On Mon, 2002-08-19 at 19:51, Erez Doron wrote:
> the router must use one and only one channel for a connection !
>
> one can not send one packet of a connection on one channel (and one
> source ip) and the next packet from a different channel (and different
> source ip) because the remote side of the connection gets different
> source ips for the same connection and gets confused

The packets of a given TCP session must all have the same source and
destination addresses and ports. But there is nothing that limits how the
packet is routed. It is very common to have multiple channels where
different packets within the same virtual TCP connection get sent over
different paths. Sometimes you can observe this by running traceroute to
a given place multiple times and you can see that different paths are
taken at different times.

So, if Eli were to establish a TCP/HTTP session with a web server, say
google.com, and the address of the session was set to the IP address of
dsl_connection_1, and one packet was sent out over
frame_relay_connection, and another over dsl_connection_2 (keep in mind
that each packet still carries the return IP address of
dsl_connection_1), google.com would be able to put the whole thing
together and send a response to dsl_connection_1, which would end up back
at Eli's computer since the masquerade-router knows that his computer
started that session.

Now, if one of the ISPs is using transparent proxying, then the proxy
might only receive part of the request and will not be able to process
it. The proxy might think that this is the result of some kind of hacking
activity and try to block off the source of the offending packets. This
is what I suspect is the cause of the problem.

> also one can not send on one channel with the other's source ip because
> that's spoofing ...

It isn't actually spoofing since he is using a valid IP address that he
owns. It could be that the ISP might think that he is spoofing, and that
might lead them to block the packets, which is a potential source of some
of the problems he is having (I don't actually believe that this is the
problem in the simple sense based on the way he is describing the problem
though).

> also, I thought of ANOTHER WAY AN ISP CAN IDENTIFY MASQUERADING:
> I know a http server knows the ip of the http request initiator. this
> could be because it sees from what IP the request initiated from. but it
> could also be as one of the parameters a browser announces (like what
> kind of browser and OS).
> in the latter case, a transparent proxy can block http requests that do
> not originate from a valid or expected IP (e.g. a masquerading router
> does not modify the IP the browser announces as part of the http
> request)
>
> regards
> erez.
>
> Joseph Teichman wrote:
>
> > My question to you would be how is your router set up to do load
> > balancing and masquerading? Problems could arise if the router
> > randomly sends out packets over the different channels that you have
> > available. So, for any given TCP connection, does it make sure to only
> > transmit packets that are marked with the return IP address of that
> > connection over the connection that is assigned with that IP address
> > (an example of NOT doing this would be: sending out packets that carry
> > the return address of the frame relay connection over the DSL
> > connection and vice versa)? If not, then it will cause the transparent
> > proxy of your ISP to choke over malformed requests. They may have
> > logic in the proxy to detect insane requests and lock them out. If
> > this is the problem, then the solution would be to set up rules in the
> > router to stop this behavior.
> >
> > Yossi
> >
> > On Mon, 2002-08-19 at 10:31, Eli Marmor wrote:
> >
> >> Hi!
> >>
> >> I have 2 ADSL accounts at 012 (I love to pay them twice ;-), as well
> >> as an expensive frame-relay (aquanet). I installed and configured a
> >> Linux router (based on Devil-Linux) to serve as a router, firewall,
> >> etc. It uses both of the lines (FR+ADSL) for connection with the
> >> world, and splits the internal traffic to DMZ and clients.
> >>
> >> Recently, without changing anything in my configuration, I noticed a
> >> strange behavior: After a while, the ADSL connection stops serving
> >> HTTP requests (i.e.: I can FTP, ping, and traceroute any site, and
> >> even surf the website of 012, but not (HTTP)-surf any external
> >> website). If I disconnect and re-connect, everything is perfect again
> >> (until a while... and so on and so forth...).
> >>
> >> Is it possible that some ISP's (012 in my case) "block" IP
> >> masquerading?
> >>
> >> If it's true, then who are the ISP's that do it?
> >>
> >> And if it isn't true, then what is the reason for this strange
> >> behavior?
> >>
> >> Contrary to businesses with hundreds of employees that use one cheap
> >> private ADSL account, I already pay dozens of thousands of dollars
> >> yearly for 2.5 users (including me), so paying more (or in other
> >> words: "upgrading" my deal to the business one) is not a viable
> >> solution for me.
> >>
> >> --
> >> Eli Marmor
> >> [EMAIL PROTECTED]
> >> CTO, Founder
> >> Netmask (El-Mar) Internet Technologies Ltd.
> >> __________________________________________________________
> >> Tel.: +972-9-766-1020            8 Yad-Harutzim St.
> >> Fax.: +972-9-766-1314            P.O.B. 7004
> >> Mobile: +972-50-23-7338          Kfar-Saba 44641, Israel
> >>
> >> =================================================================
> >> To unsubscribe, send mail to [EMAIL PROTECTED] with
> >> the word "unsubscribe" in the message body, e.g., run the command
> >> echo unsubscribe | mail [EMAIL PROTECTED]
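The per-connection requirement argued over in this thread (one link and one source address for the whole life of a TCP connection, versus balancing packet by packet), as an added example that is not part of any poster's message and not Devil-Linux code: a small Python model of three link-selection policies on a multi-homed masquerading router. The link names mirror the thread; the public addresses, the internal host, the server address and the split HTTP request are constructed, and the per-flow hash stands in for whatever mechanism a real router uses (a policy-routing rule keyed on the source address, or a connection mark). The two "view" functions show what a transparent proxy on one ISP link and an ingress filter on that link would observe under each policy.

```python
"""Constructed model of outbound link selection on a multi-homed masquerading
router (added example; link names follow the thread, all addresses are invented)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from itertools import cycle

# Three uplinks, each with its own public address (assumed values from TEST-NET ranges).
LINKS = {
    "dsl_connection_1": "203.0.113.10",
    "dsl_connection_2": "203.0.113.20",
    "frame_relay_connection": "198.51.100.5",
}


@dataclass(frozen=True)
class Packet:
    src: str       # source address the remote side will see
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(pkt):
    """Connection identity as a TCP endpoint sees it (protocol fixed to TCP here)."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def per_packet_snat(lan_packets):
    """Wrong: round-robin per packet, SNAT to whichever link the packet leaves on.
    The server sees several source addresses for one connection and cannot match
    the segments to a single socket."""
    links = cycle(LINKS.items())
    out = []
    for pkt in lan_packets:
        link, addr = next(links)
        out.append((link, Packet(addr, pkt.sport, pkt.dst, pkt.dport, pkt.payload)))
    return out


def per_packet_fixed_source(lan_packets):
    """Also wrong: source pinned to the first link's address, egress still rotated.
    The server can reassemble the request, but each ISP sees only part of it, and
    two links carry packets whose source address is not their own."""
    fixed = LINKS["dsl_connection_1"]
    links = cycle(LINKS)
    return [(next(links), Packet(fixed, p.sport, p.dst, p.dport, p.payload))
            for p in lan_packets]


def per_flow(lan_packets, table=None):
    """Right: the first packet of a flow picks a link (here by hashing the 5-tuple,
    standing in for a source-address routing rule or a conntrack mark), and every
    later packet of that flow reuses the table entry, so link and source address
    stay consistent for the lifetime of the connection."""
    table = {} if table is None else table
    names = sorted(LINKS)
    out = []
    for pkt in lan_packets:
        key = flow_key(pkt)
        if key not in table:
            digest = hashlib.sha256(repr(key).encode()).digest()
            table[key] = names[int.from_bytes(digest[:4], "big") % len(names)]
        link = table[key]
        out.append((link, Packet(LINKS[link], pkt.sport, pkt.dst, pkt.dport, pkt.payload)))
    return out


def per_link_view(routed):
    """What a transparent proxy sitting on one link observes: the source
    addresses that appeared there and the bytes it could reassemble."""
    view = defaultdict(lambda: {"sources": set(), "data": b""})
    for link, pkt in routed:
        view[link]["sources"].add(pkt.src)
        view[link]["data"] += pkt.payload
    return dict(view)


def request_complete(data):
    """A transparent HTTP proxy can only serve a request it has seen in full."""
    return data.startswith(b"GET ") and data.endswith(b"\r\n\r\n")


def source_mismatches(routed):
    """Packets leaving a link with a source address that is not that link's own:
    what an ISP ingress filter would flag as apparent spoofing."""
    return [(link, pkt.src) for link, pkt in routed if pkt.src != LINKS[link]]


# Constructed LAN traffic: one HTTP request from an internal host, in three segments.
SEGMENTS = [b"GET / HTTP/1.1\r\n", b"Host: www.google.com\r\n", b"\r\n"]
LAN_PACKETS = [Packet("192.168.1.7", 40000, "192.0.2.80", 80, seg) for seg in SEGMENTS]

if __name__ == "__main__":
    for name, policy in (("per-packet SNAT", per_packet_snat),
                         ("fixed source, rotated egress", per_packet_fixed_source),
                         ("per-flow", per_flow)):
        routed = policy(LAN_PACKETS)
        for link, v in per_link_view(routed).items():
            print(f"{name:28} {link:24} sources={sorted(v['sources'])} "
                  f"complete={request_complete(v['data'])}")
        print(f"{name:28} packets with foreign source: {len(source_mismatches(routed))}")
```

Under the per-packet policies no single link ever sees a complete request, which is the condition under which a transparent proxy would see only fragments, and the fixed-source variant additionally puts dsl_connection_1's address on packets leaving the other two links, which is what an ISP's source-address filter would notice. Under the per-flow policy one link carries the whole connection with that link's own address, so neither symptom can arise; on a Linux router the same property is obtained by routing on the packet's source address so that each public address only ever leaves on the link it belongs to.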
