Thanks Lonnie
Sorry for the late reply. Yes I'm using the outbound-snat plugin.
So just to confirm:
SECONDARY)
....
## Disable outbound-snat plugin in both iptables and config file in case of reboot
iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
;;
PRIMARY)
...
## Re-Enable outbound-snat plugin and config file
iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
sed -i 's/^ENABLED=.*$/ENABLED=1/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
;;
I'm thinking that I might look at OUTBOUND_SNAT_NET_HOST to see if something is
set to make the decision on whether I disable and re-enable so it can be a
generic script.
PS. Would this be worth doing as part of the standard failover, as I can't think
of any instance where we would not want to disable SNAT when it fails over to
another WAN interface?
Regards
Michael Knill
On 18/3/21, 1:49 am, "Lonnie Abelbeck" <[email protected]> wrote:
Hi Michael,
When you say you have SNAT configured, are you using the nat-loopback
plugin or the outbound-snat plugin?
Either of those requires obtaining the WAN IPv4 address to attach iptables
"-j SNAT --to-source $ip" rules, and as written only looks at the primary
external address. Even if the Failover interface was looked at, the firewall
would have to be rebuilt for the failover context switch with the
/mnt/kd/wan-failover.script .
Question, does either of these plugins make sense for a failover situation?
Possibly you want to disable the outbound-snat plugin on failover and
re-enable it on return to primary?
If you have the special case of the outbound-snat plugin enabled, you could
(untested code):
-- /mnt/kd/wan-failover.script snippet --
SECONDARY)
## Switched to Failover using secondary WAN link
## Disable outbound-snat plugin
iptables -t nat -D POSTROUTING -j OUTBOUND_SNAT
;;
PRIMARY)
## Switched back to normal using primary WAN link
## Re-Enable outbound-snat plugin
iptables -t nat -I POSTROUTING -j OUTBOUND_SNAT
;;
--
but this is somewhat fragile, such that if the firewall was restarted
during failover it would revert to the PRIMARY setting. To be less fragile,
you could also add:
--
sed -i 's/^ENABLED=.*$/ENABLED=0/' /etc/arno-iptables-firewall/plugins/outbound-snat.conf
--
and ENABLED=1 on return to PRIMARY.
Lonnie
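The failover hook Lonnie sketches above, combined with Michael's idea (at the top of the thread) of making it generic by only acting when outbound-snat is actually in use, worked into one complete script as an added example. This is not AstLinux project code nor code posted by either list member. It assumes /mnt/kd/wan-failover.script receives the link state (PRIMARY or SECONDARY) as $1, that the plugin's jump is "-j OUTBOUND_SNAT" in nat/POSTROUTING as shown in the thread, that the iptables binary supports the -C (check) option, and it uses a hypothetical marker file (/var/run/outbound-snat.failover) to remember that the hook, not the admin, is what disabled the plugin. The ENABLED= test stands in for Michael's OUTBOUND_SNAT_NET_HOST check, since the conf format is not shown in the thread.

```shell
#!/bin/sh
# Added example (not AstLinux code): wan-failover.script hook that turns the
# arno-iptables-firewall outbound-snat plugin off while on the secondary WAN
# and restores it on return to the primary. Assumed: link state arrives in $1.

SNAT_CONF="${SNAT_CONF:-/etc/arno-iptables-firewall/plugins/outbound-snat.conf}"
STATE_FILE="${STATE_FILE:-/var/run/outbound-snat.failover}"   # hypothetical path
IPTABLES="${IPTABLES:-iptables}"

# Return 0 if the plugin config currently says ENABLED=1 (the generic check:
# on a box without outbound-snat the whole hook is a no-op).
snat_conf_enabled() {
  grep -q '^ENABLED=1' "$SNAT_CONF" 2>/dev/null
}

# Rewrite the ENABLED= line so the setting survives a firewall rebuild/reboot.
snat_conf_set() {
  sed -i "s/^ENABLED=.*\$/ENABLED=$1/" "$SNAT_CONF"
}

# Return 0 if the jump to OUTBOUND_SNAT is present in nat/POSTROUTING.
snat_rule_present() {
  "$IPTABLES" -t nat -C POSTROUTING -j OUTBOUND_SNAT 2>/dev/null
}

# Remove every copy of the jump; a single -D only removes one match, and -D
# on a missing rule would otherwise error out.
snat_rule_remove() {
  while snat_rule_present; do
    "$IPTABLES" -t nat -D POSTROUTING -j OUTBOUND_SNAT || return 1
  done
}

# Insert the jump once, at the top, exactly as the plugin does; never twice.
snat_rule_insert() {
  snat_rule_present || "$IPTABLES" -t nat -I POSTROUTING -j OUTBOUND_SNAT
}

# Failover to the secondary WAN: disable the running rule and the config,
# and leave a marker so we know the hook was what disabled it.
on_secondary() {
  if snat_conf_enabled; then
    snat_rule_remove
    snat_conf_set 0
    : > "$STATE_FILE"
  fi
}

# Back on the primary WAN: restore only what this hook disabled; if the admin
# had the plugin off to begin with, leave it off.
on_primary() {
  if [ -f "$STATE_FILE" ]; then
    snat_conf_set 1
    snat_rule_insert
    rm -f "$STATE_FILE"
  fi
}

case "${1:-}" in
  SECONDARY) on_secondary ;;
  PRIMARY)   on_primary ;;
esac
```

The marker file is what makes the PRIMARY branch safe: once the sed has written ENABLED=0, the conf file alone no longer tells you whether the plugin was enabled before failover, so re-enabling unconditionally would switch SNAT on for a site that never wanted it. The sed edits cover a firewall restart during failover (the fragile case Lonnie notes), while the iptables calls cover the running rule set without a rebuild.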
> On Mar 17, 2021, at 1:16 AM, Michael Knill <[email protected]> wrote:
>
> Grr problem now found. I had SNAT configured which didn't work on the
> second WAN connection.
> Any way I can fix this e.g. don't do SNAT on the failover WAN?
>
> Regards
> Michael Knill
>
> From: Michael Knill <[email protected]>
> Reply to: AstLinux List <[email protected]>
> Date: Wednesday, 17 March 2021 at 4:27 pm
> To: AstLinux List <[email protected]>
> Subject: [Astlinux-users] Weird routing problem
>
> Hi Group
>
> I'm currently at a site that has a primary and failover WAN connection
> and two LAN connections. The primary WAN connection has failed over to the
> secondary WAN connection, however it is only working on one of the LAN
> interfaces and not the other. I can ping the interface address fine so it's
> not an interface problem.
>
> Does anyone have any idea why this would be happening?
>
> Regards
> Michael Knill
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
[email protected].