[LARTC] Advanced Policy Routing not working properly
Hi list,

I'm trying to set up a Linux box with a complicated source routing and could use a hand from you. The box has 4 NICs and lots of VLANs attached. It is a firewall and router in the following scenario (obs: IP addresses have been changed for security purposes):

- eth0 holds the default route (GW: 200.1.0.1, Firewall: 200.1.0.2);
- The box is routing and sometimes source routing, with no problems;
- We got our own ASN with an IP range assigned: 101.30.0.0/20;
- We have a Cisco router responsible for the BGP sessions of our ASN. This router is already talking to our neighbors and connects to the Firewall on eth2.887 (Router: 101.30.15.249, Firewall: 101.30.15.250);
- We have the old ISP's IP addresses used on lots of VLAN interfaces, ex: 200.1.2.0/26, 200.1.3.0/24, etc;
- The default route is still pointing to our old ISP and cannot be changed for now;

So far so good, but:

- We created a testing VLAN, eth2.6, and assigned the address 101.30.0.1/28 to the Firewall and 101.30.0.2 to a testing machine (machine-X);
- If we create a source routing like this:

    ip route add default via 101.30.15.249 table MyASN   # IP of BGP router
    ip rule add from 101.30.0.0/28 table MyASN

  we can see the Internet and the Internet sees us through our BGP router and neighbors, BUT we cannot see hosts at IP addresses of our old ISP (those directly connected to the Firewall).

The reason is simple: table MyASN has no entry for these old addresses. The easy way to go is to insert static routes on MyASN, but it is a bad solution when you have lots of subnets in use and changes occur frequently. The old and new addresses (from my old ISP and from my ASN) must communicate, but I cannot keep updating the MyASN table. I tried some workarounds with no good results, and here is where I need a hand.

All the workarounds I tried expect that, in the above scenario, if a host on an old ISP IP address, let's say 200.1.2.2, pings my testing server (machine-X on 101.30.0.2), packets should show up on the sender host's interface and go out on machine-X's interface. I expect this as the _main_ table has a route to machine-X (directly connected to the Firewall), so the box should know where to send packets. It doesn't happen like this. The packets go nowhere. They come in on the sender host's interface but never go out on machine-X's interface. If I insert a route to 200.1.2.2 on table MyASN, I start to see traffic coming and going.

Why is this happening? Shouldn't the box just forward traffic when there is a route in the _main_ table, regardless of whether a return route exists or not? Or shouldn't it, at least, send this traffic to its default gateway?

Any comments and suggestions are appreciated.

Regards,

Andre D. Correa, CISSP | andre.correa (at) pobox.com
Visit my personal projects: http://andre.hiperlinks.com.br
- http://www.malware.com.br/
- http://www.linuximq.net/
Sao Paulo / SP / Brazil

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] Curious situation of htb
Greetings Y.K. Peng,

: But it confuses me that what is the accurate definition of the
: argument rate?

In order to understand the HTB concept of rate, you must understand buckets. Read about either token buckets (e.g. Linux TBF [0]) or leaky buckets (the generic idea) [1].

: It seems to be the minimum rate which is guaranteed for a class
: in the user guide of HTB Home, but in the manpage of lartc.org it
: is defined as the maximum rate guaranteed for a class.

The difference is merely a matter of perspective. You may think of it as you find most fitting for your understanding. To understand the term in the context of HTB, it helps to understand the entire borrowing model:

* HTB will always allow a packet in a leaf class to be dequeued if that class has not yet exceeded its rate. (This leaf class is guaranteed a minimum rate of packet transmission.)

* HTB may attempt to transmit a packet from a leaf class if that leaf class is above rate but below ceil. In order to transmit a packet when transmission of that packet will exceed rate, the leaf class will ask its parent class (which may ask its parent class (which may ask ...)) if it may borrow (properly, use) a token to dequeue the pending packet. If the entire hierarchy of classes has an available token, then that token is counted.

* HTB will never attempt to transmit a packet from a leaf class which has exceeded its ceil, an administrative absolute maximum for this leaf class.

This borrowing logic holds true for all intermediate and root classes, but packets are only dequeued from leaf HTB classes.

: First I set up the qos configuration by tc, and classification is
: done by the u32 classifier. In this case, no matter how the
: classes' rates are set, the total bandwidth of 100Mbps will always be
: about 75Mbps and each class is assigned the bandwidth in the
: scale.
:
: To work with some tunnel or random-port transmission, another
: program was applied to set the priority value of the structure
: sk_buff as the classid the packet belongs to. In this case, the
: total bandwidth is limited at the rate we set, and so are all the
: classes set.
:
: My question is, why does it differ between the two mechanisms? Which
: one will be the correct result?

Unfortunately, I'm unable to interpret what your experiment was, so will not be able to address this question. I can only guess that you didn't use the default parameter on your HTB qdisc itself:

    tc qdisc add dev $DEV root handle 1:0 default $DEFAULT_CLASS

If you do not specify a default class for otherwise unclassified traffic AND if you do not include a classifier as a catch-all:

    # -- catch all classifier
    tc filter add dev eth0 parent 1:0 protocol ip prio 1 \
        u32 match ip src 0.0.0.0/0

then any unclassified traffic will be dequeued as fast as the hardware allows [2].

Good luck,

-Martin

[0] http://tldp.org/HOWTO/Traffic-Control-HOWTO/classless-qdiscs.html#qs-tbf
    http://lartc.org/howto/lartc.qdisc.classless.html
[1] http://linux-ip.net/gl/tcng/node54.html
    http://en.wikipedia.org/wiki/Leaky_bucket
[2] http://www.docum.org/docum.org/docs/htb/

--
Martin A. Brown
http://linux-ip.net/
[LARTC] How to add a route to a network via 2 gateways.
Hi iproute2,

I have a network to reach which is 192.168.2.0/24. It is a branch of the company. I have currently added a route to that network via one gateway (192.168.0.254) in the following way:

    ip route add 192.168.2.0/24 via 192.168.0.254

Now we got another gateway, which is 192.168.0.250. Now I want to add a route to the same network (192.168.2.0/24) via this gateway (192.168.0.250) as well. Then I will have 2 paths to the same network. One path should be primary and the other path should be backup. Everything should go via the primary path; if the primary path goes down, the backup path should be active. That is the purpose of doing this.

Please let me know whether it is possible or not. If possible, how can I achieve this goal?

--
Thank you
Indunil Jayasooriya
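The routing decisions in Andre's message earlier on this page and in Indunil's question above, replayed in a small model of the kernel's rule-then-table lookup. This is an added example, not code from either poster or from iproute2. The tables and rules are my reconstruction of Andre's description; the old-ISP VLAN device names, the /24 on the eth0 link, the /30 on the BGP link and the test destinations 203.0.113.9 and 192.168.2.7 are assumptions the thread does not supply. The fix it models for Andre, a rule that consults the main table first but discards its default route, relies on the ip rule option suppress_prefixlength, which exists in iproute2 and kernels newer than this thread. For Indunil it shows that two routes to one prefix coexist only with different metrics (a second ip route add with the same prefix and metric is refused with "RTNETLINK answers: File exists") and that the backup is chosen only once the primary route is gone, e.g. its interface went down or a daemon deleted it; the kernel does not by itself notice a gateway that merely stops forwarding, so that detection needs a routing daemon or a monitoring script.

```python
"""Toy model of the Linux policy-routing decision (ip rule + ip route).

Added example, not code from the thread. It replays Andre's setup (why
machine-X's reply to an old-ISP host goes to the BGP router, and a rule set
that fixes it without copying routes into table MyASN) and Indunil's two
gateways for 192.168.2.0/24. Assumed, because the thread does not say: the
device names eth1.2/eth1.3/eth1, a /24 on the eth0 link, a /30 on the BGP
link, and the test destinations 203.0.113.9 and 192.168.2.7.
"""
import ipaddress


class Route:
    def __init__(self, prefix, via=None, dev=None, metric=0):
        self.prefix = ipaddress.ip_network(prefix)
        self.via, self.dev, self.metric = via, dev, metric


def lookup_table(table, dst):
    """Longest prefix first, then lowest metric; None if nothing covers dst."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None


class Rule:
    """One 'ip rule' entry. suppress_prefixlength is an ip-rule option newer
    than this thread: a result whose prefix is that short is thrown away."""
    def __init__(self, pref, table, src="0.0.0.0/0", dst="0.0.0.0/0",
                 suppress_prefixlength=None):
        self.pref, self.table = pref, table
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.suppress_prefixlength = suppress_prefixlength


def route(rules, tables, src, dst):
    """Walk the rules in priority order, the way the kernel's FIB rule lookup does."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if src_a not in rule.src or dst_a not in rule.dst:
            continue
        hit = lookup_table(tables[rule.table], dst)
        if hit is None:
            continue          # this table knows nothing about dst: next rule
        sp = rule.suppress_prefixlength
        if sp is not None and hit.prefix.prefixlen <= sp:
            continue          # suppressed (here: main's default route): next rule
        return hit
    return None               # the kernel would report "Network is unreachable"


MAIN = [
    Route("200.1.0.0/24", dev="eth0"),                # link to old ISP (mask assumed)
    Route("200.1.2.0/26", dev="eth1.2"),              # old-ISP VLAN (dev name assumed)
    Route("200.1.3.0/24", dev="eth1.3"),              # old-ISP VLAN (dev name assumed)
    Route("101.30.15.248/30", dev="eth2.887"),        # link to BGP router (mask assumed)
    Route("101.30.0.0/28", dev="eth2.6"),             # test VLAN with machine-X
    Route("0.0.0.0/0", via="200.1.0.1", dev="eth0"),  # default still via the old ISP
]
MYASN = [Route("0.0.0.0/0", via="101.30.15.249", dev="eth2.887")]
TABLES = {"main": MAIN, "MyASN": MYASN}

# As posted: 'ip rule add from 101.30.0.0/28 table MyASN' plus the built-in main rule.
RULES_AS_POSTED = [Rule(32765, "MyASN", src="101.30.0.0/28"), Rule(32766, "main")]

# Fix: consult main first but discard its default route (prefix length 0), so the
# connected and static routes win and only Internet traffic falls through to MyASN:
#   ip rule add from 101.30.0.0/28 lookup main suppress_prefixlength 0 pref 100
#   ip rule add from 101.30.0.0/28 lookup MyASN pref 101
RULES_FIXED = [
    Rule(100, "main", src="101.30.0.0/28", suppress_prefixlength=0),
    Rule(101, "MyASN", src="101.30.0.0/28"),
    Rule(32766, "main"),
]


def reply_dev(rules):
    """Interface on which machine-X's reply to 200.1.2.2 leaves the firewall."""
    return route(rules, TABLES, "101.30.0.2", "200.1.2.2").dev


def internet_via(rules):
    """Gateway that machine-X's Internet-bound traffic is handed to."""
    return route(rules, TABLES, "101.30.0.2", "203.0.113.9").via


# Indunil's case: one prefix, two gateways, different metrics (equal metrics are
# refused by 'ip route add'); the lower metric wins for as long as that route exists.
BRANCH = [
    Route("192.168.0.0/24", dev="eth1"),
    Route("192.168.2.0/24", via="192.168.0.254", dev="eth1", metric=10),  # primary
    Route("192.168.2.0/24", via="192.168.0.250", dev="eth1", metric=20),  # backup
]


def branch_gateway(table=BRANCH):
    return lookup_table(table, "192.168.2.7").via


def branch_after_primary_removed():
    """What 'ip route del 192.168.2.0/24 via 192.168.0.254' (or the interface
    going down) leaves behind: the kernel now picks the backup."""
    return branch_gateway([r for r in BRANCH if r.via != "192.168.0.254"])
```

With the rules as Andre posted them the forward direction (200.1.2.2 to machine-X) does resolve through main to eth2.6, but machine-X's reply matches the MyASN rule and is handed to the BGP router instead of the directly connected VLAN, so the two hosts never exchange traffic symmetrically; whatever actually drops the packets on his box is outside this model. With the suppress_prefixlength rule in front, the reply takes eth1.2 while Internet-bound traffic from 101.30.0.0/28 still goes via 101.30.15.249, and nothing has to be maintained in MyASN as VLANs come and go.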