
#1 2007-08-09 06:18:42

sincity
Member
Registered: 2005-12-15
Posts: 63

iproute2 / netfilter and multiple links

Hi guys,

I have a strange problem. I have a firewall with 3 NICs:

1 - lan
2 - leased line or diginet
3 - connected to adsl modem

I have 2 tables defined in /etc/iproute2/rt_tables:

200 diginet
201 adsl

The ADSL modem has an IP of 192.168.0.1 and is configured to initiate the PPPoE connection. I can mark packets within the network destined for port 80 successfully:

# Default route for the leased line in table "diginet"; x.x.x.x is the IP of the Cisco router
ip route add default via x.x.x.x table diginet
# Default route for the ADSL path in table "adsl", via the modem on eth2
ip route add default via 192.168.0.1 dev eth2 table adsl
# Packets carrying fwmark 2 are looked up in table "adsl" instead of main
ip rule add fwmark 2 table adsl
ip route flush cache

# Turn off reverse-path filtering on every interface (replies may arrive on a different link)
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# Mark LAN traffic to TCP port 80 before routing, NAT all LAN traffic, and let port 80 through FORWARD
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

That all works, and if I do a tcpdump on eth2 I can see packets for web traffic going out via ADSL.

The problem:

If I configure the ADSL modem to no longer make the PPPoE connection but let the firewall do it instead (i.e. pppoe-setup / pppoe), then it doesn't work. Here are the relevant netfilter and iproute2 steps I did.

# Default route for the leased line in table "diginet"; x.x.x.x is the IP of the Cisco router
ip route add default via x.x.x.x table diginet
# As posted: this command has no destination prefix (incomplete as typed)
ip route add dev ppp0 table adsl
# Second default route in table "adsl"; x.x.x.x is the P-t-P address from the output of ifconfig ppp0
ip route add default via x.x.x.x table adsl
# Packets carrying fwmark 2 are looked up in table "adsl" instead of main
ip rule add fwmark 2 table adsl
ip route flush cache

# Turn off reverse-path filtering on every interface (replies may arrive on a different link)
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# Mark LAN traffic to TCP port 80 before routing, NAT all LAN traffic, and let port 80 through FORWARD
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j MARK --set-mark 2
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

I have also set DEFROUTE=no and PEERDNS=no in /etc/ppp/pppoe.conf, as the diginet is still the default route and I only want web traffic to go out on ADSL.

Some output from tcpdump showing that this doesn't work (the same SYN from the LAN host is retransmitted and never answered):

[root@firewall ~]# tcpdump -i eth0 port 80 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
07:43:59.501397 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219115 0,nop,wscale 0>
07:44:02.495748 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6219415 0,nop,wscale 0>
07:44:08.496618 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6220015 0,nop,wscale 0>
07:44:20.498324 IP 192.168.1.222.2867 > 66.249.93.104.80: S 2326997538:2326997538(0) win 5840 <mss 1460,sackOK,timestamp 6221215 0,nop,wscale 0>

If anyone can shed some light on what I'm doing wrong or missing I'd really appreciate it.

Last edited by sincity (2007-08-09 06:32:39)


#2 2007-08-09 16:03:29

sincity
Member
Registered: 2005-12-15
Posts: 63

Re: iproute2 / netfilter and multiple links

Found the problem. It seems that adding the default route for ppp0 to the adsl table screws things up.

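The setup the thread is after, written out as an added example (not the poster's own script): a PPPoE uplink in its own routing table, selected by an iptables mark, with the diginet link left as the default route. It assumes eth0 is the LAN, eth1 the diginet link, ppp0 the PPPoE link, that the table name "adsl" exists in /etc/iproute2/rt_tables, and that fwmark 2 selects the ADSL path; all of those are parameters at the top. Two points differ from the commands in the thread. A ppp interface is point-to-point, so its default route is added by device ("default dev ppp0") and there is exactly one default in that table; a second "default via <peer>" in the same table is what fails. And instead of writing 0 to conf/all/rp_filter, which switches the kernel's anti-spoofing check off on every interface, the script uses loose reverse-path filtering (mode 2, available from kernel 2.6.27), and saves the mark on the connection with CONNMARK so retransmits and later packets of a flow follow the same path. With DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script.
# Assumptions: eth0 = LAN, eth1 = diginet uplink, ppp0 = PPPoE uplink,
# table "adsl" is defined in /etc/iproute2/rt_tables, fwmark 2 = ADSL path.
# DRY_RUN=1 (default) prints the commands instead of executing them.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DIGINET_IF="${DIGINET_IF:-eth1}"
PPP_IF="${PPP_IF:-ppp0}"
ADSL_TABLE="${ADSL_TABLE:-adsl}"
MARK="${MARK:-2}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_adsl_routing() {
    # ppp0 is a point-to-point link: route by device. A second
    # "default via <peer address>" in the same table conflicts with this
    # one (or fails with "RTNETLINK answers: File exists"), so there is
    # exactly one default route in table "adsl".
    run ip route replace default dev "$PPP_IF" table "$ADSL_TABLE"
    run ip rule add fwmark "$MARK" lookup "$ADSL_TABLE" priority 1000
    run ip route flush cache

    # Keep reverse-path filtering on but loose (mode 2, kernel 2.6.27+)
    # instead of disabling the anti-spoofing check everywhere with 0.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w "net.ipv4.conf.$PPP_IF.rp_filter=2"

    # Restore a saved connection mark first so every packet of a marked
    # flow (retransmits included) takes the same path; mark only new
    # LAN -> port 80 flows and save that mark on the connection.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark --mark "$MARK" \
        -j CONNMARK --save-mark

    # Source NAT per uplink: packets leaving ppp0 carry the PPP address,
    # packets leaving the diginet link carry that link's address.
    for uplink in "$PPP_IF" "$DIGINET_IF"; do
        run iptables -t nat -A POSTROUTING -o "$uplink" -s "$LAN_NET" -j MASQUERADE
    done

    # Forwarding policy: LAN web traffic out via ppp0, replies back in.
    run iptables -A FORWARD -i "$LAN_IF" -o "$PPP_IF" -s "$LAN_NET" -p tcp --dport 80 -j ACCEPT
    run iptables -A FORWARD -i "$PPP_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Ask the kernel which route a marked packet from LAN host $2 to $1 takes.
# On a working box the answer names "dev ppp0", not the diginet gateway.
check_path() {
    run ip route get "$1" from "$2" iif "$LAN_IF" mark "$MARK"
}

setup_adsl_routing
check_path 66.249.93.104 192.168.1.222
```

Run it as root with DRY_RUN=0 to apply the rules; afterwards "ip route show table adsl" should list a single "default dev ppp0" entry, and the "ip route get ... mark 2" query is the quickest way to confirm that marked traffic is actually being steered to ppp0 before reaching for tcpdump.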
