Discussion:
exporting service on multiple wan
Fabio Marcone
2007-10-18 14:27:37 UTC
Hi all,
I have a routing problem. I'm setting up a router based on Debian (kernel
2.4).

I need to set up routing to export an ftp service (the ftp server is in the
DMZ) to 2 WANs (both).

I set up the prerouting and forward rules with no problem.

The problem is that reply packets use the default gateway (default WAN) even
though they entered using the other WAN.

I solved it by marking packets on input from the DMZ iface and forcing them to
use another gateway (iproute2), but in this way I don't export the ftp service
on the default WAN.

How can I set up routing to export the ftp service on both ifaces?

Thanks in advance,
Fabio
--
Dott. Fabio Marcone

2T srl
Telephone +39 - 0871- 540154
Fax +39 - 0871- 571594
Email fabio.marcone(AT)duet.it
Address Viale B. Croce 573
66013 Chieti Scalo (CH)
GNU/Linux registered user #400424
Mohan Sundaram
2007-10-19 02:19:01 UTC
Post by Fabio Marcone
Hi all,
I have a routing problem. I'm setting up a router based on Debian (kernel
2.4).
I need to set up routing to export an ftp service (the ftp server is in the
DMZ) to 2 WANs (both).
I set up the prerouting and forward rules with no problem.
The problem is that reply packets use the default gateway (default WAN) even
though they entered using the other WAN.
I solved it by marking packets on input from the DMZ iface and forcing them to
use another gateway (iproute2), but in this way I don't export the ftp service
on the default WAN.
How can I set up routing to export the ftp service on both ifaces?
Thanks in advance,
Fabio
One way to do this:
1. Assign 2 private IP addresses to the ftp server and listen on
both for ftp: IP1 and IP2.
2. Map one IP to each WAN address: WAN1>>IP1 and WAN2>>IP2.
3. On the Linux machine, set policy routing based on the src IP of the reply
packet, i.e. src IP1 goes through WAN1 and src IP2 goes through WAN2.

Mohan
Salim S I
2007-10-19 02:32:36 UTC
How about conn-marking the (NEW state) packets in POSTROUTING?

Mohan Sundaram
2007-10-19 04:09:02 UTC
Post by Salim S I
How about conn-marking the (NEW state) packets in POSTROUTING?
Would probably need to use conntrack ESTABLISHED, DNAT and the ROUTE
directive for packets coming from the LAN to make sure the packet goes out
through the same interface it came in on.

Mohan
Salim S I
2007-10-19 05:36:13 UTC
Sorry, I forgot for a moment it was DMZ.

In mangle PREROUTING (the restore rule must come first, so that every
packet of an already-marked connection gets the mark before routing):

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark --mark 0x0 -i WAN1 -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m mark --mark 0x0 -i WAN2 -j CONNMARK --set-mark 0x2

Two routing tables, one for each mark.

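Putting the CONNMARK approach from this thread together, as an added example (not code from the thread): a POSIX shell script that emits, or with `apply` executes, the per-WAN routing tables, fwmark rules, mangle rules and port-21 DNAT for two WAN links. Interface names, addresses and table numbers are constructed placeholders; the ftp conntrack helper is assumed to be loaded so data connections are tracked as RELATED.

```shell
#!/bin/sh
# Policy routing for a DMZ ftp server reachable through two WAN links.
# Reply packets must leave through the WAN the connection arrived on, so
# each new inbound connection is conn-marked per WAN interface and the mark
# selects a routing table. All values below are constructed placeholders.
WAN1_IF=eth1;  WAN1_GW=203.0.113.1;  WAN1_IP=203.0.113.10
WAN2_IF=eth2;  WAN2_GW=198.51.100.1; WAN2_IP=198.51.100.10
FTP_DMZ=192.168.10.5   # ftp server in the DMZ (constructed)

# Commands for one WAN link: a routing table whose default route is that
# link's gateway, an ip rule selecting it by fwmark, the mangle rule that
# marks NEW connections entering on that link, and the DNAT for port 21.
wan_rules() {
  ifc=$1; gw=$2; pub=$3; mark=$4; table=$5
  cat <<EOF
ip route add default via $gw dev $ifc table $table
ip rule add fwmark $mark table $table
iptables -t mangle -A PREROUTING -i $ifc -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
iptables -t nat -A PREROUTING -i $ifc -d $pub -p tcp --dport 21 -j DNAT --to-destination $FTP_DMZ
EOF
}

# Full command set. The restore-mark rule is emitted first so that replies
# forwarded from the DMZ carry the connection mark before the routing
# decision and are steered into the matching table.
all_rules() {
  echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
  wan_rules "$WAN1_IF" "$WAN1_GW" "$WAN1_IP" 0x1 101
  wan_rules "$WAN2_IF" "$WAN2_GW" "$WAN2_IP" 0x2 102
  echo "ip route flush cache"
}

# Without arguments the script only prints the commands (dry run);
# "apply" runs them, which needs root on the router.
case "$1" in
  apply) all_rules | sh -e ;;
  *)     all_rules ;;
esac
```

Check the result with `ip rule show` and `iptables -t mangle -L PREROUTING -v`: the restore-mark rule should be hit by every forwarded packet, and the per-WAN set-mark rules only by new connections.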