Hello, dummy@xxxxxxxxxxxxxx a écrit :
I am changing data centers and want to forward traffic hitting server A to Server B in another data center. I was using masquerading and it was working fine, however a problem has popped its ugly head. Server B needs to know the IP address of the client connecting to it. If it gets forwarded through Server A, the IP address of Server A is what is given. I tried to make this work without masquerading but I break the port forwarding.
The reply packets *must* go back to the forwarding box (A) by any means in order for the DNAT to work properly. Masquerading on box A was an easy way to achieve this, but the drawback is it hides the real source address. Another problem may be that some router or firewall in the path between box A's and box B drops forwarded packets with a "foreign" source address.
The only workaround I can think of when box A and box B are not in the same network is some tunnel or VPN between them and advanced routing on box B set up so it sends the reply packets of forwarded connections back to box A through the tunnel/VPN. This way, intermediate routers do not see foreign source addresses and box B sends the reply traffic back to box A regardless of the destination address. The advanced routing rule may be based on the destination address (if the traffic is forwarded to a specific address such as a private tunnel address), the protocol, the destination port or a connection mark.
