All masqueraded connections dies when DHCP lease renews...

[hrr]

Hi guys

I have this problem with longlived connections from my LAN dying on me when I use MASQUERADE instead of SNAT on the WAN interface of my Gentoo firewall box at home.

It seems I got an ISP (Telia, Sweden) that set its DHCP lease time to only 10 minutes.

Thus all my longlived connections will die with "NEW not SYN" or "Invalid" when the lease is renewed after 10 minutes or less.

Switching to "-j SNAT" solves the problem, but of course introduces another: I don't know my IP address to be recieved from Telia beforehand (and it might even change while I'm connected).

Does anybody know a workaround for this problem?

Thanks,
Henning

[daywalkerNT]

Hello,

what is the setup that you have ?

< WAN >
|
[ DSL/Cable Modem ]
|
|
|
---------[NIC 1]----------------
| |
| [ NIC 2] ---------- < LAN >
| |
| gentoo_firewall |
| computer |
----------------------------------

Would that be correct ?

So your ISP sets the DHCP Lease time to 10min, and thus every 10 min you get
a new IP, right ?

can you use a web-browser to get to your DSL/Cable Modem ? ie. http://192.168.2.1 or something
like that, it should show the current ip that you have ?

I use www.no-ip.com you can add a domainname to your ip address (there are free ones
available that you can choose)

and you can also download and install the client on your system and what the client does is it
sends heartbeats every x minutes (default 30, but you can change it) with the current IP that
you have and updates the no-ip DNS.

hope the info provides some assistance.

[daywalkerNT]

i see the 'graphic' i drew didn't come up nice

<WAN>
|
|
[DSL/Cable Modem]
|
|
[nic 1 on the gentoo firewall box]
|
[nic 2 on the gentoo firewall box]
|
|
<your LAN>

[epretorious]

echo 1 > /proc/sys/net/ipv4/ip_dynaddr
_________________
Eric P.
Sunnyvale, CA

[epretorious]

[daywalkerNT]

thanx for the links

[hrr]

DaywalkerNT, your second graphics of my setup is correct.

I am not having af DNS problem, though, but I guess I didn't explain very well.

My problem is that connections from LAN to WAN (thus NAT'ed by iptables) dies when the DHCP lease on the WAN interface is renewed (and that happens after 10 minutes or less). I do not get a new IP address, but rather the same as before as per ordinary DHCP procedures (but in principle it could happen I got a different one from time to time).

Connections from the firewall box itself to the WAN are not hurt by the DHCP lease renewal. And LAN connections are only hurt if I use "-j masquerade" instead of "-j SNAT" to do the NAT'ing.

I assume this has something to do with "masquerade" NAT table entries being purged by the lease renewal, while the FILTER table entries and "snat" NAT table entries are not (I'll monitor my NAT table entries to verify that assumption when I get the time).

...

epretorious, I haven't worked with the "/proc/sys/net/ipv4/ip_dynaddr" setting before, but I'll read up on it and give it a try.

I do not have a dial-on-demand connection, but a permanent ADSL2 connection that assigns a public IP to my WAN interface (Ethernet) using DHCP. Only "strange" aspect of this connection is the fact that Telia uses so short a DHCP lease time.

Thanks so far guys,
Henning