Hi Brian,

On Fri, Dec 20, 2013 at 12:05:05PM +0000, Brian Burch wrote:
> The mailing list has been dormant for 2 years, so I wonder whether
> anyone is still listening for new questions?

You never know. ;-)

> My broadband router runs PPPoA and is dynamically assigned a single
> ipv4 internet address by my ISP. I have a static subnet which I host
> on a linux router/firewall (called chenin). The linux firewall and
> the adsl router communicate via a non-internet-addressable private
> subnet. Here is the topology:
>
> Internet -- adsl-router-ppp0-ipv4-dynamic
>          -- adsl-router-eth0-172.16.101.1
>          --
>          -- firewall-router-eth0-172.16.101.2
>          -- firewall-router-217.154.193.209
>          --
>          -- static-subnet-hosts-217.154.193.154.208/28
>
> Each of the hosts on the static subnet uses 217.154.193.209 as its
> own default route. The adsl router forwards all incoming packets to
> the firewall/router's eth0. The firewall/router forwards all
> incoming packets to the static subnet via its own eth1. The
> firewall/router does not need to perform NAT, but it implements a
> simple set of iptables rules for blacklisting, etc. /All this works
> perfectly./
>
> My problem is that I need to download software updates (debian
> apt-get http) for the firewall/router from a repository out on the
> internet.
>
> The firewall/router can successfully ping the repo-server when I
> force the source address like this:
>
> ping -I 217.154.193.209 163.1.221.67
>
> ... but a simple "ping 163.1.221.67" (i.e. using the default source
> address selection algorithm) fails. Wireshark confirms these
> unanswered packets go out on eth0 with a source address of
> 172.16.101.2.

I see several generic ways to solve this. Use one of:

1) Use NAT for the transfer network addresses (i.e. "masquerading" for
   the 172.16.101.2 address) on the ADSL router.
2) Use SNAT from 172.16.101.2 to 217.154.193.209 on the firewall for
   packets going to the internet.
3) Use a subnet from your routable IP addresses for the transit network.
4) Terminate PPPoE on the firewall, using the ADSL router as an ADSL
   modem.

You may be able to define the source IP to use for the update process.
If so, you do not need any of the above.

> I believe I should be able to resolve this problem with iproute2
> policy routing, but so far I have not been successful. I've tried
> several variations, but they all give me the same "wrong" source
> address.

Policy routing is used _after_ deciding on the source IP address to use.

> Am I trying to do the impossible here, or am I just making a mistake
> in the way I am doing it?

You need to change the source IP address seen on the internet; that
cannot be done with policy routing. It can be done using NAT, network
renumbering or software configuration.

HTH,
Erik
-- 
Always use the right tool for the job. -- Rob Pike
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
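Worked example for option 2 above (SNAT on the firewall/router), added by the editor and not part of the thread or of either poster's configuration. The addresses are the ones quoted by Brian; the interface names (eth0 towards the ADSL router), the use of 163.1.221.67 as a reachability target and the DRY_RUN switch are assumptions. The one rule that matters only matches packets the firewall originates itself (source 172.16.101.2 leaving eth0), so forwarded traffic from the routable /28 keeps its own source address and the existing no-NAT forwarding is unchanged.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): SNAT on the firewall/router so
# that its own outbound traffic carries the routable address instead of the
# transit address. Run as "sh snat.sh apply" (as root) to install the rule;
# any other invocation prints the commands instead of executing them.

TRANSIT_ADDR=172.16.101.2        # firewall eth0, private transit address (from the thread)
PUBLIC_ADDR=217.154.193.209      # firewall eth1, routable address (from the thread)
WAN_IF=eth0                      # assumption: interface facing the ADSL router
REPO_ADDR=163.1.221.67           # assumption: repository host Brian used for his ping test

case "${1:-print}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN=1 ;;
esac

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The SNAT rule: rewrite the source of locally generated packets leaving
# the WAN interface from the transit address to the routable address.
# Forwarded packets from 217.154.193.208/28 do not match "-s 172.16.101.2"
# and are left alone; conntrack de-NATs the replies on the way back.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$WAN_IF" "$TRANSIT_ADDR" "$PUBLIC_ADDR"
}

apply_snat() {
    # shellcheck disable=SC2046
    run $(snat_rule)
}

# Checks a practitioner would run before and after:
#  - "ip route get" prints the source address the kernel selects for the
#    destination (172.16.101.2 here, matching what Wireshark showed);
#    SNAT does not change that output, it rewrites the packet afterwards.
#  - the nat table counters show whether the rule is actually matching.
show_source_selection() {
    run ip route get "$REPO_ADDR"
    run iptables -t nat -L POSTROUTING -n -v
}

apply_snat
show_source_selection
```

The rule must be inserted before any broader POSTROUTING NAT rules on the firewall, and it relies on what Brian already has in place: the ADSL router forwarding everything for 217.154.193.208/28 to 172.16.101.2, so replies addressed to 217.154.193.209 come back through the same conntrack entry. If you would rather avoid NAT entirely, iproute2 also accepts a `src` attribute on the route itself (for example `ip route change default via 172.16.101.1 dev eth0 src 217.154.193.209`), which makes the kernel prefer that local address for locally originated packets; that alternative is not discussed in the thread and is the editor's note.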