# [SOLVED] NATed ports with 2 WAN scenario

## oandarilho01

Hi,

I'm trying to deploy the following scenario:

A gentoo router with 3 NICs (lan, wan1, wan2), with wan1 being the default route, and a bunch of port redirections to allow remote desktop (Windows RDP, 3389) connections coming through the Internet on wan2.

Theoretically, the traffic has to come in through wan2 AND go out through the same NIC, am I right? This is why we generally follow a LARTC-like tutorial, as I did.

Problem is that these port forwards are not working.

I'm searching hard for relations, configurations, etc. between kernel config, iproute2 and NAT, but can't solve this problem yet. The routing treatment for the router is OK, I mean, I can ssh to the router box through both wans. I can also use fwmarks to route tcp/udp traffic generated by the lan hosts to specific routes/NICs.

I've tried to turn off rp_filter, turn on accept_redirects and accept_source_route but none of these helped.

Any tips would be appreciated.

Thanks in advance

Last edited by oandarilho01 on Wed Sep 18, 2013 3:31 pm; edited 1 time in total

----------

## thegeezer

this is an overview, but ought to work.

lan0=local area network nic, same for wan0 and wan1 for your wan nics

192.168.1.0/24 = LAN

1.1.1.1/28 = wan1, gw at 1.1.1.9

2.2.2.2/28 = wan2, gw at 2.2.2.9

adjust as required

add the following lines to /etc/iproute2/rt_tables

```
101   internetA
102   internetB
```

then in /etc/conf.d/net you want the following

```bash
rules_wan0=(
  "from 1.1.1.1 lookup 101"
)

rules_wan1=(
  "from 2.2.2.2 lookup 102"
)

routes_lan0=(
  "192.168.1.0/24 dev lan0 table 101"
  "192.168.1.0/24 dev lan0 table 102"
)

routes_wan0=(
  "1.1.1.0/28 dev wan0 table 101"
  # each per-WAN table needs its own default, otherwise a lookup in it
  # finds nothing for Internet destinations and falls through to main
  "default via 1.1.1.9 table 101"
  # the single default of the main table (wan0 is the preferred link)
  "default via 1.1.1.9"
)

routes_wan1=(
  "2.2.2.0/28 dev wan1 table 102"
  "default via 2.2.2.9 table 102"
  # a second default in the main table would fail with "File exists";
  # wan1 is only reached through table 102
  # "default via 2.2.2.9"
)
```

at this point you can start doing experiments i.e. "ip rule add to 8.8.8.8 lookup 101"  or lookup 102

then do an mtr and make sure the route changes

ok so far so good

now however you have one or the other.   if you have a DNAT inbound it will then reply according to the default rule or ip rule defined. which means if inbound internetA it could be replying via internetB resulting in bad communications.  however, you want to be able to reply from wherever the packet comes in from.

therefore you need to use iptables mangle tables to packet mark

```bash
iptables -t mangle -N internetA
iptables -t mangle -N internetB
iptables -t mangle -N RESTORE
iptables -t mangle -I PREROUTING -i wan0 -j internetA
iptables -t mangle -I PREROUTING -i wan1 -j internetB
iptables -t mangle -A RESTORE -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A internetA -j MARK --set-xmark 0xa/0xffffffff
iptables -t mangle -A internetA -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
iptables -t mangle -A internetB -j MARK --set-xmark 0xb/0xffffffff
iptables -t mangle -A internetB -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
# the RESTORE chain has to be hooked in, otherwise reply packets never get the
# saved mark back: replies from LAN hosts enter via lan0, replies from the
# router itself pass through OUTPUT
iptables -t mangle -A PREROUTING -i lan0 -j RESTORE
iptables -t mangle -A OUTPUT -j RESTORE
```

finally... select the correct routing table based on the packet mark

```bash
ip rule add from all fwmark 0xa lookup 101
ip rule add from all fwmark 0xb lookup 102
```

RP_FILTER has been the bane of my troubleshooting, make sure it's disabled for all /proc/sys/net/ipv4/conf/*/rp_filter

----------

## oandarilho01

Thanks for your help, thegeezer.

Finally it seems I managed to put that scenario to work. In fact the preparation of the routes follows the principles you wrote, but your iptables rule set didn't work out for me. Redirecting specific traffic based on port (e.g. HTTP) was OK, but port forwarding (accessing RDP on a lan host from outside, from the Internet) wasn't. Although the request hit the host, when it replied the router was still throwing the packets out through the main gateway interface.

After diggin' a bit more on netfilter, I discovered the conntrack match (-m conntrack) which allowed me to use a criterion that hits the port forwarding reply packets. Then, the set of commands/rules became:

1) to mark the redirected traffic:

```bash
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 3
```

2) to mark the related port forwarding packets (it doesn't matter what port forwarding was made):

```bash
iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT -j MARK --set-mark 3
```

OBS: yes, I chose to use the same mark, as I want to redirect to the same link

3) to treat the traffic:

```bash
ip rule add fwmark 3 table internetA
```

Now, I cannot say whether the --ctstate rule is the optimal setup for this, nor can I foresee any problem it could cause to other connections. But happily it works now.

----------

