3 Internet Interface + 1 LAN (similiar to load balance)

moengoet · May 4, 2007, 6:32am

hai,
i want to NAT’ed all of my local traffic to these 3 internet interfaces (WAN).
but i don’t want to load balance them.

WAN1 = for email only (TCP port 25 and 110)
WAN2 = for web and FTP (80, 8080 and 21)
WAN3 = for others (p2p, messenger and others)

Question:

Could i do the NAT through these 3 interfaces based on port (not balancing)?
What is the different between using connection-mark and packet-mark?

Hypothesis:
i’ve ran several ideas (not implementing it).
in the mangle (ip firewall)
add chain=prerouting protocol=tcp dst-port=110 action=mark-connection \ new-connection-mark=email passthrough=yes comment=“” disabled=no

add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \ new-connection-mark=web passthrough=yes comment=“” disabled=no

add chain=prerouting protocol=tcp dst-port=5101 action=mark-connection \ new-connection-mark=others passthrough=yes comment=“” disabled=no

add chain=prerouting connection-mark=email action=mark-routing \ new-routing-mark=emailrouting passthrough=yes comment=“” disabled=no

add chain=prerouting connection-mark=web action=mark-routing \ new-routing-mark=webrouting passthrough=yes comment=“” disabled=no

add chain=prerouting connection-mark=others action=mark-routing \ new-routing-mark=othersrouting passthrough=yes comment=“” disabled=no

in the NAT (ip firewall)

add chain=srcnat out-interface=wan1 routing-mark=emailrouting
action=src-nat to-addressses=xxx.xxx.xxx.xx1
comment=“” disabled=no
add chain=srcnat out-interface=wan2 routing-mark=webrouting
action=src-nat to-addressses=xxx.xxx.xxx.xx2
comment=“” disabled=no
add chain=srcnat out-interface=wan3 routing-mark=othersrouting
action=src-nat to-addressses=xxx.xxx.xxx.xx3
comment=“” disabled=no

in the ROUTE (ip route) wan1 (xx1) wan2 (xx2) wan3 (xx3)

add dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.xx1 scope=255 target-scope=10
routing-mark=emailrouting comment=“” disabled=no

add dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.xx2 scope=255 target-scope=10
routing-mark=webrouting comment=“” disabled=no

add dst-address=0.0.0.0/0 gateway=xxx.xxx.xxx.xx3 scope=255 target-scope=10
routing-mark=othersrouting comment=“” disabled=no

galaxynet · May 5, 2007, 12:03pm

moengoet -
At first glance your thoughts look sound - the only thing I saw amiss was you using masqurade vice src-nat. I believe that MT OS will just masqurade to the address of it’s choice - which is usually the lowest IP number on the first outgoing interface… So I would change your masq rule to src-nat to the particular IP address you want on the interface you expect to use for the different packet/connection/route markings.

Thom

moengoet · May 7, 2007, 3:52am

good point galaxynet,
thank you.

the other point is,
if the gateway’s IP is DYNAMIC, how do we dynamically change the src-nat’s address?

galaxynet · May 7, 2007, 12:13pm

moengoet -
If you do a quick search of the forum or take a look at the manual you’ll find that is a common question - it has been answered many times.

Not being a smart #$#, I just have never used that as all of my lines have static IPs - so I never stored the knowledge as to how to do that…

Thom