On Thursday, November 07, 2013 05:03:06 PM Eliezer Croitoru wrote:
> OK so the next scenario:
> Client: 192.168.1.1/24
>
> Lan Router: 192.168.1.254/24
> Lan Router wan side: 192.168.100.254/24
>
> Wan Router 1: 192.168.100.1/24
> Wan Router 1-wanip: 3.3.3.3
>
> Wan Router 1: 192.168.100.2/24
> Wan Router 1-wanip: 4.4.4.4

This should be Wan Router 2?

>
> Simple HTTP\SMTP\SSH\TCP server: 6.6.6.6
>
> Client -> SYN --> Lan ROUTER: --> *WAN-router1*(which does NAT) --> BIG INTERNET --> TCP server
>
> TCP server SYN-ACK --> BIG INTERNET -> *WAN-router1*(NAT) --> Lan ROUTER --> Client
>
> Client -> ACK --> Lan ROUTER: --> *WAN-router2*(which does NAT) --> BIG INTERNET --> TCP server
>
> OK so now stop and feel the TCP server FW:
> "Hmm what is this strange packet?? I think it's an invalid packet and the sentence for this one is *DROP*"
> In the application level it will be almost the same:
> "Hmm I do not recall any existing connection from this IP so *DROP*\ignore that"

In order for you to do what you want to (balance the load--to arbitrary internet hosts--across two links), don't you need a single NAT with a single public address, and BGP (or equivalent) to inform the internet routers that your single IP can be reached via either route? With the setup as described, can you only load balance at the conn level, not at the packet level?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
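The handshake failure described in the quoted scenario, and the per-connection alternative the reply asks about, as a small added simulation (this is example code written for this page, not anything posted in the thread). It assumes the thread's addresses (client 192.168.1.1, WAN routers with public IPs 3.3.3.3 and 4.4.4.4, server 6.6.6.6), a constructed client port 40000 and server port 80, port-preserving source NAT on each WAN router, and a server-side firewall that tracks connections by the (src, sport, dst, dport) tuple and drops any non-SYN packet it has no state for. Two LAN-router policies are compared: round-robin per packet, and pinning every packet of a flow to the router chosen for its first packet.

```python
from dataclasses import dataclass, replace
from itertools import cycle

# Constructed topology, following the addresses in the thread.
CLIENT = ("192.168.1.1", 40000)  # client source port is a constructed value
SERVER = ("6.6.6.6", 80)         # the thread's "simple TCP server"; port 80 assumed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class NatRouter:
    """Source-NAT WAN router: rewrites the private source address to its public IP."""

    def __init__(self, name, public_ip):
        self.name = name
        self.public_ip = public_ip
        self.mappings = {}  # public port -> (private ip, private port)

    def outbound(self, pkt):
        # Port-preserving SNAT for simplicity; a real NAT may allocate a new port.
        self.mappings[pkt.sport] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip)

    def inbound(self, pkt):
        # Reverse translation for a reply addressed to this router's public IP.
        priv_ip, priv_port = self.mappings[pkt.dport]
        return replace(pkt, dst=priv_ip, dport=priv_port)


class StatefulFirewall:
    """Connection-tracking firewall in front of the server, keyed on the 4-tuple."""

    def __init__(self):
        self.conntrack = {}  # (src, sport, dst, dport) -> state
        self.dropped = []

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            self.conntrack[key] = "SYN_RECV"
            return "ACCEPT"
        state = self.conntrack.get(key)
        if state is None:
            # Non-SYN packet with no tracked connection: INVALID, so it is dropped.
            self.dropped.append(f"INVALID {pkt.flags} from {pkt.src}:{pkt.sport}")
            return "DROP"
        if pkt.flags == "ACK" and state == "SYN_RECV":
            self.conntrack[key] = "ESTABLISHED"
        return "ACCEPT"


def per_packet_balancer(routers):
    """Round-robin over the WAN routers for every packet, ignoring flows."""
    rr = cycle(routers)
    return lambda pkt: next(rr)


def per_flow_balancer(routers):
    """Pin each flow (4-tuple) to the router chosen for its first packet."""
    rr = cycle(routers)
    pinned = {}

    def choose(pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in pinned:
            pinned[key] = next(rr)
        return pinned[key]

    return choose


def run_handshake(choose_router, routers, fw):
    """Push SYN / SYN-ACK / ACK through the LAN router's choice of WAN router.

    Returns (router used for SYN, router used for ACK, firewall verdict on the ACK,
    conntrack state of the entry the SYN created).
    """
    syn = Packet(*CLIENT, *SERVER, "SYN")
    r_syn = choose_router(syn)
    syn_nat = r_syn.outbound(syn)
    assert fw.inspect(syn_nat) == "ACCEPT"

    # The server answers the public address it saw; the internet delivers that
    # reply to whichever WAN router owns the IP, which un-NATs it to the client.
    synack = Packet(*SERVER, syn_nat.src, syn_nat.sport, "SYN-ACK")
    owner = next(r for r in routers if r.public_ip == synack.dst)
    owner.inbound(synack)

    ack = Packet(*CLIENT, *SERVER, "ACK")
    r_ack = choose_router(ack)
    ack_nat = r_ack.outbound(ack)
    verdict = fw.inspect(ack_nat)
    syn_key = (syn_nat.src, syn_nat.sport, syn_nat.dst, syn_nat.dport)
    return r_syn.name, r_ack.name, verdict, fw.conntrack[syn_key]


def simulate(balancer_factory):
    routers = [NatRouter("WAN-router1", "3.3.3.3"), NatRouter("WAN-router2", "4.4.4.4")]
    fw = StatefulFirewall()
    return run_handshake(balancer_factory(routers), routers, fw)


if __name__ == "__main__":
    print("per-packet:", simulate(per_packet_balancer))
    print("per-flow:  ", simulate(per_flow_balancer))
```

With per-packet balancing the ACK leaves through the second router, arrives at the server from 4.4.4.4 with no matching SYN_RECV entry, and is dropped; the server's entry for 3.3.3.3 never reaches ESTABLISHED. With per-flow pinning every packet of the connection uses the same NAT and public address, so the handshake completes, which is the per-connection balancing the reply contrasts with per-packet balancing.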