Hi Lonnie

I haven’t managed to test out this site yet, but as they are currently having an 
internet outage I thought I would hop in and have a look, as ppp0 is now down.
What is the best way to determine that SNAT is turned off other than being 
onsite?

I tried 'arno-iptables-firewall status':
....
Chain OUTBOUND_SNAT (0 references)
    pkts      bytes target     prot opt in     out     source               destination
 1172540 140692582 SNAT       all  --  *      ppp+    172.30.10.2          !172.30.10.2          to:139.218.40.144
       0        0 SNAT       all  --  *      eth3    172.30.10.2          !172.30.10.2          to:139.218.40.144
....

Has that told me anything?

Regards
Michael Knill

On 20/3/21, 9:30 am, "Michael Knill" <michael.kn...@ipcsolutions.com.au> wrote:

    Thanks. Will do.

    Regards
    Michael Knill

    On 20/3/21, 9:29 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:

        > So just to confirm, there shouldn't be any issues in having this in 
my default wan-failover.script e.g. whether outbound-snat is configured or not?

        Correct, the OUTBOUND_SNAT nat chain should only exist when the 
outbound-snat plugin is enabled.

        But test anyway :-)

        Lonnie


        > On Mar 19, 2021, at 5:13 PM, Michael Knill 
<michael.kn...@ipcsolutions.com.au> wrote:
        > 
        > Thanks Lonnie
        > 
        > So just to confirm, there shouldn't be any issues in having this in 
my default wan-failover.script e.g. whether outbound-snat is configured or not?
        > 
        > Regards
        > Michael Knill
        > 
        > On 20/3/21, 9:08 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> 
wrote:
        > 
        >   Hi Michael,
        > 
        >   Again off the top of my head (needs testing), this would be more 
general...
        >   -- /mnt/kd/wan-failover.script snippet --
        > 
        >      SECONDARY)
        >   ...
        >        ## Disable outbound-snat plugin in iptables
        >        if iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1; then
        >          iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
        >        fi
        >        ;;
        > 
        >      PRIMARY)
        >   ...
        >        ## Re-Enable outbound-snat plugin
        >        if iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1; then
        >          iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
        >        fi
        >        ;;
        >   --
        > 
        >   I'm having second thoughts about editing the ENABLED variable ... 
what if the box was rebooted while on failover, with ENABLED set to 0 on 
SECONDARY you would have effectively disabled the outbound-snat plugin after 
reboot.
        > 
        >   But, the above snippet should work whether the outbound-snat plugin 
is enabled or not.
        > 
        >   But still not perfect.
        > 
        >> PS. Would this be worth doing as part of the standard failover, as I can't think of any instance where we would not want to disable SNAT when it fails over to another WAN interface.
        > 
        >   Yes, but I doubt the outbound-snat plugin is enabled very commonly, implying multiple IPv4 WAN addresses.  My first thought is to do as above in the wan-failover.script.
        > 
        >   Lonnie
        > 
        > 
        >> On Mar 19, 2021, at 4:05 PM, Michael Knill 
<michael.kn...@ipcsolutions.com.au> wrote:
        >> 
        >> Thanks Lonnie
        >> 
        >> Sorry for the late reply. Yes I'm using the outbound-snat plugin.
        >> So just to confirm:
        >> SECONDARY)
        >> ....
        >>    ## Disable outbound-snat plugin in both iptables and config file 
in case of reboot
        >>    iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
        >>    sed -i 's/^ENABLED=.*$/ENABLED=0/' 
/etc/arno-iptables-firewall/plugins/outbound-snat.conf
        >>    ;;
        >> 
        >>  PRIMARY)
        >> ...
        >>    ## Re-Enable outbound-snat plugin and config file
        >>    iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
        >>    sed -i 's/^ENABLED=.*$/ENABLED=1/' 
/etc/arno-iptables-firewall/plugins/outbound-snat.conf
        >>    ;;
        >> 
        >> I'm thinking that I might look at OUTBOUND_SNAT_NET_HOST to see if 
something is set to make the decision on whether I disable and re-enable so it 
can be a generic script.
        >> 
        >> PS. Would this be worth doing as part of the standard failover, as I can't think of any instance where we would not want to disable SNAT when it fails over to another WAN interface.
        >> 
        >> Regards
        >> Michael Knill
        >> 
        >> On 18/3/21, 1:49 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> 
wrote:
        >> 
        >>  Hi Michael,
        >> 
        >>  When you say you have SNAT configured, are you using the 
nat-loopback plugin or the outbound-snat plugin ?
        >> 
        >>  Either of those require obtaining the WAN IPv4 address to attach 
iptables "-j SNAT --to-source $ip" rules, and as written only look at the 
primary external address.  Even if the Failover interface was looked at, the 
firewall would have to be rebuilt for the failover context switch with the 
/mnt/kd/wan-failover.script .
        >> 
        >>  Question, does either of these plugins make sense for a failover 
situation ?
        >> 
        >>  Possibly you want to disable the outbound-snat plugin on failover 
and re-enable it on return to primary ?
        >> 
        >>  If you have the special case of the outbound-snat plugin enabled, 
you could (untested code):
        >> 
        >>  -- /mnt/kd/wan-failover.script snippet --
        >> 
        >>  SECONDARY)
        >>    ## Switched to Failover using secondary WAN link
        >> 
        >>    ## Disable outbound-snat plugin
        >>    iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
        >>    ;;
        >> 
        >>  PRIMARY)
        >>    ## Switched back to normal using primary WAN link
        >> 
        >>    ## Re-Enable outbound-snat plugin
        >>    iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
        >>    ;;
        >> 
        >>  --
        >>  but this is somewhat fragile, such that if the firewall was 
restarted during failover it would revert to the PRIMARY setting.  To be less 
fragile, you could also add:
        >>  --
        >>  sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
        >>  --
        >>  and ENABLED=1 on return to PRIMARY.
        >> 
        >> 
        >>  Lonnie
        >> 
        >> 
        >> 
        >>> On Mar 17, 2021, at 1:16 AM, Michael Knill 
<michael.kn...@ipcsolutions.com.au> wrote:
        >>> 
        >>> Grr problem now found. I had SNAT configured which didn't work on 
the second WAN connection.
        >>> Any way I can fix this e.g. don't do SNAT on the failover WAN?
        >>> 
        >>> Regards
        >>> Michael Knill
        >>> 
        >>> From: Michael Knill <michael.kn...@ipcsolutions.com.au>
        >>> Reply to: AstLinux List <astlinux-users@lists.sourceforge.net>
        >>> Date: Wednesday, 17 March 2021 at 4:27 pm
        >>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
        >>> Subject: [Astlinux-users] Weird routing problem
        >>> 
        >>> Hi Group
        >>> 
        >>> I'm currently at a site that has a primary and failover WAN connection and two LAN connections. The primary WAN connection has failed over to the secondary WAN connection, however it is only working on one of the LAN interfaces and not the other. I can ping the interface address fine so it's not an interface problem.
        >>> 
        >>> Does anyone have any idea why this would be happening?
        >>> 
        >>> Regards
        >>> Michael Knill
        >>> _______________________________________________
        >>> Astlinux-users mailing list
        >>> Astlinux-users@lists.sourceforge.net
        >>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
        >>> 
        >>> Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
        >> 
        >> 
        >> 
        >> 
        >> 
        > 
        > 
        > 
        > 
        > 







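The check Michael asks for at the top of the thread, as an added example that is not from the thread, from AstLinux or from arno-iptables-firewall: a POSIX sh helper that reads the "Chain OUTBOUND_SNAT (N references)" header from the listing 'arno-iptables-firewall status' prints and classifies the chain as detached (0 references, i.e. the POSTROUTING jump that Lonnie's SECONDARY snippet deletes is gone), attached, or absent. The function names are my own and the sample listings are constructed from the pasted output.

```shell
#!/bin/sh
# Added example, not from the AstLinux thread: classify the outbound-snat chain
# from the output of 'iptables -t nat -nvL OUTBOUND_SNAT' (the listing that
# 'arno-iptables-firewall status' prints). Function names here are my own.

# Print N from the "Chain OUTBOUND_SNAT (N references)" header; listing on stdin.
outbound_snat_refs() {
  sed -n 's/^Chain OUTBOUND_SNAT (\([0-9][0-9]*\) references).*/\1/p' | head -n 1
}

# Map the reference count to a state:
#   detached - chain exists but nothing jumps to it (the POSTROUTING -j was deleted),
#              so no SNAT is applied even though its rules are still listed
#   attached - POSTROUTING (or another chain) still jumps to it, so SNAT is live
#   absent   - no header found: plugin not enabled, chain never created
outbound_snat_state() {
  refs=$(outbound_snat_refs)
  case "$refs" in
    '') echo absent ;;
    0)  echo detached ;;
    *)  echo attached ;;
  esac
}

# Live variant for a running box: lists the chain if it exists and classifies it.
# 'iptables -t nat -C POSTROUTING -j OUTBOUND_SNAT' is the direct test for the jump.
outbound_snat_live_state() {
  if iptables -t nat -nvL OUTBOUND_SNAT >/dev/null 2>&1; then
    iptables -t nat -nvL OUTBOUND_SNAT | outbound_snat_state
  else
    echo absent
  fi
}

# Constructed sample modelled on the listing pasted above: ppp0 down, jump removed.
SAMPLE_DETACHED='Chain OUTBOUND_SNAT (0 references)
    pkts      bytes target     prot opt in     out     source               destination
 1172540 140692582 SNAT       all  --  *      ppp+    172.30.10.2          !172.30.10.2          to:139.218.40.144'

# Constructed sample for the normal PRIMARY state, where POSTROUTING jumps to the chain.
SAMPLE_ATTACHED='Chain OUTBOUND_SNAT (1 references)
    pkts      bytes target     prot opt in     out     source               destination'

printf '%s\n' "$SAMPLE_DETACHED" | outbound_snat_state   # prints: detached
```

So the "(0 references)" in the pasted status output is the answer: the chain and its counters are still there, but with no jump from POSTROUTING the SNAT rules are not being hit.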