Solved

two different Gateways with NAT for 3 ethernet cards in one server

Posted on 2009-04-14
617 Views
Last Modified: 2012-05-06
Hello,

I have a complicated network, summarised like this:

One ADSL router bridged through its WAN port to a WRT54G router, with one network of public IP addresses. The Ethernet DMZ public port is eth1.
One Linux server with public IPs on one Ethernet card and two local LANs.

All the networks are physically split in an HP switch 2625 with VLANs.
The server's outbound IP is a public one, and all the private LAN networks must use another public IP.

The public network working through eth1 has no problem with the default GW being the public IP of the ADSL router, without NAT.

Yes, I could do it with one more machine, but the idea is to do it with one.

The eth0 network works because it has the server's gateway 192.168.0.253, and the ADSL router is 192.168.0.253.

The eth2 192.168.2.0 internal network works inside the LAN but does not have NAT to the outside, in this case via eth0, which is the port that comes from the ADSL router with a LAN IP address and has internet.
I have eth0 masqueraded in iptables.

How can I get NAT on my eth2 network? I can ping only the IPs that are inside my server.

Thanks


Question by:_OpenSys_
20 Comments
 
LVL 43

Expert Comment

by:ravenpl
I must admit I'm not following; can you draw the networks with IPs?
I'm pretty sure it's solvable with http://lartc.org/howto/ - but I can't get the picture here.
 
LVL 2

Author Comment

by:_OpenSys_
The image of the network is at: http://img10.imageshack.us/img10/7924/mynetwork.png

The eth2 and eth3 networks cannot get NAT by the server from eth0.
 
LVL 43

Expert Comment

by:ravenpl
I think it's simply that the NAT is configured to NAT only packets from eth0 -> eth1. No

To fix the config, I need the current one.

Please provide the output from the command: iptables -t nat -L -n; iptables -L FORWARD -n
If it's a RedHat-like OS, then the iptables config is at /etc/sysconfig/iptables - bring it here as well.

For testing purposes (not permanent config) you can try
iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -o eth1 -j MASQUERADE
 
LVL 2

Author Comment

by:_OpenSys_
The problem is the default gateway in the server: it is not set to the public IP, to go out by itself.
The NAT comes only from eth0.
The only way to do this is to create some rule for the DMZ interface so it does not go out to the default gateway.

I have first tested the rules that you gave me.
I use Slackware.

I am very familiar with the Linux OS.

I continue listening for a possible solution.
 
LVL 43

Expert Comment

by:ravenpl
> I am use Slackware.
Hmm, unfortunately I'm not familiar with it - I don't know where the iptables config is located.

So you are saying that the server has the default route set to 192.168.0.254/eth0, but you want it to NAT connections from eth2 & eth3 via eth1?

You need to mark those candidate packets first
# iptables -t mangle -A PREROUTING -i eth2 -d ! 192.168.0.0/16 -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i eth3 -d ! 192.168.0.0/16 -j MARK --set-mark 1
then NAT them if they are about to leave via eth1
# iptables -t nat -I POSTROUTING -s 192.168.0.0/16 -o eth1 -j MASQUERADE

then set up the alternate routing (actually the default route should be enough; only eth2->pubIP & eth3->pubIP are routed via this table)
# /sbin/ip route add 213.x.y.z/30 dev eth1 table 101
# /sbin/ip route add default via 213.x.y.z dev eth1 table 101
# /sbin/ip rule add fwmark 1 table 101 pref 101

Since Slack is not my distro, I cannot tell where to put those to make it permanent.
 
LVL 2

Author Comment

by:_OpenSys_
Thank you, the key is the packet marking.
No, you are wrong; my default gateway in the server is 213.x.y.z/30.

Rules that work:

iptables -t mangle -A PREROUTING -i eth2 -d ! 192.168.2.0/24 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth2 -d ! 192.168.3.0/24 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth3 -d ! 192.168.2.0/24 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth3 -d ! 192.168.3.0/24 -j MARK --set-mark 2

ip route add 192.168.0.0/24 dev eth0 table 101
ip route add default via 192.168.0.254 dev eth0 table 101
ip rule add fwmark 2 table 101 pref 101


This works fine, and I have NAT, but at the same time it is not the final solution; some routes are missing.

I can ping all interfaces in the server from any network, but the devices that are connected to it I am not capable of pinging or making any other connection to.

ex: 192.168.0.1(pc) ---> 192.168.0.253(server) --> 192.168.0.254(router)

From PC to server was fine, from PC to router failed, from server to PC or router OK.

Adding a route to the local PC also failed.

My route -n:

213.x.x.x   0.0.0.0         255.255.255.252 U     0      0        0 eth1
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         213.x.x.x   0.0.0.0         UG    1      0        0 eth1

Thanks for your time.
 
LVL 43

Expert Comment

by:ravenpl
> ex: 192.168.0.1(pc) ---> 192.168.0.253(server) --> 192.168.0.254(router)
All three hosts are in the same network segment - no routing between them? If pc -> router fails, then better verify the switch or the router configuration.

BTW: why do you want NAT to eth0's IP, not directly to the external IP bound to eth1?

> iptables -t mangle -A PREROUTING -i eth2 -d ! 192.168.2.0/24 -j MARK --set-mark 2 # packet meant for eth3 is marked here, but no routes for eth3 in table 101
> iptables -t mangle -A PREROUTING -i eth2 -d ! 192.168.3.0/24 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth3 -d ! 192.168.2.0/24 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -i eth3 -d ! 192.168.3.0/24 -j MARK --set-mark 2
It catches too many packets, therefore some routing between eth2 & eth3 may be affected.
Try NATing only packets to public IPs (not to 192.168.0.0):
iptables -t mangle -A PREROUTING -i eth2 -d ! 192.168.0.0/16 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth3 -d ! 192.168.0.0/16 -j MARK --set-mark 2
 
LVL 2

Author Comment

by:_OpenSys_
Sorry, my fault; this is correct:
 ex: 192.168.3.1(pc) ---> 192.168.3.254(server) --> 192.168.3.3(pc)

There is no communication between 192.168.3.1 <--> 192.168.3.3.

I do not want eth1 to have NAT, because I want the browser output fixed IP address to be different from the server's.

Internet NAT eth0 (one fixed IP) internet output IP
Internet no NAT eth1 (one fixed IP) server output IP

I also tried reversing the rules:

ip route add 192.168.0.0/24 dev eth0 table 101
ip route add default via 192.168.0.254 dev eth0 table 101
ip rule add fwmark 2 table 101 pref 101

to

ip route add 213.x.x.x/30 dev eth1 table 101
ip route add default via 213.x.x.x dev eth1 table 101
ip rule add fwmark 2 table 101 pref 101

and changed the default gateway, but this does not work as I would like: all interfaces go out from eth0 and have only one public IP address.
 
LVL 43

Expert Comment

by:ravenpl
> there no communication between the 192.168.3.1 <--> 192.168.3.3
Not the server's fault - it's the same network segment and no routing occurs. Probably the 3.3 is blocking incoming connections and ICMP (is it Windows?).

> I do not what the eth1 have NAT because i what that the output browser fixed ip address different that the server.
Then actually your Linux server should not NAT but leave the NAT job to the Linksys.
The current Linux config is almost fine - just remove the NAT/MASQ iptables rules.
Of course the Linksys has to have routes for 192.168.2 and 192.168.3 set to the Linux server as gateway - otherwise it would consider routed packets (2.x, 3.x) martians.

So to summarize:
- the Linux server routes packets from 2.x and 3.x to !192.168.0.0/16 via the Linksys (marking and the 101 routing table)
- the Linksys routes 2.0/24 and 3.0/24 via the Linux server and performs NAT

> i try also reverse the rules:
I suppose it was a blind shot ;)
 
LVL 2

Author Comment

by:_OpenSys_
The gateway of the two machines is 3.254 (server).
If the default GW is 192.168.0.254, all the routes work fine, but with only one IP to NAT.

I don't have Windows machines :)

The router is only to provide me internet, not for NAT; the router has 16M of RAM, very low to handle all the NAT sessions needed, so the server must do the job.

Try other steps.

 
LVL 43

Expert Comment

by:ravenpl
> the router is only for provide me internet not for NAT, router have 16M of ram, very low to handle all the nat sessions needed, the server must do the job.
Is it? If your Linux server NATs and changes the source to 192.168.0.X, then the Linksys has to NAT it again, so on the internet it appears as the public IP. As you can see, the Linksys NATs anyway - that's why I stated that the Linux server should not NAT anymore.

The ping (connection) between 192.168.3.1 <--> 192.168.3.3 has nothing to do with the Linux server - it does not route/interfere with such connections.

Maybe you had problems with connections between 192.168.2.x <--> 192.168.3.x - true - your rules messed up that routing - and I already mentioned that, and suggested the solution.
 
LVL 2

Author Comment

by:_OpenSys_
Thanks for your quick answers.

Well, I changed the gateway to .0.254; all works fine, but the server goes out by eth0, not by eth1:

My rules:

iptables -t mangle -A PREROUTING -i lo -d ! 192.168.0.0/24 -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -i lo -d ! 192.168.0.0/24 -j MARK --set-mark 2


ip route add 213.x.x.x/30 dev eth1 table 101
ip route add default via 213.x.x.x dev eth1 table 101
ip rule add fwmark 2 table 101 pref 101

This does not work; all traffic from lo to the internet continues to go out by eth0, and I need it from eth1. If this can work, it will solve my problem entirely.

How can I make this correctly?
 
LVL 43

Accepted Solution

by:
ravenpl earned 45 total points
> iptables -t mangle -A PREROUTING -i lo -d ! 192.168.0.0/24 -j MARK --set-mark 2
> iptables -t mangle -A OUTPUT -i lo -d ! 192.168.0.0/24 -j MARK --set-mark 2
And where from have you got the "-i lo"? Why won't you take the easier path, and use the rules I already provided?

Assumptions:
- hosts on the 192.168.0 net have the Linksys as their gateway, and have inet access OK via the Linksys NAT
- hosts on the 192.168.0 net (including the Linksys) have the Linux server as gateway for the 192.168.2.0 & 192.168.2.0 networks
- the Linux server has 213.x.y.z as its gateway, but you want all 192.168.0.0 hosts to appear as the Linksys' pubIP on the internet

Please flush all current config and apply

iptables -t mangle -A PREROUTING -i eth2 -d ! 192.168.0.0/16 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth3 -d ! 192.168.0.0/16 -j MARK --set-mark 2
ip route add 192.168.0.0/24 dev eth0 table 101
ip route add default via 192.168.0.254 dev eth0 table 101
ip rule add fwmark 2 table 101 pref 101
#no nat - as I already explained linksys has to NAT it anyway - no point in double NATting
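As an added illustration (not code from this thread), the following Python model walks the mangle PREROUTING MARK rules, applies the "fwmark 2 -> table 101" rule and does a longest-prefix lookup over the two tables shown in the thread; it shows why the four per-/24 rules from the earlier post send eth2->eth3 traffic to the Linksys, while the "-d ! 192.168.0.0/16" rules above leave inter-LAN traffic on the main table. The sample destinations are constructed, and "213.x.x.x" is the thread's own redaction kept as a label.

```python
import ipaddress

# Added illustration, not code from this thread: a model of the mangle
# PREROUTING MARK rules, the "ip rule add fwmark 2 table 101" selector and a
# longest-prefix route lookup, to show why the four "-d ! 192.168.x.0/24"
# rules break eth2 <-> eth3 traffic while "-d ! 192.168.0.0/16" does not.

# (in_iface, negated_dst, mark): a rule matches when the packet arrived on
# in_iface and its destination is NOT inside negated_dst ("-d ! net").
AUTHOR_RULES = [
    ("eth2", "192.168.2.0/24", 2), ("eth2", "192.168.3.0/24", 2),
    ("eth3", "192.168.2.0/24", 2), ("eth3", "192.168.3.0/24", 2),
]
EXPERT_RULES = [("eth2", "192.168.0.0/16", 2), ("eth3", "192.168.0.0/16", 2)]

# Routing tables as (prefix, dev, gateway): "main" from the thread's
# "ip route show", "101" from the two "ip route add ... table 101" lines.
# "213.x.x.x" is the thread's own redaction, kept here only as a label.
TABLES = {
    "main": [("192.168.3.0/24", "eth3", None), ("192.168.2.0/24", "eth2", None),
             ("192.168.0.0/24", "eth0", None), ("0.0.0.0/0", "eth1", "213.x.x.x")],
    "101": [("192.168.0.0/24", "eth0", None), ("0.0.0.0/0", "eth0", "192.168.0.254")],
}

def mark_packet(rules, in_iface, dst):
    """Walk the MARK rules as iptables does: each matching rule sets the mark."""
    mark, d = 0, ipaddress.ip_address(dst)
    for iface, neg_net, m in rules:
        if iface == in_iface and d not in ipaddress.ip_network(neg_net):
            mark = m
    return mark

def route(rules, in_iface, dst):
    """Return (table, dev, gateway) chosen for a forwarded packet."""
    table = "101" if mark_packet(rules, in_iface, dst) == 2 else "main"
    d = ipaddress.ip_address(dst)
    best = max((e for e in TABLES[table] if d in ipaddress.ip_network(e[0])),
               key=lambda e: ipaddress.ip_network(e[0]).prefixlen)
    return (table, best[1], best[2])

if __name__ == "__main__":
    # Constructed sample destinations: the other LAN, the Linksys LAN, internet.
    for dst in ("192.168.3.5", "192.168.0.1", "8.8.8.8"):
        print(dst, "author rules:", route(AUTHOR_RULES, "eth2", dst),
              "expert rules:", route(EXPERT_RULES, "eth2", dst))
```

With the per-/24 rules a packet from eth2 to 192.168.3.5 is marked and falls through to table 101's default route via 192.168.0.254, so it never reaches eth3; with the /16 rules it stays unmarked and the main table delivers it on eth3. Newer iptables releases warn that the `-d !` form is deprecated and expect `! -d` instead.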
 
LVL 2

Author Comment

by:_OpenSys_
ravenpl,
 the rules that you wrote I already have; they work partially: I have internet but cannot ping or make any other communication to any device connected on another interface.
As I explained, 192.168.3.1 <--> 192.168.0.1 does not work.

This is the problem.
 
LVL 43

Expert Comment

by:ravenpl
> As i explain 192.168.3.1 <--> 192.168.0.1 not work
Can you show the routing table from the 192.168.0.1 host? Does it know where the 192.168.3.1 network is available (via the Linux server)? It was one of my assumptions - "hosts at 192.168.0 net(including linksys) have linux server as gateway for 192.168.2.0 & 192.168.2.0 networks"
 
LVL 2

Author Comment

by:_OpenSys_
Yes, no problem, I show all routes:

ip route show

213.x.x.x/30 dev eth1  proto kernel  scope link  src 213.x.x.x
192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.1
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.101
192.168.1.0/24 dev eth4  proto kernel  scope link  src 192.168.1.253
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
127.0.0.0/8 dev lo  scope link
default via 213.x.x.x dev eth1  metric 1

I can ping all Ethernet devices that exist in the Linux server.

If my gateway is 0.254, all routes work fine.
 
LVL 43

Expert Comment

by:ravenpl
> 213.x.x.x/30 dev eth1  proto kernel  scope link  src 213.x.x.x
I suppose those are from the Linux server - I asked for the routing table from 192.168.3.1 - does it have a route to the 192.168.0.0/24 network? Oh, yes - does 192.168.0.1 have a route to the 192.168.3.0 network? No? Then configure them to have one.
You can do it either by hand, or by sending those routes with DHCP(?), or make the default gateway (the Linksys, in fact) send proper redirects.
Look - if 192.168.0.1 sends out a packet to 192.168.3.1 it picks up the default route (the Linksys). If the Linksys does not have a route to 192.168.3.1, it sends the packet via its default route - the packet will not reach its destination.
 
LVL 2

Author Comment

by:_OpenSys_
Sorry, it is the server route.
No,

> Look - if 192.168.0.1 sends out a packet to 192.168.3.1 it picks up the default route(the linksys). If linksys does not have route to 192.168.3.1, sends the packet via default route - the packet will not reach it's destination.

The 192.168.0.1 has the server route, in this case 192.168.0.253:

192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
0.0.0.0         192.168.0.253   0.0.0.0         UG    0      0        0 eth0


If I set in the 192.168.0.1 machine the route: route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.0.253

it still does not work anyway.
 
LVL 43

Expert Comment

by:ravenpl
> 0.0.0.0         192.168.0.253   0.0.0.0         UG    0      0        0 eth0
> if i set in the 192.168.0.1 machine the route: route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.0.253
It's the same gateway - no wonder nothing changed.
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.0.254 # i assume 254 is the server, 253 is the linksys
Am I really so hard to understand?
 
LVL 2

Author Comment

by:_OpenSys_
No, it is not hard!

I cannot explain it, but when I ping one machine, the answer comes from the internet; strange thing. I rebooted the server, and now all works fine. Some stupid route cache.

Rules:
iptables -t mangle -A PREROUTING -i eth2 -d ! 192.168.0.0/16 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -i eth3 -d ! 192.168.0.0/16 -j MARK --set-mark 2
ip route add 192.168.0.0/24 dev eth0 table 101
ip route add default via 192.168.0.254 dev eth0 table 101
ip rule add fwmark 2 table 101 pref 101

Thank you
