Hello,
I've got an MT box with two WAN interfaces: eth0 with static ip x.x.227.72, and eth1 with pppoe and dynamic ip. Int0 is my inside network with pool 192.168.0.0/24. On my inside network I have a Small Business server which has an Exchange configured and responding to the static IP, as well as an ISA server, through which all boxes in the network have connectivity (the setup is for a customer, who wants to maintain control over which boxes can surf the web; to whom we cannot give MT administration).
The static IP in the MT is as well the host of an IPSEC VPN.
Currently, policy routing does the following:
all vpn traffic, through eth0 (static IP)
everything else, eth1
The problem I have is that I cannot access the MT (ssh) through eth1.
policy-routing rule:
# SRC-ADDRESS DST-ADDRESS INTERFACE FLOW ACTION TABLE
0 192.168.0.0/24 192.168.1.0/24 all vpn-out-flow lookup main
1 192.168.1.0/24 192.168.0.0/24 all vpn-in-flow lookup main
2 192.168.0.0/24 0.0.0.0/0 all other lookup adsl
3 0.0.0.0/0 0.0.0.0/0 all lookup main
Table main contains the default route for eth0 plus the connected routes.
Table adsl contains only the default route for eth1.
Mangle rules are:
1 ;;; VPN out - mark-connection
src-address=192.168.0.0/24 dst-address=192.168.1.0/24
action=passthrough mark-connection=vpn-out-conn
2 ;;; VPN out - mark-flow
connection=vpn-out-conn action=accept mark-flow=vpn-out-flow
3 ;;; VPN in - mark-connection
src-address=192.168.1.0/24 dst-address=192.168.0.0/24
action=passthrough mark-connection=vpn-in-conn
4 ;;; VPN in - mark-flow
connection=vpn-in-conn action=accept mark-flow=vpn-in-flow
5 ;;; Everything else - mark-flow: other
action=accept mark-flow=other
I've seen somewhere that a rule for 0.0.0.0/32 (router) might be needed. What for?? Where? Is it related to my problem??
Regards,
Santiago.
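Added example (not part of the post above): a small Python model of the policy-routing rules, mangle marks and routing tables exactly as quoted in the post, applied to three packets. It shows that a packet the router itself sends with its eth1 address as source matches none of rules 0-2 and falls through to the catch-all, so it is looked up in main and leaves via eth0. The router's eth1 address (198.51.100.20) and the remote admin's address (203.0.113.7) are constructed placeholders.

```python
import ipaddress

# Policy-routing rules in the order the post lists them:
# (src prefix, dst prefix, required flow mark or None for any, table)
RULES = [
    ("192.168.0.0/24", "192.168.1.0/24", "vpn-out-flow", "main"),
    ("192.168.1.0/24", "192.168.0.0/24", "vpn-in-flow", "main"),
    ("192.168.0.0/24", "0.0.0.0/0", "other", "adsl"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "main"),
]

# Routing tables as the post describes them: main holds eth0's default
# route plus the connected routes, adsl holds only eth1's default route.
TABLES = {
    "main": [("192.168.0.0/24", "int0"), ("0.0.0.0/0", "eth0")],
    "adsl": [("0.0.0.0/0", "eth1")],
}

def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def flow_mark(src, dst):
    """Mangle rules 1-5: VPN traffic gets a VPN flow, everything else 'other'."""
    if _in(src, "192.168.0.0/24") and _in(dst, "192.168.1.0/24"):
        return "vpn-out-flow"
    if _in(src, "192.168.1.0/24") and _in(dst, "192.168.0.0/24"):
        return "vpn-in-flow"
    return "other"

def select_table(src, dst, flow):
    """The first policy rule that matches decides the routing table."""
    for rule_src, rule_dst, rule_flow, table in RULES:
        if _in(src, rule_src) and _in(dst, rule_dst) and rule_flow in (None, flow):
            return table
    raise LookupError("no policy rule matched")

def egress(src, dst):
    """Return (table, interface): policy lookup, then longest-prefix match."""
    table = select_table(src, dst, flow_mark(src, dst))
    candidates = [(ipaddress.ip_network(p).prefixlen, iface)
                  for p, iface in TABLES[table] if _in(dst, p)]
    return table, max(candidates)[1]

if __name__ == "__main__":
    print(egress("192.168.0.10", "203.0.113.7"))    # LAN host surfing: adsl, eth1
    print(egress("192.168.0.10", "192.168.1.5"))    # LAN host to VPN peer: main, eth0
    # The router answering an SSH session that arrived on eth1, with eth1's
    # (placeholder) address as source: falls to rule 3, so main -> eth0.
    print(egress("198.51.100.20", "203.0.113.7"))
```

The last case is the one the question is about: the reply to a session that came in on eth1 is sent out through eth0, so a rule matching the router's own eth1 source address before the catch-all is what keeps that reply on eth1.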