Local server unreachable by remote lan in dual isp configuration

Linux Advanced Routing and Traffic Control

hi all,
i have this situation:

                     isp1
                       |
dmz ----- FW linux ----- isp2
                       |
                       |----- vpn concentrator ----- various ipsec lan-2-lan
                       |
                      LAN


In the LAN I have a "pc zone" and a "server zone", on the same network.

The DMZ and the server zone browse the internet through isp1; the LAN uses
isp2, and so do the remote LANs (connected through the VPN concentrator),
using the squid proxy installed on the linux firewall.

My problem: the server zone and the firewall are unreachable from the remote
LANs, but a PC in a remote LAN can ping/rdp/smb/vnc/etc. all the other PCs in
the local LAN.

The linux firewall is the default gw, and it has routing rules to route
connections from the LAN to the remote LANs via the VPN concentrator.

If I use only one ISP, everything works fine, so the problem is in my iproute setup.

If I set a static route on the servers that bypasses the default gw (the linux
firewall) and points directly at the VPN concentrator, the remote LAN can
connect to the servers.

Some details.

cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
100     isp2
101     isp1
#
# local
#
#1      inr.ruhep


This is the iproute script:

ISP1_NET="x.x.x.192/29"
ISP1_IP="x.x.x.195"
ISP1_GW="x.x.x.193"
ISP1_IF="bad0"

ISP2_NET="x.x.x.96/29"
ISP2_IP="x.x.x.98"
ISP2_GW="x.x.x.97"
ISP2_IF="bad1"

DMZ_NET="192.168.0.0/24"
DMZ_IF="dmz0"

LAN_NET="10.0.0.0/24"
LAN_IF="lan0"

SERVER_MAIL="10.0.0.50"
SERVER_1="10.0.0.10"
SERVER_2="10.0.0.2"
SERVER_3="10.0.0.3"


# Table names are case-sensitive and must match /etc/iproute2/rt_tables
# (isp2 = 100, isp1 = 101), so the lowercase names are used throughout.
/sbin/ip rule add fwmark 100 table isp2
/sbin/ip rule add fwmark 101 table isp1

# Each ISP table holds its own link route plus one default via that ISP's gateway.
/sbin/ip route add $ISP1_NET dev $ISP1_IF src $ISP1_IP table isp1
/sbin/ip route add default via $ISP1_GW table isp1
/sbin/ip route add $ISP2_NET dev $ISP2_IF src $ISP2_IP table isp2
/sbin/ip route add default via $ISP2_GW table isp2

# Traffic from the servers and from the DMZ is marked 101 (-> isp1);
# everything else stays unmarked.
/usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_1 -j MARK --set-mark 101
/usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_2 -j MARK --set-mark 101
/usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_3 -j MARK --set-mark 101
/usr/sbin/iptables -t mangle -A PREROUTING -i $LAN_IF -s $SERVER_MAIL -j MARK --set-mark 101
/usr/sbin/iptables -t mangle -A PREROUTING -i $DMZ_IF -s $DMZ_NET -j MARK --set-mark 101

# (A second "default dev $ISP2_IF" / "default dev $ISP1_IF" in the same tables
#  would fail with "RTNETLINK answers: File exists"; the via-gateway defaults
#  above are the ones that are used, so those two lines are omitted.)

# Disable reverse-path filtering so that packets may leave through the other
# ISP's interface, then flush the route cache so the new tables take effect.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
/bin/echo 1 > /proc/sys/net/ipv4/route/flush

# Default route in the main table on a dummy interface, so that unmarked
# traffic has a route that leads nowhere instead of silently using one ISP.
/sbin/ifconfig dummy0 1.2.3.4
/sbin/ip route add default dev dummy0



Can somebody help me?

best regards
bizza
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
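A corrected layout for the configuration in the post above, as an added example that is not the poster's script: the main table keeps the routes to the remote LANs via the VPN concentrator, and ip rules send traffic for the local zones and the remote LANs to the main table before any fwmark rule is consulted, so the marked servers remain reachable from the remote LANs. VPN_GW, REMOTE_NETS, the rule priorities and the mark for the rest of the LAN are assumptions; the functions print the commands rather than executing them.

```shell
#!/bin/sh
# Added example (not the poster's script): dual-ISP policy routing in which
# hosts marked for isp1 still reach the other local zone and the VPN-connected
# remote LANs. The functions only PRINT ip/iptables commands; pipe the output
# to sh on the firewall to apply it. x.x.x.* are the post's own placeholders.
LAN_IF="lan0";  LAN_NET="10.0.0.0/24"
DMZ_IF="dmz0";  DMZ_NET="192.168.0.0/24"
ISP1_GW="x.x.x.193"; ISP2_GW="x.x.x.97"
VPN_GW="10.0.0.254"                     # assumed: concentrator's address in the LAN
REMOTE_NETS="10.1.0.0/24 10.2.0.0/24"   # assumed: ipsec lan-2-lan networks
ISP1_HOSTS="10.0.0.50 10.0.0.10 10.0.0.2 10.0.0.3"

gen_routes() {
    # Remote LANs are reached through the concentrator from the main table.
    for net in $REMOTE_NETS; do
        echo "ip route add $net via $VPN_GW dev $LAN_IF"
    done
    # Exactly one default per ISP table; names must match rt_tables (lowercase).
    echo "ip route add default via $ISP1_GW table isp1"
    echo "ip route add default via $ISP2_GW table isp2"
}

gen_rules() {
    # Local zones and remote LANs are looked up in main BEFORE any fwmark rule,
    # so a mark can never push them to an ISP default route.
    prio=100
    for net in $LAN_NET $DMZ_NET $REMOTE_NETS; do
        echo "ip rule add to $net table main priority $prio"
        prio=$((prio + 1))
    done
    echo "ip rule add fwmark 101 table isp1 priority 200"
    echo "ip rule add fwmark 100 table isp2 priority 201"
}

gen_marks() {
    for h in $ISP1_HOSTS; do
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $h -j MARK --set-mark 101"
    done
    echo "iptables -t mangle -A PREROUTING -i $DMZ_IF -s $DMZ_NET -j MARK --set-mark 101"
    # Whatever else comes from the LAN and is still unmarked goes out via isp2.
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -m mark --mark 0 -j MARK --set-mark 100"
}

gen_policy_routing() { gen_routes; gen_rules; gen_marks; }

# Usage on the firewall (review the output first):  sh this_script.sh print | sh
case "${1:-}" in print) gen_policy_routing ;; esac
```

Check the result with `ip rule show` and `ip route show table isp1`: the `to` rules must list before the `fwmark` rules, and each ISP table must contain exactly one default.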
