[mdlug] Dual NAT config questions
Jeff Hanson
jhansonxi at gmail.com
Fri Jan 10 10:11:23 EST 2014
Load balancing at the host doesn't make much sense since they don't know
what the other hosts are doing. I would start by connecting both modems to
a single router/DHCP server and let it figure out balancing. I use an old
PC with Zeroshell but only have one Internet connection. Zeroshell
supports balancing: http://www.zeroshell.org/load-balancing-failover/
For the more complicated iptables configurations I suggest contacting the
folks in the #Netfilter channel on the FreeNode IRC server.
On Fri, Jan 10, 2014 at 6:54 AM, David Lee Lambert <davidl at lmert.com> wrote:
> I have two Internet connections via different providers, let's call them
> "A"
> and "B". For each one, I have a consumer-grade NAT device attached to the
> modem. Both devices map UDP, support static routing, some filtering,
> DNS proxy (also NAT basic UDP traffic like DNS or Teredo), and inbound
> port forwarding. I've disabled the DHCP server on one device (the newer
> one, actually). The newer device also works as an IPv6 router with ability
> to act as a 6to4 (RFC 3056) client.
>
> A diagram:
>
> Service A ---- 55.66.11.12 [ NAT A ] 192.168.123.1 ---+
> / |
> ~~~~~~~~~~~~~~~~~ / |
> ( IPv4 Internet ) --- Service B -- 3.4.5.6 [ NAT B ] 192.168.123.254 -+
> ~~~~~~~~~~~~~~~~~ |
> Ethernet (wire + wireless) 192.168.123.0/24, 169.254/16, IPv6... |
> +-------------+-------------+-------------+----------+------------+
> | | | | |
> Host A Host B Host C Host D Host E
> | (qemu virtual net(s))
> +----+-------+
> | |
> VM B' VM B''
>
>
> I am able to point each host at one NAT device for IP and the other for
> DNS with no trouble. In fact that's what I've set in DHCP for new
> hosts. I can also do static routing for load-balancing or temporarily
> if one link goes down.
>
> With just those tools, however, I don't think I can set up inbound port-
> forwarding from any provider to any host from both NATs. Any inbound
> connection from an IP address that the host would not route back to via
> the same NAT will not succeed ... the return packets will go out the
> wrong NAT, and even if they do not get filtered earlier, they will reach
> the original host with the wrong source address.
>
> Since several of the hosts run Linux, I suspect there's a way to write a
> script to set up routing/balnacing as desired on each host. Now at a high
> level, the rules would be:
>
> * Incoming TCP connections should be sticky to the NAT they came from
> * Outgoing TCP connections should be sticky to a NAT selected for
> the initial SYN packet, to include:
> - static assignment (provider A address blocks go out via NAT A,
> and vice versa)
> - certain ports via certain NAT
> - certain process (owner, name, etc.) via certail NAT (think a qemu
> VM)
> - random load-balancing
>
> I have not found a description of how to set exactly this up. How-to
> guides
> for similar scenarios (which may be badly out-of-date) suggest I might use
> the following tools:
>
> "iptables -t mangle -A [INPUT|OUTPUT] ..."
> /etc/iproute2/rt_tables (config file)
> "ifconfig" (add an additional address to each host's interface)
> "ip route ... table [A|B]"
> "ip rule ..."
>
> Has anyone on this list done something similar? Or can anyone explain the
> difference between IPtables connection marks, IProute2 tables, and how to
> connect them?
>
> --
> David Lee Lambert
> Member ACM (david.lee.lambert at acm.org)
> Ph# (616)676-7375 * IM: davidleelambert (Yahoo!, Skype and Google Talk)
> "Justicia, Tierra y Libertad"
> _______________________________________________
> mdlug mailing list
> mdlug at mdlug.org
> http://mdlug.org/mailman/listinfo/mdlug
>
More information about the mdlug
mailing list