[CentOS] VLAN tagging problems

Fri Oct 28 16:35:49 UTC 2005
Leonard Isham <leonard.isham at gmail.com>

On 10/28/05, Robin Mordasiewicz <robin at bullseye.tv> wrote:
> On Fri, 28 Oct 2005, Les Mikesell wrote:
> > On Fri, 2005-10-28 at 09:48, Robin Mordasiewicz wrote:
> >> We are using CentOS behind an F5 BigIP load balancer.
> >> The linux box is using bonding and tagged VLANs.
> >>
> >> Everything works fine except that when traffic is forwarded from the BigIP
> >> to the linux box on the VLAN where the web server is running, the linux box
> >> returns the traffic on the wrong VLAN; it returns traffic on the lowest
> >> ordered VLAN.
> >>
> >> i.e. here is a tcpdump on my load balancer showing traffic being sent on
> >> VLAN 911 to the linux box, but the linux box returns traffic on VLAN 902.
> >> The linux box is returning traffic on the same VLAN as its configured
> >> default gateway. If I change the default gateway to be on VLAN 911
> >> then everything works.
> >
> > It seems reasonable to require a route to the destination on the
> > VLAN used.  Why should it ever do otherwise?  What are you trying
> > to accomplish by using a VLAN interface with no route back?
>
> Is there any way to say that if traffic is received on VLAN#911 to be sure
> that the return traffic is tagged with the same VLAN id. Currently traffic
> is tagged based on the routing table, and even if traffic comes in on
> VLAN#911, when it returns the traffic it uses the VLAN tag from the network
> that the default gateway is on (VLAN#902).
>

You might be able to use the iptables "mark" capability, or you would need
to see if CentOS supports policy-based routing based on inbound
interface, source MAC, or source IP, all of the original
packet.

--
Leonard Isham, CISSP
Ostendo non ostento.
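An added example (not from the thread) of the two approaches Leonard mentions, as a shell script: per-VLAN routing tables selected by source address, and an iptables CONNMARK alternative keyed on the inbound interface. Interface names (bond0.902, bond0.911), addresses, gateways and table ids are constructed assumptions; DRY_RUN=1 by default only prints the commands.

```shell
#!/bin/sh
# Policy routing so replies leave on the VLAN the request arrived on.
# Interfaces, addresses, gateways and table ids below are constructed
# assumptions, not values from the thread.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per VLAN: a default route via that VLAN's gateway plus a
# rule sending packets sourced from that VLAN's own address to the table.
# The web server's replies carry the VLAN 911 address as source, so they hit
# the VLAN 911 table and go out tagged 911 whatever the main default route is.
# Args: <iface> <table-id> <local-addr> <gateway>
vlan_table() {
    iface=$1; table=$2; addr=$3; gw=$4
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" lookup "$table" priority "$table"
}

# Alternative keyed on the inbound interface: mark the connection on entry,
# restore the mark on locally generated replies, and route by fwmark.
# Args: <iface> <table-id>  (the mark value reuses the table id)
vlan_connmark() {
    iface=$1; table=$2
    run iptables -t mangle -A PREROUTING -i "$iface" -j CONNMARK --set-mark "$table"
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run ip rule add fwmark "$table" lookup "$table" priority "$((table + 1000))"
}

# Constructed topology: bonded uplink bond0 with tagged subinterfaces.
setup_all() {
    vlan_table bond0.902 902 10.9.2.2 10.9.2.1     # default-gateway VLAN
    vlan_table bond0.911 911 10.9.11.2 10.9.11.1   # web-server VLAN
    vlan_connmark bond0.911 911
}

setup_all
```

Check the result with `ip rule show` and `ip route show table 911`; the source-address rules alone are enough when the server replies from the VLAN 911 address, the CONNMARK rules cover traffic that does not.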