[Firehol-support] Link Balancer, marks & NATed servers

Whit Blauvelt whit at transpect.com
Mon Nov 27 14:59:44 GMT 2017


Let me simplify this question: Are the marks that Link Balancer places on
packets at a gateway/firewall also utilizable by instances on the LAN, also
running Link Balancer, to route packets back out through that
gateway/firewall, in a multiple gateway/firewall setup?

Yes, I can engage in experiments to see. But it's always nice to know if
something's theoretically sound before stumbling through experiments.

Thanks again,
Whit

On Fri, Nov 24, 2017 at 02:12:15PM -0500, Whit Blauvelt wrote:
> Hi,
> 
> In a situation where there are two or more external firewalls/gateways, and
> those in turn have two or more ISPs connected (i.e., are dual-homed), and
> there are servers NATed on a common LAN behind them, I'm wondering if
> there's a possible use of Link Balancer and/or FireHOL-style marks on the
> NATed servers. 
> 
> The goal is, if traffic is NATed in from a particular firewall and ISP, to
> of course return it the same way. Obviously a single default gateway on
> the NATed server isn't going to do that. One method that works, without any
> tools from the FireHOL kit, is to set up multiple IPs on the NATed server,
> have each of the firewalls NAT to it at a different IP, and use multiple
> routing tables on the NATed server to return traffic to the right gateway
> according to the IP it arrived on. It works, but it's complex to set up and
> maintain.
> 
> My question is, if the gateways are marking packets on the way in using Link
> Balancer, can the same thing be accomplished without using multiple LAN IPs
> to keep traffic straight on the NATed server? Can, for instance, the marks
> set by the firewall/gateway be used by the NATed server to recognize which
> routing table to use to get the default gateway to which to return that
> traffic? If so, can Link Balancer be used on the NATed server to accomplish
> that?
> 
> Thanks,
> Whit
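As an added example (not from the list post or the FireHOL project), the per-IP approach the quoted message describes, expressed as the policy-routing commands the NATed server needs: one routing table per gateway and one rule that selects it by the local address that gateway NATs to. The addresses, table ids and interface name are constructed. Note that the netfilter mark is metadata on the packet inside one host's kernel and is never transmitted on the wire, so a mark set on the gateway is not visible to the server; the address the connection arrived on is what the server can act on.

```shell
#!/bin/sh
# Constructed mapping, one entry per line: "<local-ip> <gateway-ip> <table-id>".
# Each gateway DNATs inbound traffic to a different local address; the server
# replies from that address, so source-based rules pick the matching gateway.
GATEWAY_MAP='
192.0.2.10 192.0.2.1 101
192.0.2.20 192.0.2.2 102
'
LAN_IF=eth0

# gen_policy_routes      -> print the commands (dry run, safe anywhere)
# gen_policy_routes -x   -> execute them (needs root and the ip(8) tool)
gen_policy_routes() {
    if [ "$1" = -x ]; then run=""; else run=echo; fi
    printf '%s\n' "$GATEWAY_MAP" | while read -r src gw table; do
        [ -n "$src" ] || continue
        # Per-gateway table whose only default route points at that gateway.
        $run ip route add default via "$gw" dev "$LAN_IF" table "$table"
        # Replies sourced from the address this gateway NATs to use that table;
        # the main table's default route still serves locally initiated traffic.
        $run ip rule add from "$src"/32 lookup "$table" pref "$table"
    done
}
```

Run `ip rule show` and `ip route show table 101` afterwards to confirm the rules and routes were installed as generated.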