
I use a Linux machine with two different internet connections as the default gateway of the local network. Each internet connection has its own public IP address. I've used source routing with the "ip rule" command to balance outgoing traffic between these two internet connections.

eth0 is the local network. eth1 and ppp0 are connected to the internet. The Linux machine itself uses eth1 to connect to the internet.

Everything works fine except that I can't access ppp0 public IP from local network:

ping PPP0-PUBLIC-IP #works fine from the linux machine
ping PPP0-PUBLIC-IP #works fine from outside network
ping PPP0-PUBLIC-IP #**fails** from other machines on local network

Also:

$ ip rule ls

0:  from all lookup local 
32763:  from x.x.x.x lookup Home 
32765:  from 192.168.0.208/28 lookup Home 
32766:  from all lookup main 
32767:  from all lookup default

$ ip route show table local

...
local x.x.x.x dev ppp0  proto kernel  scope host  src x.x.x.x 
...

Where x.x.x.x is the ppp0 public IP address. What am I doing wrong here? Why can't I ping the ppp0 public IP address from the local network, when I can ping it from the outside network?

Update: I use two iptables commands to set up NAT. I'm not sure if it is the right way, but it works for me:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Update 2: When I ping the ppp0 public IP address from a machine on the local network, tcpdump output on the gateway indicates that the packets arrive correctly from the local network, but it seems that the kernel is not delivering them to the application layer.

Mohammad
  • Are you certain it isn't firewall related? – Zoredache Mar 15 '12 at 17:00
  • Yes, I don't have a firewall. Neither on the Linux gateway machine nor on the local network machines. – Mohammad Mar 15 '12 at 17:07
  • How is NAT configured? – Shane Madden Mar 15 '12 at 17:40
  • With two iptables commands: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE and iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE. The NAT works fine. – Mohammad Mar 15 '12 at 17:50
  • Possible duplicate of [Loopback to forwarded Public IP address from local network - Hairpin NAT](http://serverfault.com/questions/55611/loopback-to-forwarded-public-ip-address-from-local-network-hairpin-nat) – MadHatter Jun 14 '16 at 06:52
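The rule list quoted in the question is worth modelling: a reply sent to a LAN host from the ppp0 address has x.x.x.x as its source, so rule 32763 sends that lookup to table Home before main is ever consulted, and a table that holds a default route answers every lookup. The Python below is an added example, not code from the question or any answer: it parses the `ip rule ls` output and walks the tables exactly as policy routing does; the placeholder ppp0 address 203.0.113.7 and the contents of tables Home and main are constructed assumptions, since the page shows neither.

```python
import ipaddress

# Constructed sample modelled on the "ip rule ls" output in the question; the ppp0
# address x.x.x.x is stood in by the documentation-range placeholder 203.0.113.7.
IP_RULE_LS = """\
0:      from all lookup local
32763:  from 203.0.113.7 lookup Home
32765:  from 192.168.0.208/28 lookup Home
32766:  from all lookup main
32767:  from all lookup default
"""

# Hypothetical table contents in "ip route show table <name>" form: the page never
# shows Home or main, and Home holding only a default route is an assumption.
TABLES = {
    "local": ["local 203.0.113.7 dev ppp0", "local 192.168.0.1 dev eth0"],
    "Home": ["default dev ppp0"],
    "main": ["192.168.0.0/24 dev eth0", "default via 198.51.100.1 dev eth1"],
}

def parse_rules(text):
    """Turn 'ip rule ls' lines into (priority, source network, table) tuples."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[1] == "from" and f[3] == "lookup":  # simple form only
            src = "0.0.0.0/0" if f[2] == "all" else f[2]
            rules.append((int(f[0].rstrip(":")), ipaddress.ip_network(src, strict=False), f[4]))
    return sorted(rules, key=lambda r: r[0])

def lookup(routes, dst):
    """Longest-prefix match in one table ("default" = 0.0.0.0/0, "local X" = host route)."""
    best = None
    for route in routes:
        words = route.split()
        prefix = {"default": "0.0.0.0/0", "local": words[1]}.get(words[0], words[0])
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None  # None: this table has no route, try the next rule

def route_for(rules, tables, src, dst):
    """Walk the rules by priority; the first table that answers wins, as in the kernel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, net, table in rules:
        if s in net:
            hit = lookup(tables.get(table, []), d)
            if hit:
                return table, hit
    return None, None
```

On the gateway itself the corresponding check is `ip route show table Home` (does it hold a route back to 192.168.0.0/24 via eth0?) together with `ip route get 192.168.0.100 from x.x.x.x`, which prints the table and route the kernel actually picks for such a reply.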

1 Answer


You need to use hairpin NAT in this scenario. Please note that PCI-DSS disallows this type of NAT rule.

Joel E Salas
  • I can't see how it could be a NAT problem, but to test your theory I deleted the iptables rules completely, and unfortunately I still can't ping the gateway's public IP (of ppp0). – Mohammad Mar 15 '12 at 18:34
  • You need to add a NAT rule that translates the ping reply from the internal address to the external address. That way the pinging host "accepts" the traffic as a valid response. – Joel E Salas Mar 15 '12 at 18:36
  • Could you be more specific? I don't know what rule I have to write for iptables, but tcpdump output on the gateway indicates that the gateway receives the ping packet but is not producing the reply packets, and the tcpdump output on the machine that generates the ping packets shows that it is not receiving any replies at all (no matter whether they have the wrong IP address). – Mohammad Mar 15 '12 at 18:49
  • I read the hairpin NAT link and your answer seems reasonable (although when I deleted the NAT rules I expected the ping to work). Anyway, I used this command for hairpin NAT: iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE but it doesn't work either. Is it wrong? – Mohammad Mar 15 '12 at 19:25
  • No, hairpin NAT is not the correct solution to this problem. Hairpin NAT would apply if OP was trying to contact a server on the local LAN from the same LAN, using the external IP address (the one assigned to ppp0) instead of the server's local LAN address. That is not the case here. – Steven Monday Mar 15 '12 at 20:05
  • That's right, Steven Monday. I want to access the machine with the ppp0 public IP itself, not some other server in the local network (through that IP address). Do you have any idea what could be wrong then? – Mohammad Mar 15 '12 at 20:43