# Splitting TCP connection or "MPTCP router" - any ideas?

## orion777

I have two machines running Gentoo, both with the Multipath TCP (MPTCP) implementation in their kernels. When these machines connect to each other via WAN they are able to use Multipath TCP because BOTH are MP_Capable. However, if I make a TCP connection from the Windows machine through the 1st Gentoo machine to the 2nd Gentoo machine (the 1st Gentoo machine also has a Shorewall NAT server), the TCP session is established between Windows and the 2nd Gentoo machine, so Multipath TCP is not possible because the Windows machine has no MPTCP, so it can't send the MP_Capable flag during TCP session establishment.

As I understood, to be able to use Multipath TCP between the Gentoo machines, the TCP session from the Windows machine should be terminated at the 1st Gentoo machine, which then recreates the TCP session to the 2nd Gentoo machine. The recreated TCP session will have the MP_Capable flag (as the Gentoo machine is MP_Capable) and multipath should work.

The question is: how to do this TCP session splitting? My suggestion is to use a SOCKS proxy on the 1st Gentoo machine. This SOCKS proxy must be transparent, because the Windows machine has no option to use proxies. (The Shorewall NAT server does not split the TCP sessions, and should not do this.)

In fact, I have to run only one TCP session over a specific port that should be MP_Capable. All other Windows machine traffic may remain regular TCP. Both Gentoo machines have fixed WAN IP addresses; the Windows machine is in the LAN and is connected via wireless to the 1st Gentoo machine.

Illustration of the idea:

https://ibb.co/fMO94e

I'm a dummy, so I will be happy to read any suggestions!

----------

## szatox

If it is just one specific port, you can hijack the connection and throw it at your local proxy, which will then open another TCP connection.

The TCP connection itself does not carry information about the destination though, so you must know that one in advance to configure your proxy.

Still, this may be good enough for your particular use case.

Regarding tools to use... hijack the connection with iptables and forward e.g. with haproxy. Mind that you have to specify tcp mode explicitly. AFAIR http is the default.
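Added example, not code from the thread nor from haproxy, rinetd or Shorewall: a small Python relay that does what the reply above describes, terminating each LAN client's TCP session on the router and opening a fresh outbound session per client, so the WAN-side SYN is the router kernel's own. The loopback echo service and the `roundtrip` helper are constructed so the relay can be exercised on one host; the comment in `splice` about IPPROTO_MPTCP applies to upstream Linux 5.6+, whereas the multipath-tcp.org kernel used in this thread makes every TCP socket MPTCP.

```python
import socket, threading
from contextlib import suppress

def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    finally:
        with suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def splice(client, target):
    """Terminate the LAN session here and open a NEW TCP session to the WAN target."""
    # The proxy's own SYN: MPTCP on the multipath-tcp.org kernel used in the thread;
    # upstream Linux >= 5.6 would need a socket created with IPPROTO_MPTCP instead.
    upstream = socket.create_connection(target)
    with client, upstream:
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join()

def start_server(listen, handler):
    """Accept on listen=(host, port) in a background thread; return the bound port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(8)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def roundtrip(payload):
    """Client -> relay -> echo, all on loopback; returns what the client reads back."""
    # Constructed stand-in for the port-14550 service on the 2nd machine: an echo.
    echo_port = start_server(("127.0.0.1", 0), lambda c: pump(c, c))
    relay_port = start_server(("127.0.0.1", 0), lambda c: splice(c, ("127.0.0.1", echo_port)))
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # client finished; the echoed bytes follow, then EOF
        chunks = []
        while data := c.recv(65536):
            chunks.append(data)
    return b"".join(chunks)
```

On the NAT box the equivalent call would be `start_server(("192.168.10.1", 14550), lambda c: splice(c, ("213.100.0.20", 14550)))`, using the addresses the thread mentions. A LAN client talking to the router's own address is the loc to $FW direction in Shorewall terms, so the firewall must accept tcp/14550 in that direction, otherwise the connection is refused before the relay ever sees it.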

----------

## orion777

So, I have to forward TCP connections made on port 14550 from the LAN NIC to the WAN NIC and further to the destination in the WAN network.

So the haproxy configuration should look like this, as per the example at https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#2.5?

```
pi64 /etc/haproxy # cat haproxy.cfg
global
    daemon
    maxconn 10            # process-wide cap; lower than the per-server 32 below, so it is the effective limit

defaults
    mode tcp              # plain TCP relay; http is the default mode
    timeout connect 50000ms
    timeout client 100000ms
    timeout server 100000ms

frontend tcp-in
    bind *:14550          # listens on every local address, LAN and WAN alike
    default_backend servers

backend servers
    server server1 213.100.160.90:14550 maxconn 32
pi64
```

The idea is to forward all incoming connections on port 14550 made from any LAN IP (the Windows machine) to the destination in the WAN, 213.100.160.90:14550.

But this configuration has no data about which NIC is WAN and which NIC is LAN and so on, so I'm really not sure that such a config is correct.

----------

## orion777

1) The answer to "how to build the MPTCP router" is to use some transparent SOCKS5 proxy. The proxy will re-create the TCP connection and apply the MPTCP capability.

2) I am still unable to deal with SINGLE port forwarding. I was trying haproxy and rinetd on my NAT server. The rinetd config is quite simple: bindaddress bindport connectaddress connectport, so I was entering: 192.168.10.1 14550 213.100.0.20 14550. The connection from the LAN was made to 192.168.10.1:14550 on the assumption that it would be redirected to 213.100.0.20:14550, but the connection fails quickly; the rinetd log file also remains empty.

So maybe the cause is the NAT server implementation running in parallel with rinetd? It uses Shorewall, prepared per this tutorial https://wiki.gentoo.org/wiki/Ethernet_plus_WiFi_Bridge_Router_and_Firewall#Configure_shorewall . Is it possible to exclude only the single port 14550 from the Shorewall operation?

```
/etc/shorewall/interfacesBasic
#ZONE   INTERFACE       OPTIONS
net     enp4s0          tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     br0             dhcp,tcpflags,nosmurfs,routefilter,logmartians
```

```
/etc/shorewall/policyBasic
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             net             ACCEPT
loc             net             ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
```

----------

