Re: Routing via 2 providers both with NAT

From: Tjardick van der Kraan (tjardick_at_vanderkraan.net)
Date: 09/29/04


Date: Wed, 29 Sep 2004 14:56:37 +0200

I figured out that MASQ doesn't work but Source NAT does.

New question now is: how can I set a port map (DNAT) on both connections
to the same server?

So one server, 192.168.2.2, is the mail server running SMTP on port 25.

Now I would like to be able to map port 25 both on 217.x.x.2 and on
81.x.x.74 and route requests coming in from both lines back to where
they came from.

As it stands, one of the two works, depending on the ip rule from
192.168.2.2.

Any ideas?

Regards,

Tjar***

Tjar*** van der Kraan wrote:
> Hello,
>
> We have a Debian router/firewall which currently does masq via iptables
> over a leased line, and we want to add an ADSL line for non-priority
> traffic like occasional surfing etc.
>
> The interfaces are defined as follows:
>
> 217.x.x.0/28 dev eth0 proto kernel scope link src 217.x.x.2
> 192.168.0.0/22 dev eth1 proto kernel scope link src 192.168.0.1
> 82.x.x.72/29 dev eth3 proto kernel scope link src 82.x.x.74
>
> With 217.x.x.1 as the gateway on eth0 and
> with 82.x.x.73 as the gateway on eth1
>
> The leased line on 217 has already been working properly for some time now,
> but the ADSL was connected last week and now I am having
> difficulties getting traffic from certain internal hosts to route out
> over it.
>
> In iptables both eth0 & eth3 are set to do postroute masq.
>
> ip route (apart from the above 3 networks) shows a default route:
>
> default via 217.x.x.1 dev eth0
>
> I have added two tables to the iproute2 config, named leased and adsl.
>
> ~# ip route show table adsl
> 82.x.x.72/29 dev eth3 scope link
> 192.168.0.0/22 dev eth1 scope link
> 127.0.0.0/8 dev lo scope link
> default via 82.x.x.73 dev eth3
>
> ~# ip route show table leased
> 217.x.x.0/28 dev eth0 scope link
> 192.168.0.0/22 dev eth1 scope link
> 127.0.0.0/8 dev lo scope link
> default via 217.x.x.1 dev eth0
>
> I added the 2 rules based on the "from" to the ip rules:
>
> ~# ip rule
> 0: from all lookup local
> 32764: from 217.x.x.2 lookup leased
> 32765: from 82.x.x.74 lookup adsl
> 32766: from all lookup main
> 32767: from all lookup default
>
>
> For testing I wanted all traffic to still go over the leased line, but
> traffic from IP 192.168.1.247 to go over the ADSL.
>
> I tried both:
>
> ~# ip rule
> 0: from all lookup local
> 32763: from 192.168.1.247 lookup adsl
> 32764: from 217.x.x.2 lookup leased
> 32765: from 82.x.x.74 lookup adsl
> 32766: from all lookup main
> 32767: from all lookup default
>
> and
>
> ~# ip rule
> 0: from all lookup local
> 32763: from 192.168.1.247 lookup adsl map-to 82.x.x.74
> 32764: from 217.x.x.2 lookup leased
> 32765: from 82.x.x.74 lookup adsl
> 32766: from all lookup main
> 32767: from all lookup default
>
> From external locations I can ssh in to the box via both the leased
> line (217.x.x.2) and the ADSL (82.x.x.74), and furthermore we have put a
> separate box on the ADSL connection with the 82.x.x.74 IP just to make
> sure the ADSL connection works outgoing too.
>
> So the main question is: what am I doing wrong / what should I change to be
> able to have NAT working on both interfaces in a way that I can choose
> the outgoing interface via ip rule (or some other rule system, maybe
> fwmark?).
>
> Kind regards,
>
> Tjar***
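The two-uplink DNAT setup asked about above, as an added example that is not from the thread or its author: a POSIX sh script that tags each inbound connection with the uplink it arrived on (CONNMARK, i.e. the fwmark idea from the original post) so that replies from the mail server are routed back out the same line. It assumes iptables with CONNMARK support, the "leased" and "adsl" tables from the post already present in /etc/iproute2/rt_tables, and placeholder public addresses standing in for the masked ones.

```shell
#!/bin/sh
# Added example (not from the thread). Port-map tcp/25 on both uplinks to the
# one mail server and route each reply back out the uplink its connection
# arrived on. Assumes iptables with CONNMARK and the routing tables "leased"
# and "adsl" already in /etc/iproute2/rt_tables. Public IPs are placeholders.
LEASED_IF=eth0; LEASED_IP=217.0.0.2   # placeholder for 217.x.x.2
ADSL_IF=eth3;   ADSL_IP=82.0.0.74     # placeholder for 82.x.x.74
MAIL=192.168.2.2                      # internal SMTP server
MARK_LEASED=1; MARK_ADSL=2            # fwmark per uplink

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_return_path() {
    # 1. Give every packet the mark already stored on its connection, if any.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Stamp NEW connections entering from an uplink with that uplink's mark.
    run iptables -t mangle -A PREROUTING -i "$LEASED_IF" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$MARK_LEASED"
    run iptables -t mangle -A PREROUTING -i "$ADSL_IF" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$MARK_ADSL"
    # 3. Store the mark on the conntrack entry; replies from 192.168.2.2 arriving
    #    on eth1 then get it back in step 1, before the routing decision.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # 4. Marked replies choose the table of their uplink; these prefs sit ahead
    #    of the existing "from ..." rules so they win for reply traffic.
    run ip rule add fwmark "$MARK_LEASED" lookup leased pref 100
    run ip rule add fwmark "$MARK_ADSL" lookup adsl pref 101
    run ip route flush cache
}

setup_nat() {
    # DNAT port 25 on each public address to the single mail server.
    run iptables -t nat -A PREROUTING -i "$LEASED_IF" -d "$LEASED_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL"
    run iptables -t nat -A PREROUTING -i "$ADSL_IF" -d "$ADSL_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL"
    # Explicit SNAT per uplink (the poster found SNAT works where MASQUERADE did not).
    run iptables -t nat -A POSTROUTING -o "$LEASED_IF" -j SNAT --to-source "$LEASED_IP"
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -j SNAT --to-source "$ADSL_IP"
}

# Run as "sh script.sh apply" to execute; any other invocation only prints.
if [ "${1:-}" = apply ]; then DRY_RUN=0; else DRY_RUN=1; fi
setup_return_path
setup_nat
```

The per-host rule from the post (from 192.168.1.247 lookup adsl) keeps working for locally originated traffic, since the fwmark rules only match packets whose connection was marked on entry.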