[Firehol-support] Link Balancer, marks & NATed servers

Tsaousis, Costa costa at tsaousis.gr
Tue Nov 28 00:25:41 GMT 2017


Hi,

no, marks never appear on the wire. They are mainly a mechanism for
building complex rules, within a single host.

Costa


On Mon, Nov 27, 2017 at 4:59 PM, Whit Blauvelt <whit at transpect.com> wrote:

> Let me simplify this question: Are the marks that Link Balancer places on
> packets at a gateway/firewall also utilizable by instances on the LAN, also
> running Link Balancer, to route packets back out through that
> gateway/firewall, in a multiple gateway/firewall setup?
>
> Yes, I can engage in experiments to see. But it's always nice to know if
> something's theoretically sound before stumbling through experiments.
>
> Thanks again,
> Whit
>
> On Fri, Nov 24, 2017 at 02:12:15PM -0500, Whit Blauvelt wrote:
> > Hi,
> >
> > In a situation where there are two or more external firewalls/gateways, and
> > those in turn have two or more ISPs connected (i.e., are dual-homed), and
> > there are servers NATed on a common LAN behind them, I'm wondering if
> > there's a possible use of Link Balancer and/or FireHOL-style marks on the
> > NATed servers.
> >
> > The goal is, if traffic is NATed in from a particular firewall and ISP,
> > to of course return it the same way. Obviously a single default gateway on
> > the NATed server isn't going to do that. One method that works, without any
> > tools from the FireHOL kit, is to set up multiple IPs on the NATed server,
> > have each of the firewalls NAT to it at a different IP, and use multiple
> > routing tables on the NATed server to return traffic to the right gateway
> > according to the IP it arrived on. It works, but it's complex to set up and
> > maintain.
> >
> > My question is, if the gateways are marking packets on the way in using Link
> > Balancer, can the same thing be accomplished without using multiple LAN IPs
> > to keep traffic straight on the NATed server? Can, for instance, the marks
> > set by the firewall/gateway be used by the NATed server to recognize which
> > routing table to use to get the default gateway to which to return that
> > traffic? If so, can Link Balancer be used on the NATed server to accomplish
> > that?
> >
> > Thanks,
> > Whit
> > _______________________________________________
> > Firehol-support mailing list
> > Firehol-support at lists.firehol.org
> > http://lists.firehol.org/mailman/listinfo/firehol-support
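Costa's answer settles the question: a netfilter mark lives in the packet's kernel metadata (skb->mark) on the host that set it and is not carried in any header, so a LAN server can never see a mark set by the gateway. What does work is the approach Whit already described, one LAN IP per gateway plus source-based policy routing on the NATed server. The script below is an example added here, not code from the thread, from FireHOL or from Link Balancer; it builds that configuration with plain iproute2. The addresses, the table numbers 101/102 and the interface name eth0 are assumed for illustration, and by default it only prints the commands it would run.

```shell
#!/bin/sh
# Source-based policy routing for a NATed server behind two gateways.
# Added example; not from the thread, FireHOL or Link Balancer.
#
# Assumed (hypothetical) layout, one LAN interface carrying two addresses:
#   eth0 10.0.0.11  <- GW1 (10.0.0.1) DNATs traffic arriving from ISP-A here
#   eth0 10.0.0.12  <- GW2 (10.0.0.2) DNATs traffic arriving from ISP-B here
# A reply sourced from 10.0.0.11 must leave via GW1 and one sourced from
# 10.0.0.12 via GW2, or the gateway's conntrack/NAT entry never sees the
# return packet and the connection stalls.

DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands; 0 = apply them (needs root)
IFACE="${IFACE:-eth0}"
LAN="${LAN:-10.0.0.0/24}"

# run CMD...: print one iproute2 command, or execute it when DRY_RUN=0
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bind_gateway TABLE LOCAL_IP GATEWAY_IP
# Give each gateway its own routing table and select it by source address.
bind_gateway() {
    table=$1; local_ip=$2; gw=$3
    # The LAN route must exist in the per-gateway table as well: a table
    # holding only a default route would send LAN-to-LAN replies via the
    # gateway, because rules 101/102 are consulted before the main table.
    run ip route replace "$LAN" dev "$IFACE" table "$table"
    run ip route replace default via "$gw" dev "$IFACE" table "$table"
    # Delete-then-add keeps re-runs from stacking duplicate rules; the
    # delete is allowed to fail on the very first run.
    run ip rule del from "$local_ip" table "$table" priority "$table" 2>/dev/null || true
    run ip rule add from "$local_ip" table "$table" priority "$table"
}

# policy_routing_plan: emit (or apply) the whole configuration in order
policy_routing_plan() {
    bind_gateway 101 10.0.0.11 10.0.0.1
    bind_gateway 102 10.0.0.12 10.0.0.2
    # Verification: ask the kernel which next hop a reply from each local
    # address takes towards an arbitrary Internet destination (TEST-NET-2).
    run ip route get 198.51.100.7 from 10.0.0.11
    run ip route get 198.51.100.7 from 10.0.0.12
}

policy_routing_plan
```

Run it as root with DRY_RUN=0 to apply; re-running is safe because the routes use `replace` and the rule is removed before it is re-added. Two caveats a practitioner hits with this layout: the server only picks the right table if it answers from the address the request arrived on, which a TCP listener does automatically but a UDP daemon bound to 0.0.0.0 may not (it needs IP_PKTINFO or one socket per address, otherwise replies to ISP-B traffic leave through GW1 and fail the NAT lookup there); and any further route the server needs for its own outbound traffic (a VPN subnet, a second LAN) has to be copied into tables 101 and 102 too, since the main table is never reached for packets sourced from those two addresses.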