Hello again,

I may have a common problem to solve but it seems it is harder than I thought...

I have 2 internet providers (each one having a different gateway). Behind the router there are around 100 clients that are SNAT-ed.

I want some clients to be SNAT-ed to the first provider, while the others to the second one. The following lines should work:

iptables -t nat -A POSTROUTING -s 172.17.31.81 -j SNAT --to-source $INET_IP_1
iptables -t nat -A POSTROUTING -s 172.17.31.82 -j SNAT --to-source $INET_IP_2

But... there is a problem... I have to make the packet (after it has been SNAT-ed) follow the gateway corresponding to $INET_IP_1 or to $INET_IP_2 respectively.

In my routing table I have only one default route... corresponding to one of the gateways. Is it possible to have 2 default routes? Is there a more elegant way to solve this problem?

Is there a way to tell the routing table that every request that has the source address $INET_IP_1 follows $GW_1, and every request that has the source address $INET_IP_2 follows $GW_2?

Thanks in advance,
Mihai Vlad

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Mihai,

> But... there is a problem... I have to make the packet (after it has been
> SNAT-ed) follow the gateway corresponding to the $INET_IP_1 or to the
> $INET_IP_2 respectively.
>
> In my routing table I have only one default route... corresponding to one
> of the gateways. Is it possible to have 2 default routes? Is there a more
> elegant way to solve this problem?

You basically want to use the 'ip route' command, and set up 2 routing tables.

> Is there a way to tell the routing table that every request that has the
> source address $INET_IP_1 follow the $GW_1, and every request that has the
> source address $INET_IP_2 follow the $GW_2?

Yup, you set up the two tables, one has GW_1 and one has GW_2, and direct traffic into the tables based on its address. Take a look through the mailing list archives and doco on the web for examples. It's not too hard.

Regards,
--
Damion de Soto - Software Engineer      email: damion@snapgear.com
SnapGear - A CyberGuard Company         ph:    +61 7 3435 2809
Custom Embedded Solutions               fax:   +61 7 3891 3630
and Security Appliances                 web:   http://www.snapgear.com
--- Free Embedded Linux Distro at http://www.snapgear.org ---
Mihai Vlad wrote:
> Is there a way to tell the routing table that every request that has the
> source address $INET_IP_1 follow the $GW_1, and every request that has the
> source address $INET_IP_2 follow the $GW_2?
>
> Thanks in advance,
> Mihai Vlad

Unless I'm missing something really obvious, start here
http://lartc.org/howto/lartc.rpdb.html
and then read
http://www.linux-ip.net/html/adv-multi-internet.html
http://www.linux-ip.net/html/ch-routing.html
and finally, google "martin brown lartc changing default route" and read the messages in that thread.
Hello there, I have a very special case about load balancing...

Here is my setup:

[ASCII diagram: Local network --- Linux router (if1, if2) --- one ADSL router on each interface --- Internet]

My load balancing is working great right now, but I have my DSL routers acting as multiple-user access devices, and hence doing NAT. Since my Linux box is also doing NAT, I want to connect the DSL routers acting as single-user devices and hence avoid doing NAT two times per connection.

What I have to do is change the public address on my DSL router to a mix of the mask and the actual public address, and assign the public IP to if1 (or if2 in each case).

The problem comes when my public addresses are:
IP1: XXX.XXX.XXX.1
IP2: same but ending in .2
MASK 255.255.255.0

To get the new local address for the router, I have to do the following: (1 AND 0) + 1 for router 1 and (2 AND 0) + 1 for router 2.

And I have the next problem: both routers will have the same IP address, and hence they will both be on the same network.

When I set up my load balancing a year ago, I read somewhere that both connections have to be under different networks. Is that right? Will load balancing know which interface it has to use for each connection? Can I set up my DSL routers the way I want them to work? Has anybody done that???

Thank you!!
Hi Mihai,

You can do this by iproute and only if your box is configured as
[*] IP: advanced router
You will also need ip-utils.

"ip route show" will show the main table with all your routes, but what is most important is your default $GW_1.

So, let's now create another table, with default gateway $GW_2, then make a rule so everything from $INET_IP_2 should follow that table:

ip route add default via $GW_2 table secondary

(If iputils screams that it doesn't know who "secondary" is, create "iproute2" in your "/etc", then in that new dir create and edit the file named "rt_tables" and put on the first row "10 secondary". It should look like this:

# cat /etc/iproute2/rt_tables
10 secondary
#
)

Then make a rule which says that everything leaving your box with IP $INET_IP_2 should go to $GW_2:

ip rule add from $INET_IP_2 table secondary

And that's it!

P.S. If you can't get it working, send me an e-mail and we'll see what the problem is!
Adrian Saileanu
Netmaster Communications Srl
address: Str. Ion Brezoianu Nr. 20, Sector 1, Bucuresti, Romania
office: +40 21 315 92 00
mobile: +40 723 979 586
email: adrian@smartcall.ro
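The two-table setup Adrian describes, written out as an added example; this is not code from the thread, and the interface names, public addresses, gateways and the list of ISP 2 clients are assumptions to be replaced. It builds in two points the thread only touches on: for forwarded traffic the ip rule selector must be the client's private address, because the routing decision is taken before nat/POSTROUTING rewrites the source (Mihai notes this in his follow-up), and each extra table carries a link route as well as a default route. SNAT is keyed on the exit interface rather than on the client, so the public address always matches the link the routing decision picked. The script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not code from the thread: route selected LAN clients out
# through a second ISP with iproute2 tables and rules, and SNAT them to the
# matching public address. Interfaces, addresses and the client list are
# assumptions; replace them with your own values.
ISP1_IF="eth1"; INET_IP_1="203.0.113.10"; GW_1="203.0.113.1"; NET_1="203.0.113.0/24"
ISP2_IF="eth2"; INET_IP_2="198.51.100.10"; GW_2="198.51.100.1"; NET_2="198.51.100.0/24"
LAN="172.17.0.0/16"
ISP2_CLIENTS="172.17.31.82 172.17.31.90"   # assumed LAN hosts that should leave via ISP 2
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# DRY_RUN=1 (default) prints each command instead of executing it, so the
# generated configuration can be reviewed; apply it as root with DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iproute2 resolves table names through rt_tables; register each name once
# so "table isp1" / "table isp2" are accepted (numeric ids would also work).
ensure_rt_table() {   # usage: ensure_rt_table <number> <name>
  if [ "$DRY_RUN" = "1" ]; then
    printf 'echo "%s %s" >> %s\n' "$1" "$2" "$RT_TABLES"
  else
    grep -qE "^$1[[:space:]]+$2\$" "$RT_TABLES" 2>/dev/null || echo "$1 $2" >> "$RT_TABLES"
  fi
}

configure_policy_routing() {
  ensure_rt_table 10 isp1
  ensure_rt_table 20 isp2

  # Each table gets the link route for its provider network plus its own
  # default route, so traffic sent into the table can reach that gateway.
  run ip route add "$NET_1" dev "$ISP1_IF" src "$INET_IP_1" table isp1
  run ip route add default via "$GW_1" table isp1
  run ip route add "$NET_2" dev "$ISP2_IF" src "$INET_IP_2" table isp2
  run ip route add default via "$GW_2" table isp2

  # Forwarded packets are routed before nat/POSTROUTING rewrites their
  # source, so the selector must be the client's private address, not the
  # public address it will later be NATed to.
  for client in $ISP2_CLIENTS; do
    run ip rule add from "$client" table isp2
  done
  # Traffic the router itself sends from a public address follows its link.
  run ip rule add from "$INET_IP_1" table isp1
  run ip rule add from "$INET_IP_2" table isp2
  run ip route flush cache

  # SNAT keyed on the exit interface: whatever table the routing decision
  # picked, the packet leaves with that provider's address.
  run iptables -t nat -A POSTROUTING -s "$LAN" -o "$ISP1_IF" -j SNAT --to-source "$INET_IP_1"
  run iptables -t nat -A POSTROUTING -s "$LAN" -o "$ISP2_IF" -j SNAT --to-source "$INET_IP_2"
}

# After applying, show the path the kernel picks for one client's packet,
# e.g. check_route 172.17.31.82 192.0.2.1 eth0  (eth0 = assumed LAN side).
check_route() {   # usage: check_route <client-ip> <destination> [lan-if]
  run ip route get "$2" from "$1" iif "${3:-eth0}"
}

configure_policy_routing
```

Review the printed commands first, then rerun with DRY_RUN=0 as root. Afterwards `ip rule show` should list the per-client rules ahead of the main table, and check_route for an ISP 2 client should report the $GW_2 gateway and $ISP2_IF device.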
Thanks for the help!

I found out that using policy routing I can accomplish the task. However I have some other questions.

As I know, the routing decision takes place before the SNAT is performed. So, if a client is going to be SNAT-ed to $INET_IP_2, I must make sure that I have a rule for it set with "ip rule". In order to avoid writing 2 lines of code for each client (one for ip rule and one for SNAT) I came up with this idea:

#------set the 2 routing tables--------
/sbin/ip rule add fwmark 1 table tbl_1
/sbin/ip rule add fwmark 2 table tbl_2

#------set the SNAT rules-----------
iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to-source $INET_IP_1
iptables -t nat -A POSTROUTING -m mark --mark 2 -j SNAT --to-source $INET_IP_2

#-------mark the traffic (1 or 2) for choosing the ISP connection--------
$IPTABLES -t mangle -A PREROUTING -p tcp -s 172.17.11.38 -d \! 172.17.0.0/16 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -p tcp -s 172.17.11.40 -d \! 172.17.0.0/16 -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -p tcp -s 192.168.0.45 -d \! 172.17.0.0/16 -j MARK --set-mark 1

Everything works fine!

Now I want to go even further and make all the P2P traffic follow a third ISP connection. So a third routing table, a third mark, etc. This traffic can be generated from clients that already have the mark set to 1 or 2... What will happen if I set the mark to 3 based on the service type and not on the source IP? Which one takes precedence?

I have the ipp2p module up and running. But, as far as I understood, in order to mark the P2P traffic you should mark the connection, not only the packets.

iptables -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m ipp2p --ipp2p --bit --apple -j MARK --set-mark 3
iptables -t mangle -A PREROUTING -p tcp -m mark ! --mark 0 -j CONNMARK --save-mark

With this code I am able to block all the P2P traffic...????
I don't know why... Can you help me with this? (I set up correctly the third connection, routing tables, ip rule, etc.)

Thanks again in advance,
Mihai Vlad

-----Original Message-----
From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On Behalf Of gypsy
Sent: Friday, May 28, 2004 5:21 AM
To: Mihai Vlad
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] 2 Gateways
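The fwmark variant from Mihai's follow-up, extended to three links, as an added example that is not his configuration. It addresses the precedence question directly: MARK is a non-terminating target, so when several MARK rules match the same packet the last one reached sets the mark, and precedence is simply chain order. Two more points a practitioner would check: every table a mark can select needs a matching SNAT rule (here keyed on the exit interface, which also covers traffic that is not marked at all), and the NAT mapping of a connection is fixed by its first packet, so a mark that only appears later cannot move that connection to another link without sending packets with the wrong source address out of the wrong provider. For that reason the service-based mark below uses a port match that fires on the first packet; a payload signature such as ipp2p has nothing to match in a TCP SYN. Interface names, addresses, table numbers and the port range are assumptions; the script prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not Mihai's configuration: fwmark-based policy routing over
# three ISP links, with CONNMARK so a connection keeps the link chosen for its
# first packet. Interfaces, addresses, table numbers and the port range used
# for the service-based mark are assumptions.
LAN="172.17.0.0/16"
ISP_IFS="eth1 eth2 eth3"
ISP_IPS="203.0.113.10 198.51.100.10 192.0.2.10"
ISP_GWS="203.0.113.1 198.51.100.1 192.0.2.1"
SERVICE_PORTS="6881:6889"           # assumed port range that should use link 3
IPTABLES="${IPTABLES:-iptables}"

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them as root.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }
nth() { shift "$1"; printf '%s' "$1"; }   # nth <i> w1 w2 ... -> i-th word (1-based)

configure_mark_routing() {
  i=1
  for ifc in $ISP_IFS; do
    gw=$(nth "$i" $ISP_GWS); pub=$(nth "$i" $ISP_IPS)
    # Numeric table ids (10, 20, 30) need no /etc/iproute2/rt_tables entry.
    run ip route add default via "$gw" dev "$ifc" table "$((i * 10))"
    # fwmark N selects table N0. The rule lookup happens before
    # nat/POSTROUTING, so the mark must be set in mangle/PREROUTING.
    run ip rule add fwmark "$i" table "$((i * 10))"
    # Every link a mark can select needs its own SNAT; keying it on the exit
    # interface also covers unmarked traffic that takes the main table.
    run "$IPTABLES" -t nat -A POSTROUTING -s "$LAN" -o "$ifc" -j SNAT --to-source "$pub"
    i=$((i + 1))
  done
  run ip route flush cache

  # MARK does not end rule traversal, so the last matching MARK wins; order
  # the chain accordingly. Restore a known connection's mark and stop there;
  # classify only connections that carry no mark yet.
  run "$IPTABLES" -t mangle -A PREROUTING -s "$LAN" -j CONNMARK --restore-mark
  run "$IPTABLES" -t mangle -A PREROUTING -s "$LAN" -m mark ! --mark 0 -j ACCEPT
  # Per-client link choice (marks 1 and 2) for traffic leaving the LAN.
  run "$IPTABLES" -t mangle -A PREROUTING -s 172.17.11.38 ! -d "$LAN" -j MARK --set-mark 2
  run "$IPTABLES" -t mangle -A PREROUTING -s 172.17.11.40 ! -d "$LAN" -j MARK --set-mark 1
  # Service-based override, placed last so it takes precedence over the
  # per-client marks. A port match fires on the very first packet, which a
  # payload signature (ipp2p) cannot do for a TCP SYN.
  run "$IPTABLES" -t mangle -A PREROUTING -s "$LAN" ! -d "$LAN" -p tcp --dport "$SERVICE_PORTS" -j MARK --set-mark 3
  # Persist the decision on the conntrack entry for the rest of the flow.
  run "$IPTABLES" -t mangle -A PREROUTING -s "$LAN" -m mark ! --mark 0 -j CONNMARK --save-mark
}

configure_mark_routing
```

After applying with DRY_RUN=0, `ip rule show` should list the three fwmark rules and `ip route show table 30` the third default route; `iptables -t mangle -L PREROUTING -nv` with packet counters confirms that the CONNMARK restore rule is hit first and that established flows never reach the MARK rules.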
Hello GoMi,

> Hello there, I have a very special case about load balancing...
---snip----
> And I have the next problem:
> Both routers will have the same IP ADDRESS, and hence they will both be on
> the same network.

I didn't really understand what you were writing about there.... but don't you just want to put your DSL routers into some type of 'bridging' mode, and then configure the IP addresses on your linux router? (you may have to run PPPoE or something on the linux interfaces).

> When I set up my load balancing a year ago, I read somewhere both connections
> have to be under different networks, is that right?
> Will load balancing know which interface it has to use for each connection??

Unless your ISP(s) is doing incredibly tricky things with routing, you can't have 2 devices on the Internet with the same real IP address.

> Can I set up my dsl routers the way I want them to work??
> Has anybody done that???

I still don't really understand what's different between your setup and all the other people who have 2 DSL connections to the internet.

Regards,
Damion de Soto
I am sorry about my previous email, it was a bit of a mess... Let me explain myself.

I have my DSL routers working doing NAT, and I want to set them up as a bridge but doing load balancing.

My public IP addresses are: XXX.XXX.XXX.1 for DSL 1 and the same ending in .2 for DSL 2.

Since I have to put the public IP addresses on the Linux Ethernet cards, and they both have the same netmask, will load balancing work? I read somewhere they have to be in different subnets in order to work. Am I right? Can I set them in bridge mode?

-----Original Message-----
From: Damion de Soto [mailto:damion@snapgear.com]
Sent: Monday, 31 May 2004 2:34
To: GoMi
CC: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Odd question about load balancing