On Tue, 2011-06-28 at 12:04 -0400, Simon Ryan wrote:

> 
> My network has two firewalls:
> 
> 
> 10.0.1.1 Main Firewall connected to 5Mbps ethernet
> 10.0.1.2 Secondary Firewall (OpenWRT) connected to DSL
> 
> 
> I have separate external address space for both from separate ISPs.
> The web based application has an fqdn webapp.company.com which
> directs traffic through the main firewall.  I will create an
> additional fqdn of webapp-backup.company.com that goes to the address
> space on the secondary firewall.  If the main connection goes down
> the users will know to try the alternate backup url.
> 
> 
> The problem is the web server uses 10.0.1.1 as its gateway.  So my
> DNAT rule works, but of course the internal web server responds using
> its default gateway and can't respond to requests coming from the
> DSL.  Therefore I would like to do reverse masq/nat/snat, where the
> incoming requests to webapp-backup.company.com appear to all come from
> 10.0.1.2 thereby allowing the internal web server to remain unchanged.

Hi Simon,

You need to SNAT traffic leaving the local interface of the OpenWRT
firewall. That will force response packets back through that firewall.

In /etc/shorewall/masq:

        <local interface>  0.0.0.0/0   10.0.1.2 

Note that a side-effect of that approach is that all connections from
remote clients appear to the server to have originated on the backup
firewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
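A fuller picture of the configuration Tom describes, added here as an illustration rather than taken from the thread: the DNAT entry in /etc/shorewall/rules that Simon already has, and the masq entry that pins the source address so replies come back to the OpenWRT box. The interface name eth0 (the OpenWRT firewall's LAN side), the web server address 10.0.1.10, the ports 80/443 and the external DSL address 203.0.113.10 are assumed values, not from the thread.

```text
# /etc/shorewall/rules  (on the OpenWRT / backup firewall)
# Inbound connections to the DSL public address are forwarded to the
# internal web server. Assumed: external address 203.0.113.10,
# web server 10.0.1.10 in zone "loc", DSL side in zone "net".
#ACTION   SOURCE   DEST              PROTO   DEST PORT   SOURCE PORT   ORIGINAL DEST
DNAT      net      loc:10.0.1.10     tcp     80,443      -             203.0.113.10

# /etc/shorewall/masq  (same firewall)
# Packets leaving the LAN interface (assumed eth0) toward the web server
# get their source address rewritten to the firewall's own LAN address,
# 10.0.1.2. The server then sees a peer on its own subnet and replies to
# it directly, never consulting its default gateway (10.0.1.1). Conntrack
# reverses both the DNAT and the SNAT on the way back out the DSL link.
#INTERFACE   SOURCE       ADDRESS
eth0         0.0.0.0/0    10.0.1.2

# Narrower alternative for the masq line: only traffic destined for the
# web server is SNATed, so other LAN hosts reached from the backup
# firewall still see real source addresses. The ":10.0.1.10" qualifier
# on the INTERFACE column restricts the entry by destination host.
#INTERFACE           SOURCE       ADDRESS
#eth0:10.0.1.10      0.0.0.0/0    10.0.1.2
```

Run `shorewall check` before `shorewall restart` to catch column errors. The operational cost of either masq line is the one Tom notes: the web server's access logs record 10.0.1.2 for every client that arrives over the DSL path, so per-client rate limiting, fail2ban-style blocking or forensic attribution on that server no longer work for backup-path traffic; if that matters, the firewall's own connection logging (e.g. a LOG action on the DNAT rule) is the place to keep the original client address.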


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
