LARTC - Nov 2001 - Virtual server with separate/multiple default gateway/routing.

Hello,
I am new to the list and did not practice policy routing yet,
but I have browse the archive, search google and read some howto.
But most problem solving stuff I have found seems routing oriented,
where in my case "I want NO routing at all"... ;-)

1) I want to "simulate" multiple server within one.
2) Each virtual server need to have a separate physical or logical ethernet.
3) Each server also need to have a separate routing table, address and mask.

I would like to archive the best logical separation possible.

Here is what I''m trying to accomplish in ASCII art...

The PHYSICAL view: (no eth0 to simplify)

            +--------------------------+
            |   Super linux server     |
            |VM1        VM2        VM3 |
            |eth1       eth2       eth3|
            +-+----------+----------+--+
      1.1.1.1 |  2.2.2.2 |  3.3.3.3 |
              |          |          |
              v          v          v
      1.1.1.9 |  2.2.2.9 |  3.3.3.9 |
          +---+----+ +---+----+ +---+----+
          | Router | | Router | | Router |
          +--------+ +--------+ +--------+
                   \     |     /
                    \    +    /
                     \__/ \__/
                     /       \
                    ("network")
                     \_  _  _/
                       \/ \/

The LOGICAL view:

           +-----+    +-----+    +-----+
           | Ser |    | Ser |    | Ser |
           | ver |    | ver |    | ver |
           | N°1 |    | N°2 |    | N°3 |
           +--+--+    +-----+    +-----+
      1.1.1.1 |  2.2.2.2 |  3.3.3.3 |
              |          |          |
              v          v          v
      1.1.1.9 |  2.2.2.9 |  3.3.3.9 |
          +---+----+ +---+----+ +---+----+
          | Router | | Router | | Router |
          +--------+ +--------+ +--------+
                   \     |     /
                    \    +    /
                     \__/ \__/
                     /       \
                    ("network")
                     \_  _  _/
                       \/ \/


For 1) I plan to use http://www.solucorp.qc.ca/miscprj/s_context.hc?dp=0
that describe "Virtual servers and security contexts"
a patch to linux kernel from Jacques Gelinas.
One of the added feature is to limit wich IP address a virtual server
can bind too. This mean is a server "bind" to 0.0.0.0 it will get
the only IP available to it in that context.

For 2) I have multiple option:
2a) Using separate physical ethernet for each virtual server.
 This will simplify my network topology, however cost a bit more.
 This is my prefered solution currently, it might offer enhanced
 separation if a routing table can be attach to an interface...??? (help)

2b) Use one of the linux VLAN (802.1Q) implementation on a single
 ethernet card. Then separate the traffic with a lan switch.

2c) Use a single ethernet card with multiple address on it (alias?)
 and use a lan switch capable of IP SUBNET vlan (cost a lot).

2d) Use a single ethernet card with multiple address AND multiple
 MAC address (already discuss somewhere on this list and in vlan one)
 and use a lan switch capable of MAC address based vlan
 (less difficult to find).

For 3) I need some more help from this list...

I have found this:
Can''t use two links on a linux box : Two link to the internet...
http://mailman.ds9a.nl/pipermail/lartc/2000q4/000091.html
http://mailman.ds9a.nl/pipermail/lartc/2000q4/000092.html
http://mailman.ds9a.nl/pipermail/lartc/2000q4/000153.html
http://mailman.ds9a.nl/pipermail/lartc/2000q4/000156.html

I took a look at: http://kewl.phear.org/policy/

and of course at this:
@home cable modem: Separate default gateway per interface...
http://mailman.ds9a.nl/pipermail/lartc/2001q2/000736.html
http://mailman.ds9a.nl/pipermail/lartc/2001q2/000768.html

My problems...
A) I want to avoid being used as a router, I want to be a host
on each interface, this mean if I receave a packet not for me,
it must be discarded.
 [What should be done for that?]

B) I want to avoid sending any kind of ICMP redirect or such.
 [natural if I am not a router?]

C) I want to avoid accepting a packet going to 2.2.2.2 on eth1 or 3.
So the server should not accept a packet comming on the wrong interface.
 [What should be done for that?]

D) I want that packet receaved on eth2 go out on eth2...
 [This should be implicit by the way replying to IP packet work]

E) I want to be able to "ping" from 1.1.1.1 to 2.2.2.2 going accross
 the network (and not staying local). This might be the most difficult,
 and I have not even a clue on how local routing is archieved and
 how it can be disable or modified. [NEED HELP on this one too]

Any feedback, URL, solution, answer will be highly appreciated.
The resulting solution might be incorporate into Jacques Gelinas FAQ or
yours.

David GLAUDE

Hello,

On Fri, 9 Nov 2001, David GLAUDE Mailing wrote:
> Any feedback, URL, solution, answer will be highly appreciated.
	Only URL to start from:

http://mailman.ds9a.nl/pipermail/lartc/2001q4/001573.html
> David GLAUDE
Regards

--
Julian Anastasov <ja@ssi.bg>

Sorry Julian,

I don''t think it help me (however there might be some issue solved by
their
patch...).
Or tell me how it relate to my problem. ;-)
http://www.linuxvirtualserver.org/  is about creating a virtual server out
of multiple physical server.
What I try to accomplish is the opposite... create multiple logical server
out of one physical one.

It is kind of VMWARE server solution I am looking for,
but I don''t need that level of virtualisation
and I want the real speed.

But I need "IP" or "network" virtualisation, so the use of
multiple routing
table
per source address and/or per interface (if it is possible)

David GLAUDE
>From: "Julian Anastasov" <ja@ssi.bg>
> Only URL to start from:
> http://mailman.ds9a.nl/pipermail/lartc/2001q4/001573.html
> Julian Anastasov <ja@ssi.bg>

Hello,

On Fri, 9 Nov 2001, David GLAUDE Mailing wrote:
> Sorry Julian,
>
> I don''t think it help me (however there might be some issue solved
by their
> patch...).
> Or tell me how it relate to my problem. ;-)
> http://www.linuxvirtualserver.org/  is about creating a virtual server out
> of multiple physical server.
	No, no. I don''t mean about LVS. I''m answering your second
part of the subject "multiple default gateway ...", the URL I
mentioned
was about routing changes (I saw your findings from this mailing list).
> What I try to accomplish is the opposite... create multiple logical server
> out of one physical one.
	I understand it. Sorry, I was not clear.
> David GLAUDE
Regards

--
Julian Anastasov <ja@ssi.bg>