On Wed, 2005-10-19 at 10:25 +0100, ns007532 wrote:
ns007532 wrote:
Rodolfo Alcazar wrote:
On Tue, 2005-10-18 at 13:07 +0100, ns007532 wrote:
Hi
I recently upgraded my system with one more WAN connection, connected to
a new firewall (Debian + iptables + snort + portsentry and bind9,
etc.). I only have one DMZ box.
Sorry, what is a DMZ box? As far as I know, DMZ stands for
"DeMilitarized Zone", and that is not a box; it is a LAN area delimited
by a firewall with certain security policies.
I have 2 NICs (eth0 and eth1) on the DMZ box, 10.196.3.2 and 10.196.4.2; in
firewall1 10.196.3.1 and in firewall2 10.196.4.1.
The problem is the default gateway on eth0 on the DMZ box 10.196.3.2, which is
10.196.3.1, so a connection from wan2 62.123.x.x through firewall2 gets
to the DMZ, but the response goes out via the default gateway and comes back as a
martian source to firewall1!
Well, I've drawn your configuration, and I suppose you have this config:
internet(isp1) --- fw1 --- |eth1             |
                           |so-called-DMZ-box| --- eth2 to lan
internet(isp2) --- fw2 --- |eth0             |
You could have done this with just one box:
internet(isp1) --- |eth1     |
                   | FIREWALL | --- eth2 to lan
internet(isp2) --- |eth0     |
                   |         | --- eth3 to DMZ
How can i resolve this?
If I understood correctly, your problem is obvious. You have only one
gateway definition. You must add these iproute definitions and delete
the former:
root # ip route add 62.123.x.x/16 via 10.196.4.1 dev eth1
root # ip route add your.other.wan.gateway via 10.196.3.1 dev eth0
Now, go to Google and read "Load Balancing with Linux", to get the most
out of both your connections.
Why do you have this expensive configuration? I have a 2-ISP
load-balancing setup, with a DMZ in just one box: eth0 to ISP1, eth1 to
ISP2, eth2 to DMZ and eth3 to LAN. This box manages firewalling,
balancing, routing and DNS, kind of like your config. Don't you think this is
simpler and cheaper? Why all that expensive stuff? I can't understand!
Could you explain a little more?
What I have is this:
wan1--------fire1-------- lan0
                |------------lan1
                |------------dmz
wan2--------fire2---------lan0
                |------------dmz
Fire1 is a firewall and a primary DNS server.
Fire2 is a firewall and a secondary DNS server.
Fire1 and fire2 are connected to the same lan0 and DMZ area. The DMZ area only
has 1 box (for now).
Since your solution is for 2 WANs on 1 box, it doesn't apply to this.
Many thanks.
>> Why do you have this expensive configuration? I have a 2-ISP
>> load-balancing setup, with a DMZ in just one box: eth0 to ISP1, eth1 to
>> ISP2, eth2 to DMZ and eth3 to lan. This box manages firewalling,
>> balancing, routing and DNS, kinda your config. Dont you think this is
>> simpler and cheaper? Why all that expensive stuff? Cant understand!
>> Could you explain a little more?
Alright! Now I have a crystal-clear understanding!
I think you have to do this:
TCP/IP packets have two fields, among others, Source-IP and Destination-IP.
Example:
Source=ANY.EXTERNAL.IP.NUMBER, Dest=10.196.3.2.
If you get one of these packets on your DMZ, the packet will always
return by the same gateway. If you masquerade the packet, meaning you make
your server on the DMZ believe that the source IP is FIRE2:
(Source=10.196.3.1, Dest=10.196.3.2)
the packet will come back to that server. So (I didn't try this, but I
suppose it works), you have to masquerade your requests by adding this to your
iptables NAT rules on FW1:
-A POSTROUTING -d 10.196.3.2 -j MASQUERADE
You must be aware that your DNS points requests to your
FW1.EXTERNAL.IP.NUMBER. Do the same on FW2.
As I said, I didn't try internal masquerading. If that doesn't work,
you should try a similar approach with iptables SNAT and DNAT.
Sorry, I won't explain this part!
Why? Because my company needs 100% uptime. 2 internet connections in 1
box is good, but 2 x (1 internet + box) is better. I want machine and
internet backup.
In your configuration, if the hardware of your firewall goes crazy,
everything is down!
Now I get your point on your configuration. You have a great concern for
your network availability. But I still think this is a very complex
solution (I have a backup firewall, an i286 ready to replace the main one, in
case of failure). These are the reasons:
- Administration tasks get doubled. Two backups. Two different
configurations. Probably two different pieces of hardware, if you added one
recently. Two sets of supplies, probably.
- Two firewalls = the probability that one gets broken doubles. Then, half of
the network goes down, as I explain in the next point:
- You can't balance the traffic (just set up half of the users with one
firewall and the other half with the other, or some services on one FW
and other services on the other). This leads to a new problem: if any FW
gets broken, half of the services (or users) goes down. How did you
approach this problem for each user?
--
Rodolfo Alcazar - rodolfo.alcazar@padep.org.bo
Netzmanager Padep, GTZ
591-70656800, -22417628, LA PAZ, BOLIVIA
http://otbits.blogspot.com
--
Murphy's Law of Research
Enough research will tend to support your theory.
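The thread ends with an untested masquerade workaround; the usual fix for a host with two uplinks is source-based policy routing on the DMZ box itself, so a reply sourced from the eth1 address always leaves through fire2 and never reaches fire1 as a martian. The script below is an added example, not from any poster: the interfaces, addresses and gateways are the ones from the thread, while the table numbers and the DRY_RUN/apply switch are assumptions of mine.

```shell
#!/bin/sh
# Source-based policy routing for the dual-homed DMZ host
# (10.196.3.2 on eth0 behind fire1, 10.196.4.2 on eth1 behind fire2).
# Each interface's own address is tied to a routing table whose default
# route is that interface's firewall, so replies go back the way the
# request came in instead of via the single main-table gateway.
# Table numbers 100/200 are arbitrary (assumption).
set -eu

# With DRY_RUN=1 the commands are only printed; otherwise they are run.
run() {
    if [ "${DRY_RUN:-}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_uplink IFACE LOCAL_ADDR GATEWAY TABLE
#   1. default route via GATEWAY in a dedicated table
#   2. rule: packets sourced from LOCAL_ADDR consult that table
# The main table keeps its single default gateway for traffic the
# host originates itself; that behaviour is unchanged.
add_uplink() {
    iface=$1 addr=$2 gw=$3 table=$4
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" table "$table" priority "$table"
}

# Emit (or apply) the configuration for both uplinks of the DMZ host.
configure_dmz_host() {
    add_uplink eth0 10.196.3.2 10.196.3.1 100   # replies via fire1
    add_uplink eth1 10.196.4.2 10.196.4.1 200   # replies via fire2
}

# Print by default; "apply" (run as root) installs the routes and rules.
case "${1:-show}" in
    apply) DRY_RUN= ;;
    *)     DRY_RUN=1 ;;
esac
configure_dmz_host
```

Run it without arguments first to review the four iproute2 commands it would issue, then `sh script.sh apply` on the DMZ host.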