/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! */
/* ALSO: Don't quote this header. It makes you look lame :-) */

juaid wrote:
> Hi..
>
> First I'd like to point out that I'm having a "semi-problem" with routing and
> masquerading...
>
> The routing and masquerading I want to do is working fine with what I have
> done, but it's giving some problems with traceroutes, making them not work
> correctly or as expected...
>
> So here go the details of the situation and what I have done; sorry for the
> long mail....
>
> I've been running a network with IP Masquerading for about a year now
> without any problem. All routing is done by iproute2 (source routing, etc.)
> and masquerading via ipchains, since I'm using kernel 2.2.19pre17 on a
> Debian box (2.2-r3).
>
> Until some days ago, the network consisted of a Linux box behind the router
> that connects to the Internet, and my LAN on the other side of the Linux box.
> The router has an E1 connection separated into 2 channels, one that goes
> directly to the Internet, and the other to UyNet (UruguayNet), which is the
> main backbone and network across my country (Uruguay). So if I want to
> access any site on the Internet like google.com, it goes through one
> channel, and if I want to access a site in Uruguay it goes through the
> other one..
>
> I've got several different networks in my LAN which I have always
> masqueraded with ipchains with no problem..
>
> Some days ago, we added a second connection which has only one channel that
> accesses both the Internet and UyNet.
> You can see what it looks like at http://juanin.com/net.jpg
>
> The connection through "Router 1" is the new connection with one channel,
> and the one through "Router 2" is the connection we have always used with
> the 2 separate channels..
>
> What I want to do is to route traffic from certain of my LANs to the
> Internet through "Router 1" and traffic from other LANs to the Internet
> through "Router 2". BUT all traffic to UyNet must be routed through the
> UyNet channel in "Router 2".
>
> By default I masquerade my LANs like this:
>
> ipchains -I forward -s 192.168.1.0/24 -j MASQ -i eth0
>
> What I did for testing purposes is to leave everything as it is, but route
> my own machine (192.168.1.137) to the Internet through "Router 1" and to
> UyNet through "Router 2", by use of iproute2 source routing:
>
> ip ro add default via [Router 1 IP address] table xx
> ip ro add [all UyNet networks] via [Router 2 IP address] table xx
> ip ru add from [eth2 IP address] lookup xx
> ip ru add from 192.168.1.137 lookup xx
>
> I also added the following in order to masq my machine through eth2 and go
> to the Internet through "Router 1":
>
> ipchains -I forward -s 192.168.1.137 -j MASQ -i eth2
>
> All of this works fine, and I get routed as I want...
>
> BUT the problem I've got is that traceroutes now don't work as expected...
>
> If I traceroute an Internet address (for example google or yahoo) I see the
> first hop to 192.168.1.1 (my default gw, eth1); all the next hops through
> the Uruguayan network appear as packet loss without being resolved, until
> it goes out to the Internet where it continues in a normal way...
>
> If I traceroute an address in the UyNet network, some hops are resolved
> ok, and some are unresolved too...
>
> Here are 2 examples:
>
> <Example 1, traceroute to internet address>
>
> C:\Documents and Settings\juanin>tracert www.yahoo.com
>
> Tracing route to www.yahoo.akadns.net [64.58.76.178]
> over a maximum of 30 hops:
>
>   1    <1 ms    <1 ms    <1 ms  192.168.1.1
>   2     *        *        *     Request timed out.
>   3     *        *        *     Request timed out.
>   4     *        *        *     Request timed out.
>   5     *        *        *     Request timed out.
>   6   143 ms   143 ms   143 ms  iar2-so-2-2-0-0.Miami.cw.net [208.173.90.73]
>   7   144 ms   143 ms   143 ms  acr2-loopback.Miami.cw.net [208.172.98.62]
>   8   172 ms   170 ms   170 ms  agr4-loopback.Washington.cw.net [206.24.226.104]
>   9   171 ms   172 ms   171 ms  dcr1-so-6-3-0.Washington.cw.net [206.24.238.61]
>  10   173 ms   173 ms   173 ms  cable-and-wireless-internal-isp.Washington.cw.net [206.24.238.26]
>
> </Example 1, traceroute to internet address>
>
>
> <Example 2, traceroute to UyNet address>
>
> C:\Documents and Settings\juanin>tracert www.fastlink.com.uy
>
> Tracing route to www.fastlink.com.uy [200.61.78.6]
> over a maximum of 30 hops:
>
>   1    <1 ms    <1 ms    <1 ms  192.168.1.1
>   2     1 ms    <1 ms    <1 ms  gw.mydomain.com [xxx.xxx.xxx.xxx]
>   3     *        *        *     Request timed out.
>   4    18 ms     7 ms     7 ms  ubgpcen1-fe-1-0.antel.net.uy [200.40.128.11]
>   5     *        *        *     Request timed out.
>   6   370 ms    40 ms    66 ms  r200-71-0-4.techtel.com.uy [200.71.0.4]
>   7     *        *        *     Request timed out.
>   8    68 ms    49 ms    74 ms  paginas.fastlink.com.uy [200.61.78.6]
>
> </Example 2, traceroute to UyNet address>
>
>
> If I make traceroutes from other machines in my LAN 192.168.1.0/24 whose
> routing has not been modified (they always go out through "Router 2"), the
> traceroutes are ok...
>
> If I connect my machine directly to "Router 1" with an IP from its network,
> traceroutes are ok too..
>
> Also, from the Internet I can ping "Router 2" and eth0, and I can ping
> "Router 1", but I can not ping eth2!!!
>
> So I think I'm having some masquerading mess I am missing...
> Does anyone know what the problem may be??
>
> The routing works great, but it's not very nice not to be able to do a
> proper traceroute..
>
> Thanks in advance,
>
> juaid
>
> PS: I also tried making implicit masquerading like:
>
> ipchains -I forward -s 192.168.1.137 -d 64.58.76.178 -j MASQ -i eth2
> ipchains -I forward -s 192.168.1.137 -d 200.61.78.6 -j MASQ -i eth0
>
> and got exactly the same awful results.. :(
>
> A friend of mine told me he does something similar but with iptables, but
> I'm not using kernel 2.4 and do not want to upgrade it..

this is a job for tcpdump on eth1 and eth2. that's the best way to see
what's happening.

it sounds like packets that leave via router2 are generating reply packets
that might be arriving via router1 (or vice versa). could that be the
problem? if so, the demasquerading will fail. i don't know what you'd have
to do to fix that. there are howtos about multiple external paths but i
don't know if they mention masquerading.

raf
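The check raf proposes (tcpdump on each external interface, then see whether replies come back the way the probes went out) is tedious to do by eye across two captures. The script below is an added example, not code from the thread or the Masq list: it correlates the masqueraded echo-request probes of a Windows tracert leaving one interface with the ICMP time-exceeded replies they provoke, and flags every reply that arrives on an interface the probe never used. The public addresses (203.0.113.2 for eth2, 198.51.100.2 for eth0) are placeholders, the capture lines are constructed, and the line format is a simplified `HH:MM:SS.ffffff src > dst: icmp: <type>` shape modelled on `tcpdump -n` output; real tcpdump versions differ, so the regex may need adjusting.

```python
"""Correlate per-interface tcpdump captures to spot replies arriving on the wrong uplink.

Added example (not from the thread).  It implements the check raf suggests:
capture on each external interface, then match masqueraded traceroute probes
leaving one interface against the ICMP time-exceeded replies they provoke and
flag replies that come back on a different interface, the asymmetric path raf
suspects will defeat demasquerading.

Assumptions not in the thread: the public addresses are placeholders, the
captures are constructed, and lines follow a simplified
'HH:MM:SS.ffffff src > dst: icmp: <type>' shape modelled on tcpdump -n.
"""
import re
from collections import defaultdict

# Placeholder public addresses (assumption): eth0 faces Router 2, eth2 faces
# Router 1.  Traffic from the test host is masqueraded behind eth2's address.
ETH0_IP = "198.51.100.2"
ETH2_IP = "203.0.113.2"
MASQ_IPS = {ETH0_IP, ETH2_IP}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: (?P<kind>.+)$"
)

# Constructed captures (not real data): what `tcpdump -n -i eth2 icmp` and
# `tcpdump -n -i eth0 icmp` might show during one Windows tracert, which probes
# with ICMP echo requests.  Hop addresses are taken from the poster's traceroute
# output; the reply paths are invented to illustrate the pattern.
CAPTURES = {
    "eth2": """\
22:00:01.000100 203.0.113.2 > 64.58.76.178: icmp: echo request
22:00:01.000900 203.0.113.1 > 203.0.113.2: icmp: time exceeded in-transit
22:00:02.000100 203.0.113.2 > 64.58.76.178: icmp: echo request
22:00:03.000100 203.0.113.2 > 64.58.76.178: icmp: echo request
22:00:04.000100 203.0.113.2 > 64.58.76.178: icmp: echo request
22:00:04.143000 208.173.90.73 > 203.0.113.2: icmp: time exceeded in-transit
""",
    "eth0": """\
22:00:02.007000 200.40.128.11 > 203.0.113.2: icmp: time exceeded in-transit
22:00:03.040000 200.71.0.4 > 203.0.113.2: icmp: time exceeded in-transit
""",
}


def parse(iface, text):
    """Yield (ts, iface, src, dst, kind) for every ICMP line in one capture."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], iface, m["src"], m["dst"], m["kind"]


def analyze(captures, masq_ips):
    """Return (probe_ifaces, findings).

    probe_ifaces maps each masqueraded address to the sorted list of
    interfaces its echo requests were seen leaving on.  findings lists every
    time-exceeded reply addressed to a masqueraded address that arrived on an
    interface the corresponding probes never used.
    """
    # Merge both captures into one timeline so replies are seen after their probes.
    events = sorted(e for iface, text in captures.items() for e in parse(iface, text))
    probe_ifaces = defaultdict(set)
    findings = []
    for ts, iface, src, dst, kind in events:
        if kind == "echo request" and src in masq_ips:
            probe_ifaces[src].add(iface)
        elif kind.startswith("time exceeded") and dst in masq_ips:
            left_on = probe_ifaces.get(dst, set())
            if left_on and iface not in left_on:
                findings.append({"ts": ts, "hop": src, "masq_ip": dst,
                                 "reply_iface": iface, "probe_ifaces": sorted(left_on)})
    return {ip: sorted(ifaces) for ip, ifaces in probe_ifaces.items()}, findings


if __name__ == "__main__":
    probes, bad = analyze(CAPTURES, MASQ_IPS)
    for ip, ifaces in probes.items():
        print(f"probes from {ip} left on {', '.join(ifaces)}")
    for f in bad:
        print(f"{f['ts']} hop {f['hop']} replied to {f['masq_ip']} on {f['reply_iface']}, "
              f"but the probes left on {', '.join(f['probe_ifaces'])}")
```

In the constructed data the hop replies from 200.40.128.11 and 200.71.0.4 arrive on eth0 while the probes left eth2, so they are flagged; the replies from Router 1 and from the Miami hop come back on eth2 and pass. Hops that never answer at all (the `* * *` rows) produce no reply line and so no finding, which is a reminder that a silent hop and a reply on the wrong interface look the same from the LAN side and only a capture distinguishes them.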
