- 05-14-2010 #1 | Just Joined! | Join Date: May 2010 | Posts: 3
Dual ISP / WAN / GATEWAY on linux router
Hi
Been using Linux as a firewall/router for years now (one ISP and one or more LANs), and it is excellent.
However, I have been struggling with this dual ISP issue. After 3 whole days, pulling the rest of my hair out, I finally got a step further... but encountered a new problem.
The only thing I want with dual ISP is that traffic coming in on ISP1 or ISP2 (and routed/NATed to the LAN) returns to the same ISP. It is not for balancing or failover.
I am now able to access (telnet) my LAN-PC-test-mail-server from outside the firewall/router through both ISPs.
The problem is, I am no longer able to ping the internet from my LAN-PC-test-mail-server. But if I telnet to the LAN-PC-test-mail-server from the outside (and get connected), then I am able to ping the internet from the LAN-PC-test-mail-server. Why??? Even after the telnet session has ended I can still ping the internet...
Hope somebody can enlighten me?
Please see attached image.
PC1:
My Linux firewall, connected with eth0 to ISP1, eth1 to the LAN and eth2 to ISP2.
PC2:
My Linux test mail server (so I can test the firewall/router from the outside by telnet to port 25), with eth0 connected to the LAN.
PC1-firewall-config:

/etc/network/interfaces
Code:
# The loopback network interface
auto lo eth0 eth1 eth2
iface lo inet loopback

# The primary network interface
#iface eth2 inet dhcp
iface eth0 inet static
    address 192.168.101.230
    netmask 255.255.255.252
    broadcast 192.168.101.231
    network 192.168.101.228
    post-up iptables-restore < /etc/iptables.up.rules

iface eth1 inet static
    address 192.168.222.1
    netmask 255.255.255.0
    broadcast 192.168.222.255
    network 192.168.222.0

iface eth2 inet static
    address 192.168.202.230
    netmask 255.255.255.252
    broadcast 192.168.202.231
    network 192.168.202.228
    post-up /root/wan_route

/root/wan_route
Code:
ip route add 192.168.101.229 dev eth0 table wan_isp1
ip route add 192.168.222.0/24 dev eth1 table wan_isp1
ip route add default via 192.168.101.229 dev eth0 table wan_isp1
ip route add 192.168.202.229 dev eth2 table wan_isp2
ip route add 192.168.222.0/24 dev eth1 table wan_isp2
ip route add default via 192.168.202.229 dev eth2 table wan_isp2
ip rule add fwmark 1 table wan_isp1
ip rule add fwmark 2 table wan_isp2
ip route flush cache
ip route add default via 192.168.202.229 dev eth2

/etc/iptables.up.rules
Code:
# Generated by iptables-save v1.4.4 on Wed May 12 12:08:15 2010
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination 192.168.222.101:25
-A PREROUTING -p tcp -m tcp -i eth2 --dport 25 -j DNAT --to-destination 192.168.222.101:25
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.101.230
-A POSTROUTING -o eth2 -j SNAT --to-source 192.168.202.230
COMMIT
# Completed on Wed May 12 12:08:15 2010
# Generated by iptables-save v1.4.4 on Wed May 12 12:08:15 2010
*mangle
:PREROUTING ACCEPT [14:3038]
:INPUT ACCEPT [14:3038]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:4064]
:POSTROUTING ACCEPT [12:4064]
-A PREROUTING -i eth1 -j CONNMARK --restore-mark
-A PREROUTING -i eth0 -j MARK --set-mark 0x1
-A PREROUTING -i eth0 -j CONNMARK --save-mark
-A PREROUTING -i eth2 -j MARK --set-mark 0x2
-A PREROUTING -i eth2 -j CONNMARK --save-mark
-A INPUT -i eth0 -j MARK --set-mark 0x1
-A INPUT -i eth0 -j CONNMARK --save-mark
-A INPUT -i eth2 -j MARK --set-mark 0x2
-A INPUT -i eth2 -j CONNMARK --save-mark
-A OUTPUT -j CONNMARK --restore-mark
-A OUTPUT -s 192.168.101.230 -j MARK --set-mark 0x1
-A OUTPUT -s 192.168.101.230 -j CONNMARK --save-mark
-A POSTROUTING -j CONNMARK --restore-mark
-A POSTROUTING -m mark --mark 1 -j ACCEPT
-A POSTROUTING -m mark --mark 2 -j ACCEPT
-A POSTROUTING -o eth0 -j MARK --set-mark 1
-A POSTROUTING -o eth2 -j MARK --set-mark 2
-A POSTROUTING -o eth0 -j CONNMARK --save-mark
-A POSTROUTING -o eth2 -j CONNMARK --save-mark
-A FORWARD -j CONNMARK --restore-mark
-A FORWARD -i eth0 -j MARK --set-mark 0x1
-A FORWARD -i eth0 -j CONNMARK --save-mark
-A FORWARD -i eth2 -j MARK --set-mark 0x2
-A FORWARD -i eth2 -j CONNMARK --save-mark
COMMIT
# Completed on Wed May 12 12:08:15 2010
# Generated by iptables-save v1.4.4 on Wed May 12 12:08:15 2010
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state -i eth2 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT: "
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -p tcp --dport 25 -j ACCEPT
#-A FORWARD -p tcp -m tcp -d 192.168.233.101 --dport 25 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD: "
COMMIT
# Completed on Wed May 12 12:08:15 2010

Kind regards, Ole
Last edited by tetzschner; 05-14-2010 at 01:49 PM. Reason: Image added
- 05-15-2010 #2 | Just Joined! | Join Date: May 2010 | Posts: 3
A bit closer to the problem
A bit closer to the problem.
I have added a bunch of LOG rules to my iptables, so with a simple ping to the outside from the test client on the LAN I can now follow the ping.
IP 192.168.3.1 is outside in my test-setup.
IP 192.168.222.10 is a LAN client.
IP 192.168.222.11 is a LAN client.
When things are not working:
Code:
May 15 16:41:43 fw10 kernel: [ 266.388097] -> MANGLE,PREROUTING: IN=eth1 OUT= MAC=00:0c:29:ef:9f:64:00:0c:29:51:44:88:08:00 SRC=192.168.222.10 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=48051 PROTO=ICMP TYPE=8 CODE=0 ID=27651 SEQ=38
May 15 16:41:43 fw10 kernel: [ 266.388109] <- MANGLE,PREROUTING: IN=eth1 OUT= MAC=00:0c:29:ef:9f:64:00:0c:29:51:44:88:08:00 SRC=192.168.222.10 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=48051 PROTO=ICMP TYPE=8 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388121] -> MANGLE,FORWARD: IN=eth1 OUT=eth0 SRC=192.168.222.10 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=48051 PROTO=ICMP TYPE=8 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388126] <- MANGLE,FORWARD: IN=eth1 OUT=eth0 SRC=192.168.222.10 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=48051 PROTO=ICMP TYPE=8 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388132] -> MANGLE,POSTROUTING: IN= OUT=eth0 SRC=192.168.222.10 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=48051 PROTO=ICMP TYPE=8 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388137] -- MANGLE,POSTROUTING: IN= OUT=eth0 SRC=192.168.222.10 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=48051 PROTO=ICMP TYPE=8 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388728] -> MANGLE,PREROUTING: IN=eth0 OUT= MAC=00:0c:29:ef:9f:5a:00:0c:29:2d:f8:93:08:00 SRC=192.168.3.1 DST=192.168.101.230 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=15869 PROTO=ICMP TYPE=0 CODE=0 ID=27651 SEQ=38
May 15 16:41:43 fw10 kernel: [ 266.388744] <- MANGLE,PREROUTING: IN=eth0 OUT= MAC=00:0c:29:ef:9f:5a:00:0c:29:2d:f8:93:08:00 SRC=192.168.3.1 DST=192.168.101.230 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=15869 PROTO=ICMP TYPE=0 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388753] -> MANGLE,FORWARD: IN=eth0 OUT=eth0 SRC=192.168.3.1 DST=192.168.222.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=15869 PROTO=ICMP TYPE=0 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388778] <- MANGLE,FORWARD: IN=eth0 OUT=eth0 SRC=192.168.3.1 DST=192.168.222.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=15869 PROTO=ICMP TYPE=0 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388786] -> MANGLE,POSTROUTING: IN= OUT=eth0 SRC=192.168.3.1 DST=192.168.222.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=15869 PROTO=ICMP TYPE=0 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388792] -- MANGLE,POSTROUTING: IN= OUT=eth0 SRC=192.168.3.1 DST=192.168.222.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=15869 PROTO=ICMP TYPE=0 CODE=0 ID=27651 SEQ=38 MARK=0x1

When things are working:
Code:
May 15 16:22:36 fw10 kernel: [ 282.962745] -> MANGLE,PREROUTING: IN=eth1 OUT= MAC=00:0c:29:ef:9f:64:00:0c:29:15:77:a7:08:00 SRC=192.168.222.11 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51973 SEQ=1
May 15 16:22:36 fw10 kernel: [ 282.962759] <- MANGLE,PREROUTING: IN=eth1 OUT= MAC=00:0c:29:ef:9f:64:00:0c:29:15:77:a7:08:00 SRC=192.168.222.11 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.962773] -> NAT,PREROUTING: IN=eth1 OUT= MAC=00:0c:29:ef:9f:64:00:0c:29:15:77:a7:08:00 SRC=192.168.222.11 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.962782] <- NAT,PREROUTING: IN=eth1 OUT= MAC=00:0c:29:ef:9f:64:00:0c:29:15:77:a7:08:00 SRC=192.168.222.11 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.962837] -> MANGLE,FORWARD: IN=eth1 OUT=eth2 SRC=192.168.222.11 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.962843] <- MANGLE,FORWARD: IN=eth1 OUT=eth2 SRC=192.168.222.11 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.962849] -> MANGLE,POSTROUTING: IN= OUT=eth2 SRC=192.168.222.11 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.963431] -> MANGLE,PREROUTING: IN=eth2 OUT= MAC=00:0c:29:ef:9f:6e:00:0c:29:b1:88:6d:08:00 SRC=192.168.3.1 DST=192.168.202.230 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=19415 PROTO=ICMP TYPE=0 CODE=0 ID=51973 SEQ=1
May 15 16:22:36 fw10 kernel: [ 282.963443] <- MANGLE,PREROUTING: IN=eth2 OUT= MAC=00:0c:29:ef:9f:6e:00:0c:29:b1:88:6d:08:00 SRC=192.168.3.1 DST=192.168.202.230 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=19415 PROTO=ICMP TYPE=0 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.963460] -> MANGLE,FORWARD: IN=eth2 OUT=eth1 SRC=192.168.3.1 DST=192.168.222.11 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=19415 PROTO=ICMP TYPE=0 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.963466] <- MANGLE,FORWARD: IN=eth2 OUT=eth1 SRC=192.168.3.1 DST=192.168.222.11 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=19415 PROTO=ICMP TYPE=0 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.963473] -> MANGLE,POSTROUTING: IN= OUT=eth1 SRC=192.168.3.1 DST=192.168.222.11 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=19415 PROTO=ICMP TYPE=0 CODE=0 ID=51973 SEQ=1 MARK=0x2

I am missing the NAT PREROUTING, is this a bug?

/etc/iptables.up.rules
Code:
root@fw10:~# cat /etc/iptables.up.rules
# Generated by iptables-save v1.4.4 on Wed May 12 12:08:15 2010
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p icmp -j LOG --log-prefix "-> NAT,PREROUTING: "
-A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination 192.168.222.11:25
-A PREROUTING -p tcp -m tcp -i eth2 --dport 25 -j DNAT --to-destination 192.168.222.11:25
-A POSTROUTING -o eth0 -j SNAT --to-source 192.168.101.230
-A POSTROUTING -o eth2 -j SNAT --to-source 192.168.202.230
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.222.11:80
-A PREROUTING -p tcp -m tcp -i eth2 --dport 80 -j DNAT --to-destination 192.168.222.10:80
-A PREROUTING -p icmp -j LOG --log-prefix "<- NAT,PREROUTING: "
COMMIT
# Completed on Wed May 12 12:08:15 2010
# Generated by iptables-save v1.4.4 on Wed May 12 12:08:15 2010
*mangle
:PREROUTING ACCEPT [14:3038]
:INPUT ACCEPT [14:3038]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:4064]
:POSTROUTING ACCEPT [12:4064]
-A PREROUTING -p icmp -j LOG --log-prefix "-> MANGLE,PREROUTING: "
-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-mark 1
-A PREROUTING -i eth1 -j CONNMARK --restore-mark
-A PREROUTING -i eth0 -j MARK --set-mark 0x1
-A PREROUTING -i eth0 -j CONNMARK --save-mark
-A PREROUTING -i eth2 -j MARK --set-mark 0x2
-A PREROUTING -i eth2 -j CONNMARK --save-mark
#-A PREROUTING -i eth1 -m state --state NEW -j CONNMARK --set-mark 2
-A PREROUTING -p icmp -j LOG --log-prefix "<- MANGLE,PREROUTING: "
-A INPUT -p icmp -j LOG --log-prefix "-> MANGLE,INPUT: "
-A INPUT -i eth0 -j MARK --set-mark 0x1
-A INPUT -i eth0 -j CONNMARK --save-mark
-A INPUT -i eth2 -j MARK --set-mark 0x2
-A INPUT -i eth2 -j CONNMARK --save-mark
-A INPUT -p icmp -j LOG --log-prefix "<- MANGLE,INPUT: "
-A OUTPUT -p icmp -j LOG --log-prefix "-> MANGLE,OUTPUT: "
-A OUTPUT -j CONNMARK --restore-mark
-A OUTPUT -s 192.168.101.230 -j MARK --set-mark 0x1
-A OUTPUT -s 192.168.101.230 -j CONNMARK --save-mark
-A OUTPUT -p icmp -j LOG --log-prefix "<- MANGLE,OUTPUT: "
-A POSTROUTING -p icmp -j LOG --log-prefix "-> MANGLE,POSTROUTING: "
-A POSTROUTING -j CONNMARK --restore-mark
-A POSTROUTING -p icmp -j LOG --log-prefix "-- MANGLE,POSTROUTING: "
-A POSTROUTING -m mark --mark 1 -j ACCEPT
-A POSTROUTING -m mark --mark 2 -j ACCEPT
-A POSTROUTING -o eth0 -j MARK --set-mark 1
-A POSTROUTING -o eth2 -j MARK --set-mark 2
-A POSTROUTING -o eth0 -j CONNMARK --save-mark
-A POSTROUTING -o eth2 -j CONNMARK --save-mark
-A POSTROUTING -p icmp -j LOG --log-prefix "<- MANGLE,POSTROUTING: "
-A FORWARD -p icmp -j LOG --log-prefix "-> MANGLE,FORWARD: "
-A FORWARD -j CONNMARK --restore-mark
-A FORWARD -i eth0 -j MARK --set-mark 0x1
-A FORWARD -i eth0 -j CONNMARK --save-mark
-A FORWARD -i eth2 -j MARK --set-mark 0x2
-A FORWARD -i eth2 -j CONNMARK --save-mark
-A FORWARD -p icmp -j LOG --log-prefix "<- MANGLE,FORWARD: "
COMMIT
# Completed on Wed May 12 12:08:15 2010
# Generated by iptables-save v1.4.4 on Wed May 12 12:08:15 2010
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state -i eth2 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth2 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "OUTPUT: "
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -p tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
# -A FORWARD -p tcp -m tcp -d 192.168.233.101 --dport 25 -j ACCEPT
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD: "
-A INPUT -j LOG --log-prefix "INPUT: "
COMMIT
# Completed on Wed May 12 12:08:15 2010

Regards, Ole
- 05-16-2010 #3 | Just Joined! | Join Date: May 2010 | Posts: 3
Quote: "I am missing the NAT PREROUTING, is this a bug?"
Hmm, not really... it appears that NAT is only called on the first packet.
But I do not understand how DST=192.168.222.xxx can be routed to eth0??? It should be on eth1. Can somebody please explain why???
Code:
May 15 16:41:43 fw10 kernel: [ 266.388753] -> MANGLE,FORWARD: IN=eth0 OUT=eth0 SRC=192.168.3.1 DST=192.168.222.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=15869 PROTO=ICMP TYPE=0 CODE=0 ID=27651 SEQ=38 MARK=0x1
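The question in post #3 (why a reply with DST=192.168.222.x leaves on eth0 rather than eth1) is exactly the kind of thing that is easier to spot when the kernel LOG lines are parsed per flow instead of read by eye. The script below is an added example, not code from the thread; it parses `-A ... -j LOG` output of the form the poster used, groups the hops of each ICMP echo request/reply pair by the second `ID=` field (the echo identifier) plus `SEQ=`, and applies two checks that follow from the requirements stated in post #1: a reply addressed to the LAN prefix must leave through the LAN interface, and a reply must arrive on the same ISP interface the request went out on. The topology constants (eth1 = LAN 192.168.222.0/24) come from the thread's description; the sample input is four of the poster's own `MANGLE,FORWARD` lines, two from the "not working" trace and two from the "working" trace.

```python
import re
from collections import defaultdict

# Topology as described in post #1: eth0 = ISP1, eth2 = ISP2, eth1 = LAN.
LAN_PREFIX = "192.168.222."
LAN_IFACE = "eth1"

# Sample input: four FORWARD-chain LOG lines copied from the thread
# (SEQ=38 is the "not working" trace, SEQ=1 the "working" one).
SAMPLE_LOG = """\
May 15 16:41:43 fw10 kernel: [ 266.388121] -> MANGLE,FORWARD: IN=eth1 OUT=eth0 SRC=192.168.222.10 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=48051 PROTO=ICMP TYPE=8 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:41:43 fw10 kernel: [ 266.388753] -> MANGLE,FORWARD: IN=eth0 OUT=eth0 SRC=192.168.3.1 DST=192.168.222.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=15869 PROTO=ICMP TYPE=0 CODE=0 ID=27651 SEQ=38 MARK=0x1
May 15 16:22:36 fw10 kernel: [ 282.962837] -> MANGLE,FORWARD: IN=eth1 OUT=eth2 SRC=192.168.222.11 DST=192.168.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=51973 SEQ=1 MARK=0x2
May 15 16:22:36 fw10 kernel: [ 282.963460] -> MANGLE,FORWARD: IN=eth2 OUT=eth1 SRC=192.168.3.1 DST=192.168.222.11 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=19415 PROTO=ICMP TYPE=0 CODE=0 ID=51973 SEQ=1 MARK=0x2
"""

# "<timestamp>] <direction> <TABLE>,<CHAIN>: key=value ..." as produced by the
# poster's --log-prefix strings ("-> MANGLE,FORWARD: " etc.).
LINE_RE = re.compile(r"kernel: \[\s*([\d.]+)\] (->|<-|--) ([A-Z]+),([A-Z]+): (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as "DF" carry no "=" and are skipped


def parse_line(line):
    """Turn one LOG line into a hop dict, or None if it is not a LOG line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts, direction, table, chain, rest = m.groups()
    fields, ids = {}, []
    for key, value in KV_RE.findall(rest):
        if key == "ID":          # first ID= is the IP header id, second the ICMP echo id
            ids.append(value)
        else:
            fields[key] = value
    return {
        "ts": float(ts), "dir": direction, "table": table, "chain": chain,
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"), "type": fields.get("TYPE"),
        "icmp_id": ids[1] if len(ids) > 1 else None, "seq": fields.get("SEQ"),
        "mark": fields.get("MARK", "none"),
    }


def trace_flows(log_text):
    """Group ICMP echo hops by (echo id, sequence) so request and reply sit together."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        hop = parse_line(line)
        if hop and hop["proto"] == "ICMP" and hop["icmp_id"]:
            flows[(hop["icmp_id"], hop["seq"])].append(hop)
    return dict(flows)


def check_flow(hops):
    """Return a list of problems for one echo request/reply pair (empty when it looks right)."""
    problems = []
    requests = [h for h in hops if h["type"] == "8" and h["chain"] == "FORWARD"]
    replies = [h for h in hops if h["type"] == "0" and h["chain"] == "FORWARD"]
    for h in replies:
        # Requirement 1: anything destined for the LAN must be forwarded out of the LAN interface.
        if h["dst"].startswith(LAN_PREFIX) and h["out"] != LAN_IFACE:
            problems.append(f"reply to {h['dst']} leaves via {h['out']} instead of "
                            f"{LAN_IFACE} (mark {h['mark']})")
    # Requirement 2 (post #1): the reply should come back on the ISP the request used.
    if requests and replies and requests[0]["out"] != replies[0]["in"]:
        problems.append(f"request left via {requests[0]['out']} but reply arrived on "
                        f"{replies[0]['in']}")
    return problems


def report(log_text):
    """Map each (echo id, seq) flow to its list of problems."""
    return {key: check_flow(hops) for key, hops in trace_flows(log_text).items()}


if __name__ == "__main__":
    for (icmp_id, seq), problems in report(SAMPLE_LOG).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"echo id={icmp_id} seq={seq}: {status}")
```

Run against the sample it reports the SEQ=38 flow as "reply to 192.168.222.10 leaves via eth0 instead of eth1 (mark 0x1)" and the SEQ=1 flow as OK, which is the asymmetry post #3 asks about. To use it on a live box, feed it `journalctl -k` or `/var/log/kern.log` output from a firewall that logs with the same `TABLE,CHAIN:` prefixes; adding the PREROUTING hops to the check (they have `IN=` but an empty `OUT=`) is a matter of extending the chain filter.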