
some packets going out from the wrong interface



Hi all,

I have a firewall with two routers in a multigw scenario. Load balancing works,
but some packets go out from the wrong interface to the routers.

routerA: 10.10.1.251 -> 10.10.1.1
                                                     firewall: 192.168.1.1->LAN
routerB: 10.10.2.251 -> 10.10.2.1

I can see this wrong traffic with tcpdump on either of the routers; for example,
on routerA, tcpdump -i eth1 src 10.10.2.1 shows some traffic, about 1-5% of
the connections.

It's very weird that if I set up a rule in nat POSTROUTING to log these packets
going out with the wrong source or from the wrong interface, netfilter doesn't
log anything, but tcpdump still shows these packets.

This is my setup:

# ip rule ls
0:      from all lookup local 
32761:  from all lookup main 
32762:  from all fwmark 0x8002 lookup 2 
32763:  from all fwmark 0x8001 lookup 1 
32764:  from 10.10.2.1/24 lookup 201 
32765:  from 10.10.1.1/24 lookup 200 
32766:  from all lookup main 
32767:  from all lookup default 
# ip route ls table 1
10.10.2.0/24 dev eth2  proto kernel  scope link  src 10.10.2.1 
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.1 
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.1 
# ip route ls table 201
default via 10.10.2.251 dev eth2  proto static  src 10.10.2.1 
prohibit default  proto static  metric 1 
# ip route ls table 200
default via 10.10.1.251 dev eth1  proto static  src 10.10.1.1 
prohibit default  proto static  metric 1 
# ip route ls table main
10.6.7.0/24 dev eth0  proto kernel  scope link  src 10.6.7.12 
10.10.2.0/24 dev eth2  proto kernel  scope link  src 10.10.2.1 
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.1 
10.10.1.0/24 dev eth1  proto kernel  scope link  src 10.10.1.1 
# ip route ls table default
default 
        nexthop via 10.10.1.251  dev eth1 weight 1
        nexthop via 10.10.2.251  dev eth2 weight 2

and mangle:

Chain PREROUTING (policy ACCEPT 275K packets, 115M bytes)
 pkts bytes target     prot opt in     out     source               
destination         
 3482 1002K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
CONNMARK restore 
   19  1534 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x0/0xff MAC DE:AD:BE:EF:00:99 MARK set 0x8001 
   44  2580 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
MARK match 0x0/0xff MAC DE:AD:BE:EF:00:98 MARK set 0x8002 
 3482 1002K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
CONNMARK save  

Chain INPUT (policy ACCEPT 15410 packets, 2339K bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain FORWARD (policy ACCEPT 260K packets, 113M bytes)
 pkts bytes target     prot opt in     out     source               
destination         

Chain OUTPUT (policy ACCEPT 11892 packets, 2261K bytes)
 pkts bytes target     prot opt in     out     source               
destination         
  914  142K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
CONNMARK restore

Do you know how to fix this?

Thanks!
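Added example (not part of the original post): a small Python model of the rule and table set shown above, so you can trace which table actually decides a given packet. It transcribes the post's ip rule / ip route output; table 2 and table local are not shown in the post, so table 2 is assumed to hold the same link-scope routes as table 1 and local is assumed empty. Because table 1 contains no default route, a marked packet to a remote destination falls through the fwmark rule to the multipath default table, which the model makes visible.

```python
import ipaddress

# Rules transcribed from the post's "ip rule ls": (priority, from-prefix, fwmark, table).
RULES = [
    (0, None, None, "local"),
    (32761, None, None, "main"),
    (32762, None, 0x8002, "2"),
    (32763, None, 0x8001, "1"),
    (32764, "10.10.2.1/24", None, "201"),
    (32765, "10.10.1.1/24", None, "200"),
    (32766, None, None, "main"),
    (32767, None, None, "default"),
]

# Tables transcribed from the post's "ip route ls": (dst prefix, what the route does).
# The 'prohibit default ... metric 1' entries in 200/201 lose to the metric-0 gateway
# route and are left out; table 2 and table local are not shown in the post, so table 2
# is assumed to hold the same link routes as table 1 and local is assumed empty.
LINK_ROUTES = [("10.10.2.0/24", "eth2"), ("192.168.1.0/24", "eth3"), ("10.10.1.0/24", "eth1")]
TABLES = {
    "local": [],
    "main": [("10.6.7.0/24", "eth0")] + LINK_ROUTES,
    "1": LINK_ROUTES,
    "2": LINK_ROUTES,
    "200": [("0.0.0.0/0", "eth1 via 10.10.1.251")],
    "201": [("0.0.0.0/0", "eth2 via 10.10.2.251")],
    "default": [("0.0.0.0/0", "multipath eth1 weight 1 / eth2 weight 2")],
}

def lookup(src, dst, fwmark=0):
    """Walk the rules in priority order, as the kernel does, and return
    (rule priority, table, route) for the first table that has a matching route.
    A table with no matching route is skipped and the walk continues."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, frm, mark, table in RULES:
        if frm and src_ip not in ipaddress.ip_network(frm, strict=False):
            continue
        if mark is not None and mark != fwmark:
            continue
        best = None  # longest-prefix match inside this table
        for prefix, action in TABLES[table]:
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, action)
        if best:
            return prio, table, best[1]
    return None
```

Try lookup("192.168.1.10", "198.51.100.7", fwmark=0x8001) with a constructed LAN client and remote destination: the 0x8001 rule matches, but table 1 has nothing for that destination, so the decision comes from the default table's multipath route.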