Linux - Networking
When users login from home, the authentication server MUST know the IP address of the user. So instead of giving me a DMZ IP address of the DL1 or DL2, it gives me the public address of the user.
But, if I set the default gateway on the Authentication server to be DL1, when users try to login using DL2, they cannot, because the reply to their request is going through DL1 and IS1 instead of IS2.
I have set up Shorewall on DL1 to do one-to-one NAT to the auth. server and it was working well, until I decided to add another ISP.
So what can I do, either on DL1 and DL2 or the auth. server to let my users login using both ISPs?
i will sound like a broken record i'm sure, but check chapter 4 of lartc.org. you should be able to use iptables marking to say that any inbound connections from DL2 should return to DL2 from the central server. i'm not too sure about the need for two isolated firewalls though... could you not look to use them in a clustered / active/passive mode instead of not knowing the other exists? you have the same issues as in your question, but the problem then belongs to the firewall, not the server behind, and as an authentication server, it's really not a good thing for it to have to do anyway.
if you want to go further into this, you might want to explain more about what this authentication server actually is doing... RADIUS for VPNs?
Last edited by acid_kewpie; 08-06-2007 at 03:35 PM.
lartc.org goes into great detail on how to set this up using two different interfaces and when I tried to adapt it to use the same interface, I realised that it will not work.
There could be something on the layer 2 level - to remember which MAC address the connection is coming from - and send back the reply in the same direction.
The two firewalls are doing about a hundred other things - email, http, vpn, etc. and to me it seemed the least complicated having two firewalls. There is an offsite DNS name failover service so when the primary connection goes down, the name is pointed at the second connection and life goes on.
The authentication server is only doing SSH with X forwarding - that's why it needs to know the IP address of the user.
On user machines I tried using IP address as given by DHCP, but some users use modems that have a DHCP server inbuilt, so all I would get is a 192.168.1.* address on the authentication server.
If all else fails, I'd probably write something to be on the client machine to find out its IP address from somewhere else, but this would be useful for a number of other services - like checking where email has come from or analysing http logs.
I am open to suggestions on how I can redesign my network to have the above to work.
Why three IPs - just two local IPs inside the local network. But the DMZ should be instructed to redirect DL1 traffic to the first and DL2 traffic to the second. And even having 3 IPs on the same Ethernet link is not that bad.
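Both suggestions in this thread (acid_kewpie's iptables connection marking from lartc chapter 4, and the reply above about giving the auth server a second local address) come down to the same Linux policy-routing pattern: a second routing table whose default route points at DL2, plus an `ip rule` that selects it. The script below is an added example written for this thread, not code from any poster, and it assumes a layout the thread never spells out: the auth server's DMZ interface is `eth0`, DL1 stays the ordinary default gateway in the main table (as the original question states), DL2's DMZ-side address is `10.0.0.2` with MAC `00:11:22:33:44:02`, DL2's one-to-one NAT targets `10.0.0.11/24`, routing table `200` and fwmark `2` are free. Every one of those values is a constructed placeholder.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. The auth server has one
# interface on the DMZ subnet with both firewalls on it; DL1 stays the ordinary
# default gateway (main table) and only connections that arrived via DL2 need a
# different return path. Every address and MAC below is a constructed placeholder.
IFACE="${IFACE:-eth0}"                    # auth server's DMZ interface
DL2_GW="${DL2_GW:-10.0.0.2}"              # DL2's DMZ-side address
DL2_MAC="${DL2_MAC:-00:11:22:33:44:02}"   # DL2's DMZ-side MAC (approach 1)
DL2_NAT_IP="${DL2_NAT_IP:-10.0.0.11}"     # inside address DL2's one-to-one NAT targets (approach 2)
TABLE=200                                 # extra routing table: "default via DL2"
MARK=2                                    # fwmark meaning "this connection arrived via DL2"

# Execute a command, or only print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Shared piece: a routing table whose only route sends everything to DL2.
setup_dl2_table() {
    run ip route replace default via "$DL2_GW" dev "$IFACE" table "$TABLE"
}

# Approach 1, acid_kewpie's suggestion (lartc ch. 4 style): both firewalls NAT to the
# same inside address, so the only per-path signal left is the source MAC of the frame.
# Tag the connection on its first packet, copy the tag onto locally generated replies,
# and route tagged packets through the DL2 table. The kernel re-routes a locally
# generated packet whose mark changes in mangle OUTPUT, which is what makes this work.
setup_mark_based_return() {
    setup_dl2_table
    run ip rule add fwmark "$MARK" table "$TABLE" priority 100      # not idempotent: run once
    run iptables -t mangle -A PREROUTING -i "$IFACE" -m mac --mac-source "$DL2_MAC" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

# Approach 2, the two-local-address suggestion: DL2's one-to-one NAT targets a second
# address on the same interface, so replies are routed purely by source address,
# with no conntrack state or iptables rules involved.
setup_address_based_return() {
    setup_dl2_table
    run ip address replace "$DL2_NAT_IP/24" dev "$IFACE"
    run ip rule add from "$DL2_NAT_IP" table "$TABLE" priority 100  # not idempotent: run once
}

# Usage: DRY_RUN=1 ./return-path.sh mark   (or: address) to review the commands,
# then the same invocation without DRY_RUN, as root, to apply them.
case "${1:-}" in
    mark)    setup_mark_based_return ;;
    address) setup_address_based_return ;;
    *)       echo "usage: [DRY_RUN=1] $0 mark|address" >&2 ;;
esac
```

The address-based variant is the simpler one to operate and to debug (`ip route get <dst> from 10.0.0.11` shows the chosen path without any conntrack involvement), so it is the better choice when the two firewalls can NAT to different inside addresses; the mark-based variant is for the case in the original question where both firewalls must map to one address and only the frame's source MAC tells the paths apart, which also requires that the firewalls and the auth server share the same layer-2 segment. On kernels older than 3.6 an `ip route flush cache` is needed after changing rules or tables; newer kernels have no route cache. Reverse-path filtering is not a concern here because both gateways sit on the same subnet and interface.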