Hello,

On Tue, 21 Aug 2007, Grant Taylor wrote:

> I want to be able to take traffic in from a local LAN on eth0 and route
> it out eth1 to a default gateway with a static IP. I want said default
> gateway with the static IP to be assigned to eth2. I then want to route
> and masquerade traffic that came in eth2 out eth3.
>
> (Enter ASCII art)
>
> --------------+
> Context 0     |
>     +------+  |  +-----------+
> +---+ eth0 |------+ Local LAN |
> |   +------+  |  +-----------+
> |             |
> |   +------+  |
> +---+ eth1 +------+
>     +------+  |   |
>               |   |
> ==============|===|===
> Context 1     |   |
>     +------+  |   |
> +---+ eth2 +------+
> |   +------+  |
> |             |
> |   +------+  |  +----------+
> +---+ eth3 +------+ Internet |
>     +------+  |  +----------+
>               |
> --------------+
>
> I want the "router" in context 0 to effectively (for the sake of
> discussion) do basic static NAT routing for the local LAN. This router
> will have two static IP addresses, LAN facing and upstream router facing.
>
> I want the "router" in context 1 to effectively (for the sake of
> discussion) do basic MASQUERADing for the equipment behind it. This
> router will have one static IP facing the LAN and one dynamic IP facing
> its upstream provider.
>
> I have followed Julian Anastasov's directions
> (http://www.ssi.bg/~ja/send-to-self.txt) and applied his Send-to-Self
> patch (http://www.ssi.bg/~ja/send-to-self-2.6.22-1.diff) to a stock
> 2.6.22 kernel and I am able to ping the IP address assigned to eth2 from
> eth1 without any problems. However I don't think Julian's patch covers
> routing traffic through (not terminating at or originating locally) the
> cross over cable.

Yes, the patch works for output routes only. Maybe you can try to forward
traffic with ip rules with the iif parameter. Make sure you have rules and
routes for both directions. Of course, there must be some IP addresses
because routes work only for devices with IPs. SNAT should be able to
assign a non-local external IP address, not possible for MASQUERADE, so
you have to use SNAT everywhere. That is, don't configure the SNAT
addresses. Then you should not see local IPs in the traffic. Not sure
about other pitfalls.

Regards

--
Julian Anastasov <ja@xxxxxx>

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
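Julian's suggestion (iif rules, routes in both directions, SNAT to an address that is not configured locally) written out as iproute2/iptables commands. This is an added example, not a configuration from either poster; the interface addresses, the table numbers, the documentation-range "public" address and the two context1 arguments are all assumed, and it does not claim to cover the other pitfalls Julian leaves open.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed assumptions:
#   eth0  LAN side of context 0         192.168.1.1/24
#   eth1  crossover side of context 0   10.0.0.1/30
#   eth2  crossover side of context 1   10.0.0.2/30
#   eth3  ISP side of context 1         dynamic, passed on the command line
#   203.0.113.10  context 0's "static" SNAT address; on purpose never
#                 configured on an interface, so it is not a local IP.
LAN_NET=192.168.1.0/24
CTX0_XOVER=10.0.0.1
CTX1_XOVER=10.0.0.2
PUBLIC_SNAT=203.0.113.10
IP=${IP:-ip}; IPT=${IPT:-iptables}; SYSCTL=${SYSCTL:-sysctl}  # set to "echo" for a dry run

# One routing table per input interface; the iif rule selects the table.
context0() {
    # LAN -> crossover: everything arriving on eth0 goes to context 1's eth2.
    $IP route replace default via $CTX1_XOVER dev eth1 table 100
    $IP rule add iif eth0 lookup 100 pref 100
    # crossover -> LAN: replies arriving on eth1 (already mapped back to
    # the LAN host by conntrack) are delivered out eth0.
    $IP route replace $LAN_NET dev eth0 table 101
    $IP rule add iif eth1 lookup 101 pref 101
    # SNAT, not MASQUERADE: the source address does not have to be local.
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o eth1 -j SNAT --to-source $PUBLIC_SNAT
}

context1() {
    isp_ip=$1; isp_gw=$2
    # crossover -> ISP: everything arriving on eth2 goes out eth3.
    $IP route replace default via $isp_gw dev eth3 table 102
    $IP rule add iif eth2 lookup 102 pref 102
    # ISP -> crossover: replies for the "public" address go back over the
    # cable to context 0, which owns the first SNAT mapping.
    $IP route replace $PUBLIC_SNAT/32 via $CTX0_XOVER dev eth2 table 103
    $IP rule add iif eth3 lookup 103 pref 103
    # SNAT again ("SNAT everywhere"), to eth3's current dynamic address.
    $IPT -t nat -A POSTROUTING -o eth3 -j SNAT --to-source $isp_ip
}

# Usage: sh ctx.sh <isp-ip> <isp-gateway>   (IP=echo IPT=echo SYSCTL=echo ... for a dry run)
if [ $# -eq 2 ]; then
    $SYSCTL -w net.ipv4.ip_forward=1
    context0
    context1 "$1" "$2"
fi
```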