On Tue, 2005-10-18 at 13:07 +0100, ns007532 wrote:
Hi
I recently upgrade my system with one more wan connection, connect to
a new firewall(Debian + iptables + snort + portsentry and bind9,
etc.). I only have one dmz box.
Sorry, what is a DMZ box? As far as I know, DMZ stands for
"DeMilitarized Zone", and that is not a box, it is a LAN area delimited
with a firewall with certain security policies.
I have 2 nics (eth0 and eth1)on dmz 10.196.3.2 and 10.196.4.2, in the
firewall1 10.196.3.1 and in firewall2 10.196.4.1.
The problem is the default gateway on eth0 on dmz 10.196.3.2 who is
10.196.3.1, so a connection from wan2 62.123.x.x in firewall2 gets
to dmz, but the response is from the gateway and go back as martian
source to firewall1!
Well, Ive drawn your configuration, and I suppose you have this config:
internet(isp1) --- fw1 --- |eth1 |
|so-called-DMZ-box| --- eth2 to lan
internet(isp2) --- fw2 --- |eth0 |
You could have done this with just one box:
internet(isp1) --- |eth1 |
| FIREWALL | --- eth2 to lan
internet(isp2) --- |eth0 |
| | --- eth3 to DMZ
How can i resolve this?
If I did understood ok, your problem is obvious. You have only one
gateway definition. You must add this iproute definitions and delete
the former:
root # ip route 62.123.x.x/16 via 10.196.4.1 dev eth1
root # ip route your.other.wan.gateway via 10.196.3.1 dev eth0
Now, go to google and read "Load Balancing with Linux", to get the most
from your both connections.
Why do you have this expensive configuration? I have a 2-ISP
load-balancing setup, with a DMZ in just one box: eth0 to ISP1, eth1 to
ISP2, eth2 to DMZ and eth3 to lan. This box manages firewalling,
balancing, routing and DNS, kinda your config. Dont you think this is
simpler and cheaper? Why all that expensive stuff? Cant understand!
Could you explain a little more?
--
Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo
Netzmanager Padep, GTZ
591-70656800, -22417628, LA PAZ, BOLIVIA
http://otbits.blogspot.com
--
When all else fails, read the instructions.