Hi,

I have two ISPs (IS1 and IS2) and 2 Devil Linux boxes that act as (Shorewall based) routers/firewalls for both ISPs (DL1 and DL2).

These connect to a DMZ switch , where I have a CentOS based authentication server connected.
When users login from home, the authentication server MUST know the IP address of the user. So instead of giving me a DMZ IP address of the DL1 or DL2, it gives me the public address of the user.

But, if I set the default gateway on the Authentication server to be DL1, when users try to login using DL2, they cannot, because the reply to their request is going through DL1 and IS1 instead of IS2.

I have setup Shorewall on DL1 to do one-to-one NAT to the auth. server and it was working well, until I decided to add another ISP

So what can I do, either on DL1 and DL2 or the auth. server to let my users login using both ISPs?



Thanks guys

i will sound like a broken record i'm sure, but check chapter 4 of lartc.org. you should be able to use iptables marking to say that any inbound connections from DL2 should return to DL2 from the central server. i'm not too sure aboput the need for two isolated firewalls though... could you not look to use them in a clustered / active/passive mode instead of not knowing the other exists? you have the same issues as ion your question, but the problem then belongs to the firewall, not the server behind, and as an authentication server, it's really not a good thing for it to have to do anyway.

if you want to go further into this, you might want to explain more about what this authentication server actually is doing... radius for vpn's?

Thanks for your reply, acid_kewpie

lartc.org goes into great detail on how to set this up using two different interfaces and when I tried to adapt it to use the same interface, I realised that it will not work.

There could be something on the layer 2 level - to remember which MAC address the connection is coming from - and send back the reply in the same direction.

The two firewalls are doing about a hundred other things - email, http, vpn, etc. and to me it seemed the least complicated having two firewalls. There is an offsite DNS name failover service so when the primary connection goes down, the name is pointed at the second connection and life goes on.

The authentication server is only doing SSH with X forwarding - that's why it needs to know the IP address of the user.

On user machines I tried using IP address as given by DHCP, but some users use modems that have a DHCP server inbuilt, so all I would get is a 192.168.1.* address on the authentication server.

If all else fails, I'd probably write something to be on the client machine to find out its IP address from somewhere else, but this would be useful for a number of other services - like checking where email has come from or analysing http logs.

I am open to suggestions on how I can redesign my network to have the above to work.

Thanks !

Isn't just having two IP's on authentication server enough? I thought you don't need real interfaces..

That would mean I need 3 IPs - including the local network..

I'll just restrict them - if they want to use X they have to go through DL1. DL2 will send its own IP.

Thanks everyone for your input

try GNU Zebra. Its a routing software for linux

Why three IP's - just two local IP's inside local network. But DMZ should be instructed to redirect DL1 traffic to the first and DL2 traffic to the second. And even having 3 IP's on the same ethernet link is not that bad.