On 8/06/13 5:03 AM, James B. Byrne wrote:
<snip>
Presently we masquerade 192.168.0.0/16 in a NAT POSTROUTING chain which handles the internal hosts seeking addresses on the WAN. However, I am unsure of how to handle the gateway itself. Is this situation best handled by a permanent route reflecting 192.168 to eth1 only? Or, is it handled better by an addition to the OUTPUT chain in the NAT IPTable? Or, is the best method something else entirely of which I am unaware?
If I recall correctly, you would have to have the appropriate routes set up, namely:
- Default to the WAN interface, which I assume is dynamic because you are masquerading.
- static to the network/s on and behind eth1
- static to the network/s on and behind eth1:192071
- static routes back to the gateway from any routers behind the internal networks.
Then wouldn't the gateway just handle itself? Masquerading is source NAT to a dynamic interface, therefore all packet mangling is done after the routing. Hence, a packet that originates from within the gateway heading out would bypass the routing chain and would use the static routes to try to exit via the WAN interface, then get caught by the POSTROUTING rule and be handled by that chain. Then, if it exited through the WAN interface:
- the world sees it as originating from that interface
- there is a NAT translation left in place, so packets coming back would be mangled back to the correct source.
Alternatively, if the packet originates from the gateway to head internally, it would again bypass the routing chain and use the static routes to decide which interface to exit on. There would be no NAT translation left in place, because the rules would only apply to incoming packets looking to exit via the WAN and only remain in place for the translations they have set up. Also, there would be no need for NAT, as all the internal addresses are routable as far as a packet that originates from the gateway is concerned.
A +1 for adding MAC addresses. I've come across a couple of switches that prefer multiple MAC addresses for cloned, aliased and tagged interfaces. Test and see what you need.

Cheers
-pete
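To make the path pete describes concrete, here is a small Python model of the netfilter traversal order, added as an example (it is not code from either poster). It assumes a constructed topology: eth0 is the WAN with made-up address 203.0.113.7, eth1 carries 192.168.0.0/16 with the gateway at 192.168.1.1, and the nat rule is assumed to be `iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE`. Forwarded packets go PREROUTING, routing decision, FORWARD, POSTROUTING; packets the gateway generates skip PREROUTING and go routing decision, OUTPUT, POSTROUTING, with the routing decision also picking the source address when the socket is unbound. Whether the POSTROUTING rule actually rewrites a gateway-originated packet therefore depends on which source address was picked, which the last two cases show.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

# Constructed topology (assumption for this example, not from the thread).
WAN_IF, WAN_ADDR = "eth0", "203.0.113.7"   # dynamic WAN address, frozen here for the model
LAN_IF, LAN_ADDR = "eth1", "192.168.1.1"   # gateway's address on the internal side
IF_ADDR = {WAN_IF: WAN_ADDR, LAN_IF: LAN_ADDR}
INTERNAL = ipaddress.ip_network("192.168.0.0/16")

# Static routes as in the reply above; longest prefix match wins.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), WAN_IF),   # default to the WAN interface
    (INTERNAL, LAN_IF),                            # networks on and behind eth1
]

# Conntrack model: original (src, sport, dst, dport) -> translated (src, sport).
CONNTRACK: dict[tuple, tuple] = {}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    out_if: str | None = None   # filled in by the routing decision


def lookup_route(dst: str) -> str:
    """Routing decision: return the outgoing interface for dst (longest prefix match)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, dev) for net, dev in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def nat_postrouting(pkt: Packet) -> Packet:
    """Assumed rule: -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE.
    Runs after the routing decision, so it can match on the outgoing interface."""
    if pkt.out_if == WAN_IF and ipaddress.ip_address(pkt.src) in INTERNAL:
        # MASQUERADE uses whatever address the out interface has right now.
        CONNTRACK[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = (WAN_ADDR, pkt.sport)
        return replace(pkt, src=WAN_ADDR)
    return pkt


def nat_prerouting(pkt: Packet) -> Packet:
    """Reverse translation for replies to a masqueraded flow. This is conntrack
    state, not a rule: it only exists for translations already set up."""
    for (osrc, osport, odst, odport), (nsrc, nsport) in CONNTRACK.items():
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (odst, odport, nsrc, nsport):
            return replace(pkt, dst=osrc, dport=osport)
    return pkt


def forward(pkt: Packet) -> Packet:
    """Path for a packet that arrives on an interface: PREROUTING, routing, FORWARD, POSTROUTING."""
    pkt = nat_prerouting(pkt)
    if pkt.dst in IF_ADDR.values():
        return replace(pkt, out_if=None)   # addressed to the gateway itself: INPUT, never POSTROUTING
    return nat_postrouting(replace(pkt, out_if=lookup_route(pkt.dst)))


def local_output(dst: str, dport: int, sport: int, src: str | None = None) -> Packet:
    """Path for a packet the gateway generates: no PREROUTING. The routing decision
    comes first and, for an unbound socket, also selects the source address from the
    outgoing interface; then OUTPUT and POSTROUTING."""
    out_if = lookup_route(dst)
    pkt = Packet(src or IF_ADDR[out_if], dst, sport, dport, out_if)
    return nat_postrouting(pkt)


if __name__ == "__main__":
    # Constructed sample flows (not captured traffic).
    print(forward(Packet("192.168.1.50", "198.51.100.9", 40000, 443)))      # host behind eth1 -> WAN, masqueraded
    print(forward(Packet("198.51.100.9", "203.0.113.7", 443, 40000)))       # reply, mangled back to the host
    print(local_output("198.51.100.9", 443, 50000))                          # gateway -> WAN, unbound socket
    print(local_output("192.168.1.50", 22, 50001))                           # gateway -> internal host, no NAT
    print(local_output("198.51.100.9", 443, 50002, src=LAN_ADDR))            # gateway bound to its eth1 address
```

Running the five sample flows shows the behaviour the reply describes: the internal host's packet leaves eth0 with the WAN source and its reply is translated back; a gateway packet to an internal host exits eth1 with its eth1 address and leaves no conntrack entry; a gateway packet bound to its eth1 address still matches the POSTROUTING rule on the way out of eth0, while one sent from an unbound socket already carries the WAN address and needs no translation.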