To: gentoo-user@lists.gentoo.org
From: Grant Edwards
Subject: [gentoo-user] Re: How to do port-based routing?
Date: Mon, 3 Mar 2008 21:35:49 +0000 (UTC)
References: <1699.192.168.0.96.1204571480.squirrel@canuckster.org> <47CC5D2F.3020206@badapple.net> <47CC68F4.2010809@badapple.net>
User-Agent: slrn/0.9.8.1 (Linux)

On 2008-03-03, kashani wrote:
> Grant Edwards wrote:
>
>> I don't understand why I have to do NAT. Can you explain why?
>> (Or point me to docs that explain why?)
>
> router01.your.network.com
> eth0 - 10.11.12.1
> eth1 - 24.1.2.231 - Comcast
> eth2 - 64.1.2.132 - Speakeasy
>
> Naturally RFC 1918 space is useless outside your network so
> you have to NAT.

Both of my gateways are on local networks and are doing NAT.

> However you need to make sure that you are making your policy
> routing decisions at eth0. You don't want traffic marked as
> originating from 24.1.2.231 going out eth2

I don't have IP forwarding enabled, so that shouldn't happen.

> since Speakeasy could (and should) drop traffic that is not
> originating from its IP space. Additionally traffic will be
> routing back to you via the Comcast connection, resulting in
> asymmetric routing which can increase the chances of packets
> arriving out of order.
>
> router01.your.network.com
> eth0 - 24.2.3.1/29
> eth0 - 64.2.3.1/29
> eth1 - 24.1.2.231 - Comcast
> eth2 - 64.1.2.132 - Speakeasy
>
> Same case with this setup even with real IPs. The chances of convincing
> any ISP to accept routes smaller than /24 from you are tiny. And finding
> anyone who knows what you even want to do even when you have the IP
> space is pretty much non-existent. I know, I've tried. Same thing in
> this case, you'll NAT at eth1 and eth2 and policy route at eth0.
>
> If you are doing this from a single machine with two IPs and no other
> networks or interfaces, it should just work.

The machine will have different non-routing IPs on the two interfaces
where the two NAT/firewall/gateways are. The machine does have
interfaces/networks, but since I'm not forwarding packets, they should
be irrelevant.

> Linux should use the IP of the interface the packet leaves from,
> but I'd use tcpdump to make sure.

Good idea.

-- 
Grant Edwards                   grante             Yow! Hello, GORRY-O!!
                                  at               I'm a GENIUS from HARVARD!!
                               visi.com

-- 
gentoo-user@lists.gentoo.org mailing list
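For the two-uplink layout kashani sketches, the following setup script is an added example (not code from the thread, from Gentoo, or from either poster): it builds a per-ISP routing table, NATs behind the address of the interface a packet actually leaves from, and steers chosen destination ports out the second uplink by fwmark, which covers both the router case in the diagram and a non-forwarding host like Grant's. The gateway addresses, table numbers and steered ports are assumptions; the interface names and ISP addresses are taken from the diagram.

```shell
#!/bin/sh
# Two-uplink policy routing for kashani's layout (added example, not from the thread):
# eth0 = LAN, eth1 = Comcast 24.1.2.231, eth2 = Speakeasy 64.1.2.132. Gateways, table
# numbers and steered ports are assumptions. "apply" (as root) executes; otherwise only prints.
LAN_IF=eth0
ISP1_IF=eth1; ISP1_IP=24.1.2.231; ISP1_GW=24.1.2.1; ISP1_TABLE=100   # gateway assumed
ISP2_IF=eth2; ISP2_IP=64.1.2.132; ISP2_GW=64.1.2.1; ISP2_TABLE=200   # gateway assumed
MARK_ISP2=2         # fwmark that selects the Speakeasy table
ISP2_PORTS=22,443   # destination ports steered via Speakeasy (assumed)

run() {
    printf '%s\n' "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

setup_uplink() {   # $1=iface $2=local ip $3=gateway $4=table
    # A per-ISP table holding only that ISP's default route.
    run ip route replace default via "$3" dev "$1" table "$4"
    # Packets sourced from this ISP's address always leave through it, so Speakeasy never
    # sees Comcast-addressed traffic and replies come back symmetrically.
    run ip rule add from "$2" table "$4" priority "$4"
    # NAT behind the address of the interface the packet really leaves from.
    run iptables -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$2"
    # Loose reverse-path filtering, or replies arriving on the non-default uplink are dropped.
    run sysctl -w net.ipv4.conf."$1".rp_filter=2
}

setup_port_steering() {
    # Decide at the LAN ingress (eth0), before NAT rewrites the source: mark by dport in mangle/PREROUTING.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m multiport \
        --dports "$ISP2_PORTS" -j MARK --set-mark "$MARK_ISP2"
    # The box's own connections (Grant's non-forwarding host) are marked in OUTPUT; their source
    # address was chosen before the mark, which is why the SNAT rule above is needed.
    run iptables -t mangle -A OUTPUT -p tcp -m multiport \
        --dports "$ISP2_PORTS" -j MARK --set-mark "$MARK_ISP2"
    run ip rule add fwmark "$MARK_ISP2" table "$ISP2_TABLE" priority 50
}

main() {
    run sysctl -w net.ipv4.ip_forward=1
    setup_uplink "$ISP1_IF" "$ISP1_IP" "$ISP1_GW" "$ISP1_TABLE"
    setup_uplink "$ISP2_IF" "$ISP2_IP" "$ISP2_GW" "$ISP2_TABLE"
    setup_port_steering
    # Unmarked traffic falls through to the main table, whose default route is Comcast.
    run ip route replace default via "$ISP1_GW" dev "$ISP1_IF"
}

case "${1:-}" in
    apply) main ;;
    *) DRY_RUN=1; main ;;
esac
```

Run without arguments it only prints the plan; `sh script.sh apply` as root executes it. Grant's tcpdump check is `tcpdump -ni eth2 'tcp port 443'`, which should show the steered flows leaving with source 64.1.2.132.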