[Klug-general] Multiple routes out

Mike kentlug at norgie.net
Tue Dec 7 11:22:30 UTC 2010


On Mon, Dec 06, 2010 at 04:27:32PM +0000, Alan Buchel wrote:
> Hi All,
>
> I have a slightly complicated situation with a routing requirement, have  
> RTFM'd till my brain hurts and hope someone can help...
>
> We have a Server inside a private network which routes out through a  
> WLAN switch as its main uplink to the internet. It syncs with other  
> servers over this network. For reasons beyond my control, the server is  
> only allowed 1 IP address. Now we want to expose some of the services on  
> this server such as www (80) to the outside world via a broadband line,  
> and such a facility is unavailable via the WLAN.
>
> So I thought: just put in a smoothwall box, RED NIC on the ADSL, GREEN  
> on the same IP subnet as the Server, forward the required ports to  
> Server and job done. Oh no, not a bit...
>

OK, so the problem that you have here is that the Smoothwall will do a
port forward, i.e. translate the destination address and port of the
incoming packet, but the source address will remain the same.  Consider
this scenario:

Client 1.2.3.4 connects to the smoothie on the red interface (let's
say that interface has an IP address of 90.90.90.90).  Smoothwall
translates the destination address from 90.90.90.90 to the internal
address of the server (let's say 192.168.0.50).  So, the server receives
a packet that has a source of 1.2.3.4 and a destination of 192.168.0.50.
It then responds with the customary syn/ack and since the source of
90.90.90.90 is outside of its local subnet, it sends the packet to its
default gateway (in this case, the WLAN).  The client 1.2.3.4 then
receives the syn/ack from 192.168.0.50 which it never contacted in the
first place.

The way to resolve this is to get the Smoothie to translate the source
address of the incoming packet to the IP of the green interface.  This
can be done with iptables either by a source NAT or using IP
masquerading.  The latter is probably simpler and can probably be turned
on in smoothwall's config tool.  Failing that, iptables -t nat -A
POSTROUTING -o $green_int -j MASQUERADE is roughly what you
are looking for, though you may want to check the manual as that's off
the top of my head.

Mike.
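The asymmetric-routing problem described in the reply above, as an added worked example (not from the original thread or from Smoothwall). It models the three hosts with the addresses used in the thread, applies the Smoothwall's DNAT with and without masquerading, and traces which path the server's SYN/ACK takes. The green interface address 192.168.0.1, the WLAN gateway address 192.168.0.254 and the /24 subnet are assumptions, not values from the thread.

```python
"""Trace a port-forwarded TCP SYN through a Smoothwall-style box to show why
DNAT alone produces an asymmetric return path and why adding source NAT
(MASQUERADE) fixes it. Addresses are constructed for the example."""
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread
CLIENT = "1.2.3.4"          # external client on the internet
RED_IP = "90.90.90.90"      # Smoothwall red (ADSL) interface
SERVER_IP = "192.168.0.50"  # internal server
# Assumed values (not stated in the thread)
GREEN_IP = "192.168.0.1"    # Smoothwall green interface
WLAN_GW = "192.168.0.254"   # server's default gateway via the WLAN switch
LAN = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN" or "SYN/ACK"


def server_next_hop(pkt: Packet) -> str:
    """Server's routing decision: on-link destinations go direct,
    everything else goes to the default gateway on the WLAN."""
    if ipaddress.ip_address(pkt.dst) in LAN:
        return "direct"
    return "wlan-gateway"


def smoothwall_inbound(pkt: Packet, masquerade: bool):
    """Port forward on the red interface.
    Equivalent iptables rules (constructed, check against the manual):
      iptables -t nat -A PREROUTING  -i red   -d 90.90.90.90 -p tcp --dport 80 \
               -j DNAT --to-destination 192.168.0.50
      iptables -t nat -A POSTROUTING -o green -j MASQUERADE   # only if masquerade
    Returns the translated packet plus a conntrack-style entry so the
    reply can be un-translated."""
    if pkt.dst != RED_IP:
        return None, {}
    new = replace(pkt, dst=SERVER_IP)            # DNAT: red IP -> server
    if masquerade:
        new = replace(new, src=GREEN_IP)         # SNAT: client -> green IP
    # key: (reply src, reply dst) -> original packet
    state = {(new.dst, new.src): pkt}
    return new, state


def trace(masquerade: bool) -> dict:
    """Send one SYN from the client and report how the SYN/ACK comes back."""
    syn = Packet(CLIENT, RED_IP, "SYN")
    fwd, state = smoothwall_inbound(syn, masquerade)
    reply = Packet(fwd.dst, fwd.src, "SYN/ACK")  # server answers whatever it saw
    if server_next_hop(reply) == "wlan-gateway":
        # Reply bypasses the Smoothwall; client sees a SYN/ACK from a private
        # address it never contacted and discards it (or the WLAN drops it).
        return {"reply_path": "wlan",
                "reply_src_seen_by_client": reply.src,
                "client_accepts": reply.src == RED_IP}
    # Reply is on-link to the green interface; Smoothwall reverses both NATs.
    original = state[(reply.src, reply.dst)]
    untranslated = Packet(original.dst, original.src, "SYN/ACK")
    return {"reply_path": "smoothwall",
            "reply_src_seen_by_client": untranslated.src,
            "client_accepts": untranslated.src == RED_IP}


if __name__ == "__main__":
    print("DNAT only:      ", trace(masquerade=False))
    print("DNAT+MASQUERADE:", trace(masquerade=True))
```

The cost of the masquerade fix is visible in the model: the server now sees every forwarded connection as coming from the green interface address, so its own access logs no longer record the real client address; anything that needs that address has to be read from the Smoothwall's logs instead.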