Date: Wed, 5 Oct 2011 13:52:16 +0200
From: Natanael Copa
To: Harry Lachanas
Cc: Alpine Development
Subject: Re: [alpine-devel] Knock Missing ??

On Tue, 04 Oct 2011 09:56:33 +0300
Harry Lachanas wrote:

> > Do you think you could test it from edge/testing and confirm that it
> > works? Then I'll move it to main.
> >
> I've been using it with prev alpine releases with no probs
> I also did a quick compile for v.2.2.3 and it seems to work ok.

I have moved it to main and it will be available for alpine-2.3

> > I have new pingu working. It does dynamic policy routing, can ping
> > hosts and enable/disable gateways based on number of ping responses
> > (failover) and execute custom actions too when a host goes up/down.
> > It can also do simple "load-balancing"
> >
> > I also have a very simple pinguctl that can display the status of
> > the ping hosts and a lua module for the pingu client.
> >
> > I still need to make it possible to make the ISP up/down decision
> > based on multiple ping hosts and I still haven't figured out how to
> > make shorewall DNAT play nice with pingu. I think it needs to do
> > connmark or
> What exactly do you mean by " ... shorewall DNAT play nice with pingu
> .... "??

What I did here, I have 2 ISPs, one cheap with lots of bandwidth (let's
call it ISP A) and one slower with a static ip block which we call
ISP B.

I put my mail server on the slower, static ip range (ISP B) and set up
DNAT on the alpine firewall using shorewall.

Pingu will do policy routing, so when source address is in the static ip
range it will route via ISP B. Otherwise ISP A will be used as default
ISP. ISP B also serves as a failover in case ISP A goes down.

This works when using shorewall DNAT and shorewall providers feature. It
does not work otherwise.

I think what happens is, DNAT to an rfc1918 address (10.x.y.z), the
mailserver responds with source address 10.x.y.z and the response
traffic goes out via ISP A instead of ISP B because the NAT happens
postroute - after the routing decision was made.

I think what shorewall does to solve this is use conntrack packet
marking (the "track" option in shorewall "providers" file).

I have not figured out how to do it without, but I think it might be
possible with tcrules.

> > something to mark connections so the DNATed connection goes out same
> > interface it came from (the NAT happens post-route)
> >
> > I think I'll do a 1.0-rc1 release or something in the nearest days.
> > I'm not sure if I should try to squeeze in the multi ping host
> > feature before the 1.0 release or not.
> >
> > I can build a static binary for you that you can test with if you
> > want.
> >
> >
> Please do

I put it here:
http://ncdev.alpinelinux.org/~ncopa/pingu/

> I'll also have a good look at the source ...

http://git.alpinelinux.org/cgit/pingu/tree/

> Thanks
> Harry

Thanks!

-nc
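
The connection-marking approach discussed in the message above, as an added example that is not part of the original message and is not pingu's or shorewall's own code. It generalizes to marking both providers. Interface names, gateway addresses and mark/table numbers are constructed sample values, and the helpers run and emit_rules are hypothetical names.

```shell
#!/bin/sh
# Route replies of DNATed connections back out the ISP they arrived on.
# All values below are constructed samples (assumptions), not from the thread.
LAN_IF=eth0   # interface facing the DNATed server (10.x.y.z side)
# One provider per line: name, interface, gateway, mark (also the table id)
PROVIDERS="ispA eth1 192.0.2.1 1
ispB eth2 198.51.100.1 2"

# run CMD...: print the command; execute it only when APPLY=1 (needs root).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

emit_rules() {
    echo "$PROVIDERS" | while read -r name ifname gw mark; do
        [ -n "$name" ] || continue
        # Per-provider routing table that holds only that ISP's default route.
        run ip route replace default via "$gw" dev "$ifname" table "$mark"
        # Packets carrying the provider's mark are routed by that table.
        run ip rule add fwmark "$mark" lookup "$mark" priority $((1000 + mark))
        # Record on the conntrack entry which ISP a new connection came in on.
        run iptables -t mangle -A PREROUTING -i "$ifname" \
            -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"
    done
    # Replies from the server still carry source 10.x.y.z when routed, so a
    # source-address rule cannot match them. Copy the connection mark onto
    # the packet in mangle PREROUTING, before the routing decision, so the
    # fwmark rule picks the right ISP.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m connmark ! --mark 0 -j CONNMARK --restore-mark
}

emit_rules   # dry run by default: prints the commands without applying them
```

Run as is to review the generated commands; set APPLY=1 as root to apply them.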