Hi All,

I have, as you all know, a multi-ISP setup on an OpenWrt platform.

Things have been going tickety-boo since I tweaked the up/down scripts of my Internet interface address acquisition protocols (DHCP and PPPoE) to include much of the Shorewall code bits that build the routing tables and so forth.

This morning though I have run into a situation that seems to defy my routing setup. I have the firewall set to accept ssh on port 2222 and while connections through my "CGCO" interface seem to work, connections through my "IGS" interface don't. The initial SYN is received on the IGS interface just fine but for some reason the SYN-ACK wants to leave on the CGCO interface. For reference, CGCO == vlan2 and IGS == ppp0.

Here are the incoming connection requests:

[EMAIL PROTECTED]:~# tcpdump -i ppp0 -n port 2222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
08:24:07.714235 IP 206.168.112.79.59910 > 66.11.173.224.2222: S 3788444964:3788444964(0) win 5840 <mss 1400,sackOK,timestamp 43994603 0,nop,wscale 7>
08:24:13.217385 IP 206.168.112.79.59919 > 66.11.173.224.2222: S 3896916709:3896916709(0) win 5840 <mss 1400,sackOK,timestamp 43995978 0,nop,wscale 7>

And here are the responses:

[EMAIL PROTECTED]:~# tcpdump -i vlan2 -n port 2222
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vlan2, link-type EN10MB (Ethernet), capture size 96 bytes
08:24:07.714906 IP 66.11.173.224.2222 > 206.168.112.79.59910: S 2094352526:2094352526(0) ack 3788444965 win 5648 <mss 1412,nop,nop,sackOK,nop,wscale 0>
08:24:09.504902 IP 66.11.173.224.2222 > 206.168.112.79.59910: S 2094352526:2094352526(0) ack 3788444965 win 5648 <mss 1412,nop,nop,sackOK,nop,wscale 0>
08:24:13.218516 IP 66.11.173.224.2222 > 206.168.112.79.59919: S 2209377383:2209377383(0) ack 3896916710 win 5648 <mss 1412,nop,nop,sackOK,nop,wscale 0>
08:24:16.304501 IP 66.11.173.224.2222 > 206.168.112.79.59919: S 2209377383:2209377383(0) ack 3896916710 win 5648 <mss 1412,nop,nop,sackOK,nop,wscale 0>
08:24:22.304200 IP 66.11.173.224.2222 > 206.168.112.79.59919: S 2209377383:2209377383(0) ack 3896916710 win 5648 <mss 1412,nop,nop,sackOK,nop,wscale 0>
08:24:34.303584 IP 66.11.173.224.2222 > 206.168.112.79.59919: S 2209377383:2209377383(0) ack 3896916710 win 5648 <mss 1412,nop,nop,sackOK,nop,wscale 0>
08:24:58.502369 IP 66.11.173.224.2222 > 206.168.112.79.59919: S 2209377383:2209377383(0) ack 3896916710 win 5648 <mss 1412,nop,nop,sackOK,nop,wscale 0>

My routing configuration:

[EMAIL PROTECTED]:~# ip rule ls
0:      from all lookup local
10064:  from all fwmark 0x40 lookup CGCO
10128:  from all fwmark 0x80 lookup IGS
20000:  from 72.38.139.100 lookup CGCO
20256:  from 66.11.173.224 lookup IGS
32766:  from all lookup main
32767:  from all lookup default

[EMAIL PROTECTED]:~# ip route ls table IGS
10.33.66.2 dev tun0 proto kernel scope link src 10.33.66.1
192.168.200.1 dev ppp0 scope link src 66.11.173.224
10.75.22.0/24 dev br0 proto kernel scope link src 10.75.22.199
10.75.23.0/24 via 10.33.66.2 dev tun0
72.38.136.0/21 dev vlan2 proto kernel scope link src 72.38.139.100
default via 192.168.200.1 dev ppp0

The connection mark appears to be correct as well:

[EMAIL PROTECTED]:~# grep 2222 /proc/net/ip_conntrack
tcp 6 49 SYN_RECV src=206.168.112.79 dst=66.11.173.224 sport=59910 dport=2222 src=66.11.173.224 dst=206.168.112.79 sport=2222 dport=59910 use=1 mark=128 bytes=932
tcp 6 56 SYN_RECV src=206.168.112.79 dst=66.11.173.224 sport=59919 dport=2222 src=66.11.173.224 dst=206.168.112.79 sport=2222 dport=59919 use=1 mark=128 bytes=164

So I am kind of puzzled why these SYN-ACKs are not being routed out via the correct interface.

Upon looking, I also wonder if the "from <address>" ip rules should be higher in the table than the "from all fwmark" rules. The source address should absolutely decide which interface to route out of regardless of fwmark, no?

Any ideas?

b.

-- 
My other computer is your Microsoft Windows server.
Brian J. Murrell
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
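As an added illustration, not part of Brian's message or of Shorewall's own code, the Python script below models the lookup the kernel performs for a locally generated reply: walk the `ip rule` entries in priority order, take the first whose selector matches and whose table actually holds a route to the destination, then longest-prefix-match inside that table. The rule list and table IGS are copied from the output posted above; the post never shows table CGCO, so its single route (`default dev vlan2`) is an assumption, and the local, main and default tables are treated as empty, which is sufficient for a non-local destination. Run against the posted SYN-ACK (66.11.173.224 to 206.168.112.79) it selects IGS/ppp0 whether the reply carries mark 0x80 (rule 10128 catches it) or no mark at all (rule 20256 catches it by source address), so the relative order of the fwmark and "from <address>" rules only changes the outcome when a packet carries the other ISP's mark (0x40), where the fwmark rule wins over the source rule.

```python
"""Model of the Linux policy-routing walk: ip rule entries in priority
order, then longest-prefix match inside the selected table.
Rules and table IGS are copied from the post; table CGCO is ASSUMED."""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    prio: int
    src: ipaddress.IPv4Network      # "from all" becomes 0.0.0.0/0
    fwmark: Optional[int]           # None when the rule has no fwmark selector
    table: str


class Route(NamedTuple):
    dst: ipaddress.IPv4Network      # "default" becomes 0.0.0.0/0
    dev: str
    via: Optional[str]


# Copied from the post's `ip rule ls`.
IP_RULE_LS = """\
0:      from all lookup local
10064:  from all fwmark 0x40 lookup CGCO
10128:  from all fwmark 0x80 lookup IGS
20000:  from 72.38.139.100 lookup CGCO
20256:  from 66.11.173.224 lookup IGS
32766:  from all lookup main
32767:  from all lookup default
"""

# Copied from the post's `ip route ls table IGS`.
IP_ROUTE_IGS = """\
10.33.66.2 dev tun0 proto kernel scope link src 10.33.66.1
192.168.200.1 dev ppp0 scope link src 66.11.173.224
10.75.22.0/24 dev br0 proto kernel scope link src 10.75.22.199
10.75.23.0/24 via 10.33.66.2 dev tun0
72.38.136.0/21 dev vlan2 proto kernel scope link src 72.38.139.100
default via 192.168.200.1 dev ppp0
"""

# ASSUMPTION: the post never lists table CGCO; a lone default route out of
# vlan2 is enough to show which rule hands a packet to that ISP.
IP_ROUTE_CGCO = "default dev vlan2\n"

RULE_RE = re.compile(
    r"^(\d+):\s+from (\S+)(?:\s+fwmark (0x[0-9a-fA-F]+))?\s+lookup (\S+)$")


def parse_rules(text: str) -> List[Rule]:
    """Parse `ip rule ls` lines into Rule tuples sorted by priority."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        prio, src, mark, table = m.groups()
        net = (ipaddress.ip_network("0.0.0.0/0") if src == "all"
               else ipaddress.ip_network(src, strict=False))
        rules.append(Rule(int(prio), net, int(mark, 16) if mark else None, table))
    return sorted(rules, key=lambda r: r.prio)


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route ls` lines; only dst, dev and via matter for this model."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        dst = (ipaddress.ip_network("0.0.0.0/0") if toks[0] == "default"
               else ipaddress.ip_network(toks[0], strict=False))
        kv = dict(zip(toks[1::2], toks[2::2]))   # "dev X via Y proto Z ..." pairs
        routes.append(Route(dst, kv["dev"], kv.get("via")))
    return routes


def route_lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match within one table; None when the table misses."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best


def egress(rules, tables, src, dst, fwmark=0):
    """First rule whose selector matches AND whose table can route dst.
    A table miss falls through to the next rule, as the kernel does; tables
    absent from `tables` (local, main, default) are treated as empty."""
    saddr = ipaddress.ip_address(src)
    for rule in rules:
        if saddr not in rule.src:
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        route = route_lookup(tables.get(rule.table, []), dst)
        if route is not None:
            return rule.prio, rule.table, route
    return None


RULES = parse_rules(IP_RULE_LS)
TABLES = {"IGS": parse_routes(IP_ROUTE_IGS), "CGCO": parse_routes(IP_ROUTE_CGCO)}


def synack_egress(fwmark: int):
    """The posted SYN-ACK, 66.11.173.224:2222 -> 206.168.112.79, with a given mark."""
    hit = egress(RULES, TABLES, "66.11.173.224", "206.168.112.79", fwmark)
    return (hit[1], hit[2].dev) if hit else None


if __name__ == "__main__":
    for mark in (0x80, 0x00, 0x40):
        print(f"SYN-ACK with fwmark {mark:#04x} -> {synack_egress(mark)}")
```

This is a model of the rule walk, not a replacement for asking the kernel: on the router itself `ip route get 206.168.112.79 from 66.11.173.224` (plus `mark 0x80` on iproute2 versions that accept it, which the post does not establish) answers the same question for the real tables, and comparing its output with the model is the quickest way to tell whether the rules or something outside them (a stale route cache, a mark that is not restored on the reply) picked vlan2.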
