From: Dariusz Malec on 12 May 2010 20:03

Hi,

I have a scenario where my Linux gateway has access to the internet via two
ISP connections. I've prepared source routing for my private networks
based on static routing tables.
I have a server behind NAT and I'm using DNAT to access it, but it's
only available via the ISP connection selected as default.
Is it possible to have the DNATed server accessible using both ISP
connections? Maybe there is a way with connmark or something.
Waiting for your suggestions.
It's a pity that none of my ISPs provides BGP protocol :(

--
Regards
Dariusz Malec
dariusz.malec(a)gmail.com
From: Mart Frauenlob on 13 May 2010 01:09

On 13.05.2010 02:03, Dariusz Malec wrote:
> Hi,
> I have a scenario where my Linux gateway has access to the internet via two
> ISP connections. I've prepared source routing for my private networks
> based on static routing tables.
> I have a server behind NAT and I'm using DNAT to access it, but it's
> only available via the ISP connection selected as default.
> Is it possible to have the DNATed server accessible using both ISP
> connections? Maybe there is a way with connmark or something.
> Waiting for your suggestions.
> It's a pity that none of my ISPs provides BGP protocol :(
>

http://www.mentby.com/Group/netfilter-list/iptables-2-isp-dnat-problem.html

provided by g00gle...
From: Pascal Hambourg on 13 May 2010 05:26

Hello,

Mart Frauenlob wrote:
> On 13.05.2010 02:03, Dariusz Malec wrote:
>> Hi,
>> I have a scenario where my Linux gateway has access to the internet via two
>> ISP connections. I've prepared source routing for my private networks
>> based on static routing tables.
>> I have a server behind NAT and I'm using DNAT to access it, but it's
>> only available via the ISP connection selected as default.
>> Is it possible to have the DNATed server accessible using both ISP
>> connections? Maybe there is a way with connmark or something.
>> Waiting for your suggestions.
>> It's a pity that none of my ISPs provides BGP protocol :(

I don't see how BGP would help here.

> http://www.mentby.com/Group/netfilter-list/iptables-2-isp-dnat-problem.html

Thanks for digging this out, I don't need to repeat myself. :-)
From: Dariusz Malec on 15 May 2010 08:03

Mart Frauenlob wrote:
> On 13.05.2010 02:03, Dariusz Malec wrote:
>> Hi,
>> I have a scenario where my Linux gateway has access to the internet via two
>> ISP connections. I've prepared source routing for my private networks
>> based on static routing tables.
>> I have a server behind NAT and I'm using DNAT to access it, but it's
>> only available via the ISP connection selected as default.
>> Is it possible to have the DNATed server accessible using both ISP
>> connections? Maybe there is a way with connmark or something.
>> Waiting for your suggestions.
>> It's a pity that none of my ISPs provides BGP protocol :(
>>
>
> http://www.mentby.com/Group/netfilter-list/iptables-2-isp-dnat-problem.html
>
> provided by g00gle...

Well, I had some problems but I figured it out :)
I've found out that DNAT works OK when using the ISP connection which is set
as default gateway in the main routing table. When using the second one I
figured out that the packets pass the PREROUTING chain in the mangle table
and PREROUTING in the nat table, and then they are dropped.
I found out that disabling rp_filter on public interfaces solves the
problem.

echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

--
Regards
Dariusz Malec
From: Pascal Hambourg on 16 May 2010 06:18

Dariusz Malec wrote:
>
> Well, I had some problems but I figured it out :)
> I've found out that DNAT works OK when using the ISP connection which is set
> as default gateway in the main routing table. When using the second one I
> figured out that the packets pass the PREROUTING chain in the mangle table
> and PREROUTING in the nat table, and then they are dropped.
> I found out that disabling rp_filter on public interfaces solves the
> problem.
> echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

This problem is well known and not specific to DNAT. It affects all incoming
and outgoing connections going through the non-default interface.
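As an added example (not from the thread), a small POSIX sh helper that audits the effective rp_filter mode of the two ISP-facing interfaces from Dariusz's fix, eth1 and eth2, and switches them to loose mode rather than turning the check off. It assumes the interface names from the post and takes the sysctl tree as a parameter so it can be run against a copy; the kernel applies the maximum of conf/all/rp_filter and conf/<iface>/rp_filter, so the per-interface echo 0 above only takes effect when conf/all/rp_filter is also 0.

```shell
# Added example, not code from the thread. Audits the effective rp_filter mode
# of the ISP-facing interfaces (eth1/eth2 in the post). The kernel uses
# max(conf/all/rp_filter, conf/<iface>/rp_filter), so clearing only the
# per-interface file does nothing while conf/all/rp_filter is still 1.
# Modes: 0 = off, 1 = strict (drops replies that arrive on the non-default
# ISP link), 2 = loose (keeps the anti-spoofing check for sources that are
# not routable at all, but accepts multi-homed asymmetric paths).
# The first argument is the sysctl directory, normally /proc/sys/net/ipv4/conf.

rp_mode_name() {
    case "$1" in
        0) echo "off" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Effective rp_filter for one interface: max(all, iface).
rp_effective() {
    base=$1; iface=$2
    all=$(cat "$base/all/rp_filter")
    own=$(cat "$base/$iface/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Report each interface; return 1 if any is still strict, which is the
# condition that breaks DNAT (and every other flow) over the second ISP link.
rp_audit() {
    base=$1; shift
    rc=0
    for iface in "$@"; do
        eff=$(rp_effective "$base" "$iface")
        printf '%s: effective rp_filter=%s (%s)\n' "$iface" "$eff" "$(rp_mode_name "$eff")"
        [ "$eff" -eq 1 ] && rc=1
    done
    return $rc
}

# Lower 'all' as well as the interfaces, otherwise its value keeps winning.
rp_set_loose() {
    base=$1; shift
    echo 2 > "$base/all/rp_filter"
    for iface in "$@"; do echo 2 > "$base/$iface/rp_filter"; done
}

# Live usage (needs root):
#   rp_audit /proc/sys/net/ipv4/conf eth1 eth2 || rp_set_loose /proc/sys/net/ipv4/conf eth1 eth2
```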