two ISP and a weird LAN setting / services not visible from outside (routing problem)

pe2338 · 01-25-2005, 05:49 PM

Hello all,

I have a weird problem:

I am the admin of the server in my dorms where we have two ISPs.
We have only a server with 4 Ethernet cards (of which 1 is unused).
- one internal
- one pure external on cable link
- one external on a faster, but more restrictive ISP (used also to connect to other dorms)

Services provided by server:
- dchub
- firewall
- web server
- mail server (smtp and imaps)
- ssh, of course

My slow connection has a FQ(sub)DN and is the way I want to receive www connections/mails/etc from outside.

I want the private network to have all (clients') forward traffic on the fast connection and have the services accessible on all but no SNAT here.

The problem is that when somebody sends me a packet from outside on the slow eth the answer (I think) is sent through the fast connection, not the slow one.

How do I set up the routes/iptables rules to have my set up work properly?

PS:
- The behavior above appears even if I have no firewall, so I don't think is a firewall problem.
- i have watched with iptraf the traffic on the slow connection. I receive the ping req, but I don't see any reply (I will double check)

fr_laz · 01-26-2005, 02:38 AM

Hi,

What about your IP addressing ?

How many public IP(s) do you have, can you use one for www connection and one for the "fast" connection ?

If so, you could force the interface used to answer the www requests by using a feature called "NAT of local connexions" : thus you source-nat locally generated packet source port 80 to the IP of your slow ethernet interface...

I'm not sure that this will/could work....

Good luck !

pe2338 · 01-31-2005, 05:43 PM

weird, I didn't got any warning that I have an answer...

I found something that I think is the answer to my problem:

http://www.uwsg.iu.edu/hypermail/lin...07.0/0006.html

and the advanced routing howto

I hope this helps other people (I didn't tried it, but I have a very good feeling about this).

PS:
fr_laz: both the external interfaces have public IPs, but as I understand, you are trying some kind of change when the connection is made fro the inside, while I need incoming connections from outside to have their return packets sent correctly.

Thanks anyway. I will come back to announce if I succeded with the setup.