Re: multihomed linux box
sorry bout the long delay my mail server decided to die on me a couple
days ago..copy/pasted your reply from the archives.

> GNU Zebra :)

i'll check that out.

> Oh, and I have good news: in my *limited* testing, your trick with the
> metrics works fine: I remotely disabled one of the internet connections
> at work, and the Linux firewall *automatically* switched over to use one
> of the other internet connections. Thanks to the magic of policy routing
> I stayed in contact with the firewall the whole time :)

i didn't. i just tried it.

> I do, however, have rp_filter turned off (ie I have spoofprotect=no in
> /etc/network/options).

i tried that too. my config

iface eth0 inet static
    address 10.121.110.35
    netmask 255.255.255.224
    network 10.121.110.0
    broadcast 10.121.110.255
    gateway 10.121.110.33

iface eth1 inet static
    address 10.113.243.240
    netmask 255.255.255.224
    network 10.113.243.0
    broadcast 10.113.243.255
    gateway 10.113.243.225

Router A Ethernet0 address: 10.121.110.33
Router B Ethernet0 address: 10.113.243.225

i set in /etc/network/options:

ip_forward=yes
spoofprotect=no
syncookies=yes

(tried both ip_forward on and off)

restarted, /etc/init.d/network restart

could no longer ping 10.113.243.225, can get out onto the net via
10.121.110.33 no problem. once i unplug router A, all network activity
stops. nothing can get in/out. if i did an ifconfig eth0 down, i could
access 10.113.243.225

any changes to my config that you can recommend to me?

i'll see if i can find that GNU zebra

thanks!

nate
Re: multihomed linux box
> hi ya aphro/phil
>
> this same almost exact same concept just went thru the firewall mailing
> list - same conclusions...
>
> their ideas is to let the routers do the NATing and Load balance the
> external routes using EIGRP or OSPF

yeah my routers do NAT already. and i do have failover for outgoing on
NAT but i haven't gotten around to figuring out how to do failover
nat(which seems to require dynamic NAT) combined with static NAT. a CCNA
friend of mine works with a CCNP and he said its possible and would look
at my config files to see what can be done but, i really expected this
to be simple in linux! so until i figure out how to somehow combine
dynamic and static nat on my cisco 2500s then i cant do failover for
static nat entries(which my machines are on).

nate
Re: multihomed linux box - dual t1
> hi ya...
>
> think theres lots of folks with dual t1...
>
> for outgoing traffic... think the routing and metrics might work..

yeah all im concerned about is outgoing traffic.

> for incoming traffic... we'd need all kinds of whacky work arounds
> or an autonomous ip# routable by either isp...

yeah, too messy for me :)

> - pacbell ( SF bay area ) had a major fiber ring outage about a month
>   ago where the main fiber was cut late one afternoon ...

i remember when global crossing had their fiber cut last july i
think...wow..took out most of the west coast :)

thanks

nate
Re: multihomed linux box - dual t1
> No workarounds. Policy routing :)

how does that work though? the rest of the world has to know how to
route to you..without that information i cant imagine a thing in the
world you can do on a server to advertise you :)

i can't believe this is such a difficult routing thing for the kernel to
do..the metrics should work but they don't. from the docs i see that the
kernel ignores it. (it says 2.0.x kernels used it) maybe if i switched
to a 2.0 kernel it would work ;)

ill try that networking option you mentioned though. i wont be able to
unplug that other t1 till i get back to the office tomorrow though.

thanks!

nate
Re: multihomed linux box - dual t1
A long time ago, in a galaxy far, far away, someone said...

> how does that work though? the rest of the world has to know how to
> route to you..without that information i cant imagine a thing in the
> world you can do on a server to advertise you :)

It works very easily.

Linux policy routing works on the basis of multiple routing tables; when
you make the connection to 10.0.0.2, and the packet makes the return
trip, the kernel routing code looks and says ooh! packets coming from
10.0.0.2 goes through routing table number 1, and on it goes through
routing table number 1.

The whole time the world *does* know how to route to you. All policy
routing does is decide which gateway the packet is going to go out
through based on rules defined by the network administrator. In the case
of my example, the packets returning from 10.0.0.2 *always* go out
through 10.0.0.1 based on the fact that they're returning from 10.0.0.2.

Policy routing can take some getting used to - but, like anything else,
is very simple once you've gotten the hang of it.

> i can't believe this is such a difficult routing thing for the kernel
> to do..the metrics should work but they don't. from the docs i see that
> the kernel ignores it.

That seems to be the case - I'll have to try it out tomorrow as well.

> (it says 2.0.x kernels used it)

I don't think the 2.0.x kernels had the rp_filter facility.

> maybe if i switched to a 2.0 kernel it would work ;)

Maybe, just maybe...

> ill try that networking option you mentioned though. i wont be able to
> unplug that other t1 till i get back to the office tomorrow though.

-- 
Phil Brutsche
[EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
Re: multihomed linux box
A long time ago, in a galaxy far, far away, someone said...

> > Generally BGP is the way to do it.
>
> BGP is outta the question for me..i asked cisco about that a couple
> months ago and they said 128MB was minimum for BGP on routers.

And that's not even a full BGP feed :) A full feed is closer to 135 -
140 MB

> my routers have 8MB each ..

And in another post you said you only have 2500s. I think the only
thing slower is an AccessPro (a 2501 on an ISA card). From what I hear
you need at least a 3640 or so for BGP. And you won't come close to
getting even a partial feed if you have less than a /24.

> yeah thats what it looks like. so hopefully i can find something other
> than routed.

GNU Zebra :)

> i dont want to enable rip, this should be a very basic routing thing.
> its not like it needs to be dynamic its either gateway A or B if A is
> down. not very complicated!!

No it's not. But sometimes devices dedicated to a certain task (a Cisco,
in this case) can do a better job at something than a general-purpose
device (a PC running Linux, in this case).

Oh, and I have good news: in my *limited* testing, your trick with the
metrics works fine: I remotely disabled one of the internet connections
at work, and the Linux firewall *automatically* switched over to use one
of the other internet connections. Thanks to the magic of policy routing
I stayed in contact with the firewall the whole time :)

I do, however, have rp_filter turned off (ie I have spoofprotect=no in
/etc/network/options). I'm still going to play with it some more
tomorrow.

-- 
Phil Brutsche
multihomed linux box
hi. i have this setup on 2 machines

Machine A
 \ eth0 --- Switch -- Router A(65.xxx.xx.x.x) -- Internet
 \ eth1 -- Switch -- Router B (63.xx.x.x.x.x) -- Internet

Machine B
 \ eth0 -- Switch -- Router A (65.xx.x.x.x.x) -- internet
 \ eth1 -- Switch -- Router B (63.xx.x.x.x) -- internet

what i can't figure out is how to get it so if one route fails it will
take the other. i have routed installed but im not sure if it will do
what i want.

what i have:

/sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw MY_GATEWAY metric 0
/sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw ALT_GATEWAY metric 1

so i ssh to a machine it shows me coming from MY_GATEWAY's ip network.
so i unplug the router, and try to ssh. nothing. try to ping using -i,
nothing. once i remove the route to MY_GATEWAY i can ping/ssh again.

each interface has a different IP address. its not really multihomed in
the sense that to the outside world i have 1 ip address and it can be
reached through either provider (2 different T1 providers) i just want
failover route setup.

/etc/gateway's manpage:

  /etc/gateways is comprised of a series of lines, each in the following
  format:

      [ net | host ] name1 gateway name2 metric value [ passive | active | external ]

  The net or host keyword indicates if the route is to a network or
  specific host. Name1 is the name of the destination network or host.
  This may be a symbolic name located in /etc/networks or /etc/hosts

that doesn't seem to do what i want as both networks will be '0.0.0.0'.

from route's manpage:

  metric M
      set the metric field in the routing table (used by routing
      daemons) to M.

from the looks of it routed just does RIP on linux which is not what i
want. my routers are setup to use static routing, so there is no routing
protocols in use.

in simple: if route 1 fails i want to use route 2 instead.

oh and im running debian 2.2r3/linux.2.2.19 on 1 machine and debian
testing(a month or so old) with 2.2.19 on the other. maybe there is
another 'routing daemon' that i could use?

thanks!

nate
Re: multihomed linux box
A long time ago, in a galaxy far, far away, someone said...

> hi. i have this setup on 2 machines
>
> Machine A
>  \ eth0 --- Switch -- Router A(65.xxx.xx.x.x) -- Internet
>  \ eth1 -- Switch -- Router B (63.xx.x.x.x.x) -- Internet
>
> Machine B
>  \ eth0 -- Switch -- Router A (65.xx.x.x.x.x) -- internet
>  \ eth1 -- Switch -- Router B (63.xx.x.x.x) -- internet
>
> what i can't figure out is how to get it so if one route fails it will
> take the other.

Generally BGP is the way to do it. However, unless you have a /24-sized
address space assigned by ICANN or whoever does it these days people
won't even talk to you.

> i have routed installed but im not sure if it will do what i want.

I think it can but only if your routers send out RIP packets :) If they
don't, can't, or whatever then routed obviously won't work.

> what i have:
>
> /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw MY_GATEWAY metric 0
> /sbin/route add -net 0.0.0.0 netmask 0.0.0.0 gw ALT_GATEWAY metric 1
>
> so i ssh to a machine it shows me coming from MY_GATEWAY's ip network.
> so i unplug the router, and try to ssh. nothing. try to ping using -i,
> nothing. once i remove the route to MY_GATEWAY i can ping/ssh again.
>
> each interface has a different IP address. its not really multihomed in
> the sense that to the outside world i have 1 ip address and it can be
> reached through either provider (2 different T1 providers) i just want
> failover route setup.

For incoming traffic (ie redundancy for a mail server) or outgoing
traffic?

If you want redundancy for outgoing traffic I would think your trick
with routes above would work. But they don't... unless you forgot a
step. Try setting spoofprotect=no in /etc/network/options, reboot, and
try again. If *that* doesn't work, I'm sorry to say that you're out of
luck :( Anything else you can come up with is a pure hack and prone to
failure.

Incoming traffic is much easier :) Install the iproute2 package and read
the Advanced Routing HOWTO, particularly the bit about policy routing.

[...]

> oh and im running debian 2.2r3/linux.2.2.19 on 1 machine and debian
> testing(a month or so old) with 2.2.19 on the other. maybe there is
> another 'routing daemon' that i could use?

GNU Zebra but it needs RIP (which you can't get) or BGP to work.

-- 
Phil Brutsche
Re: multihomed linux box
hi ya aphro/phil

this same almost exact same concept just went thru the firewall mailing
list - same conclusions...

their ideas is to let the routers do the NATing and Load balance the
external routes using EIGRP or OSPF

search the firewall archives for:
    http://lists.gnac.net/firewalls/archive.html
    Date: Tue, 10 Jul 2001 09:59:08 +1000
    Cc: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
    Subject: RE: Multi-homed Internet connection

oh well alvin i guess i'm stubborn... i dont see why a laptop can make a
connection via ppp and/or eth0 if in the office... with the same fixed
routing table...
  - the laptop connects thru either one...( the one that works ? )

in this case...we have 2 T1 wires...should be similar network issue...
but its not

On Mon, 9 Jul 2001, Phil Brutsche wrote:

> [...]

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe.
Trouble? Contact [EMAIL PROTECTED]
Re: multihomed linux box - dual t1
hi ya...

think theres lots of folks with dual t1...

for outgoing traffic... think the routing and metrics might work..

for incoming traffic... we'd need all kinds of whacky work arounds
or an autonomous ip# routable by either isp...
  - who's writing this howto ???

--
UUnet also has a backup dark t1 that they provide ...for a minimal fee
... so that even if the primary t1 goes down... you have a backup and
the world does not know about your fiber being cut by the bozo and his
backhoe down the street
  - not sure if the same ISP can be up if their other wire went down...
    ( or router or hub or 110v power etc )
  - pacbell ( SF bay area ) had a major fiber ring outage about a month
    ago where the main fiber was cut late one afternoon ...

c ya
alvin

On Mon, 9 Jul 2001, Alvin Oga wrote:

> [...]
Re: multihomed linux box - dual t1
A long time ago, in a galaxy far, far away, someone said...

> hi ya...
>
> think theres lots of folks with dual t1...

Or dual DSL, or DSL + Cable modem, or dual DSL + Cable modem (like I
have at work).

> for outgoing traffic... think the routing and metrics might work..

Exactly.

> for incoming traffic... we'd need all kinds of whacky work arounds
> or an autonomous ip# routable by either isp...

No workarounds. Policy routing :) Like so:

Environment:
  eth0: 192.168.1.2/24; gateway 192.168.1.1
  eth1: 10.0.0.2/24; gateway 10.0.0.1

Special magic:
  ip rule add from 192.168.1.2 lookup 1
  ip rule add from 10.0.0.2 lookup 2
  ip route add to default via 10.0.0.1 metric 0
  ip route add to default via 192.168.1.1 metric 1
  ip route add table 1 to 192.168.1.0/24 via eth0
  ip route add table 1 to 10.0.0.2/24 via eth1
  ip route add table 1 to default via 192.168.1.1
  ip route add table 2 to 192.168.1.0/24 via eth0
  ip route add table 2 to 10.0.0.2/24 via eth1
  ip route add table 2 to default via 10.0.0.2

This all assumes that the Linux box is alone in its little world,
without some sort of Masquerading going on. More magical incantations
are needed if there is.

The ip ... lines work with both the 2.2.x and 2.4.x kernels.

And yes, an IP number space routable by more than 1 ISP will work too :)

>   - who's writing this howto ???

A number of people involved in the development of Linux's networking
abilities. The web page for it is at http://ds9a.nl/2.4Routing/; I know
it says 2.4 in the link but experience tells me that a lot of it works
with 2.2.x.

> --
> UUnet also has a backup dark t1 that they provide ...for a minimal fee
> ... so that even if the primary t1 goes down... you have a backup and
> the world does not know about your fiber being cut by the bozo and his
> backhoe down the street

You still need a method to tell the world to use that T1... like BGP.

>   - not sure if the same ISP can be up if their other wire went down...
>     ( or router or hub or 110v power etc )

If the T1 goes through the same ISP I think you've lost a good portion
of your redundancy...

>   - pacbell ( SF bay area ) had a major fiber ring outage about a month
>     ago where the main fiber was cut late one afternoon ...

Exactly for this reason :)

-- 
Phil Brutsche
Re: multihomed linux box
> Generally BGP is the way to do it.

BGP is outta the question for me..i asked cisco about that a couple
months ago and they said 128MB was minimum for BGP on routers..my
routers have 8MB each ..

> I think it can but only if your routers send out RIP packets :) If they
> don't, can't, or whatever then routed obviously won't work.

yeah thats what it looks like. so hopefully i can find something other
than routed. i dont want to enable rip, this should be a very basic
routing thing. its not like it needs to be dynamic its either gateway A
or B if A is down. not very complicated!!

> For incoming traffic (ie redundancy for a mail server) or outgoing
> traffic?

outgoing traffic.

> If you want redundancy for outgoing traffic I would think your trick
> with routes above would work. But they don't... unless you forgot a
> step. Try setting spoofprotect=no in /etc/network/options, reboot, and
> try again.

i'll try that. thanks!

> Incoming traffic is much easier :) Install the iproute2 package and
> read the Advanced Routing HOWTO, particularly the bit about policy
> routing.

outgoing should be easier!! incoming i can see how it could cause
problems as each ip is on a totally different network different isp
etc..

> GNU Zebra but it needs RIP (which you can't get) or BGP to work.

i can enable rip but i really dont want to for something this simple.(or
which should be)

thanks!

nate