Re: Masq+IPs+server

From: James Deptuck <jdeptuck_at_no.spam.please>
Date: Mon Mar 26 2001 - 19:09:38 CST

I have the same situation and I know it does not work.
The client in Internet land will freak out because the packet is not coming
from the IP that it is expecting it to come from. It will be expecting it to
come from eth0 but it's not, it's coming from eth1.

Here's the configuration we tried at our office...

Two Internet connections.
1 - Shaw Highspeed
1 - GT/Shaw Fiberlink

The goal was, to serve web requests for all our clients over the GT
connection, while using the Shaw Highspeed for casual surfing by our staff.
All machines on our network have the linux firewall as their default
gateway.
IP Port forwarding is set, forwarding port 80 for incoming traffic on the GT
connection to our web servers.

This results in two possibilities...

1) Default gateway on linux box set to GT router (default gateway). - In
this situation, everything works, except no traffic uses the Shaw Highspeed
because it's not set as the default gateway.

2) Default gateway on linux box set to Shaw Highspeed default gateway - In
this situation all traffic goes out the cable modem as desired. However, if
a web request comes in over the GT connection, the linux box will masq the
server's reply and send it out the Shaw Highspeed. The client in internet
land does not like this.

I've theorized a solution for this problem which lies in Source Based
Routing. With source based routing, I can configure the linux box to
forward all traffic, coming from the internal web server, out the GT
connection.
But I haven't implemented this yet :)

Our temporary solution has been to install a second router/firewall and vary
the default gateway IPs of the internal machines.

james

----- Original Message -----
From: "Steven Kurylo" <slug@sfr.myip.org>
To: <linux@slg.org>
Sent: Saturday, March 24, 2001 12:46 PM
Subject: Masq+IPs+server

> I have had a question bothering me for a while now, and I am wondering if
> any one here can explain it to me.
>
> Below is a description of the setup. I randomly chose port 1000, if that
> makes a difference I can look up which port the machine is actually using.
>
> client is the user off in internet land making a request.
> eth0 is the nic that ISP #1 is connected to on the linux masq machine.
> eth1 is the nic that ISP #2 is connected to on the linux masq machine.
> server is the machine that is listening for requests.
>
>
> Request coming in
>
> client -> eth0:1000 (forwarded to) -> server:1000
>
> Now the request coming back out
>
> server:1000 -> default gateway (masq machine) -> eth0:1000 -> client
>
> So eth1 would look like
>
> client -> eth1:1000 (forwarded to) -> server:1000
> server:1000 -> default gateway (masq machine) -> eth0:1000 -> client
>
> So would the above diagram work? Two separate IPs, both forwarding port
> 1000 to a server that is listening and sending replies back out.
>
>
> We were told (actually I wasn't there so I got the synopsis "it doesn't
> work") that getting a second external net connection wouldn't work, as
> shown in the diagrams above.
>
> I can't figure why not. The only hang-up I can see is that requests coming
> in on eth1 are being sent back out on eth0 (because of the default
> gateway). However in the wide world of the net, the packet should be able
> to find its way home, yes?
>
> Is there something I am missing? Could there be something in the software
> on the server that would choke on this? Was the person who told this to us
> mistaken?
>
> Thanks,
>
> Steven
>

--
Saskatoon Linux Group Mailing List.
"Ein zuviel an Ordnung ruft in uns unweigerlich den Wunsch auf Totschlag
hervor."
--
To unsubscribe, send mail to
'linux-request@slg.org' with
'unsubscribe' in the body.
Received on Mon Mar 26 19:09:38 2001

This archive was generated by hypermail 2.1.8 : Sun Jan 09 2005 - 13:54:01 CST
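The source-based routing James proposes (and the asymmetric-return problem Steven draws in his diagrams) can be tried out with the script below. This is an added example, not code from either poster; the interface names, addresses, routing-table id and fwmark are assumptions chosen to match the thread's topology (eth0 = Shaw Highspeed as default route, eth1 = GT as the inbound web link, eth2 = LAN with the web server). It goes a step beyond the thread by also showing a connection-mark variant, which steers back out the GT link only the connections that came in on it.

```shell
#!/bin/sh
# Added example (not from the thread): dual-uplink Linux NAT box where inbound
# port 80 arrives on the GT link while the default route points at the Shaw
# link.  Every address, interface name, table id and mark below is assumed.
#
#   eth0  Shaw Highspeed  our IP 10.0.0.2  gateway 10.0.0.1  (default route)
#   eth1  GT Fiberlink    our IP 10.1.0.2  gateway 10.1.0.1  (inbound web)
#   eth2  LAN 192.168.1.0/24, web server at 192.168.1.10

SHAW_IF=eth0; SHAW_GW=10.0.0.1
GT_IF=eth1;   GT_GW=10.1.0.1; GT_IP=10.1.0.2
LAN_IF=eth2;  WEB=192.168.1.10
GT_TABLE=100     # routing table whose only default route is via GT
GT_MARK=1        # fwmark used by the connmark variant

# run CMD...: execute the command, or with DRY_RUN set just print it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Port-forward 80 on the GT address to the web server and masquerade LAN
# traffic on both uplinks (the setup described in the thread).
setup_nat() {
    run iptables -t nat -A PREROUTING -i "$GT_IF" -d "$GT_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB"
    run iptables -t nat -A POSTROUTING -o "$SHAW_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$GT_IF" -j MASQUERADE
}

# Main table keeps Shaw as default (case 2 in the thread); a second table holds
# a default via GT.  The "from GT_IP" rule routes the firewall's own traffic
# from its GT address via GT and also lets strict rp_filter on eth1 accept
# inbound packets whose main-table reverse route would be eth0.
setup_gt_table() {
    run ip route replace default via "$SHAW_GW" dev "$SHAW_IF"
    run ip route replace default via "$GT_GW" dev "$GT_IF" table "$GT_TABLE"
    run ip rule add from "$GT_IP" lookup "$GT_TABLE" priority 1001
}

# Source-based routing, as James proposes.  The reverse of the DNAT is applied
# in POSTROUTING, after the routing decision, so a reply from the web server is
# still sourced from 192.168.1.10 when its route is chosen; a rule keyed on that
# source sends it out via GT instead of the Shaw default.  Note this moves ALL
# of the web server's outbound traffic to GT, not just replies to web requests.
setup_source_routing() {
    setup_gt_table
    run ip rule add from "$WEB" lookup "$GT_TABLE" priority 1000
}

# Connection-mark variant (added here, not mentioned in the thread): mark
# connections that entered on the GT link, restore the mark on packets coming
# back from the LAN before routing, and route by that mark.  The web server's
# own outbound connections keep using the Shaw default.
setup_connmark_routing() {
    setup_gt_table
    run iptables -t mangle -A PREROUTING -i "$GT_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$GT_MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run ip rule add fwmark "$GT_MARK" lookup "$GT_TABLE" priority 999
}

# Usage:  DRY_RUN=1 sh dual-uplink.sh source     (preview the commands)
#         sh dual-uplink.sh source                (apply, as root)
#         sh dual-uplink.sh connmark
case "${1:-}" in
    source)   setup_nat; setup_source_routing ;;
    connmark) setup_nat; setup_connmark_routing ;;
esac
```

Run it first with `DRY_RUN=1` to see exactly which `iptables` and `ip` commands it would issue. The point to verify on a real box is the one James describes: with only the default gateway changed, `tcpdump -ni eth0 port 80` shows the web server's replies leaving on the Shaw link; after `ip rule add from 192.168.1.10 lookup 100` they leave on eth1 with the GT address as source. If the kernel has strict reverse-path filtering on eth1, the `from $GT_IP` rule (or `net.ipv4.conf.eth1.rp_filter=2` on kernels that support loose mode) is what keeps inbound GT packets from being dropped before they ever reach the DNAT rule.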