Joined: Wed Sep 13, 2006
Location: Rosario-Santa Fe-Argentina

TWO ISP´S: packets coming out to the wrong interface

Tue Apr 22, 2008 5:18 pm

We have two internet connections on different ISPs and we're load balancing these connections using ECMP. Both have dst-natted ports to internal servers (i.e. web, smtp).


ISP1 ---> | MK RB 532 | ---> LAN (Servers, Workstations).
ISP2 ---> |           |


Yesterday we noticed that if we ping (from far far away on the Internet) an ISP2 address, the echo reply *may* go through ISP1 (it's up to what the ECMP route wants). Fortunately both ISP1 and ISP2 allow sending packets whose source address is outside the address space they gave us, and this works even when it's wrongly configured.

Our goal is to make sure that packets that arrived from ISP1, go back to ISP1 and vice-versa.

We tried:

1) route-mark the packets in mangle/prerouting

2) use a default gateway route to ISP1 for packets marked as coming from ISP1 and vice-versa.

Didn't work because it tried to send packets destined to our LAN to ISP1. A solution would be to duplicate the entire routing table, but I think that is quite messy.

We also tried this with policy routing, with the same results.

Re: TWO ISP´S: packets coming out to the wrong interface

Tue Apr 22, 2008 6:45 pm


It seems you are trying to load balance, and then defeat that by redirecting the load balancing. Maybe just disable the load balancing. Let it go out the port it came in.

Re: TWO ISP´S: packets coming out to the wrong interface

Tue Apr 22, 2008 7:48 pm

You have to set up route marking and policy routing properly for things to go out the same interface they came in on. It's not as easy / simple as it seems. Search the forums for my userid and the words 'prerouting', 'mangle' and 'output' and you will find examples. The problem is with pings (ICMP): they are somewhat connectionless and not mangled the same as other traffic.
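A worked RouterOS configuration for the approach the last reply describes and the original post attempted (connection marks in mangle/prerouting, routing marks, one policy route per ISP). This is an added example written for this page, not a configuration posted in the thread. Interface names (ether1 = ISP1, ether2 = ISP2, ether3 = LAN), the addresses (documentation ranges) and the internal web server address are assumptions. The point it shows is the one the first post ran into: mark the connection on the ISP it arrived on, but apply the routing mark only to the reply direction (packets leaving the LAN, or leaving the router itself, that belong to such a connection). Packets coming in from the ISPs towards the LAN never receive a routing mark, so they keep following the main table and are not pushed back out to ISP1.

```routeros
# Assumed layout (not from the thread):
#   ether1 = ISP1, address 203.0.113.2/24, gateway 203.0.113.1
#   ether2 = ISP2, address 198.51.100.2/24, gateway 198.51.100.1
#   ether3 = LAN,  address 192.168.1.1/24, web server 192.168.1.10

/ip address
add address=203.0.113.2/24 interface=ether1
add address=198.51.100.2/24 interface=ether2
add address=192.168.1.1/24 interface=ether3

# 1. Remember which ISP a connection entered on. Only the first packet
#    (connection-state=new) is examined; connection tracking carries the
#    mark to every later packet of that connection, replies included.
#    ICMP echo request/reply pairs are tracked as a connection as well.
/ip firewall mangle
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=ISP1-conn passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=ISP2-conn passthrough=yes

# 2. Route-mark only the reply direction: packets leaving the LAN that
#    belong to a connection which arrived via an ISP. Inbound dst-natted
#    packets to the servers are never route-marked, so they stay in the
#    main table. The dst-address exclusion keeps anything aimed at the
#    local subnet in the main table too.
add chain=prerouting in-interface=ether3 connection-mark=ISP1-conn \
    dst-address=!192.168.1.0/24 \
    action=mark-routing new-routing-mark=to-ISP1 passthrough=no
add chain=prerouting in-interface=ether3 connection-mark=ISP2-conn \
    dst-address=!192.168.1.0/24 \
    action=mark-routing new-routing-mark=to-ISP2 passthrough=no

# 3. Replies generated by the router itself (e.g. a ping to the ISP2
#    address) pass the output chain, not prerouting, so mark them there.
add chain=output connection-mark=ISP1-conn \
    action=mark-routing new-routing-mark=to-ISP1 passthrough=no
add chain=output connection-mark=ISP2-conn \
    action=mark-routing new-routing-mark=to-ISP2 passthrough=no

# 4. One default route per routing mark; the ECMP default stays in the
#    main table for new outbound connections from the LAN. The marked
#    tables need nothing but the default route.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=to-ISP1 \
    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=to-ISP2 \
    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1,198.51.100.1 \
    check-gateway=ping

# 5. NAT: the same service published on both public addresses, and
#    source NAT chosen by the interface the packet finally leaves on.
/ip firewall nat
add chain=dstnat dst-address=203.0.113.2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=80
add chain=dstnat dst-address=198.51.100.2 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=80
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

To verify it, ping each public address from outside and watch `/ip firewall connection print` for the connection marks, then `/tool sniffer` or `/interface monitor-traffic` on ether1 and ether2 to confirm the echo replies leave on the interface the requests arrived on. Because connection tracking pairs ICMP echo requests with their replies, the output-chain rules in step 3 are what make the router's own ping replies follow the right ISP; the prerouting rules in step 2 cover the dst-natted servers.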
