Hi Robert,

--On 10. August 2008 13:56:22 -0400 Robert Spangler <mlists at zoominternet.net> wrote:

- snip -

> OK, I don't know this tool you are using to sync the conntracking of all
> the firewalls. Could you post a link to it?

Yes, of course:
<http://www.netfilter.org/projects/conntrack-tools/index.html>

> Now for the fun stuff. Why would you have many Internet connections that
> do not return the same path they go out on? Sounds like you really only
> have one true connection with one true IP to the Internet. That would
> explain why traffic leaving on interface 2 comes back on interface 1.

It is two routers that are connected to 2 upstream routers; all four use
OSPFv2 for routing between them. I have not fine-tuned OSPF so far to avoid
asynchronous routing - I want to do the connection table synchronization
stuff before, because I have to do it anyway (in case of a router crash) and
now I have an ideal testbed (because of the asynchronous routing).

> Without knowing your setup I'm not going to guess at this.

The setup is as follows: Every router has
- an external interface with a public IP address, each resting in a small
  separate subnet that connects to the upstream router
- an interface for inter-router connections (private IP addresses)
- 2 additional interfaces to server LANs - both routers have an interface to
  both of the 2 server LANs; both server LAN interfaces additionally use
  shared virtual IPs

If you need more detailed information I could offer the OSPF configuration (XORP).
Here is the configuration for conntrackd (I have omitted buffer sizes etc.):

> Sync {
>     Mode FTFW {
>         ResendBufferSize 262144
>         CommitTimeout 180
>         ACKWindowSize 20
>     }
>     Multicast {
>         IPv4_address 225.0.0.50
>         IPv4_interface 192.168.11.1
>         Interface eth1
>         Group 3780
>     }
>     Checksum on
>     CacheWriteThrough On
> }
> General {
>     HashSize 8192
>     HashLimit 65535
- snip -
>     IgnoreTrafficFor {
>         IPv4_address INTER_ROUTER_INTERFACE
>         IPv4_address EXTERNAL_INTERFACE
>         IPv4_address INTERNAL_INTERFACE1
>         IPv4_address INTERNAL_VIRTUAL_IP
>         IPv4_address INTERNAL_INTERFACE2
>     }
>
>     IgnoreProtocol {
>         IGMP
>         VRRP
>     }

The setup works - using "conntrackd -e" I can see the connection table
entries the other router's conntrackd has synchronized. What I cannot check
is if the receiving conntrackd writes the received entries into the kernel's
connection tracking table. Example:

> udp 17 30 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] [active since 6s]
> tcp 6 120 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] [active since 46s]

So I hope to find someone on the list who has done this kind of setup before.

Thanks for your interest so far.

Dirk
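The check Dirk is missing (whether states received from the peer actually reach the kernel table) can be made by diffing the two dumps. The script below is an added example and is not from the thread or from conntrack-tools; it reduces the output of "conntrackd -e" (external cache) and "conntrack -L" (kernel table) to protocol plus original-direction tuple and lists every flow the cache holds that the kernel does not. The two sample dumps are constructed, modelled on the lines pasted above; the "conntrack -L" format is assumed to carry the original tuple first. In FTFW mode conntrackd keeps received states in the external cache and only writes them to the kernel when they are committed ("conntrackd -c", normally run by the failover script), so a non-empty result on the backup node is expected until a commit happens.

```shell
#!/bin/sh
# Added example: report flows present in conntrackd's external cache
# but absent from the kernel's connection tracking table.

# Constructed sample of "conntrackd -e" output on the receiving router.
EXTERNAL_CACHE='udp      17 30 src=124.165.230.206 dst=93.94.81.82 sport=2040 dport=1434 [UNREPLIED] [active since 6s]
tcp      6 120 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] [active since 46s]'

# Constructed sample of "conntrack -L" output for the kernel table
# (original tuple first, reply tuple second; only the first is used).
KERNEL_TABLE='tcp      6 119 SYN_SENT src=93.185.115.91 dst=93.94.80.133 sport=4290 dport=135 [UNREPLIED] src=93.94.80.133 dst=93.185.115.91 sport=135 dport=4290 mark=0 use=1'

# Reduce a dump to sorted, unique flow keys: "proto src dst sport dport",
# taking only the first (original-direction) occurrence of each field.
flow_keys() {
    awk '{
        proto=$1; src=""; dst=""; sport=""; dport="";
        for (i=2; i<=NF; i++) {
            split($i, kv, "=");
            if (kv[1]=="src" && src=="") src=kv[2];
            else if (kv[1]=="dst" && dst=="") dst=kv[2];
            else if (kv[1]=="sport" && sport=="") sport=kv[2];
            else if (kv[1]=="dport" && dport=="") dport=kv[2];
        }
        if (src!="") print proto, src, dst, sport, dport
    }' | sort -u
}

# Flow keys found in the first dump ($1) but missing from the second ($2).
uncommitted() {
    ext="/tmp/ct-ext.$$"; ker="/tmp/ct-ker.$$"
    printf '%s\n' "$1" | flow_keys > "$ext"
    printf '%s\n' "$2" | flow_keys > "$ker"
    comm -23 "$ext" "$ker"
    rm -f "$ext" "$ker"
}

# Number of flows still waiting to be committed into the kernel table.
uncommitted_count() {
    uncommitted "$1" "$2" | wc -l | tr -d ' '
}

# On a real router: uncommitted "$(conntrackd -e)" "$(conntrack -L 2>/dev/null)"
uncommitted "$EXTERNAL_CACHE" "$KERNEL_TABLE"
```

Run on the backup router before and after a commit: the list should shrink to empty once "conntrackd -c" has been executed; entries that stay listed were never injected into the kernel, which is the symptom to look for.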