[Firehol-support] Link Balancer - no routing

Tsaousis, Costa costa at tsaousis.gr
Thu Jul 6 10:21:36 BST 2017


You probably need to add: masquerade reverse (if you added the masquerade
command inside the router block, the reverse keyword makes it work in
outface - the default is inface).
Alternatively, you can add masquerade NETWORK_INTERFACE at the top of
firehol.conf

Costa


On Thu, Jul 6, 2017 at 1:49 AM, Christopher Howard <christopher at alaskasi.com> wrote:

> Seems like I must be doing something wrong with the masquerading. I can
> see with tcpdump that if I send either icmp or https packets, the packets
> are making it out the wan interface, but no responses are coming back.
> E.g.:
>
> # tcpdump -i enp1s0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 14:45:32.552723 IP 192.168.235.100 > google-public-dns-a.google.com: ICMP echo request, id 2764, seq 1, length 64
>
> # tcpdump -i enp1s0 tcp port https
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 14:46:49.473220 IP 192.168.235.100.37695 > sea15s11-in-f14.1e100.net.https: Flags [S], seq 2536058409, win 29200, options [mss 1460,sackOK,TS val 5325619 ecr 0,nop,wscale 7], length 0
>
> On the other hand, if I send the requests from inside the router itself,
> replies come back immediately.
>
> On Wed, 2017-07-05 at 13:51 -0800, Christopher Howard wrote:
> > Ack! Nevermind, I was accidentally pinging the interface address :(
> >
> >
> > On Wed, 2017-07-05 at 13:15 -0800, Christopher Howard wrote:
> > > I figured it out! After I set
> > >
> > > net.ipv4.conf.all.accept_source_route =     1
> > >
> > > it started working!
> > >
> > > On Wed, 2017-07-05 at 12:56 -0800, Christopher Howard wrote:
> > > > Thank you! Is there more to it than adding "masquerade" to the router
> > > > definition? I did
> > > >
> > > > file:/etc/firehol/firehol.conf
> > > > ---------
> > > > <snip>
> > > > router lan12wan1 inface enp2s0 outface enp1s0
> > > >        masquerade
> > > >        server all accept
> > > >
> > > > router lan12wan2 inface enp2s0 outface enp3s0
> > > >        masquerade
> > > >        server all accept
> > > > <snip>
> > > > --------
> > > >
> > > > and restarted everything but nothing seems to have changed. Thank you
> > > > for your help.
> > > >
> > > > On Wed, 2017-07-05 at 22:49 +0300, Tsaousis, Costa wrote:
> > > > > Hi,
> > > > >
> > > > >
> > > > > I think you have forgotten to NAT (snat or masquerade) LAN IPs to the
> > > > > internet interfaces, so the LAN hosts are sent to the internet with
> > > > > private IPs.
> > > > >
> > > > >
> > > > > Costa
> > > > >
> > > > >
> > > > >
> > > > > On Wed, Jul 5, 2017 at 9:42 PM, Christopher Howard
> > > > > <christopher at alaskasi.com> wrote:
> > > > >         Hi, I am trying to set up a link balancer. I didn't know
> > > > >         Firehol / link-balancer existed until about two days ago,
> > > > >         so be patient with me. I have things configured so it seems
> > > > >         like default route(s) are showing up. When logged into the
> > > > >         router, I can ping the Internet fine. However, from a device
> > > > >         connected to the LAN port, I receive an IP address, and the
> > > > >         default route (to the link balancer) is showing, but the
> > > > >         device cannot ping the Internet. Presumably it is some
> > > > >         problem with the way I have (or haven't) configured routing.
> > > > >
> > > > >         On balancer box, I have:
> > > > >
> > > > >         file:/etc/network/interfaces
> > > > >         --------
> > > > >         # This file describes the network interfaces available on your system
> > > > >         # and how to activate them. For more information, see interfaces(5).
> > > > >
> > > > >         source /etc/network/interfaces.d/*
> > > > >
> > > > >         # The loopback network interface
> > > > >         auto lo
> > > > >         iface lo inet loopback
> > > > >
> > > > >         # WAN1 - Left most port
> > > > >         allow-hotplug enp1s0
> > > > >         iface enp1s0 inet dhcp
> > > > >
> > > > >         # WAN2 - 2nd from left
> > > > >         allow-hotplug enp3s0
> > > > >         iface enp3s0 inet dhcp
> > > > >
> > > > >         # WAN3 - 3rd from left
> > > > >         allow-hotplug enp4s0
> > > > >         iface enp4s0 inet dhcp
> > > > >
> > > > >         # LAN1 - 4th from left
> > > > >         allow-hotplug enp2s0
> > > > >         iface enp2s0 inet static
> > > > >           address 192.168.235.1
> > > > >           netmask 255.255.255.0
> > > > >           broadcast 192.168.235.255
> > > > >           network 192.168.235.0
> > > > >         --------
> > > > >
> > > > >         file:/etc/firehol/firehol.conf
> > > > >         --------
> > > > >         interface any world
> > > > >                 client all accept
> > > > >                 server all accept
> > > > >
> > > > >         connmark 0x1 interface enp1s0
> > > > >         connmark 0x2 interface enp3s0
> > > > >
> > > > >         router lan12wan1 inface enp2s0 outface enp1s0
> > > > >                server all accept
> > > > >
> > > > >         router lan12wan2 inface enp2s0 outface enp3s0
> > > > >                server all accept
> > > > >         --------
> > > > >
> > > > >         file:/etc/firehol/link-balancer.conf
> > > > >         --------
> > > > >         LB_DEFAULT_IPV="4"
> > > > >
> > > > >         gateway cable dev enp1s0 gw 192.168.1.1
> > > > >         gateway sat1 dev ensp3s0 gw 192.168.0.1 check 66.82.4.8
> > > > >
> > > > >         table 1
> > > > >               default via cable
> > > > >
> > > > >         table 2
> > > > >               default via sat1
> > > > >
> > > > >         table main
> > > > >               default via cable weight 150
> > > > >               default via sat1 weight 50
> > > > >
> > > > >         policy
> > > > >                 connmark 0x1 table 1
> > > > >                 connmark 0x2 table 2
> > > > >         --------
> > > > >
> > > > >         Also on balancer box I see:
> > > > >
> > > > >         # cat /proc/sys/net/ipv4/ip_forward
> > > > >         1
> > > > >
> > > > >         # ip route
> > > > >         default via 192.168.1.1 dev enp1s0
> > > > >         192.168.0.0/24 dev enp3s0 proto kernel scope link src 192.168.0.5
> > > > >         192.168.1.0/24 dev enp1s0 proto kernel scope link src 192.168.1.12
> > > > >         192.168.235.0/24 dev enp2s0 proto kernel scope link src 192.168.235.1
> > > > >
> > > > >         (For testing sat1 link is currently down.)
> > > > >
> > > > >         Have I forgot/misconfigured anything obvious?
> > > > >
> > > > >         --
> > > > >         Christopher Howard
> > > > >         Computer Assistant
> > > > >         Alaska Satellite Internet
> > > > >         3239 La Ree Way
> > > > >         Fairbanks, Alaska 99709
> > > > >         1-888-396-5623
> > > > >         https://alaskasatelliteinternet.com
> > > > >         personal web site: https://qlfiles.net
> > > > >
> > > > >
> > > > >
> > > > >         _______________________________________________
> > > > >         Firehol-support mailing list
> > > > >         Firehol-support at lists.firehol.org
> > > > >         http://lists.firehol.org/mailman/listinfo/firehol-support
> > > > >
> > > > >
> > > >
> > >
> >
>
> --
> Christopher Howard
> Computer Assistant
> Alaska Satellite Internet
> 3239 La Ree Way
> Fairbanks, Alaska 99709
> 1-888-396-5623
> https://alaskasatelliteinternet.com
> personal web site: https://qlfiles.net
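
The misconfiguration Costa diagnoses at the top of this thread (a bare `masquerade` inside a `router` block, which by his description applies to the inface rather than the outface, so LAN hosts still leave the WAN ports with private source addresses) is easy to catch before reloading the firewall. The following lint is an added example, not code from the thread or from the FireHOL project: it reads a firehol.conf, finds router blocks whose `masquerade` lacks the `reverse` keyword, and reports them, treating a top-level `masquerade IFACE` that already covers the outface as acceptable. The three sample configs are constructed for the example (the first mirrors the router blocks Christopher posted); the assumptions that a router block ends at the next unindented keyword and that there is one directive per line are mine, not FireHOL's.

```shell
#!/bin/sh
# Added example (not from the thread or from FireHOL): lint a firehol.conf
# for router blocks whose "masquerade" is missing the "reverse" keyword.
# Per Costa's reply above, a router-level masquerade applies to the inface
# by default (here the LAN side, enp2s0); "masquerade reverse" moves it to
# the outface, and a top-level "masquerade IFACE" is the other fix.
# Assumed (mine): one directive per line; a router block ends at the next
# unindented keyword or at end of file.

# Constructed sample: the router blocks from the thread's broken config.
BROKEN_CONF='
interface any world
        client all accept
        server all accept

router lan12wan1 inface enp2s0 outface enp1s0
       masquerade
       server all accept

router lan12wan2 inface enp2s0 outface enp3s0
       masquerade
       server all accept
'

# Constructed sample: the same routers with the "masquerade reverse" fix.
FIXED_CONF='
router lan12wan1 inface enp2s0 outface enp1s0
       masquerade reverse
       server all accept

router lan12wan2 inface enp2s0 outface enp3s0
       masquerade reverse
       server all accept
'

# Constructed sample: the alternative fix, masquerading the WAN
# interfaces at the top of firehol.conf instead of inside the routers.
TOPLEVEL_CONF='
masquerade enp1s0 enp3s0

router lan12wan1 inface enp2s0 outface enp1s0
       server all accept

router lan12wan2 inface enp2s0 outface enp3s0
       server all accept
'

# lint_masquerade CONFIG_TEXT
# Prints one finding per router whose NAT lands on the inface, or "ok".
# Exit status 0 when clean, 1 when at least one router is flagged.
lint_masquerade() {
    printf '%s\n' "$1" | awk '
        # Any unindented, non-comment line ends the current router block.
        /^[^ \t#]/ { router = "" }
        # Remember the router name and its inface/outface.
        /^router[ \t]/ {
            router = $2; inface = ""; outface = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "inface")  inface  = $(i + 1)
                if ($i == "outface") outface = $(i + 1)
            }
        }
        # Top-level masquerade: the named interfaces are NATed on output.
        /^masquerade([ \t]|$)/ { for (i = 2; i <= NF; i++) toplevel[$i] = 1 }
        # Indented masquerade inside a router: needs "reverse" to act on
        # the outface, unless that outface is already covered at top level.
        router != "" && /^[ \t]+masquerade([ \t]|$)/ {
            reverse = 0
            for (i = 2; i <= NF; i++) if ($i == "reverse") reverse = 1
            if (!reverse && !(outface in toplevel)) {
                printf("%s: masquerade hits inface %s, not outface %s; use \"masquerade reverse\"\n",
                       router, inface, outface)
                bad = 1
            }
        }
        END { if (!bad) print "ok"; exit (bad ? 1 : 0) }
    '
}

# Demo run over the three samples; "|| :" keeps a flagged config from
# aborting a shell started with "set -e".
for conf in "$BROKEN_CONF" "$FIXED_CONF" "$TOPLEVEL_CONF"; do
    lint_masquerade "$conf" || :
    echo "--"
done
```

Run against the broken sample it prints one line for each of `lan12wan1` and `lan12wan2` and exits 1; the `reverse` and top-level variants both print `ok`. Because the lint only reads the file, it can sit in a pre-commit hook or a configuration check step without touching the running ruleset; confirming the live NAT table after a reload is a separate step with `iptables -t nat -L POSTROUTING -n` on the router itself.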

