[gentoo-user] IP Load Sharing - Per Packet Load Balancing (Linux router)

2013-05-25 Thread Nick Khamis
Hello everyone,

I am looking to put together a Linux router for a small business, and
was wondering if there was anything in the suite (using quagga etc.)
that would allow for load balancing of regular DSL links. Kind of like
Cisco with Fast Ethernet 0,1 and ip cef. If outgoing and incoming
traffic could be balanced, it would be great!

Kind Regards,

Nick.



[gentoo-user] OT: BATMAN vs frr/ospf

2021-12-01 Thread William Kenworthy

  
  
Hi all, has anyone had experience using the batman-adv protocol
and can comment on its use instead of ospf?

The recommended "drop in" replacement for quagga/ospf based
routing with the frr/ospf package has proven to be a less than
stellar replacement in my case (not really frr's fault, but it is
not identical to quagga and my requirements are complex), so I am
looking to jump ship to batman.  I am currently building kernels
and VMs to test, but I would appreciate comments from someone who
has done this already.

My networks include ~10-15 VLANs that extend across (open)vpn
tunnels and multiple wifi SSIDs and have a number of potential
looping scenarios that ospf manages.  I use zeroconf (for
homeassistant) and have lxc based instances using veth interfaces
for services (asterisk, web, dns, ...).  There is a moosefs data
store on its own switch and two dedicated VLANs.  I have in excess
of 30 devices on the network and ESP IoT devices are multiplying
like rabbits (!).  All non-ESP or Android phone systems use Gentoo
on arm32/arm64/intel, run shorewall, have multiple VLANs via
trunking or multiple interfaces in different VLANs or in some
cases up to 4 interfaces bonded for throughput.  I am using D-Link
managed switches and a homebrew AP using hostapd in the 2.4 and 5g
bands.

Using quagga/ospf was mostly stable and just worked.  While I
could try tuning frr to work more reliably (worst problems are not
staying converged, convergence time (which sometimes kills VMs
via the moosefs data store disappearing off the network for
minutes at a time), fighting frr's interference in ip forwarding
across multiple interfaces and excessive overhead as it never
seems to settle for long), I am thinking the effort might be
better spent on batman - I am attracted to the supposedly fast
convergence, minimal overhead and the potential of meshes (IoT)
using the flat routing overlay it implements.

Questions I have are:
1. easily works with shorewall
2. it actually does have fast and glitch free convergence
3. internetworking across a VPN based WAN with batman at either end
4. mesh hot spot control
5. any other gotchas?

BillK


  




[gentoo-user] Re: {OT} A simple routing problem

2012-12-18 Thread James
Kevin Brandstatter kjbrandstatter at gmail.com writes:


  route add -host hostname gw 192.168.0.32

  and it's pretty much working, except that I've to add a route to
  every host for which I want to use the ADSL connection.

  If I do the same on my local machine, it doesn't work and packets
  still end up going through my fiber connection.

  Would iptables ROUTE target help if I use that on my local
  machine?


 I think you want the forward chain, I'm not sure what tools dd-wrt and

You might want to research about the capabilities of OSPF.

net-misc/quagga is in portage.

hth,
James







[gentoo-user] Re: IP Load Sharing - Per Packet Load Balancing (Linux router)

2013-05-25 Thread Nick Khamis
I missed out some crucial info in my last email. As mentioned, this
would be two separate DSL services, connected using separate bridges.
I think I am describing more of a link aggregation or bonding.

Also assuming that the service providers support bonding of the links.


N.

On 5/25/13, Nick Khamis sym...@gmail.com wrote:
 Hello everyone,

 I am looking to put together a Linux router for a small business, and
 was wondering if there was anything in the suite (using quagga etc.)
 that would allow for load balancing of regular DSL links. Kind of like
 Cisco with Fast Ethernet 0,1 and ip cef. If outgoing and incoming
 traffic could be balanced, it would be great!

 Kind Regards,

 Nick.




[gentoo-user] Re: IP Load Sharing - Per Packet Load Balancing (Linux router)

2013-05-26 Thread Nick Khamis
Any different if the links are VDSL? I have little experience in
working with DSL based connections, and was wondering what was
possible in terms of bridging/bonding etc., if anything.

N.

On 5/25/13, Nick Khamis sym...@gmail.com wrote:
 I missed out some crucial info in my last email. As mentioned, this
 would be two separate DSL services, connected using separate bridges.
 I think I am describing more of a link aggregation or bonding.

 Also assuming that the service providers support bonding of the links.


 N.

 On 5/25/13, Nick Khamis sym...@gmail.com wrote:
 Hello everyone,

 I am looking to put together a Linux router for a small business, and
 was wondering if there was anything in the suite (using quagga etc.)
 that would allow for load balancing of regular DSL links. Kind of like
 Cisco with Fast Ethernet 0,1 and ip cef. If outgoing and incoming
 traffic could be balanced, it would be great!

 Kind Regards,

 Nick.





Re: [gentoo-user] OpenVPN setup

2008-02-11 Thread W.Kenworthy
I do this with my work printer - the printer is locked down to a local
network - I can print from locked out offices/labs anywhere (and even
from home, picking up the printouts when I arrive - convenient!)

I also transfer sometimes large files (using scp) and run ssh sessions
and imap/smtp mail all through the same tunnel(s) - I actually use two
in series with a convenient host in between to get around some local
routing issues.  All can be transparent and just work.  scp can
sometimes be a pain with slow speeds but it's dependent on network
conditions external to the tunnel - i.e., some external conditions cause
interactions that affect packet sizes/latency within the tunnel - doesn't
happen often though.

Routing is often an issue (particularly to networks a few hops away on
the inside) - ospf (quagga) was the solution, though RIP is probably
easier/better for this.

The downside - Gentoo's openvpn and networking design is ok for simple
setups, but has to be overridden when getting complex.  Can be fragile
when design changes are taking place - breaks when you least expect it,
like when they introduced the bind flag into the init.d script (gr)

Note that you need sympathetic or pliable IT staff if it's a workplace -
helps to have them onside if you are going to bypass their security
policies for your own benefit!

BillK


On Mon, 2008-02-11 at 19:44 -0600, Dan Farrell wrote:
 On Mon, 11 Feb 2008 16:00:49 -0800
 Grant [EMAIL PROTECTED] wrote:
 
   You can print from your laptop to your printer at home while
   overseas, for example.  
 
 Sounds very convenient ; ) 
-- 
gentoo-user@lists.gentoo.org mailing list



Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone,

Thank you so much for your responses. I agree Alan, total pain in the
neck!!! But it's a ticket that was passed down to me. We moved the
stateful firewalls inside the network, broken down to each department.

But as a first on-site defense on our BGP router running Quagga, we
only require stateless for performance reasons. Jerry, thank you so
much! I might need some additional help with the three-way handshakes.
What I did to stay scalable was:

Define a chain:

$IPTABLES -N TCP

Handle two way for a specific service:

$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

Accepting input and output requests to services included in the chain:

#echo -e- Accepting input TCP traffic to open ports
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j TCP

#echo -e- Accepting output TCP traffic to open ports
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j TCP

Dropping everything else:

#echo -e- Dropping input TCP to closed ports
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst

#echo -e- Dropping output TCP traffic to closed ports
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Hope this keeps me scalable enough to keep the world of pain at bay as
much as possible...

N.
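The rules in Nick's message list both directions of every service by hand because there is no conntrack to do it. The script below is an added example, not Nick's script: it emits an iptables-restore ruleset in the same stateless style for a router that accepts SSH from the LAN and also opens BGP sessions to a peer, and it answers the three-way-handshake question the stateless way by matching the reply direction with `! --syn` (`--syn` means SYN set with ACK, RST and FIN clear), so that a packet merely carrying source port 22 or 179 cannot open a new connection through the filter. The interface name `eth1`, the peer address `192.0.2.10` and the port lists are constructed placeholders; the router and LAN addresses are the ones from the post.

```shell
#!/bin/sh
# Added example, not Nick's script: emit a stateless iptables-restore ruleset.
# Interface, peer address and port lists are constructed placeholders.
IF="eth1"                   # router interface facing the LAN and the peer (assumed)
ROUTER="192.168.2.5"        # router address from the post
LAN="192.168.2.0/24"        # LAN prefix from the post
PEER="192.0.2.10"           # placeholder BGP peer (documentation range)
IN_PORTS="22"               # TCP services the LAN may open on the router
OUT_PORTS="179"             # TCP services the router opens on the peer

# Stateless two-way rules. The request direction may carry a bare SYN; the
# reply direction is matched with "! --syn", which excludes a SYN without ACK.
# A packet that only borrows a well-known source port can therefore not start
# a new connection through the filter, although it still reaches the stack
# if it looks like part of an existing session; that is the stateless limit.
inbound_rules() {
    for port in $IN_PORTS; do
        echo "-A TCP -p tcp -s $LAN -d $ROUTER --dport $port -j ACCEPT"
        echo "-A TCP -p tcp -s $ROUTER --sport $port -d $LAN ! --syn -j ACCEPT"
    done
}

outbound_rules() {
    for port in $OUT_PORTS; do
        echo "-A TCP -p tcp -s $ROUTER -d $PEER --dport $port -j ACCEPT"
        echo "-A TCP -p tcp -s $PEER --sport $port -d $ROUTER ! --syn -j ACCEPT"
    done
}

# ruleset: the complete filter table. The TCP chain is shared by INPUT and
# OUTPUT as in the post; whatever it does not accept is rejected afterwards.
# FORWARD stays ACCEPT because the post only filters the router's own traffic.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:TCP - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
    inbound_rules
    outbound_rules
    cat <<EOF
-A INPUT -i $IF -p tcp -j TCP
-A OUTPUT -o $IF -p tcp -j TCP
-A INPUT -i $IF -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -o $IF -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i $IF -j REJECT --reject-with icmp-proto-unreachable
-A OUTPUT -o $IF -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# count_syn_guarded: number of reply-direction rules carrying the SYN guard,
# a quick self-check before the ruleset is applied
count_syn_guarded() {
    ruleset | grep -c -- '! --syn'
}

ruleset
```

Save the output to a file, review it, and load it with `iptables-restore`; every service gets exactly one request rule and one SYN-guarded reply rule, so the chain grows linearly with the service list rather than with the number of hosts.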



Re: [gentoo-user] VPN vs LAN address hostname resolution

2013-05-22 Thread William Kenworthy
I am doing something sort of similar ... use a routing protocol and set
the metrics to make the LAN more attractive so it will get used over the
wifi.  Use dhcp to update dns.

I was using ospf (quagga), dns and ISC dhcp which auto-updates bind.
This is transparent to the hosts, is a pain to set up but then
just works.

Pinning addresses makes life very difficult though as dhcp won't
update dns so I've gone back to manually setting up the dns side for some
hosts :(

BillK


On 23/05/13 02:52, Michael Orlitzky wrote:
 On 05/22/13 14:30, Samuraiii wrote:
 I'm sorry for the mistake; the subnet mask for both spaces IS 255.255.255.0,
 so it is not overlapping at all.
 I apologise for my mistake in notation.
 Still, this is not (mainly) a problem with routing but a problem with
 assigning a name to an address.
 If I had a superfast internet connection I would not mind and just use the vpn
 address space.
 So basically I need to assign the lan address to a computer (laptop) which is
 in the same location (LAN) as other machines, and the vpn address on all other
 computers.

 to illustrate:

 hostname: foo
 Location:1
 address eth0: 10.1.1.3
 address tap0: 10.2.2.3

 hostname: bar
 Location: 1
 addresses are irrelevant
 hosts entry for foo is 10.1.1.3 *(this is what I want to update if foo
 moves to location 2 to 10.2.2.3)*

 hostname: baz
 Location: 2
 addresses are irrelevant
 Hosts entry for foo is 10.2.2.3 *(this is what I want to update if foo
 moves to location 2 to 10.1.1.3)*

 
 Which machines are joined to the VPN? For a location-to-location VPN,
 the simplest thing to do would be to have your gateway routers
 participate in the VPN and handle the routing appropriately. That way if
 you're on the LAN at location 1 and you send a packet to another machine
 on the same LAN (using its VPN address), the gateway router knows to
 send the packet right back onto the LAN. No configuration necessary on
 the hosts. You can use the same VPN addresses at both locations.
 
 If that's not possible, set up a DNS resolver at each location and
 return the appropriate (local or VPN) address.
 
 




Re: [gentoo-user] VRFs / Jails / Containers

2019-02-03 Thread Grant Taylor

On 2/3/19 5:37 AM, Rich Freeman wrote:
Nothing wrong with that approach.  I use systemd-nspawn to run a bunch 
of containers, hosted in Gentoo, and many of which run Gentoo.  However, 
these all run systemd and I don't believe you can run nspawn without a 
systemd host (the guest/container can be anything).  These are containers
running full distros with systemd in my case, not just single-process
containers.  However, nspawn does support single-process
containers, and that includes with veth, but nspawn WON'T initialize
networking in those containers (i.e. DHCP/etc.), leaving this up to the guest
(it does provide a config file for systemd-networkd inside the guest if
it is in use to autoconfigure DHCP).


ACK

That makes me think that systemd-nspawn is less of a fit for what I'm 
wanting to do.


I'm not exactly certain what you're trying to accomplish, but namespaces 
are just a kernel system call when it comes down to it (two of them I 
think offhand).  Two util-linux programs provide direct access to them 
for shell scripts: unshare and nsenter.  If you're just trying to run a 
process in a separate namespace so that it can use veth/etc then you could 
probably initialize that in a script run from unshare.  If you don't need 
more isolation you could run it right from the host filesystem without 
a separate mount or process namespace.  Or you could create a new mount 
namespace but only modify specific parts of it like /var/lib or whatever.


That's quite close to what I'm doing.  I'm actually using unshare to 
create a mount / network / UTS namespace (set) and then running some 
commands in them.


The namespaces are functioning as routers.  I have an OvS switch 
connected to the main / default (unnamed) namespace and nine (internal) 
OvS ports, each one in a different namespace.  Thus forming a backbone 
between the ten network namespaces.


Each of the nine network namespaces then has a veth pair that connects 
back to the main network namespace as an L2 interface that VirtualBox 
(et al) can glom onto as necessary.


This way I can easily have nine completely different networks that VMs 
can use.  My main home network has a route to these networks via my 
workstation.  (I'm actually using routing protocols to distribute this.)


So the main use of the network namespaces is as a basic IP router. 
There doesn't /need/ to be any processes running in them.  I do run BIRD 
in the network namespaces for simplicity reasons.  But that's more 
ancillary.


I don't strictly need the mount namespaces for what I'm currently doing.
That's left over from when I was running Quagga and /needed/ to alter
some mounts to run multiple instances of Quagga on the same machine.


I do like the UTS namespace so that each "router" has a different host
name when I enter it.


Maybe this helps explain /what/ I'm doing.  As for /why/ I'm doing it, 
well because reasons.  Maybe not even good reasons.  But I'm still doing 
it.  ¯\_(ツ)_/¯  I'm happy to discuss this in a private thread if anyone 
is really curious.


People generally equate containers with docker but as you seem to get 
you can do a lot with namespaces without basically running completely 
independent distros.


Yep.  I feel like independent distros, plus heavier weight management 
daemons on top are a LOT more than I want.


As stated, I don't really /need/ to run processes in the containers.  I 
do because it's easy.  The only thing I /need/ is the separate IP stack 
/ configuration.


Now, I will point out that there are good reasons for keeping things 
separate - they may or may not apply to your application.  If you just 
want to run a single daemon on 14 different IPs and have each of those 
daemons see the same filesystem minus /var/lib and /etc that is something 
you could certainly do with namespaces and the only resource cost would 
be the storage of the extra /var/lib and /etc directories (they could 
even use the same shared libraries in RAM, and indeed the same process 
image itself I think).


Yep.

The only gotcha is that I'm not sure how much of it is already done, so 
you may have to roll your own.  If you find generic solutions for running 
services in partially-isolated namespaces with network initialization 
taken care of for you I'd be very interested in hearing about it.


I think there are a LOT of solutions for creating and managing 
containers.  (I'm using the term "container" loosely here.)  The thing 
is that many of them are each their own heavy weight entity.  I have yet 
to find any that integrate well with OS init scripts.


I feel like what I want to do can /almost/ be done with netifrc.  Or 
that netifrc could be extended to do what (I think is) /little/ 
additional work to do it.


I don't know that network namespaces are strictly required.  I've been 
using them for years.  That being said, the current incarnation of 
Virtual Routing and Forwarding (VRF) provided by l3mdev seems to be
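The topology Grant describes (an OvS backbone in the main namespace, nine router namespaces each holding one internal OvS port plus one end of a veth pair, with the other end left in the main namespace for VMs to attach to) can be built with iproute2 and ovs-vsctl as below. This is an added example, not Grant's own setup: it uses `ip netns` rather than bare `unshare`, so the namespaces are named and re-enterable, and replaces the BIRD-distributed routes with static ones in the main namespace. The bridge name `ovsbr0`, the `rtr<N>` names, the `10.0.0.0/24` backbone and the `10.<N>.0.0/24` leaf prefixes are all constructed. With `DRY_RUN=1` (the default) it prints the commands instead of running them, which doubles as a review of what the script would change before it is run as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example, not Grant's scripts: build N router network namespaces on an
# Open vSwitch backbone. Bridge name, namespace names and prefixes are made up.
BR="${BR:-ovsbr0}"          # existing OvS bridge in the main namespace (assumed)
COUNT="${COUNT:-9}"         # number of router namespaces, nine in the post
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands, 0 = execute them (root)

# run: print or execute one command depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# make_router n: namespace rtr<n> with
#   - OvS internal port ovs-rtr<n> moved into it (backbone side, 10.0.0.<n>)
#   - veth pair vr<n>-ns / vr<n>-host; the -host end stays in the main
#     namespace as the L2 attachment point for VMs (leaf side, 10.<n>.0.1)
#   - a static route in the main namespace to the leaf prefix via the
#     namespace's backbone address (standing in for what BIRD would announce)
make_router() {
    n=$1
    ns="rtr$n"
    run ip netns add "$ns"
    run ovs-vsctl add-port "$BR" "ovs-$ns" -- set interface "ovs-$ns" type=internal
    run ip link set "ovs-$ns" netns "$ns"
    run ip link add "vr$n-ns" type veth peer name "vr$n-host"
    run ip link set "vr$n-ns" netns "$ns"
    run ip link set "vr$n-host" up
    run ip -n "$ns" link set lo up
    run ip -n "$ns" addr add "10.0.0.$n/24" dev "ovs-$ns"
    run ip -n "$ns" link set "ovs-$ns" up
    run ip -n "$ns" addr add "10.$n.0.1/24" dev "vr$n-ns"
    run ip -n "$ns" link set "vr$n-ns" up
    # forwarding is enabled inside the router namespace only; the main
    # namespace keeps whatever policy it already has
    run ip netns exec "$ns" sysctl -q -w net.ipv4.ip_forward=1
    run ip route add "10.$n.0.0/24" via "10.0.0.$n"
}

# build_all: give the main namespace its backbone address on the bridge's own
# port, then create router namespaces 1..COUNT
build_all() {
    run ip addr add "10.0.0.254/24" dev "$BR"
    run ip link set "$BR" up
    i=1
    while [ "$i" -le "$COUNT" ]; do
        make_router "$i"
        i=$((i + 1))
    done
}

build_all
```

Each namespace is a separate IP stack with no process required inside it, which is the property Grant says he actually needs; `ip netns exec rtrN sh` enters one for inspection, and `ip netns del rtrN` tears it down together with the interfaces moved into it.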

Re: [gentoo-user] Glsa-check and binutils-- how to stop the madness?

2005-06-15 Thread Holly Bostick
-prolog-lite
dev-libs/elfutils
dev-lisp/plt
dev-util/alleyoop
dev-util/debootstrap
dev-util/memprof
dev-util/oprofile
net-misc/quagga
sci-chemistry/gromacs
sci-electronics/balsa
sci-electronics/lard
sys-apps/lshw
sys-apps/mindi
sys-apps/mondo-rescue
sys-apps/paxctl
sys-apps/tcng
sys-devel/gcc
sys-devel/prelink
sys-kernel/ksymoops

All I've got is gcc, I haven't even gotten around to installing prelink
yet. And I can't imagine that any of these programs (gcc, prelink, and
elfutils, which prelink requires), would need some old version of
binutils hanging around, especially since I would be keeping these
reverse dependencies up-to-date.

So you're probably right; I can most likely remove multislot from both
binutils and gcc (since I only mean to have one version of GCC anyway),
recompile everything *yet again* (just to be safe; this system is
starting to have a rather filthy backend, and I will not have it), and I
think it should be OK.

Something for the weekend a month from now (as you may have noticed,
I've got a lot of other cleanup work to do-- not to mention regular
computer projects-- before I can feel comfortable rebuilding everything).

Thanks a lot for the info.

Holly
 -Richard
 

-- 
gentoo-user@gentoo.org mailing list