On Sunday 10 August 2008 08:36, Dirk H. Schulz wrote:
That works as expected. If, e.g., I ping from an inside server to somewhere outside, the ICMP request leaves via router2 and the answer comes back via router1. conntrack -e on router1 shows this session (as unreplied), BUT the firewall blocks it as a new connection - that means iptables does not recognize conntrackd's addition to the session table.
First off, if you have traffic leaving one router and coming back on another router, that is Asynchronous routing, and it is not a good thing, as you are seeing.
Firewall 1 doesn't know what firewall 2 is doing, so firewall 1 is going to block this traffic as it was set up to do. Firewall 1 thinks this is a new connection.
Since I don't know your setup, my questions are:
1. How many Internet connections do you have?
2. Does router 2 have a valid public IP on the interface connecting to the Internet?
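The state lookup the reply above describes, as an added toy model that is not part of this thread and not conntrackd's or netfilter's own code. It mirrors two netfilter rules: a packet with no matching conntrack entry is NEW, and a packet matching the reply tuple of an existing entry is ESTABLISHED even while that entry is still unreplied. The FORWARD policy (accept ESTABLISHED/RELATED, accept NEW only from the inside prefix), the addresses and the echo id are constructed. It also models the difference between conntrackd's external cache (what `conntrackd -e` dumps) and the kernel table, because iptables only consults the latter and received entries reach it on commit (`conntrackd -c`); whether that distinction is what is happening in this particular setup is not something the thread establishes.

```python
"""Toy model: one ping leaving via router2 and its reply arriving at router1.
Added illustration, not code from the thread. Addresses and policy are made up."""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed: the LAN behind both routers


@dataclass(frozen=True)
class Flow:
    """5-tuple-ish key; for ICMP echo, a == b == echo id, so reverse() keeps the id."""
    proto: str
    src: str
    dst: str
    a: int   # source port, or ICMP echo id
    b: int   # destination port, or ICMP echo id

    def reverse(self):
        return Flow(self.proto, self.dst, self.src, self.b, self.a)


class Router:
    def __init__(self, name):
        self.name = name
        self.kernel = {}           # orig Flow -> seen_reply; the table iptables consults
        self.external_cache = {}   # entries received from the peer, not yet committed

    def lookup(self, flow):
        """Find the entry and direction a packet belongs to (like nf_conntrack_find)."""
        if flow in self.kernel:
            return flow, "ORIGINAL"
        if flow.reverse() in self.kernel:
            return flow.reverse(), "REPLY"
        return None

    def classify(self, flow):
        """ctstate as iptables -m state would see it; does not touch the table."""
        hit = self.lookup(flow)
        if hit is None:
            return "NEW", None, None
        orig, direction = hit
        # Reply-direction packets are ESTABLISHED even if the entry is UNREPLIED;
        # original-direction packets stay NEW until a reply has been seen.
        if direction == "REPLY" or self.kernel[orig]:
            return "ESTABLISHED", orig, direction
        return "NEW", orig, direction

    def forward(self, flow):
        """FORWARD chain (constructed policy): -m state --state ESTABLISHED,RELATED -j ACCEPT,
        then NEW from inside -j ACCEPT, default DROP. Entries are confirmed only on ACCEPT."""
        state, orig, direction = self.classify(flow)
        if state == "ESTABLISHED" or flow.src.startswith(INSIDE_PREFIX):
            if orig is None:
                self.kernel[flow] = False        # new entry, still UNREPLIED
            elif direction == "REPLY":
                self.kernel[orig] = True         # reply seen
            return state, "ACCEPT"
        return state, "DROP"

    def receive_sync(self, peer_entries, commit):
        """conntrackd path: peer state lands in the external cache; only a commit
        (conntrackd -c) injects it into the kernel table that iptables uses."""
        self.external_cache.update(peer_entries)
        if commit:
            self.kernel.update(self.external_cache)


def ping_scenario(sync):
    """sync is 'none', 'external-cache' or 'committed'. Returns the (state, verdict)
    pair for the outgoing request on router2 and for the reply on router1."""
    r1, r2 = Router("router1"), Router("router2")
    request = Flow("icmp", "10.0.0.5", "198.51.100.7", 42, 42)   # constructed echo id 42
    outgoing = r2.forward(request)
    if sync != "none":
        r1.receive_sync(dict(r2.kernel), commit=(sync == "committed"))
    incoming = r1.forward(request.reverse())   # reply takes the other router
    return outgoing, incoming


def symmetric_scenario():
    """Same ping with request and reply both through router2: no sync needed."""
    r2 = Router("router2")
    request = Flow("icmp", "10.0.0.5", "198.51.100.7", 42, 42)
    return r2.forward(request), r2.forward(request.reverse())


if __name__ == "__main__":
    for mode in ("none", "external-cache", "committed"):
        print(mode, ping_scenario(mode))
    print("symmetric", symmetric_scenario())
```

Only the "committed" run accepts the reply on router1: the synced entry is unreplied, but the reply matches its reverse tuple and so classifies as ESTABLISHED. Without sync, or with the entry sitting only in the external cache, router1 sees the reply as NEW from outside and drops it, which is the behaviour the reply above describes.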