somehow
> were not NATed at all.

Never seen this.

>
> Now, the questions are:
>
> How do I solve this?
>
> Do I need to patch my kernel to solve the first issue, because I need to
> look at NAT "established connections" tables to make routing decisions? Is
> it impossible to have equal cost multipath and SNAT together without
> patching the kernel? If so, what patch do I need exactly?
>
> Is there something wrong with my kernel version, that has broken NAT
> support? (This could explain why I get some packets that do not get NATed
> at all.)
>
> Thanks a lot for the time you took reading this.
>
> --
>
> Fabio "Kurgan" Muzzi
>
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
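The per-source ip rules the reply refers to, combined with the poster's SNAT lines, as an added example script that is not part of the thread or the LARTC howto. The interface names (eth1, eth2), gateway addresses and table numbers (101, 102) are assumptions; the two public addresses and the LAN prefix are the ones from the post. DRY_RUN=1 prints the commands instead of running them so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: two-uplink policy routing plus SNAT, in the spirit of
# http://lartc.org/howto/lartc.rpdb.multiple-links.html
WAN=${WAN:-eth1}                    # assumed interface name for ISP 1
WAN2=${WAN2:-eth2}                  # assumed interface name for ISP 2
WAN_IP=217.221.234.74               # SNAT address on $WAN (from the post)
WAN2_IP=83.211.205.162              # SNAT address on $WAN2 (from the post)
WAN_GW=${WAN_GW:-217.221.234.73}    # assumed gateway of ISP 1
WAN2_GW=${WAN2_GW:-83.211.205.161}  # assumed gateway of ISP 2
LAN=10.0.0.0/16
DRY_RUN=${DRY_RUN:-0}

run() {
    # Print the command instead of executing it when DRY_RUN=1, so the
    # generated rule set can be reviewed (or tested) without root.
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_multilink() {
    # One routing table per uplink, each with that ISP's default gateway.
    run ip route add default via "$WAN_GW" dev "$WAN" table 101
    run ip route add default via "$WAN2_GW" dev "$WAN2" table 102
    # The rules from the reply: a packet whose source address is an uplink's
    # SNAT address is routed by that uplink's table and leaves only there.
    run ip rule add from "$WAN_IP" table 101
    run ip rule add from "$WAN2_IP" table 102
    # Balanced default route in the main table for LAN-originated traffic
    # (the equal-cost multipath form from the howto).
    run ip route add default scope global \
        nexthop via "$WAN_GW" dev "$WAN" weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2" weight 1
    run ip route flush cache
    # SNAT keyed on the outgoing interface, exactly as in the post.
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN" -j SNAT --to-source "$WAN_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN2" -s "$LAN" -j SNAT --to-source "$WAN2_IP"
}
```

Run as root with DRY_RUN unset to apply; the ip rule lines are the part the reply says was missing from the poster's setup.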