Re: 2 wan + 2 fire + 1 mdz

To: ns007532 <ns007532@bragatel.pt>
Cc: debian-user@lists.debian.org
Subject: Re: 2 wan + 2 fire + 1 mdz
From: Rodolfo Alcazar <rodolfo.alcazar@padep.org.bo>
Date: Tue, 18 Oct 2005 13:51:42 -0400
Message-id: <[🔎] 1129657902.2917.19.camel@rodolfoap.padep.org.bo>
In-reply-to: <[🔎] 4354E587.5000503@bragatel.pt>
References: <[🔎] 4354E587.5000503@bragatel.pt>

On Tue, 2005-10-18 at 13:07 +0100, ns007532 wrote:
> Hi
> I recently upgrade my system with one more wan connection, connect to a 
> new firewall(Debian + iptables + snort + portsentry and bind9, etc.). I 
> only have one dmz box.

Sorry, what is a DMZ box? As far as I know, DMZ stands for
"DeMilitarized Zone", and that is not a box, it is a LAN area delimited
with a firewall with certain security policies.

> I have 2 nics (eth0 and eth1)on dmz 10.196.3.2 and 10.196.4.2, in the 
> firewall1 10.196.3.1 and in firewall2 10.196.4.1.
> The problem is the default gateway on eth0 on dmz 10.196.3.2 who is 
> 10.196.3.1, so a connection from wan2  62.123.x.x in firewall2 gets to 
> dmz, but the response is from the gateway and go back as martian source 
> to firewall1!

Well, Ive drawn your configuration, and I suppose you have this config:

internet(isp1) --- fw1 --- |eth1             |
                           |so-called-DMZ-box| --- eth2 to lan
internet(isp2) --- fw2 --- |eth0             |

You could have done this with just one box:

internet(isp1) --- |eth1      |
                   | FIREWALL | --- eth2 to lan
internet(isp2) --- |eth0      |
                   |          | --- eth3 to DMZ

> How can i resolve this?

If I did understood ok, your problem is obvious. You have only one gateway definition. You must add this iproute definitions and delete the former:

root # ip route 62.123.x.x/16 via 10.196.4.1 dev eth1
root # ip route your.other.wan.gateway via 10.196.3.1 dev eth0

Now, go to google and read "Load Balancing with Linux", to get the most
from your both connections.

Why do you have this expensive configuration? I have a 2-ISP
load-balancing setup, with a DMZ in just one box: eth0 to ISP1, eth1 to
ISP2, eth2 to DMZ and eth3 to lan. This box manages firewalling,
balancing, routing and DNS, kinda your config. Dont you think this is
simpler and cheaper? Why all that expensive stuff? Cant understand!
Could you explain a little more?

--
Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo
Netzmanager Padep, GTZ
591-70656800, -22417628, LA PAZ, BOLIVIA
http://otbits.blogspot.com
--
When all else fails, read the instructions.

Reply to:

Follow-Ups:
- Re: 2 wan + 2 fire + 1 mdz
  - From: ns007532 <ns007532@bragatel.pt>

References:
- 2 wan + 2 fire + 1 mdz
  - From: ns007532 <ns007532@bragatel.pt>

Prev by Date: Re: Everything SSH related is dead
Next by Date: Wacom Graphire 3 (usb) under Debian Sarge
Previous by thread: 2 wan + 2 fire + 1 mdz
Next by thread: Re: 2 wan + 2 fire + 1 mdz
Index(es):
- Date
- Thread