Routing with multiple Interfaces

BigG · July 22, 2019, 9:57pm

Hello,

I have 2 WAN interfaces one is DS-Lite and one ist a native IPv4 connection. I want to route everything outgoing via DS-Lite but want still to allow incomming connections to my clients via port forwarding via the native IPv4 connection.

My problem is that if i route all outgoing via the DS-Lite interface portforwarding does stop working, what routing setting i must set so port forwards keep working?

I'm a littlebit lost with that.
Thanks everybody for help

lleachii · July 22, 2019, 10:03pm

You cannot send server traffic outbound to another ISP - it must be the same as the port forwards are configured to. Otherwise, you must alter the port forwards to the other ISP.

BigG · July 22, 2019, 10:22pm

Thank you for your response, but i don't understand why. Shouldn't OpenWRT be able to track the state RELATED and ESTABLISHED so it knows over which interface a connection has to go?
Can you point me to some more information?
Thank you

lleachii · July 22, 2019, 10:58pm

You configured outbound traffic on a different connection than your inbound service ports. Simply set the server to use the same ISP as the port forwards. The remaining hosts can use the alternate ISP. This can be done with ip rules.

On what?

vgaetera · July 22, 2019, 11:09pm

BigG · July 22, 2019, 11:14pm

Sadly that is not possible for me

Why this doesn't work. I mean it is like NAT. You open a connections up to a IP and the router knows which internal client did the requests and routes the answer to the internal IP, why can't i do the same thing here just for incomming requests?

Or maybe I'm completely wrong here and i did over see something?

@ vgaetera Thanks i take a look at that

mikma · July 23, 2019, 5:28am

Have you looked at Mwan3? I'm not sure but maybe it can be used. (The inbound wan needs to be tracked using firewall marks in the connection tracker anyway.)

jeff · July 23, 2019, 8:40am

It’s not like NAT, it’s routing. Different processes with different rules.

It is potentially that ISP2 blocks the packets ingress as their source IP is “wrong” in that return packets would not go back over that path. This would be good practice for the ISP to protect against IP spoofing and various kinds of attack’s.

BigG · July 23, 2019, 2:36pm

of course they do, that is the whole point behind my attempt to route answer to requests over the interface where they origin from

BigG · July 23, 2019, 2:41pm

nope mwan3 doesn't work, it does not accept my IPIP6 Tunnel as valid interface.

system · August 2, 2019, 2:49pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.