March 28, 2009 at 12:17 am #41588 olivier1010 (Member)
I have been fighting with Zeroshell and Multiwan for two days.
TCPDump just gave me the answer: the translated IP is sometimes the IP of the other WAN interface.
This means that as soon as the load balancer switches to the other interface, the traffic is lost. This is more easily seen in failover mode, where telephony stops working (SIP and IAX registration fails).
Web traffic in load balance mode will not let you see the problem.
Most of the time the provider does not accept this wrong source IP address and drops the traffic.
So the outbound traffic never comes back. Rarely it does come back via the other link! It depends a lot on the destination IP.
This makes Zeroshell fully unusable for multiwan setups.
It's not the first time I have seen weird problems with the MASQUERADE target and Linux.
The last time I saw such a problem, it was with a PPPoE connection inside OpenWrt. The masquerading stopped working after a PPPoE disconnect/reconnect, sending the private IP of the sending machine to the world!
I replaced the MASQUERADE target with SNAT and all became OK (only possible for static addresses, or with a script).
I think that the bugs in the MASQUERADE target inside Linux are one of the reasons why there are sometimes weird problems with NATed traffic.

May 12, 2009 at 1:32 pm #47906 Juan Silva (Member)
I reported the same problem: once a WAN connection goes down and the same connection is restored, Zeroshell tries to send the wrong NATted IP address to the wrong interface. I think you have solved the problem by using a static target in the NAT instead of a dynamic one. Please, can you tell me how you did it? What script did you include, or what in the NAT table have you modified? Thanks in advance.

May 13, 2009 at 4:19 pm #47907 zzzzoooo (Member)
Hello Juan Silva,
You just saved me.
I have been experiencing mysterious upload timeout errors for the last few weeks when I tried to upload files to certain secure sites, but did not have any clue at all.
I suspected that it could be caused by the Net Balancer feature, so I disabled it in the web GUI of Zeroshell, which did not solve the problem. So I thought it was something else causing the issues.
I read your message and tried again to force a static DEFAULT GATEWAY to make sure all traffic only goes through the first DSL line, and it turned out to solve the upload timeout problem finally.
For now I will just disable the second DSL line completely and will enable it again with MLPPP bonding when it has synced and stabilized at the right speed profile.
Jae

May 13, 2009 at 4:56 pm #47908 Juan Silva (Member)
Well, your solution sounds like "If you don't want to have caries, don't eat!" As olivier1010 said, a better solution that avoids "disabling" other unstable Internet connections is to set a static NAT instead of a dynamic one. My POSTROUTING chain in the nat table is now:
Chain POSTROUTING (policy ACCEPT 1867 packets, 263K bytes)
pkts bytes target prot opt in out source destination
65248 5466K SNAT all -- * ppp0 0.0.0.0/0 0.0.0.0/0 to:xxx.xx.xxx.176
131K 9362K SNAT all -- * ETH01 0.0.0.0/0 0.0.0.0/0 to:xxx.xxx.xx.28
1091K 85M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
As you can see, I inserted the SNAT rules before the SNATVS one, and now it seems to work OK: if a connection goes down, it will keep sending the right NAT IP to the corresponding interface. Anyway, I really don't know if this will cause other issues in the network, but this fixed the painful problem of the local IP (or port) changing when one of the interfaces went down and then came up again.
I disabled NAT in the Router menu for all the interfaces, and added a startup command in the Setup menu like this:
iptables --table nat -I POSTROUTING 1 -o ETH01 -j SNAT --to-source xxx.xxx.xx.28
iptables --table nat -I POSTROUTING 1 -o ppp0 -j SNAT --to-source xxx.xx.xxx.176
in the NAT and Virtual Servers script.
Note that my providers gave me static IP addresses, so this won't be useful for dynamic ones.

May 13, 2009 at 5:33 pm #47909 olivier1010 (Member)
Those problems seem related to Linux and BSD. I've seen similar problems in pfSense, based on BSD 7.1.
The problem is that those systems have not been tested correctly with multiwan setups.
Multiwan seems simple in the beginning, but is often complex and buggy in the end.
Here is what I did on an OpenWrt install to avoid problems:
# iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to-source 65.xxx.xxx.xxx
You'll need to adapt it to your needs. --to-source is your WAN public IP address.
Replace $WAN with the name of your WAN interface.
I do not know where those commands are located inside Zeroshell. You'll have to find the right file.
This works only if you have a static IP. If not, you'll need to make a script to dynamically configure iptables.

May 13, 2009 at 5:42 pm #47910 zzzzoooo (Member)
Thanks for the tip.
As you can see, I am a newbie in these fields (Linux, iptables and so on), but I am slowly learning stuff.
What I wanted to do is MLPPP to bond two DSL lines into one single double-speed line; however, a stupid one-month cancellation notice policy at my previous ISP prevented me from applying MLPPP for the whole last month, so I just played around with the Net Balancer feature, which caused me the mysterious upload timeout problems till now.
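The dynamic-address case that both olivier1010 and Juan Silva leave to "a script": the following is an added example and is not code from Zeroshell or from anyone in this thread. It assumes a Linux router with the `ip` and `iptables` commands and, as in Juan Silva's listing, a nat POSTROUTING chain whose own SNATVS rule should stay last. The interface names ETH01 and ppp0, the 203.0.113.x and 198.51.100.x addresses, and the sample command output are constructed. The script reads the interface's current address, compares it with the SNAT rule already installed for that interface, and only when they differ deletes the stale rule and inserts a fresh one at position 1.

```shell
#!/bin/sh
# Added example (not Zeroshell's own code): keep one SNAT rule per WAN interface in
# sync with the interface's current public address, so MASQUERADE is not needed even
# when the ISP hands out dynamic addresses. Interface names, addresses and the sample
# command output below are constructed for illustration.

# Pull the first IPv4 address out of `ip -4 -o addr show dev <if>` output.
ip_from_addr_output() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "inet") { sub(/\/.*/, "", $(i+1)); print $(i+1); exit }
    }'
}

# Find the address of the SNAT rule already installed for interface $2 in the
# output of `iptables -t nat -S POSTROUTING` ($1). Prints nothing if there is none.
snat_ip_from_rules() {
    printf '%s\n' "$1" | awk -v ifn="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            out = ""; tgt = ""; ip = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-o") out = $(i+1)
                else if ($i == "-j") tgt = $(i+1)
                else if ($i == "--to-source") ip = $(i+1)
            }
            if (out == ifn && tgt == "SNAT" && ip != "") { print ip; exit }
        }'
}

# Emit the iptables commands that move interface $1 from address $3 (may be empty)
# to address $2. The new rule goes in at position 1 so it stays ahead of the
# distribution's SNATVS rule. Nothing is emitted when the address did not change.
snat_sync_commands() {
    ifn=$1; new_ip=$2; old_ip=$3
    if [ "$old_ip" = "$new_ip" ]; then
        return 0
    fi
    if [ -n "$old_ip" ]; then
        printf 'iptables -t nat -D POSTROUTING -o %s -j SNAT --to-source %s\n' "$ifn" "$old_ip"
    fi
    printf 'iptables -t nat -I POSTROUTING 1 -o %s -j SNAT --to-source %s\n' "$ifn" "$new_ip"
}

# Live mode: run as root from an ip-up/ifup hook or a periodic cron job, e.g.
#   snat_sync ppp0; snat_sync ETH01
snat_sync() {
    ifn=$1
    new_ip=$(ip_from_addr_output "$(ip -4 -o addr show dev "$ifn")")
    if [ -z "$new_ip" ]; then
        echo "$ifn has no IPv4 address, leaving rules alone" >&2
        return 1
    fi
    old_ip=$(snat_ip_from_rules "$(iptables -t nat -S POSTROUTING)" "$ifn")
    snat_sync_commands "$ifn" "$new_ip" "$old_ip" | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

# Constructed samples standing in for real `ip` and `iptables -S` output: ppp0 has
# just reconnected with a new address, ETH01 is unchanged, and the old ppp0 rule is
# still installed.
SAMPLE_ADDR_PPP0='5: ppp0    inet 203.0.113.176 peer 198.51.100.1/32 scope global ppp0'
SAMPLE_ADDR_ETH01='2: ETH01    inet 198.51.100.28/24 brd 198.51.100.255 scope global ETH01'
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 -j SNAT --to-source 203.0.113.50
-A POSTROUTING -o ETH01 -j SNAT --to-source 198.51.100.28
-A POSTROUTING -j SNATVS'

# Dry run over the samples: prints the -D/-I pair for ppp0 and nothing for ETH01.
demo() {
    for ifn in ppp0 ETH01; do
        if [ "$ifn" = ppp0 ]; then addr=$SAMPLE_ADDR_PPP0; else addr=$SAMPLE_ADDR_ETH01; fi
        snat_sync_commands "$ifn" "$(ip_from_addr_output "$addr")" \
            "$(snat_ip_from_rules "$SAMPLE_RULES" "$ifn")"
    done
}

demo
```

Two caveats a practitioner should keep in mind: matching by interface name only works while each WAN keeps a stable name (ppp0 can come back as ppp1 if another PPP session is open at the time), and connections already in the conntrack table keep the old translation until they expire, so only new flows pick up the new address.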