Bridging and iptables SNAT conflict
- by sad_admin
Hello I am working on a setup here and have it working with one minor exception.
Devices on one side of my bridge aren't getting SNAT'd to the Internet.
The Diagram / Overview:
Primary_Network (Site_A)
|
|
Internet ------- Linux_Bridge_GW (GW)
|
|
Secondary/CoLo Site (Site_B)
Here is the setup:
1.) Site_A has all the production servers and workstations.
2.) Site_B has a set of servers that we would like to fail-over to and also serve our internet facing services from.
3.) GW has two interfaces that are trunked and carrying the appropriate VLAN traffic (allow layer-2 propagation of traffic between sites) //this all works perfectly fine.
4.) The problem that is being encountered is, hosts from Site_B have their default GW at Site_A (same subnet) GW does not have IPs on the VLANs that are being passed.
5.) All hosts at Site_A can reach the Internet without problem.
6.) GW has an addresses on a subnet that is ONLY for Internet destined traffic. (This was done so that Websense would not have to parse unnecessary traffic. We use this VLAN as the monitor port's source on the switch where Websense is sitting).
What I think is happening:
1.) Packet/Frame comes in on physdev at Site_B destined for Internet.
2.) Kernel sees packet, and forwards it out the other side of the bridge to that host's default GW.
3.) Site_A (containing core-network's Default-GW) sees that packet is destined for a host it doesn't know about, so it sends it to it's default GW (the linux bridge, since it's Internet bound).
4.) The kernel says "Hey, I've seen you before" and therefore doesn't do SNAT'ing on the packet and sends it out to the Internet where it's black-holed.
Why I think it's happening:
1.) A tcpdump on the internet facing NIC shows the packet leaving the interface with the private address as it's source.
What I would like:
1.) Have the packet SNAT'd.
2.) Something like the below would be awesome
a.) packet comes in from Site_B
b.) kernel sees that the packet is NOT destined for itself or any private address
c.) kernel says "OK, well since you're destined for the Internet I'm going to send you out this interface rather than forward you to your normal default GW that's WAAAY over there."
d.) packet comes in from internet and is sent out the appropriate bridge physdev depending on which site the host it's destined for is at.
Thanks for any assistance or guidance that you are willing to offer.
Best Regards,
Sad Admin
