[LARTC] Openvpn routing problem

2007-03-15 Thread Peter Rabbitson
Hi, I posted this question yesterday on the Openvpn mailing list, with no response, figured I will ask here too. I have been using openvpn for quite a while, no major problems encountered. Now I need to allow the server to access the lan of the client, and I can not figure out the routing. T

Re: [LARTC] Load balancing using connmark

2007-05-09 Thread Peter Rabbitson
Francis Brosnan Blazquez wrote: > Hi, > > I've been implementing a load balancing solution using CONNMARK, based > on solution described by Luciano Ruete at [1]. Thanks for the post and for > pointing in the right direction Luciano! > > Once implemented, I've found that due to some reason packets

Re: [LARTC] Load balancing using connmark

2007-05-10 Thread Peter Rabbitson
Salim S I wrote: > Francis Brosnan Blazquez wrote: > >> Hi, > >> > >> I've been implementing a load balancing solution using CONNMARK, based > >> on solution described by Luciano Ruete at [1]. Thanks for the post and for > >> pointing in the right direction Luciano! > >> > >> Once implement

Re: [LARTC] Load balancing using connmark

2007-05-10 Thread Peter Rabbitson
Peter Rabbitson wrote: > ... > In the case of _local_ traffic - it becomes even trickier. The problem > is that when sockets are created they already have a source IP (the > kernel determines that by looking at the default routing table, your > marks do not exist yet). This is

Re: [LARTC] Load balancing using connmark

2007-05-10 Thread Peter Rabbitson
Salim S I wrote: > Let me explain why the marking is done in POSTROUTING. > > want, letting the kernel decide based on the weights. (some people do > think that we shouldn't let multipath decide routing, but thatz a > different story). I apologize, as I am one of these people, and subsequently as

[LARTC] Multihome load balancing - kernel vs netfilter

2007-05-13 Thread Peter Rabbitson
Hi, I have searched the archives on the topic, and it seems that the list gurus favor load balancing to be done in the kernel as opposed to other means. I have been using a home-grown approach, which splits traffic based on `-m statistic --mode random --probability X`, then CONNMARKs the individual

Re: [LARTC] Multihome load balancing - kernel vs netfilter

2007-05-14 Thread Peter Rabbitson
Salim S I wrote: >> -Original Message- >> From: [EMAIL PROTECTED] >> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rabbitson >> Sent: Monday, May 14, 2007 1:57 PM >> To: lartc@mailman.ds9a.nl >> Subject: [LARTC] Multihome load balancing - kernel vs net

Re: [LARTC] Multihome load balancing - kernel vs netfilter

2007-05-14 Thread Peter Rabbitson
ound that even with multipath method, there IS a > need for reconfiguration. Got you. This pretty much answers my original question. Thank you for your time. > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Peter Rabbitson > Sent: Mond

Re: [LARTC] Multihome load balancing - kernel vs netfilter

2007-05-29 Thread Peter Rabbitson
Salim S I wrote: -Original Message- From: Luciano Ruete [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 30, 2007 11:46 AM To: Salim S I Subject: Re: [LARTC] Multihome load balancing - kernel vs netfilter On Tuesday 29 May 2007 03:16:47 you wrote: None of the load balancing techniques I

Re: [LARTC] Re: multiple routing tables for internal router programs

2007-06-12 Thread Peter Rabbitson
Andrea wrote: This is the exact way that I used for managing traffic of my lan towards ISPs. But is this mode still valid if I want to manage services executed directly in the router? this rule: iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1 capture all (web) tra

Re: [LARTC] Re: multiple routing tables for internal router programs

2007-06-12 Thread Peter Rabbitson
Andrea wrote: Very very clear. Thanks very much!!! The only still obscure aspect for me is this: >you can request a specific interface (what you would do with the ping script) Check the man page of ping, and look for the '-I' option. Most network testing utilities have this capability in o

Re: [LARTC] Re: multiple routing tables for internal router programs

2007-06-12 Thread Peter Rabbitson
Salim S I wrote: Here is my issue with ping. When I use -I with ping, the DNS queries for that domain are still sent out with wrong source address through the interface, and hence, no reply. This happens in both WAN interfaces. When I add rules in OUTPUT chain to reroute packets with the unmatchi

Re: [LARTC] Re: multiple routing tables for internal router programs

2007-06-12 Thread Peter Rabbitson
Salim S I wrote: Thanks! I get it now. But why is the src address for the interface wrong? In my case eth2 has a.b.c.d and eth3 has p.q.r.s. DNS queries going through eth2 have p.q.r.s as src address and those going through eth3 have a.b.c.d. Something wrong with routing? Possible. Post full c

Re: [LARTC] Re: multiple routing tables for internal router programs

2007-06-14 Thread Peter Rabbitson
Salim S I wrote: I solved it, though a bit ugly. Sorry I didn't answer earlier. Can you post your iptables rules too, the routing alone is not sufficient. If your setup is confidential at least show all statements that set MARKs one way or another. What you did is strange, but it might ver

Re: [LARTC] Re: multiple routing tables for internal router programs

2007-06-14 Thread Peter Rabbitson
Salim S I wrote: NATing is done with MASQUERADE, not SNAT, I use another MARK for it, but in essence it is -o eth2 -j MASQUERADE -o eth3 -j MASQUERADE In addition, there are several other MARKs for policy routing. They have their own routing tables also. But at present, they are all empty.

Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Peter Rabbitson
Grant Taylor wrote: I need a way for the Linux kernel to try to use a default gateway and switch to another one if it does not see any traffic. I don't know about any working in-kernel solutions, but you can do it trivially with netfilter and a cronjob: * In netfilter do this: -t ma

Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Peter Rabbitson
Grant Taylor wrote: On 06/21/07 10:35, Peter Rabbitson wrote: I don't know about any working in-kernel solutions, but you can do it trivially with netfilter and a cronjob: If I understand what you are proposing correctly, it looks like you are jumping to a sub-chain used onl

Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Peter Rabbitson
Grant Taylor wrote: On 06/21/07 11:00, Peter Rabbitson wrote: Ah, here is part of the problem. (eth1) --- (DSL Modem) / DSL Gateway Server --- (DMZ) --- (Linux Router) (eth2) --- (Cable Modem / Cable Gateway Note: Globally routable DMZ

Re: [LARTC] Redundant internet connections.

2007-06-21 Thread Peter Rabbitson
Grant Taylor wrote: No, again, if you are dealing with modem router combos, I'll grant you what you say, but not on bridging modems. *nod* I had several cases when my ISP had problems like the one you describe below, so the first 2 hops were pingable but nothing outside. This is why I suggest

Re: [LARTC] Load Balance and SNAT problem.

2007-06-25 Thread Peter Rabbitson
Grant Taylor wrote: Could you give me a suggestion? Thanks. Do not use this method to load balance. Look in to Equal Cost Multi Path (a.k.a. ECMP) routing and specifying multiple default gateways on one route command. The kernel should try to load balance across the multiple default gate

Re: [LARTC] Load Balance and SNAT problem.

2007-06-26 Thread Peter Rabbitson
Grant Taylor wrote: First and foremost: It did not cover the reason "... route caching will kill ..." to my satisfaction like you indicated. Can you elaborate on this? My only issue with the kernel route balancing is that route caching can not be disabled entirely, so traffic to the same sit

Re: [LARTC] Load Balance and SNAT problem.

2007-06-26 Thread Peter Rabbitson
Salim S I wrote: The caching is per destination and source ip. TOS, fwmark and input interface too, if present. Interesting... It definitely did not work in my scenario though. I am going to test this again in the near future, and if you are right I will rest my case. Routing with netfilte

Re: [LARTC] Load Balance and SNAT problem.

2007-06-26 Thread Peter Rabbitson
Grant Taylor wrote: On 6/27/2007 12:54 AM, Peter Rabbitson wrote: I am actually simply jealous that some people apparently get it to work in-kernel, and I can't seem to. Ah, so the truth comes out. ;) Hehe My requirements are pretty simple: o As transparent as possible DGD, tha

Re: [LARTC] Load Balance and SNAT problem.

2007-06-27 Thread Peter Rabbitson
Grant Taylor wrote: Well let me take a moment to be sure we are thinking the same thing. You want the kernel to be able to realize that one route through a given default gateway is no good for a given destination and use a different default gateway even though the kernel can reach other destina

Re: [LARTC] Load Balance and SNAT problem.

2007-06-27 Thread Peter Rabbitson
Grant Taylor wrote: On 6/27/2007 3:03 AM, Peter Rabbitson wrote: I want the kernel to be able to realize that a gateway is no good for any destinations other than the specified netblock. Would it be fair to say that you are wanting an administratively configurable "ignore addresses that

[LARTC] Policy routing question

2007-08-13 Thread Peter Rabbitson
Hi, I have a testing multihome setup, with the default gateway being one of the links and using policy routing to honor requests for a specific link. Everything works as expected when I request a specific IP to bind to. But if I request a specific interface things fall apart in ways that I ca

Re: [LARTC] Policy routing question

2007-08-22 Thread Peter Rabbitson
exit(2); } } else { perror("connect"); exit(2); } } alen = sizeof(source); if (getsockname(probe_fd, (struct sockaddr*)&source, &alen) == -1) {

Re: [LARTC] Dead Gateway Detection & BGP

2007-08-27 Thread Peter Rabbitson
Grant Taylor wrote: I myself and the company that I work for want to offer as much back to the community as it has offered to us. My company has invested time and money I am curious what the community's reaction is to this and ask for and encourage responses with regards to when is it app

[LARTC] Yet another shaping question

2007-09-16 Thread Peter Rabbitson
Hello list, I need to realize a complicated custom shaping setup, and given very little experience with shaping I just can't wrap my head around it. I am not seeking a complete script, I just need an idea/a set of pointers on how to best subdivide traffic accordingly to my needs, and which shaper

[LARTC] TC basic match problems

2007-10-17 Thread Peter Rabbitson
Hello, I am attempting to match on a single bit of the NF mark value, and after hours of reading and googling I can not get the syntax right. It got to be something very simple, yet I can't find it. Any help will be greatly appreciated. Thanks! [EMAIL PROTECTED]:/etc/init.d# tc filter add d

Re: [LARTC] TC basic match problems

2007-10-18 Thread Peter Rabbitson
Michal Soltys wrote: Peter Rabbitson wrote: Hello, I am attempting to match on a single bit of the NF mark value, and after hours of reading and googling I can not get the syntax right. It got to be something very simple, yet I can't find it. Any help will be greatly appreciated.

HTB Ceil (was: [LARTC] Yet another shaping question)

2007-10-20 Thread Peter Rabbitson
Lately I had time to make some progress on the problem stated at the start of this thread. Now however I am facing a problem with HTB not working correctly. Since I use the same rules on multiple interfaces, I use the same impossibly high ceil for all of them (1Gbyte), and rely on priorities in

Re: [LARTC] Tc Filter - Port Ranges Calculate Mask Value

2007-10-23 Thread Peter Rabbitson
anshul makkar wrote: Hi, I need to support port ranges in tc filter rules. I know how to formulate the rule, but I am not able to understand how to calculate the mask value for a particular range so as to segregate the port values that lie within this range. I got the following sample "tc f

Re: [LARTC] One machine, two net feeds, outbound route selection

2007-10-25 Thread Peter Rabbitson
Ben Scott wrote: I can't bind Sendmail's outgoing SMTP client mailer to a specific interface, because it has to be able to forward mail on to inside systems, too. Of course you can. Remember that the kernel knows about both networks - the internal and external ones. Once you bind to the e

Re: [LARTC] One machine, two net feeds, outbound route selection

2007-10-25 Thread Peter Rabbitson
Ben Scott wrote: Now, for the sake of knowledge, let us say that a piece of needed software didn't have an option to bind to a specific interface. Would it be possible to control the outgoing route/interface anyway, by using iptables or some other mechanism external to the software? For examp

Re: [LARTC] TC (HTB) doesn't work well when network is congested?

2007-10-25 Thread Peter Rabbitson
William Xu wrote: Hi, I have a server and ten clients in a Gigabit network. The server has 125mbps network bandwidth. I want the server to have 40Mbps of bandwidth reserved for client 1 (IP 192.168.5.141), and the rest of the bandwidth is for all other clients. I ran a test in which all 10 clients

Re: [LARTC] TC (HTB) doesn't work well when network is congested?

2007-10-25 Thread Peter Rabbitson
William Xu wrote: So TC works well as long as total bandwidth is below 90MB/s, which is about 70% of the wise speed. Is it possible that I can use the full bandwidth (122MB/s) in my script? In order to troubleshoot further more info is needed: 1) execute your script with 120MB/s as limit 2)

Re: [LARTC] One machine, two net feeds, outbound route selection

2007-10-25 Thread Peter Rabbitson
Ben Scott wrote: On 10/25/07, Peter Rabbitson <[EMAIL PROTECTED]> wrote: Unfortunately not easy without doing local NAT (from the local interface to another local interface). I thought that might be the case. I even started to write a rule about how the NAT might work... but then

Re: [LARTC] TC (HTB) doesn't work well when network is congested?

2007-10-26 Thread Peter Rabbitson
William Xu wrote: Hi Peter, thanks for looking at this. Here are the information I got after running tests. The client1 got 7MB/s instead of 40MB/s for SEND, and 40MB/s for RECV during the test. Thanks, william # ip link show ... 5: eth2: mtu 9000 qdisc htb qlen 1000 link/ether 00:e0:ed

Re: [LARTC] Multiple routing query

2007-12-04 Thread Peter Rabbitson
Mike Harris wrote: I test this using ping but it doesn't seem to work properly, whichever interface is set as the default route becomes just that. So 'ping -I eth0 lartc.org' works but 'ping -I eth1 lartc.org' doesn't. The source selection code of the ping binary is broken. Try -I 86.54.82.14

[LARTC] MARK target question

2004-05-08 Thread Peter Rabbitson
This is more of a NF question but it is tightly related to LARTC as well. In the following example: -t mangle -A PREROUTING -i eth0 -j MARK 0x1 -t mangle -A INPUT -i eth0 -j MARK 0x2 Since MARK is a non-terminating target, what would be the resulting mark on a packet coming from the outs

[LARTC] T1 (hardware pre-shaped) shaping question

2004-05-03 Thread Peter Rabbitson
Hello list. I have been trying to figure this out on my own, but I guess I somewhat failed :) A linux router with external eth0 and internal eth1 acts as a gateway for a number of machines utilizing a partial T1 line (512kbps). Since the T1 is limited by hardware and by its nature to 64kbps per cha