2 ISPs again

Daniel Chemko dchemko at smgtec.com
Fri Dec 10 20:28:03 CET 2004


Andreas Grabner wrote:
> Thanks a lot for your reply!!!
> 
>> If your own IP's on the firewall aren't bound to the network, you'll
> What does                                 ^^^^^^^^^^^^^^^^^^^^^ this
> mean? 

Think about it in terms of promisc vs. non-promisc modes in tcpdump.

If the kernel doesn't know what IP addresses to properly receive data
on, the kernel will either let everything in or silently throw it
away. rp_filter is the mechanism used to protect routing integrity.
Since there is no IP, or an incorrect IP associated with the incoming
packet, it gets tossed. If you turn off the rp_filter, you're saying
that you want to receive all data incoming to the interface even if it
shouldn't be there.

E.g.:

INET - eth1 - FW - eth0 - INTERNAL (192.168.1.0/24)

If you receive an inbound connection request from the internet from the
source address 192.168.1.2, the rp_filter will drop the packet flat.
There may be issues with having your two internet interfaces. Maybe
they're expecting traffic on one another.  

Questions:

1. Is either inbound connection working, or do they both die?
2. Do you see your DNAT counter increment when the packet comes in?
3. Can you confirm that the destination in the DNAT is correct from the
firewall? Make sure that the route on the firewall can properly get to
the target machine.
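The reverse-path check described above, modelled over a constructed routing table as an added example (not code from the thread). The firewall layout follows the e-mail's diagram with a second uplink (eth2) added for the two-ISP case; the prefixes, interface names and the "loose" mode value 2 (which later kernels added for exactly this multi-homed situation) are my assumptions.

```python
import ipaddress

# Constructed routing table for the firewall in the diagram:
# INET - eth1 - FW - eth0 - INTERNAL (192.168.1.0/24), plus a second
# uplink eth2 to model a two-ISP box. Addresses are documentation ranges.
ROUTES = [
    ("192.168.1.0/24", "eth0"),   # internal LAN
    ("203.0.113.0/24", "eth1"),   # ISP A link net (assumed)
    ("198.51.100.0/24", "eth2"),  # ISP B link net (assumed)
    ("0.0.0.0/0", "eth1"),        # single default route, out via ISP A
]


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_accepts(src, in_iface, mode):
    """Model of net.ipv4.conf.<if>.rp_filter: 0 = off, 1 = strict, 2 = loose.

    Strict mode asks "would I route a reply to src out of the interface the
    packet arrived on?" and drops the packet if not. Loose mode only requires
    that some route to src exists.
    """
    if mode == 0:
        return True
    reverse_iface = route_lookup(src)
    if mode == 1:
        return reverse_iface == in_iface
    return reverse_iface is not None


if __name__ == "__main__":
    # The e-mail's example: an internal source address arriving from the internet.
    print("spoofed 192.168.1.2 on eth1, strict:", rp_filter_accepts("192.168.1.2", "eth1", 1))
    # The two-ISP symptom: a legitimate client reaching us via ISP B, while the
    # only default route points at ISP A, so strict mode tosses it.
    print("client 192.0.2.10 on eth2, strict:", rp_filter_accepts("192.0.2.10", "eth2", 1))
    print("client 192.0.2.10 on eth2, loose: ", rp_filter_accepts("192.0.2.10", "eth2", 2))
```

Counting drops per interface from `/proc/net/stat/rt_cache` style statistics is out of scope here; the point is that strict mode with a single default route drops every inbound packet on the second uplink, which matches the symptom in this thread.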
