Re: [LARTC] multipath device round robin not working?

2007-01-14 Thread Alex Samad
On Sat, Jan 13, 2007 at 12:54:24PM +0100, [EMAIL PROTECTED] wrote:
 Hi,
 
 I have a linux server running kernel 2.6.19 that is connected with 2 
 separate 100Mbit links to the same isp:
 
 
 +---------------+      +---+
 |               |      | I |
 |eth0 ----------+------+ S |
 |               |      | P |
 | linux 2.6.19  |      |   |----| ISP GATEWAY |
 |               |      | S |
 |eth1 ----------+------+ W |
 |               |      | I |
 +---------------+      | T |
                        | C |
                        | H |
                        +---+
 
 Both links have their own ip but have the same gateway. The problem is I 
 can't seem to get egress traffic load balanced over the 2 nics.
 
 IP config after boot (dhcp from isp)
 ip a:
 
 1: lo: <LOOPBACK,UP,1> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
 
 2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP,1> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:00:00:00:00:0f brd ff:ff:ff:ff:ff:ff
inet 10.0.0.110/24 brd 10.0.0.255 scope global eth0
 
 3: eth1: <BROADCAST,MULTICAST,NOTRAILERS,UP,1> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:00:00:00:00:ed brd ff:ff:ff:ff:ff:ff
inet 10.0.0.120/24 brd 10.0.0.255 scope global eth1
 
 Default routing table after boot
 ip r:
 
 10.0.0.0/24 dev eth0  scope link
 10.0.0.0/24 dev eth1  scope link  metric 1
 127.0.0.0/8 dev lo  scope link
 default via 10.0.0.1 dev eth0
 default via 10.0.0.1 dev eth1  metric 1
 
 I enabled ip_forward and set arp_ignore to 1 for eth0 and eth1 to make 
 sure the correct nic answers to arp requests.
 
 I tried to get the egress load balancing to work by replacing the above 
 two default routes with:
 
 ip route add default mpath drr nexthop via 10.0.0.1 dev eth0 weight 1 
 onlink nexthop via 10.0.0.1 dev eth1 weight 1 onlink
 
 I assumed that with mpath device round robin both nics would be used 
 more or less equally, but the reality is only one of the nics actually 
 works and the second nic even stops responding to arp requests.
 
 Am I doing something totally wrong or impossible here or is the device 
 round robin code not working properly?

Curiosity, but why use such a setup? Is your ISP link 2Gbp/s? Why not bond if
you want HA?

Why it's not round-robining: I am going to guess, but this line

default via 10.0.0.1 dev eth0

costs less to use than

default via 10.0.0.1 dev eth1  metric 1

so it should never use the second. I say guess because I don't know what the
default metric is if you do add one.

What you want is something like:

default  proto static  metric 5 
nexthop via 144.132.144.1  dev vlan2 weight 5
nexthop via 10.20.20.230  dev ppp0 weight 20

There is a link to a howto on the web site that steps through how to set this up.

Alex


 ___
 LARTC mailing list
 LARTC@mailman.ds9a.nl
 http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
 




Re: [LARTC] multipath device round robin not working?

2007-01-16 Thread Alex Samad
On Mon, Jan 15, 2007 at 06:44:54PM -0600, Grant Taylor wrote:
 On 01/15/07 15:20, [EMAIL PROTECTED] wrote:
 Wow, that's a complicated solution. Nicely done:) But I think that's a 
 bit too complicated for my setup thx for the input anyway.
 
 Thanks.
 
 Indeed the set up is not simple.  You may consider talking with your ISP 
 and seeing if they can assign one of your links an IP on a different subnet.
 
 I have found that ISPs that are worth their salt are willing to work 
 with you to help you resolve these types of problems.
 
 
 
 Grant. . . .

Something else to look for, because you have 2 NICs in the same broadcast
domain: http://cactuswax.net/blog/articles/2006/09/arp_ignore.html explains
arp_ignore.

In its default setup you are going to find one NIC is going to respond to ARP for
both IP addresses!





Re: [LARTC] LoadBalancing on many asimetric different dsl's.

2007-01-22 Thread Alex Samad
On Mon, Jan 22, 2007 at 10:03:21AM +0100, Jordi Segues wrote:
 Hello,
 
 I've done this some months ago, with a command like:
 ip route add default equalize scope global nexthop  via $EXTGW1 dev
 $EXTIF1 weight 1 nexthop via $EXTGW2 dev $EXTIF2 weight 1
 
 However, this is not the problem.
 While load balancing of simple requests worked fine, there were
 problems when you worked with connections. I mean HTTPS or FTP
 connections, for example.
 
 The problem for me was that the system tries to send packets of the same
 connection through different gateways, so with different source IPs
 (each DSL connection was from a different ISP). This caused the server
 not to understand why the same connection sent packets with 2
 different source IPs ;)
 Well, I hope you understand me.
 
 If you would do real load balancing, and in a proper way, you should
 not only do it by link charge, but route packets by connection too
 (routing all packets of the same connection through the same gateway).
 This is caused because you must flush the route cache sometimes (or
 packets to a destination will always take the same route, which is not
 a load balance).
 
 So if someone has done it and doesn't have this problem, I'm interested too 
 :)

The above is actually covered in the wiki howto. But you need to set up SNAT on
each interface; then connection tracking takes care of sending each stream out
the right interface. You need to use SNAT and not MASQ.

Then you need to set up some ip rule tables for each of the interfaces.


My ip ru looks like this:

0:  from all lookup local 
200:from 144.132.145.38 lookup cable 
201:from 60.241.248.86 lookup adsl 
32766:  from all lookup main 
32767:  from all lookup default 


My ip r sh tab default:

default  proto static  metric 5 
nexthop via 144.132.144.1  dev vlan2 weight 1
nexthop via 10.20.20.230  dev ppp0 weight 20
default via 10.20.20.230 dev ppp0  src 60.241.248.86  metric 20 
default via 144.132.144.1 dev vlan2  src 144.132.145.38  metric 30 


This works fine for me, I have tracked packets with tcpdump on both the server
and the client.

Alex



 
 Thanks!
 
 Jordi Segues
 
 On 22 Jan 2007 09:49:28 +0100, sAwAr [EMAIL PROTECTED] wrote:
 Hi,
 
 My company has just bought a new network and I have a question about one 
 problem.
 As in the topic, we must use a few completely different DSLs and balance traffic 
 between them:
 2M/0,5M 4Mb/0,5M 8M/0,5M
 M=Mb/s
 I've never done such a thing before so I have doubts about how it will work. If 
 the links are symmetric 2/2 4/4 8/8 there is no problem because with 
 weights I can compensate for the difference between them and achieve nice 
 results. But what in my situation?
 My questions are: how to set load balancing to get all links equally 
 loaded and avoid the situation when the upload will be full and download 
 almost empty? I believe this situation can happen due to the fact that load 
 balancing is based on flows and for example p2p or smtp/pop3 will eat 
 the whole upload.
 If my problem isn't clear I'll try to explain it better later.
 
 
 Thanks in advance.
 Regards
 sawar
 
 
 
 
 -- 
 Jordi Segués Daina
 ---
 Andorra GSM: (+376) 35 35 68
 France GSM: (+33) (0)6 81 88 35 55
 [EMAIL PROTECTED] / MSN: [EMAIL PROTECTED]
 AIM: superjordix
 Skype: callto://superjordix
 ---
 http://www.JordiX.com


Re: [LARTC] LoadBalancing on many asimetric different dsl's.

2007-01-22 Thread Alex Samad
On Mon, Jan 22, 2007 at 01:21:32PM +0100, Jordi Segues wrote:
 The above is actually covered in the wiki howto. But you need to set up SNAT on
 each interface; then connection tracking takes care of sending each stream out
 the right interface. You need to use SNAT and not MASQ.
 
 Great news :)
 And thankyou for the details.
 But could you give the link to the wiki howto?
 I only found old doc.
It's been a while since I had a look; a quick Google gave me this:

http://lartc.org/howto/lartc.rpdb.multiple-links.html

I have this bookmarked as the wiki:
http://linux-net.osdl.org/index.php/Main_Page

But I think the former is what you want.

 
 Thanks!
 
 
 Then you need to set up some ip rule tables for each of the interfaces.
 
 
 my ip ru looks like this
 
 0:  from all lookup local
 200:from 144.132.145.38 lookup cable
 201:from 60.241.248.86 lookup adsl
 32766:  from all lookup main
 32767:  from all lookup default
 
 
 my ip r sh tab default
 
 default  proto static  metric 5
 nexthop via 144.132.144.1  dev vlan2 weight 1
 nexthop via 10.20.20.230  dev ppp0 weight 20
 default via 10.20.20.230 dev ppp0  src 60.241.248.86  metric 20
 default via 144.132.144.1 dev vlan2  src 144.132.145.38  metric 30
 
 
 This works fine for me, I have tracked packets with tcpdump on both the 
 server
 and the client.
 
 Alex
 
 
 
 
  Thanks!
 
  Jordi Segues
 
  On 22 Jan 2007 09:49:28 +0100, sAwAr [EMAIL PROTECTED] wrote:
  Hi,
  
  My company has just bought a new network and I have a question about one
  problem.
  As in the topic, we must use a few completely different DSLs and balance 
  traffic
  between them:
  2M/0,5M 4Mb/0,5M 8M/0,5M
  M=Mb/s
  I've never done such a thing before so I have doubts about how it will work. If
  the links are symmetric 2/2 4/4 8/8 there is no problem because with
  weights I can compensate for the difference between them and achieve nice
  results. But what in my situation?
  My questions are: how to set load balancing to get all links equally
  loaded and avoid the situation when the upload will be full and download
  almost empty? I believe this situation can happen due to the fact that load
  balancing is based on flows and for example p2p or smtp/pop3 will eat
  the whole upload.
  If my problem isn't clear I'll try to explain it better later.
  
  
  Thanks in advance.
  Regards
  sawar
  
 
 
 
 




Re: [LARTC] LARTC Wiki

2007-01-23 Thread Alex Samad
On Tue, Jan 23, 2007 at 03:53:23PM +, Andrew Beverley wrote:
 I'm not aware of one, and I think it's an excellent idea.
 
 There's some great software available for LARTC, and some of the
 documentation is very good, but unfortunately it's all a bit disparate.
 A wiki would be a great start.
 
 I'd be happy to host one and transfer stuff into it unless someone else
 has a better idea/offer?
 
 Andy Beverley

Last time there was talk of a wiki this address was given:

http://linux-net.osdl.org/index.php/Main_Page

This link below gives the details on how to set up a multi-link connection:
http://lartc.org/howto/lartc.rpdb.multiple-links.html
 

Alex   

 
 
 On Tue, 2007-01-23 at 12:46 -0300, Marco Aurelio wrote:
  Hi all,
  
  Since the mail list receives a lot of repeated subjects (for example:
  i have two adsl lines...), maybe these specific issues should be
  treated on the LARTC Guide, or maybe if we had a wiki?
  
  Is there a LARTC Wiki?
  
  If not, what do you think about creating one?
  
  Thanks
  
  -- 
  Marco 


Re: [LARTC] ip alias + dsl modem

2007-01-24 Thread Alex Samad
On Thu, Jan 25, 2007 at 12:14:56AM +0900, GodSharp wrote:
 Hi Guys,
 
 Just wondering, for some reason when I switched providers (DSL) IP aliasing
 stopped working. And I am not sure what kind of modem this is; the previous
 one had some Ethernet ports at the back (it has a built-in 4 port switch), the
 new one doesn't have one, only a single Ethernet port, and it is directly
 connected to my Linux box.
 
 My provider gave me a /24 subnet and 9 useable IP's.
 
 # ip a s eth2
 6: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
 link/ether 00:08:a1:72:c1:f5 brd ff:ff:ff:ff:ff:ff
 inet xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 scope global eth2
 inet xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 inet xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 scope global secondary eth2
 
 -- settings --
 ip link set eth2 up
 ip addr flush dev eth2
 ip addr add xxx.xxx.xxx.50/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.51/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.52/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.53/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.54/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.55/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.56/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.57/24 brd xxx.xxx.xxx.255 dev eth2
 ip addr add xxx.xxx.xxx.58/24 brd xxx.xxx.xxx.255 dev eth2
 ip route add default via xxx.xxx.xxx.1
 --- end settings ---
 
 /proc/sys/net/ipv4/ip_forward is 1
 /proc/sys/net/ipv4/ip_dynaddr is 1
 
 works: ping google.com -I eth2
 works: ping google.com -I xxx.xxx.xxx.50
 not working: ping google.com -I xxx.xxx.xxx.58

Have you tried ip route get? It will tell you what the kernel is thinking on how
it's going to route the packet.

You might also need to set up some ip rule lines for each of the secondary
addresses. But first try pinging the next hop with each of the addresses!

 
 From the outside I can ping xxx.xxx.xxx.50 but cannot ping any secondary
 IP's.
 
 I tried tcpdump but didn't receive any replies from the secondary ip's I got
 replies from the primary IP though.
 
 If I remove the secondary IP's and use it on another computer the secondary
 IP works. It looks like I can 
 only use 1 IP per computer(per mac). What seems to be the problem? Is it the
 modem? I am not sure about adsl's and their type of settings (bridge/router)
 and I would like to contact my provider. But I am having troubles on asking
 them regarding the problem. If there's a technical explanation regarding
 this or some trick it would help me clarify them or me.
 
 There are no filters involved(iptables). On my previous provider aliasing
 works both are dsl's.
 


Re: [LARTC] Questions about mutiple providers

2007-01-29 Thread Alex Samad
On Mon, Jan 29, 2007 at 01:17:03PM +0100, Fabio Muzzi wrote:
 
 Hi, this is my first post to the list.
 
 I have googled a lot, and still cannot find a proper solution. I hope
 someone here will be able to shed some light on my doubts.
 
 I have set up a firewall using kernel 2.6.15 (Debian) that does NAT for
 100 clients, and uses two different ISPs, using the howto found at
 http://lartc.org/howto/lartc.rpdb.multiple-links.html. I have *not*
 patched my kernel.
 
 The routing setup is taken from the howto, and it basically works; I see
 packets flowing out of both WAN interfaces, and everything seems to work
 properly for packets that are generated from the firewall itself.
 
 I have set up NAT rules in postrouting table, this way:
 
 iptables -t nat -A POSTROUTING -o $WAN  -j SNAT -s 10.0.0.0/16 --to-source 
 217.221.234.74
 iptables -t nat -A POSTROUTING -o $WAN2 -j SNAT -s 10.0.0.0/16 --to-source 
 83.211.205.162
 
 Local net is 10.0.0.0/16, the two WAN interfaces are $WAN and $WAN2, and
 their respective IP addresses are set as shown. WAN interfaces are
 physically different and have no aliases, only the IP shown above.
 
 Now, I am experiencing two issues:
 
 - First, I see packets with from address set to 83.211.205.162 that go
 out of $WAN, and also packets with from address set to 217.221.234.74 that
 flow out of $WAN2. This address mixup should not happen, I suppose.
 Looking at the packets, it seems that only NATed traffic shows this
 behaviour.

You have to set up your ip rule rules, which will state that anything coming from
217.221.234.74 only goes out $WAN and anything coming from 83.211.205.162 only
goes out $WAN2. It should be part of the wiki/faq doco.

 
 
 - Second, I see (rare) packets flowing out of WAN or WAN2 interfaces that
 still have the LAN from address, that is 10.0.x.x; these packets somehow
 were not NATed at all.

Never seen this.

 
 
 Now, the questions are:
 
 How do I solve this?
 
 Do I need to patch my kernel to solve the first issue, because I need to
 look at NAT established connections tables to make routing decisions? Is
 it impossible to have equal cost multipath and SNAT together without
 patching the kernel? If so, what patch do I need exactly?
 
 Is there something wrong with my kernel version, that has broken NAT
 support? (this could explain why I get some packets that do not get NATed
 at all)
 
 
 Thanks a lot for the time you took reading this.
 
 -- 
 
   Fabio Kurgan Muzzi
 


Re: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.

2007-02-13 Thread Alex Samad
On Tue, Feb 13, 2007 at 02:50:13PM +0100, Paul Viney wrote:
 Hi all,
 
 I'm trying to set up a computer with 2 routes to the internet, much as 
 described at http://lartc.org/howto/lartc.rpdb.multiple-links.html. One of my 
 interfaces (eth5, 192.168.2.2) is only used for traffic originating inside 
 the network. The other (eth1, 192.168.1.2) is only used for a VPN, where all 
 (udp) traffic originates from outside our network. I have created a second 
 routing table for eth1, with its own default gateway, and selected it with
 ip rule from 192.168.1.2 iif lo lookup 4. All this works fine.
 My problem is that one of the udp ports is forwarded to another server using 
 iptables:
 /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport 
 4902 -j DNAT --to 192.168.12.5:4902
 
 using tcpdump on eth1, I can see that the incoming packets receive an icmp 
 rejection, and when I try something like
 
 ip route get 192.168.12.5 from 64.233.183.103 iif eth1
 I get RTNETLINK answers: Invalid argument
 
 If I try 
 ip route get 192.168.12.5 from 64.233.183.103 iif eth5
 I get
 192.168.12.5 from 64.233.183.103 dev eth3  src 192.168.2.2
 cache  mtu 1500 advmss 1460 metric 10 64 iif eth5
 
 which leads me to conclude that the difference has something to do with the 
 default route.
 I've tried things like
 ip rule add iif eth1 lookup 4   (4 being my custom routing table)
 ip rule add from 192.168.1.2 lookup 4
 
 and even
 iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
 ip rule from all fwmark 0x1 lookup 4
 ip route flush cache
 
 I'm using linux 2.6.19.2 + grsecurity patches, every option I could find 
 compiled in, on an up to date gentoo system.
 
 Can anyone see what I'm missing?
 
 Thanks,
 
 Paul Viney
 
 
 ip route show
 192.168.2.0/24 dev eth5  proto kernel  scope link  src 192.168.2.2
 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
 192.168.12.0/24 dev eth3  proto kernel  scope link  src 192.168.12.1
 127.0.0.0/8 dev lo  scope link
 default via 192.168.2.1 dev eth5
 
 ip route show table 4
 192.168.2.0/24 dev eth5  proto kernel  scope link  src 192.168.2.2
 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
 192.168.12.0/24 dev eth3  proto kernel  scope link  src 192.168.12.1
 127.0.0.0/8 dev lo  scope link
 default via 192.168.1.1 dev eth1
 
 ip rule show
 0:  from all lookup local
 :   from all fwmark 0x1 lookup 4
 1:  from 192.168.1.2 iif lo lookup 4

If the IP address on eth1 is 64.233.183.103 then you need a rule
10001:  from 64.233.183.103 lookup 4

I don't think the fwmark rule will work with ip route get.

Plus, in your routing information in table 4 you are saying that the default
address is available via 192.168.1.1; that doesn't match up with
64.233.183.103.



This is my ip ru:
0:  from all lookup local 
200:from 144.132.147.156 lookup cable 
201:from 60.241.248.86 lookup adsl 
32766:  from all lookup main 
32767:  from all lookup default


144.132.147.156 is one isp, 60.241.248.86 is the other one

ip r sh tab cable
192.168.8.248/29 dev tap0  scope link  src 192.168.8.249 
192.168.11.0/24 dev vlan0  scope link  src 192.168.11.1 
192.168.10.0/24 dev eth1  scope link  src 192.168.10.1 
default via 144.132.144.1 dev vlan2  proto static  src 144.132.147.156  metric 50
prohibit default  proto static  metric 100


ip r sh tab adsl 
192.168.8.248/29 dev tap0  scope link  src 192.168.8.249 
192.168.11.0/24 dev vlan0  scope link  src 192.168.11.1 
192.168.10.0/24 dev eth1  scope link  src 192.168.10.1 
default via 10.20.20.168 dev ppp0  proto static  src 60.241.248.86  metric 20 
prohibit default  proto static  metric 100

ip r sh tab default
default  proto static  metric 5 
nexthop via 144.132.144.1  dev vlan2 weight 1
nexthop via 10.20.20.168  dev ppp0 weight 20
default via 10.20.20.168 dev ppp0  src 60.241.248.86  metric 20 
default via 144.132.144.1 dev vlan2  src 144.132.147.156  metric 30


The difference for you should be in the default table; you will not need
default  proto static  metric 5
nexthop via 144.132.144.1  dev vlan2 weight 1
nexthop via 10.20.20.168  dev ppp0 weight 20

because you want all your traffic to go out 1 link.

alex


 3:  from all lookup main
 3:  from all lookup default


Re: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.

2007-02-13 Thread Alex Samad
On Tue, Feb 13, 2007 at 10:54:51PM +0100, Paul Viney wrote:
 Thanks for the advice, Alex. I've been able to add both default routes - I 
 hadn't considered using the metric to avoid using the VPN link. 
 I guess I wasn't very clear with my use of 64.233.183.103, which was meant to 
 be a random internet address coming in over the VPN link, not the default 
 internet link.
 what exactly does the  prohibit default  proto static  metric 100  in your 
 routing table do? Haven't you already had a default route which would trigger 
 before reaching this rule?
It's been a while since I looked over this, but from memory, if the link goes
down, it stops the route table being used.

 
 I still seem to have much the same problem. I no longer get ICMP unreachable 
 errors, but the packet just seems to disappear - I can't see it being 
 forwarded on any interface, nor can I find any kind of reply - icmp or 
 otherwise.

Sounds like a firewall issue!

 
 ip route get <random internet address> to 192.168.12.5  gives
 192.168.12.5 dev eth3  src 192.168.12.1
 cache  mtu 1500 advmss 1460 metric 10 64
 
 ip route get <random internet address> to 192.168.12.5 iif eth1   gives
 RTNETLINK answers: Invalid argument

Try

ip r g <random internet address> from 192.168.12.5; I seem to be getting the
same error as you.

 
 Am I not understanding how ip route get works? The man pages are fairly 
 succinct in their explanation.
 
 Thanks for your help,
 
 Paul Viney
 
 
 On Tuesday 13 February 2007 21:40, Alex Samad wrote:
  On Tue, Feb 13, 2007 at 02:50:13PM +0100, Paul Viney wrote:
   Hi all,
  
   I'm trying to set up a computer with 2 routes to the internet, much as
   described at http://lartc.org/howto/lartc.rpdb.multiple-links.html .One
   of my interfaces (eth5, 192.168.2.2) is only used for traffic originating
   inside the network. The other (eth1, 192.168.1.2) is only used for a VPN,
   where all (udp) traffic originates from outside our network. I have
   created a second routing table for eth1, with its own default gateway,
   and selected it with ip rule from 192.168.1.2 iif lo lookup 4. All this
   works fine.
   My problem is that one of the udp ports is forwarded to another server
   using iptables:
   /sbin/iptables -t nat -A PREROUTING -i eth1 -p udp -d 192.168.1.2 --dport
   4902 -j DNAT --to 192.168.12.5:4902
  
   using tcpdump on eth1, I can see that the incoming packets receive an
   icmp rejection, and when I try something like
  
   ip route get 192.168.12.5 from 64.233.183.103 iif eth1
   I get RTNETLINK answers: Invalid argument
  
   If I try
   ip route get 192.168.12.5 from 64.233.183.103 iif eth5
   I get
   192.168.12.5 from 64.233.183.103 dev eth3  src 192.168.2.2
   cache  mtu 1500 advmss 1460 metric 10 64 iif eth5
  
   which leads me to conclude that the difference has something to do with
   the default route.
   I've tried things like
   ip rule add iif eth1 lookup 4   (4 being my custom routing table)
   ip rule add from 192.168.1.2 lookup 4
  
   and even
   iptables -t nat -I PREROUTING -i eth1 -p udp -j MARK --set-mark 1
   ip rule from all fwmark 0x1 lookup 4
   ip route flush cache
  
   I'm using linux 2.6.19.2 + grsecurity patches, every option I could find
   compiled in, on an up to date gentoo system.
  
   Can anyone see what I'm missing?
  
   Thanks,
  
   Paul Viney
  
  
   ip route show
   192.168.2.0/24 dev eth5  proto kernel  scope link  src 192.168.2.2
   192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
   192.168.12.0/24 dev eth3  proto kernel  scope link  src 192.168.12.1
   127.0.0.0/8 dev lo  scope link
   default via 192.168.2.1 dev eth5
  
   ip route show table 4
   192.168.2.0/24 dev eth5  proto kernel  scope link  src 192.168.2.2
   192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
   192.168.12.0/24 dev eth3  proto kernel  scope link  src 192.168.12.1
   127.0.0.0/8 dev lo  scope link
   default via 192.168.1.1 dev eth1
  
   ip rule show
   0:  from all lookup local
   :   from all fwmark 0x1 lookup 4
   1:  from 192.168.1.2 iif lo lookup 4
 
  if the ip address on eth1 is 64.233.183.103  then you need a rule
  10001:  from 64.233.183.103 lookup 4
 
  I don't think the fwmark rule will work with ip route get.
 
  Plus your routing information in table 4, you are saying that the default
  address is available via 192.168.1.1  that doesn't match up with
  64.233.183.103
 
 
 
  this is my ip ru
  0:  from all lookup local
  200:from 144.132.147.156 lookup cable
  201:from 60.241.248.86 lookup adsl
  32766:  from all lookup main
  32767:  from all lookup default
 
 
  144.132.147.156 is one isp, 60.241.248.86 is the other one
 
  ip r sh tab cable
  192.168.8.248/29 dev tap0  scope link  src 192.168.8.249
  192.168.11.0/24 dev vlan0  scope link  src 192.168.11.1
  192.168.10.0/24 dev eth1  scope link  src 192.168.10.1
  default via 144.132.144.1 dev vlan2  proto static  src 144.132.147.156 
  metric 50

Re: [LARTC] Routing problem (RTNETLINK answers: Invalid argument) on multiple internet link.

2007-02-14 Thread Alex Samad
On Wed, Feb 14, 2007 at 08:30:48AM +0100, Paul Viney wrote:
   I still seem to have much the same problem. I no longer get ICMP
   unreachable errors, but the packet just seems to disappear - I can't see
   it being forwarded on any interface, nor can I find any kind of reply -
   icmp or otherwise.
 
  sounds like a firewall issue!
 
 It does sound like a firewall issue, but the only firewall rule I have at the 
 moment is the one doing the DNAT. If I do 'iptables -t nat -L -v', then I can 
 see the number of packets increasing. Once I remove the firewall rule, I get 
 my icmp unreachable errors again. Funnily enough, if I then reinstate the 
 firewall (dnat) rule, then I still get icmp unreachable errors and the 
 packet count doesn't go up for the rule. It's almost as though the rule 
 doesn't get consulted. 'ip route flush cache' doesn't make a difference. 
 After about 5 minutes the icmp unreachable errors stop and the packet count 
 starts going up, although I still can't find my packet on the next hop. (I do 
 have forwarding switched on). The packet count on a iptables log rule on the 
 forward table does not go up, giving me the impression that routing has 
 failed. 

This could be connection tracking. Once you start a ping, connection tracking
will keep it in its cache, so even though you have placed it (the rule) back in,
it doesn't count for the established link...

 I also tried ip r get <random internet address> from 192.168.12.5, which did 
 indeed give me the same RTNETLINK answers: Invalid argument error. I guess 
 that means that my understanding of the purpose of 'ip r get' is indeed 
 faulty. 

Does 192.168.12.5 exist on your box? Can you do an ip a?
Also, do you have forwarding on?

 
 Thanks for all your help so far.
 
 Paul Viney
 


Re: [LARTC] Split access, load balancing AND forwarding: HOW?

2007-02-23 Thread Alex Samad
On Fri, Feb 23, 2007 at 03:23:42PM +0800, Ming-Ching Tiew wrote:
 From: Luciano Ruete [EMAIL PROTECTED]
  
  This solution works in theory and in practice, so plz, get your hands dirty 
  before you post your next great idea.
  
 
 I understand your explanation fully but believe me I also have got 
 hand-on experience with using the alternative, ie
 
 1. I don't use multipath weight routing. 
 2. I use PREROUTING all the way, ie I don't use POSTROUTING.
 
 Instead, I use iptables  'recent' and 'statistics'/'random' match to achieve
 load sharing.

Hi,

Sorry, I missed the previous bits of the thread. Could you post the relevant info?
I'm interested to see how this works and why you would pick it over the multipath
method.


 
 I have used this for many years already; believe me, I am not theoretical.
 It's just a matter of different ways of doing things. If you search the web
 you will come upon many others using the same method I use.
 
 Cheers
 
 
 




Re: [LARTC] Multiple uplinks, ssh connections hang

2007-02-27 Thread Alex Samad
On Tue, Feb 27, 2007 at 08:12:17AM +0700, Denny Zulfikar wrote:
 Hello korey,
 
 I don't think your configuration will work well, because it's balancing
 using connection weights. So if you have a connection-oriented application
 that must be sure to pass its traffic through only one connection (such as
 ssh and https; please try to open and log in to hotmail.com), it will fail
 when the default routing switches from one gateway to another (round robin).
 
 Don't use this config for connection-oriented applications. It's a round
 robin rule that will switch from one gateway to another without
 noticing/knowing the traffic type.
 ip route add default scope global nexthop via 192.168.200.1 dev eth2 weight 1 nexthop via x.175.244.1 dev eth1 weight 1

I have been using

default  proto static  metric 5
        nexthop via 138.130.8.1  dev vlan2 weight 1
        nexthop via 10.20.20.243  dev ppp0 weight 20

for over 4 years and it has worked fine for me, for ssh and other
connection-oriented applications. The key thing is to have conntrack (or its
new incarnation) loaded.

The default rule is only used when you don't have a source address or route
cache entry. When you ssh through the machine, the SYN packet uses the default
route, but it also sets up an entry in conntrack; all other packets will have a
source and dest address. These will match the ip rule statements.

If you followed your link on to Julian's pages, http://www.ssi.bg/~ja/nano.txt,
there is a howto on this!

 
 please refer to this documentation howto develop multpile internet
 connection gateway.
 http://linux-ip.net/html/adv-multi-internet.html
 
 Best Regards,
 Denny Z
 
 
 On 2/27/07, Korey O'Dell [EMAIL PROTECTED] wrote:
 Folks,
 Ive got two ISP connections that I am using with:
 ---
 ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
 ip route add default via 192.168.200.1 table connection1
 
 ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
 ip route add default via x.175.244.1 table connection2
 
 ip rule add from 192.168.200.11 table connection1
 ip rule add from x.175.244.2 table connection2
 
 echo Enabling load balancing between ISP connections...
 ip route add default scope global nexthop via 192.168.200.1 dev eth2 weight 1 nexthop via x.175.244.1 dev eth1 weight 1
 
 iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
 iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
 
 




Re: [LARTC] DNAT and Load Balancing

2007-03-02 Thread Alex Samad
On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
 On 3/2/07, Tom Lobato [EMAIL PROTECTED] wrote:
 
 
 Hi all!
 
 
 After that good thread DGD patch not detecting dead gateway I was
 able to set up a Load Balancing with ping based DGD (without Julian
 Anastasov patch). But now I'm facing a new problem and tried some
 options, with only partial solutions.
 
 I made a script based on
 http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
 you Manish Kathuria), without Julian A. patch, and with routes/rules as
 described in nano.txt. It works fine, but...
 
 The problem: I do DNAT for internet located people to access my LAN
 machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't.
 It appears that the connection from outside can enter, but when reply
 packets try to get back across the nat machine, they fall into the round
 robin default route selection to define their gateway. Well, of course,
 this reply must leave the router via the same interface through which the
 initial packets entered.
 
 
 vnc initial          reply that got
 request packet       the wrong route
       \                ^
        \              /
         v            /
       isp1        isp2        isp3
    _____|___________|___________|_____
   |                                   |
   |               dnat                |
   |___________________________________|
                     ^
                     |
                     v
             LAN station, the
                vnc server
 
 
 
 What I need is a way to force packets to leave the router via the same
 interface through which their request entered.
 I'd like to hear opinions about the problem (and also the solution =).
 Remember, I can't apply the DGD patch from J.A. because it only checks
 the first hop for dead detection.
 I will apreciate any help.
 
 Thank you,
 
 
 
 Tom Lobato
 
 
 
 
 I had overlooked this. I had also faced a similar problem.  There are
 two possible solutions, one is to apply Julian's patches because even

This sounds exactly like my problem until I applied Julian's patch; I would
suggest giving it a try.

 though you are not using the patches for DGD, they do help in making
 NAT processing with multiple gateways work properly. The other option
 is to mark the packets using CONNTRACK. There was a good discussion on
 this topic some days back. You can check the thread using the
 following links to the archives:
 
 http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
 http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
 
 -- 
 Manish Kathuria
 Tux Technologies
 http://www.tuxtechnologies.co.in/
 




Re: [LARTC] DNAT and Load Balancing

2007-03-02 Thread Alex Samad
On Fri, Mar 02, 2007 at 07:34:34PM +0100, francesco messineo wrote:
 I solved this exact problem (with incoming connections on three
 different adsl) markin packets on PREROUTING chain. Obviously with
 three different routing tables.
 
 # incoming connections for DNAT to DMZ need to be marked here in PREROUTING
 iptables -t mangle -N mymark
 iptables -t mangle -F mymark
 # first of all RETURN for local interfaces
 iptables -t mangle -A mymark -i $E0_IF -j RETURN
 iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
 iptables -t mangle -A mymark -i $VPN_IF -j RETURN
 # then mark and save incoming connections from the external universe
 iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
 iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
 iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
 iptables -t mangle -A mymark -j CONNMARK --save-mark
 
 #restore mark before ROUTING decision
 iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
 
 # non marked incoming connections need to be marked (DNAT to DMZ only)
 iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark
 

Hi

I know there was a thread on this method earlier, but has somebody put up a
howto or a wiki page on it?

alex


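The marking scheme francesco describes, combined with a per-connection share of new LAN connections using the iptables 'statistic' match (the alternative Ming-Ching mentions in the split-access thread above), as an added example that is not code from any of the posts. The interfaces, addresses, table numbers, marks and the VNC port forward are assumptions; with DRY_RUN=1 (the default) the script prints the ip and iptables commands instead of executing them:

```bash
#!/bin/sh
# Added example (not code from the thread): mark-based policy routing so a
# connection arriving on one ISP link (DNATed to a LAN host or aimed at the
# router itself) is answered through that same link, plus a per-connection
# share of new LAN connections across the links using the iptables
# 'statistic' match. Interfaces, addresses, table numbers, marks and the VNC
# forward are assumptions for illustration. DRY_RUN=1 (the default) prints
# the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"
LAN_IF="${LAN_IF:-eth0}"
VNC_SERVER="${VNC_SERVER:-192.168.1.10}"
# One entry per uplink: iface:network:local-ip:gateway:table:mark
WANS="${WANS:-eth1:192.168.200.0/24:192.168.200.11:192.168.200.1:101:1 eth2:10.2.3.0/24:10.2.3.107:10.2.3.254:102:2}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Split one WANS entry into ifc net ip gw tbl mark.
split_wan() {
    IFS=: read -r ifc net ip gw tbl mark <<EOF
$1
EOF
}

wan_count() { set -- $WANS; echo $#; }

# One routing table per uplink, reached through the firewall mark (forwarded
# traffic and its replies) or through the source address (traffic the router
# itself generates from that link's address).
setup_routes() {
    for w in $WANS; do
        split_wan "$w"
        run ip route replace "$net" dev "$ifc" src "$ip" table "$tbl"
        run ip route replace default via "$gw" dev "$ifc" table "$tbl"
        run ip rule add fwmark "$mark" lookup "$tbl" pref 100
        run ip rule add from "$ip" lookup "$tbl" pref 200
    done
    run ip route flush cache
}

setup_firewall() {
    n=$(wan_count); i=0
    run iptables -t mangle -N wanmark
    # Every packet first gets its connection's mark back; packets of a known
    # connection are done, only a connection's first packet is classified.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -j wanmark
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # Replies the router generates itself (its own sshd, say) are routed in
    # OUTPUT and need the mark too.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    for w in $WANS; do
        split_wan "$w"
        # Whatever enters on this ISP link is tied to this link's table.
        run iptables -t mangle -A wanmark -i "$ifc" -j MARK --set-mark "$mark"
        # New LAN connections: this link takes every (n-i)th still unmarked
        # one and the last link takes the rest, so each link gets 1/n.
        if [ $((i + 1)) -lt "$n" ]; then
            run iptables -t mangle -A wanmark -i "$LAN_IF" -m conntrack --ctstate NEW \
                -m mark --mark 0 -m statistic --mode nth --every $((n - i)) --packet 0 \
                -j MARK --set-mark "$mark"
        else
            run iptables -t mangle -A wanmark -i "$LAN_IF" -m conntrack --ctstate NEW \
                -m mark --mark 0 -j MARK --set-mark "$mark"
        fi
        # The port forward to the VNC server, and source NAT on the way out.
        run iptables -t nat -A PREROUTING -i "$ifc" -p tcp --dport 5900 \
            -j DNAT --to-destination "$VNC_SERVER"
        run iptables -t nat -A POSTROUTING -o "$ifc" -j SNAT --to-source "$ip"
        i=$((i + 1))
    done
}

setup_routes
setup_firewall
```

Order matters in mangle PREROUTING: the restore comes first so packets of a known connection never reach the classifier, and the save comes last so the mark chosen for a connection's first packet is what every later packet, including the DNATed VNC server's replies, inherits. The script can be re-run from an ip-up or DHCP hook with a new WANS value when a dynamic address changes.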


Re: [LARTC] Re: multiple routing tables for internal router programs

2007-06-13 Thread Alex Samad
On Thu, Jun 14, 2007 at 11:50:30AM +0800, Salim S I wrote:
 I solved it, though it's a bit ugly.
 
 Have two more rules now in ip ru
 
 32150:  from all lookup main
 32201:  from all fwmark 0x200/0x200 lookup wan1_route
 32202:  from all fwmark 0x400/0x400 lookup wan2_route
 32203:  from 10.20.0.137 lookup wan1_route
 32204:  from 10.2.3.107 lookup wan2_route
 32205:  from all lookup catch_all
 32766:  from all lookup main
 
 I did not like to include the WAN IP anywhere, because it may be dynamic, but
 well, seems like no choice.
I ran into the same problem. I capture the link information at ip-up time for
ppp/pppoe and at dhcp time for the cable modem, then I fire off a script that
pulls down all the ip rules and ip routes and builds them from scratch (as well
as the specialised iptables rules). This should only happen when I lose a
connection, so it should be okay.


 
 And then two rules in OUTPUT chain
 iptables -t mangle -A OUTPUT -o eth2 -j LB1
 iptables -t mangle -A OUTPUT -o eth3 -j LB2
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Salim S I
 Sent: Wednesday, June 13, 2007 12:08 PM
 To: 'Peter Rabbitson'
 Cc: lartc@mailman.ds9a.nl
 Subject: RE: [LARTC] Re: multiple routing tables for internal router
 programs
 
 My configuration 
 
 [EMAIL PROTECTED]:~# ip ru
 0:  from all lookup local
 32150:  from all lookup main
 32201:  from all fwmark 0x200/0x200 lookup wan1_route
 32202:  from all fwmark 0x400/0x400 lookup wan2_route
 32203:  from all lookup catch_all
 32766:  from all lookup main
 32767:  from all lookup default
 
 [EMAIL PROTECTED]:~# ip ro li ta main
 192.168.100.0/24 dev eth0  proto kernel  scope link  src 192.168.100.254
 10.20.0.0/24 dev eth2  proto kernel  scope link  src 10.20.0.137
 192.168.1.0/24 dev eth10  proto kernel  scope link  src 192.168.1.254
 10.2.3.0/24 dev eth3  proto kernel  scope link  src 10.2.3.107
 127.0.0.0/8 dev lo  scope link
 
 [EMAIL PROTECTED]:~# ip ro li ta wan1_route
 default via 10.20.0.1 dev eth2  proto static
 [EMAIL PROTECTED]:~# ip ro li ta wan2_route
 default via 10.2.3.254 dev eth3  proto static
 
 [EMAIL PROTECTED]:~# ip ro li ta catch_all
 default  proto static
 nexthop via 10.20.0.1  dev eth2 weight 1
 nexthop via 10.2.3.254  dev eth3 weight 1
 
 The catch_all table comes into play only for local packets. All
 forwarded packets are marked in mangle PREROUTING, with 0x200 or 0x400.
 
 If not the load balancing ping script, there may be other apps using domain
 names instead of IP addresses; they might still fail, right?
 
 The problem happens when one of the links goes down (not the nexthop, but
 after that). Then the kernel will pick an interface and the wrong src IP for
 local packets.
 
 
 -Original Message-
 From: Peter Rabbitson [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, June 12, 2007 7:24 PM
 To: Salim S I
 Cc: lartc@mailman.ds9a.nl
 Subject: Re: [LARTC] Re: multiple routing tables for internal router
 programs
 
 Salim S I wrote:
  Thanks! I get it now.
  But why the src address for the interface is wrong? 
  In my case eth2 has a.b.c.d and eth3 has p.q.r.s.
  
  DNS queries going through eth2 has p.q.r.s as src address and those
  going through eth3 has a.b.c.d. Something wrong with routing?
 
 Possible. Post full configuration and someone might be able to help.
 
  I was wondering how the ping script (to check the link status) of
  others works if a domain name is used.
 
 Don't know about others, and I personally use ip addresses :)
 
 
 




Re: [LARTC] Linux bridging and cascaded switches

2007-06-19 Thread Alex Samad
On Tue, Jun 19, 2007 at 05:54:46PM -0500, Greg Scott wrote:
 Hi -
  
 Still plugging away at my Linux bridge/firewall and thinking through the
 consequences.  In a normal firewall situation, the Internet is on one
 side, the internal LAN on the other. Duh!  But now, with a Linux bridge
 in the middle, the whole thing becomes one big messy LAN.  So we have a
 scenario that looks like this:
 
 Internal---User---Core-Firewall---Internet---Internet router
 Servers   switch  switch  (Bridged)switch   (and default GW for
  internal servers)
 
Out of curiosity, why would you want to bridge at the firewall? Is this meant
to be a drop-in in-line firewall appliance?



 The scenario is a little more complex than I drew above because the
 internal side has more than one LAN segment participating in the bridge.
 I'm working on a way to simulate all this here - before going into
 production - but I have a big question;
 
 That firewall/bridge is no longer a router - it's a bridge.  Well, a
 bridge that also does a bunch of stateful IP layer 3 filtering.  So now,
 it will participate in a spanning tree setup with all those switches, on
 both sides of it - right?  I'm guessing I want to turn off STP in this
 case.  Am I on the right track?

If there is only 1 way to connect from the corporate (private LAN) to the
public (internet) then I don't think you will need STP; it was meant to stop
loops in ethernet segments.

If you have multiple paths you might still need it.


 
 Thanks
 
 - Greg Scott
 




Re: [LARTC] Linux bridging and cascaded switches

2007-06-19 Thread Alex Samad
On Tue, Jun 19, 2007 at 06:35:46PM -0500, Greg Scott wrote:
  out of curiosity why would you want to bridge at the firewall.  is
 this meant to be a drop in-line firewall appliance
 
 Long story but yes, it is essentially a drop in-line system.  It's a
 mess.  
 
 So will that Internet router really see 4 switches - a switch, a
 bridge, and 2 switches - between it and the internal servers?  I don't
 remember all my LAN rules but that feels way too deep to me.  
I think that was the old 5-4-3 rule, or was it 4-3-2... I think that was more
in the days of repeaters and broadcast hubs. Modern-day switches, I believe,
allow for a lot more.

 
 - Greg
 




Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Alex Samad
On Thu, Jun 21, 2007 at 05:35:13PM +0200, Peter Rabbitson wrote:
 Grant Taylor wrote:
 
 I need a way for the Linux kernel to try to use a default gateway and 
 switch to another one if it does not see any traffic.

Should something like this work?

default  proto static  metric 5
        nexthop via 58.173.108.1  dev vlan2 weight 10
        nexthop via 10.20.20.106  dev ppp0 weight 20

and then let the DGD detect dead gateways and drop the relevant route.

 
 I don't know about any working in-kernel solutions, but you can do it 
 trivially with netfilter and a cronjob:
 
 * In netfilter do this:
   -t mangle -N ispA
   -t mangle -A ispA -j RETURN
   -t mangle -N ispB
   -t mangle -A ispB -j RETURN
   -t mangle -A PREROUTING -i $ifA -s ! a.a.a.a/aa -j ispA
   -t mangle -A PREROUTING -i $ifB -s ! b.b.b.b/bb -j ispB
 
 where a.a.a.a and b.b.b.b are subnets describing your first 1 - 2 hops, 
 so traffic from your upstream router will not count.
 
 * Then make a cron job that run this every minute:
   iptables -t mangle -vnxZL isp[AB]
 and will look for the first number on the third line. If it is not 0 - 
 the link is alive, otherwise change the routing tables accordingly.
 
 Of course you can have up to 1 minute of downtime, but it does not look 
 so bad IMO.
 
 HTH
 
 Peter
 


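Peter's cron check as a script, an added example rather than code from the thread. It sets up the counting chains, reads the third line of the chain listing the way the post describes, and points the default route at the first live link in preference order, so the backup only carries traffic while the primary is dead. The chain names, interfaces, gateways and upstream subnets are assumptions; with DRY_RUN=1 (the default) the script prints commands and parses a constructed iptables listing instead of a real one:

```bash
#!/bin/sh
# Added example (not code from the thread): the cron-driven dead-link check
# described above. A mangle chain per ISP counts packets that arrive from
# beyond the first hops; each run lists and zeroes the counters in one
# iptables call, treats a link as alive if its count moved, and points the
# default route at the first live link in preference order (the backup only
# carries traffic while the primary is dead). Chain names, interfaces,
# gateways and upstream subnets are assumptions. DRY_RUN=1 (the default)
# prints commands instead of running them and parses a constructed iptables
# listing instead of a real one.
DRY_RUN="${DRY_RUN:-1}"
# Preferred link first: chain:gateway:interface:upstream-subnet-not-counted
LINKS="${LINKS:-ispA:58.173.108.1:vlan2:58.173.108.0/24 ispB:10.20.20.106:ppp0:10.20.20.0/24}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

split_link() {
    IFS=: read -r chain gw ifc upnet <<EOF
$1
EOF
}

# Counting chains. Packets from the upstream router itself (PPP and DHCP
# chatter) are excluded: they keep flowing even when the ISP has lost its
# own connectivity, which is exactly the failure a next-hop ping misses.
setup_counters() {
    for l in $LINKS; do
        split_link "$l"
        run iptables -t mangle -N "$chain"
        run iptables -t mangle -A "$chain" -j RETURN
        run iptables -t mangle -A PREROUTING -i "$ifc" ! -s "$upnet" -j "$chain"
    done
}

# Output of 'iptables -t mangle -vnxZL <chain>': the first number on the
# third line is the packet count of the RETURN rule, zeroed by the -Z.
chain_listing() {
    if [ "$DRY_RUN" != 1 ]; then iptables -t mangle -vnxZL "$1"; return; fi
    case $1 in
    ispA) cat <<'EOF'
Chain ispA (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     137    11234 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
    ;;
    *) cat <<'EOF'
Chain ispB (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
    ;;
    esac
}

chain_packets() { chain_listing "$1" | awk 'NR == 3 { print $1 }'; }

# True when the chain saw at least one packet since the last run.
link_alive() { p=$(chain_packets "$1"); [ "${p:-0}" -gt 0 ]; }

# The first live LINKS entry in preference order; fails if none is live.
pick_link() {
    for l in $LINKS; do
        split_link "$l"
        if link_alive "$chain"; then echo "$l"; return 0; fi
    done
    return 1
}

# Move the default route to the chosen link. With no live link the routes
# are left alone rather than pointed at nothing.
switch_default() {
    l=$(pick_link) || { echo "no uplink saw traffic, routes unchanged" >&2; return 1; }
    split_link "$l"
    run ip route replace default via "$gw" dev "$ifc"
    run ip route flush cache
}

setup_counters
switch_default
```

Zeroing in the same iptables call is what keeps the check honest: a listing followed by a separate -Z would lose the packets that arrive between the two. The check is also only as good as the traffic it counts: a link with no inbound packets for a whole minute looks dead, so on links that can be idle pair it with a periodic ping sent out over each link.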


Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Alex Samad
On Thu, Jun 21, 2007 at 04:24:19PM -0500, Grant Taylor wrote:
 On 06/21/07 16:01, Alex Samad wrote:
 should something like this work
 
 default  proto static  metric 5
  nexthop via 58.173.108.1  dev vlan2 weight 10
  nexthop via 10.20.20.106  dev ppp0 weight 20
 
 and then let the dgd detect dead gateways and drop the relevant route
 about.
 
 Doesn't this use Equal Cost Multi Path (ECMP) routing?
Sorry, yep, just woken up, reading and answering whilst eating breakfast.

Okay then, why not

default via preferred path
default via backup path metric 100


 
 If so, how does this take in to account that I do not want any of the 
 traffic to run over the backup connection unless the primary is down?
 
 It is my understanding that the weights of an ECMP route are for a 
 fraction of the traffic.  I.e. 10/30 and 20/30 of the traffic will use 
 each of the routes.
 
 (Note:  I state 10/30 and 20/30 because the man page indicates that 
 10/30 does not equal 1/3.  Namely because the kernel creates an in 
 memory route for each weight for each route.  Thus if you use a weight 
 of 10, there will be 10 routes in memory.)
 
 
 
 Grant. . . .
 




Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Alex Samad
On Thu, Jun 21, 2007 at 05:23:23PM -0500, Grant Taylor wrote:
 On 06/21/07 17:18, Alex Samad wrote:
 sorry yep, just woken up, reading and answering whilst eating breakfast
 
 *nod*
 
 okay then why not
 
 default via preffered path
 default via backup path metric 100
 
 I've done that with a metric of 0/1, and 1/2.  The problem that I'm 
 seeing is that the system will never try to use the second metric.  It's 
 as if the system will never go to a next higher metric if it does not 
 receive an error while trying to use a lower metric.
Strange. I am running OpenWrt on a Linksys WRT54GS with 1 cable and 1 ADSL. I
load balance (also have Julian's patches applied; it's 2.4.30). When the routing
notices the link is dead, so if I do an ip li, then it marks the routes as dead
and stops using them; once the interface is brought down the routes disappear.


I haven't followed the DGD threads, but I seem to remember it having some
problem with upstream detection.

You talked about getting OSPF routing for this; is this from the ISP, inbound
as well as outbound? Wouldn't OSPF handle link state as well? (It's been a
while since I looked at OSPF.)


 
 
 
 Grant. . . .
 




Re: [LARTC] 2 ISP connection sharing problem

2007-09-02 Thread Alex Samad
On Sun, Sep 02, 2007 at 03:25:11PM +0500, Arman wrote:
 That's fine, but the primary problem is that only one connection is used at a time,
 and I want to utilize both at the same time. Please guide.
 
 
 -- Forwarded message --
 From: Jorge Evangelista [EMAIL PROTECTED]
 To: lartc@mailman.ds9a.nl
 Date: Sat, 1 Sep 2007 18:33:35 -0500
 Subject: Re: [LARTC] 2 ISP connection sharing problem
 Hi,
 
 You should change your last rule for some as it:
 
 ip route add  equalize default  nexthop via 192.168.1.1 dev eth0
 nexthop via 201.81.219.1  dev eth2
 
 It works fine for load balancing, but when a failure occurs on one
 line, what happens? If one line is down the change is too slow, and
 the cache for the route is still there, and when I want this host again
 the old route goes through the down line.
 
 I have a script which runs via ping and cron; when the next hop is down,
 the Linux box will change to use one line.

I have something similar, but my problem is conntrack/NATting. Once a stream
is up and running, conntrack remembers the external IP and tries to route out
that one until the connection is closed, which it will not be until it gets
an RST/FIN. This can take a while to settle down; wait for all the timers
to run out...

 
 
 
 
 
 
 On 9/1/07, Arman [EMAIL PROTECTED] wrote:
  Hi all,
 
  I have a similar question like  many asked before I know but
 Please
  help as i cant figure out where the problem is and how should I tackle.
 
  I have 2 ISP connections. I want to share the bandwidth from both. I have
  copied the script from many places and created my own after changes.
 Problem
  is that only one connection is utilized at a time. Not both working. ratio
  of consuming bandwisth between then is around 1:30.
 
  both connections are from dhcp that is dynamic. configuration from 1 ISP
  remains same and from 1 changes.
 
  EXTERNAL_IP_2=201.81.219.95
  EXTERNAL_NETWORK_2=201.81.219.0/24
  EXTERNAL_GATEWAY_IP_2=201.81.219.1
 
  echo 200 T1 >> /etc/iproute2/rt_tables
  echo 201 T2 >> /etc/iproute2/rt_tables
 
  # networks need a prefix length, a bare address adds a /32 host route
  ip route add 192.168.1.0/24 dev eth1 src 192.168.1.2 table T1
  ip route add default via 192.168.1.1 table T1
  ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2 table T2
  ip route add default via $EXTERNAL_GATEWAY_IP_2 table T2
 
  ip route add 192.168.3.0/24 dev eth0 table T1
  ip route add 192.168.1.0/24 dev eth1 table T1
  ip route add 127.0.0.0/8 dev lo table T1
  ip route add 192.168.3.0/24 dev eth0 table T2
  ip route add $EXTERNAL_NETWORK_2 dev eth2 table T2
  ip route add 127.0.0.0/8 dev lo table T2
 
  ip route add 192.168.1.0/24 dev eth1 src 192.168.1.2
  ip route add $EXTERNAL_NETWORK_2 dev eth2 src $EXTERNAL_IP_2
 
  ip route add default via $EXTERNAL_GATEWAY_IP_2
 
  ip rule add from 192.168.1.2 table T1
  ip rule add from $EXTERNAL_IP_2 table T2
 
  # 'add' fails with "File exists" because a default route is already there;
  # 'replace' installs the multipath route in its place
  ip route replace default scope global nexthop via 192.168.1.1 dev eth1 weight 1 nexthop via $EXTERNAL_GATEWAY_IP_2 dev eth2 weight 2
 
 
  route command output is
 
  Destination   Gateway        Genmask          Flags  Metric  Ref  Use  Iface
  192.168.1.0   *              255.255.255.255  UH     0       0    0    eth1
  192.168.3.0   *              255.255.255.0    U      0       0    0    eth0
  192.168.1.0   *              255.255.255.0    U      0       0    0    eth1
  201.81.219.0  *              255.255.255.0    U      0       0    0    eth2
  default       201.81.219.1   0.0.0.0          UG     0       0    0    eth2
 
  Problem is that the interface which is set gateway is used only. The other
  one remains idle.
 
  --
  Regards,
  Arman
 






Re: [LARTC] OpenVPN routing

2007-09-10 Thread Alex Samad
On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
 Hi!

 I'm trying to create a routed VPN using OpenVPN - and having trouble with 
 the routing concepts involved.  Let me see if I can properly describe my 
 current topology:

 Server -
 LAN, with both local workstations and remote bridged workstations on the
192.168.0.0/24 network (this works without reservation).
Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few 
 others.
 Routed VPN, 172.27.0.0/16 network.  Server is located at 172.27.0.1.
Server can talk to clients, and clients can talk to server.

 My 1st goal is to allow selected server-side LAN workstations to reach the 
 routed VPN workstations.  The LAN should be invisible to the routed VPN.

 My 2nd goal is to allow selected server-side LAN workstations to reach 
 networks server by routed VPN workstations as gateways [this involves 
 OpenVPN more, I believe].  The LAN should still be invisible to the routed 
 VPN.

 My server routing table is:
 172.27.0.2 dev tun0  proto kernel  scope link  src 172.27.0.1
 192.168.20.0/24 dev vmnet8  proto kernel  scope link  src 192.168.20.1
 10.4.1.0/24 via 172.27.0.2 dev tun0
 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.71
 192.168.0.0/24 dev br1  proto kernel  scope link  src 192.168.0.72
 192.168.30.0/24 dev vmnet1  proto kernel  scope link  src 192.168.30.1
 172.27.0.0/16 via 172.27.0.2 dev tun0
 default via 192.168.0.1 dev eth0

I think you need to use a tap device (I currently have a similar setup, but I
do not hide the LAN; in fact I use OpenVPN to do site-to-site WAN).

By "hide the LAN" you mean you don't want the OpenVPN clients to see the
192.168 addresses? If that is the case, this is more an iptables question: you
will need to NAT the LAN network going out, and if you want inbound traffic you
will need to set up NATting on the way back in as well, static though.

Why do you want to hide the network?

Unless your server is the default gateway for the network you will have to do 1
of 2 things: either set up routing on each client, or update the default gateway
on how to route the packet (i.e. via the server).

Why do the clients (OpenVPN clients) not respond to pings? I would guess again
the usual routing problem. Can you run tcpdump on these machines?


 IP forwarding is enabled on all interfaces, and iptables (by way of 
 firehol) has rules to allow all forwarding between all interfaces.

 If I create a 172.27.0.0/16 route on a LAN workstation, I can ping the 
 server at 172.27.0.1.  But I cannot reach any VPN workstation.  At one 
 time, by playing with some NAT rules, I was able to - but it didn't seem 
 right.

 What am I missing?

 Daniel





Re: [LARTC] OpenVPN routing

2007-09-10 Thread Alex Samad
On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote:
 Alex Samad wrote:
 On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
   
 Hi!

 I'm trying to create a routed VPN using OpenVPN - and having trouble with 
 the routing concepts involved.  Let me see if I can properly describe my 
 current topology:

 Server -
 LAN, with both local workstations and remote bridged workstations on the
192.168.0.0/24 network (this works without reservation).
Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few 
 others.
 Routed VPN, 172.27.0.0/16 network.  Server is located at 172.27.0.1.
Server can talk to clients, and clients can talk to server.

 My 1st goal is to allow selected server-side LAN workstations to reach 
 the routed VPN workstations.  The LAN should be invisible to the routed 
 VPN.

 My 2nd goal is to allow selected server-side LAN workstations to reach 
 networks server by routed VPN workstations as gateways [this involves 
 OpenVPN more, I believe].  The LAN should still be invisible to the 
 routed VPN.

 My server routing table is:
 172.27.0.2 dev tun0  proto kernel  scope link  src 172.27.0.1
 192.168.20.0/24 dev vmnet8  proto kernel  scope link  src 192.168.20.1
 10.4.1.0/24 via 172.27.0.2 dev tun0
 192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.71
 192.168.0.0/24 dev br1  proto kernel  scope link  src 192.168.0.72
 192.168.30.0/24 dev vmnet1  proto kernel  scope link  src 192.168.30.1
 172.27.0.0/16 via 172.27.0.2 dev tun0
 default via 192.168.0.1 dev eth0
 

 I think you need to use a tap device (I currently have a similar setup, 
 but I do not hide the LAN; in fact I use OpenVPN to do site-to-site WAN).

 By "hide the LAN" you mean you don't want the OpenVPN clients to see the 192.168 
 addresses? If that is the case, this is more an iptables question: you will 
 need to NAT the LAN network going out, and if you want inbound traffic you 
 will need to set up NATting on the way back in as well, static though.
   
 So do I need a source NAT directing all traffic intended for 172.27.0.0/16 
 from 192.168.0.0/24 to come from 172.27.0.1?
 why do you want to hide the network - ?
   
 The VPN is to provide me a secure static connection to customer's sites.  
 However, those customers should be able to see neither each other, nor 
 reach our internal LAN - unless the connection is initiated from our side.
Okay, then you just want outbound. Pretend the customer's site is the internet:
SNAT should do it (and a firewall, just to be safe). You should only need one on
the client's OpenVPN side, but because that is not under your direct (physical)
control, I would probably suggest SNATting again on your OpenVPN server, or the
firewall rules.



So

At your site:

* Set routing: either fix up the default route or add routing to each client
  machine (the former being the easier of the 2)
* Set up a firewall
* Set up SNAT, or push a route through to the client ('push route 192.168.8.0
  255.255.252.0', done in the OpenVPN server config; the latter is probably the
  better, stay away from the double NATting)


On the customer site:
* Set up SNAT to hide everything coming from your site behind the local LAN address
* Set up a firewall


So all traffic coming from your site will end up on the customer site with a
local LAN address.

There is no routing back into your LAN, because of a) routing, b) the firewall on
the customer site, c) the firewall on the server.

a & b are easy to get around because they are at the customer site. c is where
your protection is.

Alex




 -- 
 Daniel





Re: [LARTC] OpenVPN routing

2007-09-10 Thread Alex Samad
On Mon, Sep 10, 2007 at 03:48:13PM -0700, Daniel L. Miller wrote:
 Alex Samad wrote:
 On Mon, Sep 10, 2007 at 01:40:29PM -0700, Daniel L. Miller wrote:
   
 Alex Samad wrote:
 
 On Sun, Sep 09, 2007 at 11:36:18PM -0700, Daniel L. Miller wrote:
 
 Hi!

 I'm trying to create a routed VPN using OpenVPN - and having trouble 
 with the routing concepts involved.  Let me see if I can properly 
 describe my current topology:

 Server -
 LAN, with both local workstations and remote bridged workstations on 
 the
192.168.0.0/24 network (this works without reservation).
Server located at 192.168.0.71, 192.168.0.72, 192.168.0.222, and few 
 others.
 Routed VPN, 172.27.0.0/16 network.  Server is located at 172.27.0.1.
Server can talk to clients, and clients can talk to server.

 My 1st goal is to allow selected server-side LAN workstations to reach 
 the routed VPN workstations.  The LAN should be invisible to the routed 
 VPN.

 My 2nd goal is to allow selected server-side LAN workstations to reach 
 networks server by routed VPN workstations as gateways [this involves 
 OpenVPN more, I believe].  The LAN should still be invisible to the 
 routed VPN.
 
 I think you need to use a tap device (I currently have a similar setup, 
 but I do not hide the LAN; in fact I use OpenVPN to do site-to-site WAN).

 By "hide the LAN" you mean you don't want the OpenVPN clients to see the 192.168 
 addresses? If that is the case, this is more an iptables question: you will 
 need to NAT the LAN network going out, and if you want inbound traffic you 
 will need to set up NATting on the way back in as well, static though.
   
 So do I need a source NAT directing all traffic intended for 
 172.27.0.0/16 from 192.168.0.0/24 to come from 172.27.0.1?
 
 Okay, then you just want outbound. Pretend the customer's site is the 
 internet: SNAT should do it (and a firewall, just to be safe). You should 
 only need one on the client's OpenVPN side, but because that is not under 
 your direct (physical) control, I would probably suggest SNATting 
 again on your OpenVPN server, or the firewall rules.
   
 I've put in a snat on the server side - seems to be working fine.
 So 
 At your site

 * Set routing either fix up the default route or add routing to each 
 client  machine (the former being the easier of the 2)
 * Set up a firewall
 * setup SNAT or push a route through to the client 'push route 
 192.168.8.0  255.255.252.0' - done in the openvpn server config (the 
 later is probably the better - stay away from the double natting )


 On the customer site:
 * Set up SNAT to hide everything coming from your site behind the local LAN 
 address
 * Set up a firewall

 So all traffic coming from your site will end up on the customer site with 
 a local lan address.

 There is no routing back into your lan, because of a) routing b) firewall 
 on the customer site c) firewall on the server.

 a & b are easy to get around because they are at the customer site. c is 
 where your protection is.
   
 Customer's site is not under my control - and running Windows, so my linux 
 options are rather limited <g>.  So I need to do everything within the 
 server and OpenVPN.  I CAN push a route to the client - but I still don't 
 see why I need to share my LAN information with the clients at all - I just 
 need the OpenVPN client to be a gateway for the VPN and forward VPN traffic 
 from the remote network.
If you are using SNAT you shouldn't.

If you have set up an IP network for the VPN, i.e. if your server IP address is not 
in the network for the customer, you will need SNAT'ing there, else the client 
machine will not know how to get back.





 -- 
 Daniel



___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
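The server-side setup Alex describes (SNAT the selected LAN workstations to the server's VPN address, and a firewall on the server so nothing from the VPN can route back into the LAN) as an added example; this is not code from the thread or from OpenVPN. It assumes the addresses quoted above (192.168.0.0/24 LAN with hosts .71, .72 and .222 allowed; 172.27.0.0/16 VPN with the server at 172.27.0.1), that eth0 is the LAN interface and tun0 the OpenVPN interface, and that iptables is the firewall tool. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the list or from OpenVPN): forward only the listed
# LAN workstations into the routed VPN, SNAT them to the server's VPN address
# so the VPN never sees a 192.168.0.x address, and block VPN->LAN connections.
IPT="${IPT:-iptables}"                    # IPT=echo previews the rules
LAN_IF="${LAN_IF:-eth0}"                  # assumed LAN interface name
VPN_IF="${VPN_IF:-tun0}"                  # assumed OpenVPN "dev tun" interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"
VPN_NET="${VPN_NET:-172.27.0.0/16}"
VPN_ADDR="${VPN_ADDR:-172.27.0.1}"        # server's address inside the VPN
ALLOWED_HOSTS="${ALLOWED_HOSTS:-192.168.0.71 192.168.0.72 192.168.0.222}"

# LAN -> VPN: one ACCEPT and one SNAT rule per permitted workstation. After
# SNAT the VPN side only ever sees 172.27.0.1, so no LAN address or route has
# to be disclosed to the clients.
lan_to_vpn_rules() {
    for host in $ALLOWED_HOSTS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$host" -d "$VPN_NET" -j ACCEPT
        $IPT -t nat -A POSTROUTING -o "$VPN_IF" -s "$host" -d "$VPN_NET" \
            -j SNAT --to-source "$VPN_ADDR"
    done
}

# VPN -> LAN: only replies to connections the LAN opened are let back through;
# any new connection from the VPN towards the LAN is dropped. This is the
# "c) firewall on the server" protection the thread relies on.
vpn_to_lan_rules() {
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -d "$LAN_NET" -j DROP
}

# Catch-all for the LAN side: a workstation not in ALLOWED_HOSTS cannot reach
# the VPN at all. Must come after the per-host ACCEPT rules.
lan_default_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$VPN_IF" -j DROP
}

apply_lan_vpn_rules() {
    lan_to_vpn_rules
    vpn_to_lan_rules
    lan_default_rules
}

# Only touch the live ruleset when explicitly asked: APPLY_RULES=1 sh this.sh
if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_lan_vpn_rules
fi
```

Rule order matters: the per-host ACCEPT rules are appended before the catch-all DROP, and the SNAT happens in nat POSTROUTING, after the forwarding decision, so the FORWARD rules still match on the real 192.168.0.x source. The server also needs net.ipv4.ip_forward=1, which the thread already assumes since it routes the VPN.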


[LARTC] scraping data from tc rules

2007-10-12 Thread Alex Samad
Hi

Currently I use snmp to scrape information from my router about its interfaces; 
does anyone have an easy way of scraping information from tc rules to place 
into a rrd db?

Do I need to put together a perl script to extract it from the output?

Alex


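One way to scrape the tc counters without a full Perl script, as an added example that is not from the list: an awk parser wrapped in shell functions, with an optional rrdtool consumer. The sample tc output below is constructed to resemble `tc -s class show dev eth0` on an HTB tree; the exact layout differs between iproute2 versions (older ones print "pkts" and omit "requeues"), so the parser relies only on the "class/qdisc <kind> <handle>" header and the "Sent N bytes M pkt (dropped D, overlimits O ..." line that every version prints. The rrdtool update assumes RRD files that already exist with two COUNTER data sources, bytes then packets.

```shell
#!/bin/sh
# Added example (not from the list): turn `tc -s` output into one line per
# class/qdisc, "<handle> <bytes> <packets> <dropped> <overlimits>", ready for
# rrdtool or any other collector.
TC="${TC:-tc}"
RRDTOOL="${RRDTOOL:-rrdtool}"

# Reads tc -s output on stdin. Only the header line and the "Sent ..." line are
# used; everything else (rate, backlog, tokens) is ignored.
parse_tc_stats() {
    awk '
        /^(class|qdisc) / { handle = $3 }      # e.g. "class htb 1:10 parent 1:1 ..."
        /^ *Sent [0-9]+ bytes [0-9]+ pkts? / {
            dropped = $0; sub(/.*dropped /, "", dropped); sub(/[^0-9].*/, "", dropped)
            over    = $0; sub(/.*overlimits /, "", over); sub(/[^0-9].*/, "", over)
            printf "%s %s %s %s %s\n", handle, $2, $4, dropped, over
        }'
}

# Live use: every class on a device, e.g. collect_tc_stats eth0
collect_tc_stats() {
    $TC -s class show dev "$1" | parse_tc_stats
}

# Feeds each class into its own RRD under $2, named after the handle
# (1:10 -> 1_10.rrd). Assumes the RRDs exist with COUNTER DSes bytes, packets.
update_rrds() {
    collect_tc_stats "$1" | while read -r handle bytes pkts dropped over; do
        $RRDTOOL update "$2/$(printf '%s' "$handle" | tr : _).rrd" "N:$bytes:$pkts"
    done
}

# Constructed sample resembling `tc -s class show dev eth0` on an HTB tree.
SAMPLE_TC_OUTPUT='class htb 1:1 root rate 100000Kbit ceil 100000Kbit burst 1600b cburst 1600b
 Sent 987654321 bytes 654321 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 2000 ctokens: 2000

class htb 1:10 parent 1:1 prio 0 rate 50000Kbit ceil 100000Kbit burst 1600b cburst 1600b
 Sent 123456 bytes 789 pkt (dropped 12, overlimits 34 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 789 borrowed: 0 giants: 0
 tokens: 2000 ctokens: 2000
'

# Parses the constructed sample; prints "1:1 987654321 654321 0 0" and
# "1:10 123456 789 12 34".
parse_sample() {
    printf '%s' "$SAMPLE_TC_OUTPUT" | parse_tc_stats
}
```

The byte and packet values are monotonically increasing counters, which is why the RRD data sources should be COUNTER (or DERIVE) rather than GAUGE; rrdtool then computes the rate per interval the same way an SNMP interface counter is handled.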


Re: [LARTC] Routing public IP's through a gateway

2007-10-14 Thread Alex Samad
On Sun, Oct 14, 2007 at 11:07:10PM +1000, Tim Groeneveld wrote:
 Greeting all,
 
 I have a bit of a complicated question.
 
 I have two ethernet devices, eth1 and eth2.
 
 eth1 is where my internet comes from. It is in the form of 
 202.172.122.208/29. 
 It has another IP range, 202.172.122.72/29. What I want to be able to do is 
 route 202.172.122.72/29 to eth2, so that other machines can use those IPs, 
 any ideas on how to do this, I cannot work out how to do this.
You haven't made it too clear what exactly you are trying to do; from what I 
gather this should work on your linux box


ip route add 202.172.122.72/29 dev eth2

Does your isp route 202.172.122.72/29 to you ?

 
 eth2 has a DHCP server, which only gives out IPs 202.172.122.74 to 
 202.172.122.76.
 
 eth1 is basically just hooked into my internet router, while eth2 is hooked 
 into a switch, and will be used for other computers.
 
 If anyone could help me with this setup, I would more than appreciate it.
 
 Thank you very much,
 
  - Tim Groeneveld
 
 --
 
 Need hosting for your next Open Source project? why not try ShareSource? 
 www.sharesource.org








Re: [LARTC] One machine, two net feeds, outbound route selection

2007-10-25 Thread Alex Samad
On Thu, Oct 25, 2007 at 02:00:14PM -0400, Ben Scott wrote:
 On 10/25/07, Peter Rabbitson [EMAIL PROTECTED] wrote:
  Unfortunately not easy without doing local NAT (from the local interface
  to another local interface).

Can you use marking: mark the packet in the mangle table, use iptables to select 
which packets, and then use ip rules fwmark -> routing table (sorry about 
the syntax)



 
   I thought that might be the case.  I even started to write a rule
 about how the NAT might work... but then I ran into brain pain trying
 to figure out how, because I didn't know when the packets get what
 address/interface info assigned to them, and I didn't know how SNAT
 would interact with the routing tables.  Normally, I do SNAT in the
 POSTROUTING chain, but by then the routing rules have already run,
 right?  So the packet would still be bound for the wrong interface,
 even if the source address is translated.  No?
 
   In other words, let's say $DEF_ADDR is the IP address of the
 interface that is going to be picked by the default routing table, but
 I really want the packets to go out the $ALT_ADDR interface.  So I try
 this:
 
 iptables -t nat -A POSTROUTING -s $DEF_ADDR -p tcp --dport smtp -j SNAT --to $ALT_ADDR
 
   But the whole point of changing the source address/interface is to
 influence which routing rules match, and those have already been
 applied by the time the packet transverses the POSTROUTING chain,
 right?  In any event, that didn't work.
 
   So then I thought, well, maybe I can do SNAT in the PREROUTING chain
 for this?  But in that case, the kernel won't have assigned it an
 address yet, right?  So there's nothing to SNAT.  And I can't do -s
 0/0 because that actually means match all packets, right?
 
   So then I thought, well, maybe I can mark the packet in the OUTPUT
 chain of the mangle table, and match that in the routing rules, and
 *also* match that in the POSTROUTING chain:
 
 iptables -t mangle -A OUTPUT -s $DEF_ADDR -p tcp --dport smtp -j MARK --set-mark 42
 ip rule add fwmark 42 table 42
 iptables -t nat -A POSTROUTING -m mark --mark 42 -j SNAT --to-source $ALT_ADDR
 
   I think I tried that and it didn't work either.  It was getting late
 and my maintenance window was closing and my brain hurt.
 
   If this is just one of those "you can't do that" situations, I'm
 willing to accept that answer.  But if there is a way, I'd like to
 know what it is.  :)
 
 -- Ben
 


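A worked layout of the fwmark approach Alex suggests, as an added example; it is not Ben's or Alex's configuration and does not claim to explain why Ben's attempt failed. It assumes two uplinks, eth0 carrying the default route and eth1 the alternate one, constructed addresses 203.0.113.10 (ours on eth1) and 203.0.113.1 (the eth1 gateway), mark and table number 42 as in Ben's post, and iptables plus iproute2 as the tools. Setting IPT=echo and IP=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): send locally generated SMTP out the
# second uplink with fwmark + policy routing + SNAT. Addresses are constructed.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"                          # IPT=echo IP=echo previews the commands
ALT_IF="${ALT_IF:-eth1}"                # the uplink that is NOT the default route
ALT_ADDR="${ALT_ADDR:-203.0.113.10}"    # our address on that uplink (constructed)
ALT_GW="${ALT_GW:-203.0.113.1}"         # its gateway (constructed)
MARK="${MARK:-42}"                      # mark and table numbers as in Ben's post
TABLE="${TABLE:-42}"

# 1. The alternate table needs only a default route via the second gateway.
#    Populate it before adding the rule so the rule never points at an empty table.
alt_table_rules() {
    $IP route replace default via "$ALT_GW" dev "$ALT_IF" table "$TABLE"
    $IP rule add fwmark "$MARK" table "$TABLE" priority 1000
}

# 2. Locally generated packets traverse mangle OUTPUT and are then re-routed,
#    so a mark set here is what "ip rule ... fwmark" sees. This matches on the
#    destination port only; add "-s $DEF_ADDR" (Ben's form) to narrow it.
mark_rules() {
    $IPT -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark "$MARK"
}

# 3. Re-routing changes the outgoing interface but not the source address the
#    stack already chose, so without SNAT the packet would leave eth1 carrying
#    the other uplink's address. Rewrite it in nat POSTROUTING; conntrack maps
#    the replies back.
snat_rules() {
    $IPT -t nat -A POSTROUTING -o "$ALT_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$ALT_ADDR"
}

apply_alt_uplink_rules() {
    alt_table_rules
    mark_rules
    snat_rules
    $IP route flush cache    # needed on pre-3.6 kernels (route cache); harmless later
}

# Only touch the live configuration when explicitly asked: APPLY_RULES=1 sh this.sh
if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_alt_uplink_rules
fi
```

To check the pieces independently: `ip rule show` should list the fwmark rule ahead of the main table, `ip route show table 42` should show the single default route, and `iptables -t mangle -L OUTPUT -v` / `iptables -t nat -L POSTROUTING -v` show whether the mark and SNAT counters move when a test SMTP connection is made. If the counters move but the traffic still leaves the default uplink, the table lookup is what to examine, not the NAT.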


Re: [LARTC] PAT HOW to - IPTABLES

2007-12-10 Thread Alex Samad
On Mon, Dec 10, 2007 at 04:09:52PM +0530, Indunil Jayasooriya wrote:
 
 
 
  see cache_peer !!
 
  squid can load balance between 3 servers and cache it !!
 
  run squid on your box with real ip..
 
  Thanks for your quick answer. I know about reverse proxy. I wanted to know
  that without squid, whether iptables it self can handle this situation.
 
 
 Suppose, I have 3  mail servers @ DMZ zone with one real ip. the situation
 as before?
 
 in that case, What can I do?
You could use exim/postfix and route the mail to the right server, but I guess 
you are trying to find out how to have port 25 on the real IP NAT'ed to one of 
the 3 DMZ'ed IPs based upon the destination mail address.

Short answer: you can't, as far as I know; iptables only looks at src ip / src 
port & dest ip / dest port.  You could write your own plugin module to look into 
the tcp stream.

 
 
 Hope to hear form you.
 
 
 -- 
 Thank you
 Indunil Jayasooriya






Re: [LARTC] PAT HOW to - IPTABLES

2007-12-11 Thread Alex Samad
On Tue, Dec 11, 2007 at 12:19:22AM +0100, Radek 'Goblin' Pieczonka wrote:

 Suppose, I have 3  mail servers @ DMZ zone with one real ip. the situation
 as before?

 in that case, What can I do?
 
 You could use exim/postfix and route the mail to the right server, but I 
 guess you are trying to find out how to have port 25 on the real IP NAT'ed 
 to one of the 3 DMZ'ed IPs based upon the destination mail address.

 Short answer: you can't, as far as I know; iptables only looks at src ip / 
 src port & dest ip / dest port.  You could write your own plugin module to 
 look into the tcp stream.
   

 Based upon destination email address/domain, it could be done by postfix and 
 transports for selected mail/domain to selected server. But there is also a 
 possibility of load balancing and failover for a set of domains with all 
 servers working with all the domains, for HA and flexibility of computing 
 power; then I'd say take a look at keepalived for both those features. For 
 http traffic it's actually the same, and also you can consider the apache 
 reverse proxy feature.
He only has 1 real IP.

[silly idea]
Of course you could be really tricky and use an ipv6 to ipv4 address and name all 
the DMZ servers with ipv6 (in DNS as well), really relying upon clients to be 
ipv6 enabled.
[/silly idea]


 -- 
 Radek aka Goblin





RE: [LARTC] List fault?

2011-05-04 Thread Alex Samad
+1

-Original Message-
From: lartc-boun...@mailman.ds9a.nl [mailto:lartc-boun...@mailman.ds9a.nl] On 
Behalf Of Russell Stuart
Sent: Thursday, 5 May 2011 9:41 AM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] List fault?

On Wed, 2011-05-04 at 14:24 -0500, Grant Taylor wrote: 
 All in favor?
 
 Any one against?

In favour.


