[Firehol-support] Forwarding through multiple uplinks/providers

Mirko Buffoni firehol at synthesys.it
Mon Aug 13 17:05:52 CEST 2007


Hi all,

After spending several days on this problem I came to the conclusion
that maybe it's not doable, or I am missing some point, so I decided
to disturb you folks and ask for help.

I have set up a linux box to reply to different uplinks, as described
in http://lartc.org/howto/lartc.rpdb.multiple-links.html

Everything works just fine: the linux-box has a default gateway to
a fixed ip from the multiple links set.

The linux-box also does snat for LAN PCs:

snat to "${PUBLIC_IPADDRESS}" outface "${PUBLIC_INTERFACE}" src 
"${LAN_NETWORK}" dst not "${UNROUTABLE_IPS}"

So internal PCs can browse the internet using PUBLIC_IPADDRESS.

I successfully set up port forwarding to one of the internal PCs, via

dnat to INTERNALPC proto PROTOCOL dport DPORT

and creating a

route SERVICE accept dst INTERNALPC

and the internal pc having linux-box as default gateway.

So if I connect to PUBLIC_IPADDRESS:DPORT from outside, I get redirected
to the internal PC and everyone is happy. (The internal pc receives packets with
SRC=external ip, which is routed through linux-box, which routes through
its default gateway, which coincidentally was the same one the request came from.)

-----

The problem now is that if I connect to PUBLIC_IPADDRESS2:DPORT, I cannot
connect to the internal PC.
So I tried different paths...

snatting to linux-box-ipaddress dst INTERNALPC

doesn't work, as the pc receives the packet, then replies to linux-box,
but the response packet, which now has the external IP address, is routed
through the default gateway (which is the first one) and not through the second
one, which originated the request.

Is this problem solvable? Marking packets in some way to make the proper
path decision later with the response?

From what I understand FORWARDING doesn't mark anything, so the packet is
not following the ip rules as defined by lartc.org/howto/...

Or am I wrong and I'm missing something?

-----

Basically what I'm trying to solve is reaching the internal pc through one
of the other uplinks available, if unfortunately the gateway that gives
access to the internet goes down for some reason.

Any help would be very much appreciated.

Mirko
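The connection-marking approach the post asks about, as an added example that is not from the original post or from FireHOL: a plain iptables/iproute2 script that tags connections arriving on a second uplink with CONNMARK, restores the mark onto the LAN-side replies before the routing decision, and sends marked packets through a dedicated routing table whose default route is the second gateway. Interface names, the gateway address, the table number and the mark value are placeholders; the script prints the commands by default (DRY_RUN=1) and only executes them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not the original poster's or FireHOL's configuration.
# Reply-path selection for a second uplink: connections that arrive on
# UPLINK2_IF are tagged in conntrack, the tag is restored onto the replies
# coming back from the LAN, and a fwmark rule routes them via uplink 2.
# All names, addresses and numbers below are placeholders (assumptions).
set -eu

DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = execute them
UPLINK2_IF="${UPLINK2_IF:-eth2}"         # second uplink interface (assumed)
UPLINK2_GW="${UPLINK2_GW:-203.0.113.1}"  # gateway on the second uplink (assumed)
LAN_IF="${LAN_IF:-eth0}"                 # LAN-facing interface (assumed)
TABLE2=102                               # routing table dedicated to uplink 2
MARK2=0x2                                # fwmark meaning "belongs to uplink 2"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_uplink2_reply_path() {
    # Table 102: everything leaves via uplink 2; rule: fwmark 0x2 -> table 102.
    run ip route replace default via "$UPLINK2_GW" dev "$UPLINK2_IF" table "$TABLE2"
    run ip rule add fwmark "$MARK2" lookup "$TABLE2" priority 1000
    # Tag a new connection on arrival at uplink 2 and save the mark in conntrack.
    # (The existing FireHOL dnat/route rules still do the port forwarding.)
    run iptables -t mangle -A PREROUTING -i "$UPLINK2_IF" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK2"
    # Replies from the LAN pass mangle PREROUTING before the routing decision,
    # so restoring the mark here makes the fwmark rule select table 102
    # instead of the main table's default gateway (uplink 1).
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
    # Strict reverse-path filtering on uplink 2 would drop packets addressed to
    # PUBLIC_IPADDRESS2 while the main table points at uplink 1; relax it there.
    run sysctl -w "net.ipv4.conf.$UPLINK2_IF.rp_filter=0"
    run ip route flush cache
}

setup_uplink2_reply_path
```

LAN-originated traffic is unaffected: only replies of connections first seen on uplink 2 carry the mark, so normal outbound traffic still follows the main table.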