[Firehol-support] Link Balancer, marks & NATed servers

Whit Blauvelt whit at transpect.com
Fri Nov 24 19:12:15 GMT 2017


In a situation where there are two or more external firewalls/gateways, and
those in turn have two or more ISPs connected (i.e., are dual-homed), and
there are servers NATed on a common LAN behind them, I'm wondering if
there's a possible use of Link Balancer and/or FireHOL-style marks on the
NATed servers. 

The goal is, if traffic is NATed in from a particular firewall and ISP, to
of course return it the same way. Obviously a single default gateway on
the NATed server isn't going to do that. One method that works, without any
tools from the FireHOL kit, is to set up multiple IPs on the NATed server,
have each of the firewalls NAT to it at a different IP, and use multiple
routing tables on the NATed server to return traffic to the right gateway
according to the IP it arrived on. It works, but it's complex to set up and

My question is, if the gateways are marking packets on the way in using Link
Balancer, can the same thing be accomplished without using multiple LAN IPs
to keep traffic straight on the NATed server? Can, for instance, the marks
set by the firewall/gateway be used by the NATed server to recognize which
routing table to use to get the default gateway to which to return that
traffic? If so, can Link Balancer be used on the NATed server to accomplish
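The multi-IP, multi-routing-table method the message describes, written up as an added example (editor's code, not part of the original post and not from the FireHOL project): a POSIX shell generator for the iproute2 commands a Linux NATed server needs so that replies leave via the gateway whose NAT delivered the request. The LAN 192.168.10.0/24, interface eth0, server addresses .11 and .12, gateway addresses .1 and .2 and table ids 101/102 are all assumptions for illustration. One caveat on the mark-based alternative asked about above: an iptables/netfilter mark (fwmark) is a field in the kernel's packet metadata on the host that sets it and is not carried in the packet on the wire, so a mark set on the gateway is not visible to the NATed server; that is why the per-IP approach keys on the destination address the NAT delivered to instead.

```shell
#!/bin/sh
# Added example, not from the original message or from FireHOL.
# Generates (does not run) the iproute2 commands for per-gateway policy routing
# on a NATed Linux server that has one LAN address per upstream gateway.
# All addresses, the interface name and the table numbers are assumed values.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"

# Emit the commands that make replies sourced from one local IP leave via
# the gateway that NATs to that IP.
#   $1 routing table id
#   $2 local IP this gateway DNATs inbound traffic to
#   $3 that gateway's LAN address
policy_route_cmds() {
    tbl=$1
    local_ip=$2
    gw=$3
    # Extra address on the LAN interface; each gateway NATs to a different one.
    printf 'ip addr add %s/%s dev %s\n' "$local_ip" "${LAN_NET#*/}" "$LAN_IF"
    # Per-gateway table: the LAN stays directly reachable, everything else
    # goes to this gateway. Without the LAN route, a default-only table would
    # send LAN-local replies through the gateway as well.
    printf 'ip route add %s dev %s table %s\n' "$LAN_NET" "$LAN_IF" "$tbl"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$LAN_IF" "$tbl"
    # Source-based rule: packets sourced from this IP consult that table
    # before the main table (priority below main's 32766).
    printf 'ip rule add from %s lookup %s priority %s\n' \
        "$local_ip" "$tbl" "$((1000 + tbl))"
}

# Emit the command that shows which gateway a reply from $1 to $2 would take,
# so the setup can be verified without sending traffic.
route_check_cmd() {
    printf 'ip route get %s from %s\n' "$2" "$1"
}

# Two gateways, each NATing to its own address on the server (assumed values).
gen_all() {
    policy_route_cmds 101 192.168.10.11 192.168.10.1
    policy_route_cmds 102 192.168.10.12 192.168.10.2
}

gen_all
route_check_cmd 192.168.10.12 203.0.113.5
```

To apply on the server, run the generated lines as root (for example `gen_all | sh`), then confirm with the emitted `ip route get ... from ...` command that a reply sourced from .12 reports `via 192.168.10.2`. Each firewall must then DNAT its inbound traffic to the server address that belongs to its own table.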


