It tells you that 0 packets were SNAT'ed via eth3 ... so it seems your fix worked.

Lonnie

> On Mar 26, 2021, at 5:10 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>
> Hi Lonnie
>
> I haven't managed to test out this site yet but as they are currently having an internet outage I thought I would hop in and have a look as ppp0 is now down.
> How is the best way to determine that SNAT is turned off other than being onsite?
>
> I tried 'arno-iptables-firewall status':
> ....
> Chain OUTBOUND_SNAT (0 references)
>  pkts bytes target prot opt in out source destination
>  1172540 140692582 SNAT all -- * ppp+ 172.30.10.2 !172.30.10.2 to:139.218.40.144
>  0 0 SNAT all -- * eth3 172.30.10.2 !172.30.10.2 to:139.218.40.144
> ....
>
> Has that told me anything?
>
> Regards
> Michael Knill
>
> On 20/3/21, 9:30 am, "Michael Knill" <michael.kn...@ipcsolutions.com.au> wrote:
>
> Thanks. Will do.
>
> Regards
> Michael Knill
>
> On 20/3/21, 9:29 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>
>> So just to confirm, there shouldn't be any issues in having this in my default wan-failover.script e.g. whether outbound-snat is configured or not?
>
> Correct, the OUTBOUND_SNAT nat chain should only exist when the outbound-snat plugin is enabled.
>
> But test anyway :-)
>
> Lonnie
>
>
>> On Mar 19, 2021, at 5:13 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>
>> Thanks Lonnie
>>
>> So just to confirm, there shouldn't be any issues in having this in my default wan-failover.script e.g. whether outbound-snat is configured or not?
>>
>> Regards
>> Michael Knill
>>
>> On 20/3/21, 9:08 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>
>> Hi Michael,
>>
>> Again off the top of my head (needs testing), this would be more general...
>> -- /mnt/kd/wan-failover.script snippet --
>>
>> SECONDARY)
>>   ...
>>   ## Disable outbound-snat plugin in iptables
>>   if iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1; then
>>     iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
>>   fi
>>   ;;
>>
>> PRIMARY)
>>   ...
>>   ## Re-Enable outbound-snat plugin
>>   if iptables -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1; then
>>     iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
>>   fi
>>   ;;
>> --
>>
>> I'm having second thoughts about editing the ENABLED variable ... what if the box was rebooted while on failover, with ENABLED set to 0 on SECONDARY you would have effectively disabled the outbound-snat plugin after reboot.
>>
>> But, the above snippet should work whether the outbound-snat plugin is enabled or not.
>>
>> But still not perfect.
>>
>>> PS. Would this be worth doing as part of the standard failover as I can't think of any instance where we would not want to disable SNAT when it fails over to another WAN interface.
>>
>> Yes, but I doubt the outbound-snat plugin is enabled very commonly, implying multiple IPv4 WAN addresses. My first thought is to do as above in the wan-failover.script.
>>
>> Lonnie
>>
>>
>>> On Mar 19, 2021, at 4:05 PM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>
>>> Thanks Lonnie
>>>
>>> Sorry for the late reply. Yes I'm using the outbound-snat plugin.
>>> So just to confirm:
>>>
>>> SECONDARY)
>>>   ....
>>>   ## Disable outbound-snat plugin in both iptables and config file in case of reboot
>>>   iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
>>>   sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
>>>   ;;
>>>
>>> PRIMARY)
>>>   ...
>>>   ## Re-Enable outbound-snat plugin and config file
>>>   iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
>>>   sed -i 's/^ENABLED=.*$/ENABLED=1/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
>>>   ;;
>>>
>>> I'm thinking that I might look at OUTBOUND_SNAT_NET_HOST to see if something is set to make the decision on whether I disable and re-enable so it can be a generic script.
>>>
>>> PS. Would this be worth doing as part of the standard failover as I can't think of any instance where we would not want to disable SNAT when it fails over to another WAN interface.
>>>
>>> Regards
>>> Michael Knill
>>>
>>> On 18/3/21, 1:49 am, "Lonnie Abelbeck" <li...@lonnie.abelbeck.com> wrote:
>>>
>>> Hi Michael,
>>>
>>> When you say you have SNAT configured, are you using the nat-loopback plugin or the outbound-snat plugin?
>>>
>>> Either of those require obtaining the WAN IPv4 address to attach iptables "-j SNAT --to-source $ip" rules, and as written only look at the primary external address. Even if the Failover interface was looked at, the firewall would have to be rebuilt for the failover context switch with the /mnt/kd/wan-failover.script .
>>>
>>> Question, does either of these plugins make sense for a failover situation?
>>>
>>> Possibly you want to disable the outbound-snat plugin on failover and re-enable it on return to primary?
>>>
>>> If you have the special case of the outbound-snat plugin enabled, you could (untested code):
>>>
>>> -- /mnt/kd/wan-failover.script snippet --
>>>
>>> SECONDARY)
>>>   ## Switched to Failover using secondary WAN link
>>>
>>>   ## Disable outbound-snat plugin
>>>   iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
>>>   ;;
>>>
>>> PRIMARY)
>>>   ## Switched back to normal using primary WAN link
>>>
>>>   ## Re-Enable outbound-snat plugin
>>>   iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
>>>   ;;
>>>
>>> --
>>> but this is somewhat fragile, such that if the firewall was restarted during failover it would revert to the PRIMARY setting. To be less fragile, you could also add:
>>> --
>>> sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
>>> --
>>> and ENABLED=1 on return to PRIMARY.
>>>
>>>
>>> Lonnie
>>>
>>>
>>>
>>>> On Mar 17, 2021, at 1:16 AM, Michael Knill <michael.kn...@ipcsolutions.com.au> wrote:
>>>>
>>>> Grr problem now found. I had SNAT configured which didn't work on the second WAN connection.
>>>> Any way I can fix this e.g. don't do SNAT on the failover WAN?
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> From: Michael Knill <michael.kn...@ipcsolutions.com.au>
>>>> Reply to: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Date: Wednesday, 17 March 2021 at 4:27 pm
>>>> To: AstLinux List <astlinux-users@lists.sourceforge.net>
>>>> Subject: [Astlinux-users] Weird routing problem
>>>>
>>>> Hi Group
>>>>
>>>> I'm currently at a site that has a primary and failover WAN connection and two LAN connections. The primary WAN connection has failed over to the secondary WAN connection however it is only working on one of the LAN interfaces and not the other. I can ping the interface address fine so it's not an interface problem.
>>>>
>>>> Does anyone have any idea why this would be happening?
>>>>
>>>> Regards
>>>> Michael Knill
>>>> _______________________________________________
>>>> Astlinux-users mailing list
>>>> Astlinux-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>>
>>>> Donations to support AstLinux are graciously accepted via PayPal to pay...@krisk.org.
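The thread settles on two things: a wan-failover.script toggle that only touches the POSTROUTING -> OUTBOUND_SNAT jump when the chain exists, and reading the rule counters from `arno-iptables-firewall status` to confirm remotely that nothing is being SNATed out of the failover interface. The script below is an added example written for this page; it is not code from the thread, from AstLinux or from arno-iptables-firewall. It goes one step further than the snippet above: it uses `iptables -C` to check for the jump first, so running PRIMARY twice cannot stack duplicate jumps, and SECONDARY removes every copy that may already be there. Assumptions of mine: an iptables that supports `-C` (check), an `IPTABLES` variable that can be pointed at a stub for offline testing, hypothetical function names, and a constructed sample of the status output shaped like the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from AstLinux / arno-iptables-firewall.
#  1. idempotent PRIMARY/SECONDARY toggle of the POSTROUTING -> OUTBOUND_SNAT jump;
#     a no-op when the outbound-snat plugin (and so the chain) does not exist.
#  2. reader for `arno-iptables-firewall status` output that extracts the pkts
#     counter of the OUTBOUND_SNAT rule for a given "out" interface.
# Assumption (mine): IPTABLES names the iptables binary; it may be set to a stub.

IPTABLES="${IPTABLES:-iptables}"

# 0 if the OUTBOUND_SNAT chain exists in the nat table (plugin enabled).
snat_chain_exists() {
  "$IPTABLES" -t nat -nL OUTBOUND_SNAT >/dev/null 2>&1
}

# 0 if POSTROUTING currently jumps to OUTBOUND_SNAT (-C checks, changes nothing).
snat_jump_present() {
  "$IPTABLES" -t nat -C POSTROUTING -j OUTBOUND_SNAT >/dev/null 2>&1
}

# SECONDARY: remove every POSTROUTING -> OUTBOUND_SNAT jump. A loop, because an
# unconditional -I on each PRIMARY event would have left duplicates behind.
disable_outbound_snat() {
  snat_chain_exists || return 0
  while snat_jump_present; do
    "$IPTABLES" -t nat -D POSTROUTING -j OUTBOUND_SNAT || return 1
  done
  return 0
}

# PRIMARY: re-add the jump exactly once.
enable_outbound_snat() {
  snat_chain_exists || return 0
  snat_jump_present && return 0
  "$IPTABLES" -t nat -I POSTROUTING -j OUTBOUND_SNAT
}

# Entry point mirroring the case labels used in /mnt/kd/wan-failover.script.
wan_failover() {
  case "$1" in
    SECONDARY) disable_outbound_snat ;;
    PRIMARY)   enable_outbound_snat ;;
    *) echo "usage: wan_failover PRIMARY|SECONDARY" >&2; return 2 ;;
  esac
}

# Print the pkts counter of the OUTBOUND_SNAT rule whose "out" column is $1,
# reading `arno-iptables-firewall status` (iptables -nvL layout) on stdin.
# Columns: pkts bytes target prot opt in out source destination ...
snat_pkts_out() {
  awk -v want="$1" '
    /^Chain OUTBOUND_SNAT/ { in_chain = 1; next }
    /^Chain /              { in_chain = 0 }
    in_chain && $3 == "SNAT" && $7 == want { print $1; exit }
  '
}

# Constructed sample status output (not captured from a real box), shaped like
# the chain listing quoted in the thread.
SAMPLE_STATUS='Chain OUTBOUND_SNAT (0 references)
 pkts bytes target prot opt in out source destination
 1172540 140692582 SNAT all -- * ppp+ 172.30.10.2 !172.30.10.2 to:139.218.40.144
 0 0 SNAT all -- * eth3 172.30.10.2 !172.30.10.2 to:139.218.40.144
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)'

# Demo on the sample: a counter that stays at 0 while traffic flows means no
# packets are being SNATed out of eth3.
printf '%s\n' "$SAMPLE_STATUS" | snat_pkts_out eth3
```

To use the toggle on the box itself, call `wan_failover SECONDARY` / `wan_failover PRIMARY` from the matching case branches of wan-failover.script; to check a running system remotely, pipe `arno-iptables-firewall status` into `snat_pkts_out eth3` twice a minute apart and compare the two numbers.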