Greetings,

I hope someone else has come up with a way to do this - so far I've tried out some of the tricks described in the Advanced Routing Howto, but haven't gotten it to behave as I would like.

I have a Linux-based (2.4.18 kernel) web server located on a private network. This network is connected to the Internet via two ADSL connections using Cisco SOHO77 routers. These routers do NAT of both outgoing and incoming connections.

The problem is that I would like to have the web server available to clients on the Internet using both of the connections. Not only would it make the connection more reliable, it would also allow me to utilize the bandwidth of both the connections via a simple round-robin DNS setup of the Web server address. However, so far I haven't been able to come up with a routing setup that allows me to do this.

The routers have been configured to NAT an incoming request on TCP port 80 to the internal IP of the web server. This works fine for connections that come in on one of the routers, if I set up the web server with a default route to that particular router. But then connections arriving on the other router do not work - the router forwards the initial SYN packet OK to the web server, but since it tries to route the response out through its default route, it goes nowhere - the router that is asked to forward the response packet never saw the initial SYN packet, so the response does not match anything in its NAT table, and it drops the packet.

I tried giving the web server a second internal IP, and having one router NAT incoming connections to the first IP, and the other router NAT the connections to the second IP. Then using one of the examples in the HOWTO, I tried setting up the routing so that the response would go out via the proper router. I could not get that to work.

Any ideas or suggestions would be appreciated.

-- 
Henrik Storner <henrik@hswn.dk>
William L. Thomson Jr.
2002-May-17 10:09 UTC
Re: Routing from a box behind two NAT''ing routers
Henrik,

I am in the same boat as you. I have two SDSL lines I would like to do the same with. I have yet to find a working solution and hope I will have time to address this tomorrow. In the meantime I bought a Nexland ISBPro800, which according to reviews and Nexland should do some of what we are looking to do. Unfortunately it does not even come close. I was better off just using RIP for redundancy. The Nexland is not doing anything for me, and I need to take the time to ship it back and get my money back.

I have found two other solutions, both of which are out of my price range at the moment. The first one, for the money, is not worth it. It's the products from FatPipe, Inc. The one I do like and may end up having to purchase is made by SysMaster. Their pricing is much better, the units scale better, and they just plug into a switch. No routing the routers through the unit and then through the switch. You just plug everything into the switch, and use the SysMaster unit as the gateway. I spoke with one of the engineers at SysMaster, and if I do not have this problem solved by the time I get the cash, I just may buy one and call it a day.

On the Linux front I did get close, but ran into issues with the route caching table. I did receive a suggestion from Julian Anastasov, but I have not had time to try the cache settings he suggested. It's in the list archive on 4/29/2002.

Bottom line is I would rather have Linux do it. Personally I think it's cooler and possibly better? I am willing to work or share info with others to come up with a working solution. I know others will be coming down this path as more people get multiple broadband connections. Hell, I have an ISP that will provide 1.1mps SDSL lines for $80.00 a month. So in my situation it makes more sense than buying a T-1 or T-3.

Anyway, I will be back at it some day this week. Shooting for tomorrow. I have a feeling that there needs to be additional logic in the multipath routing. But not knowing C/C++ I am not sure how much help I can provide. Sorry, so far I am a Java guy, but C/C++ is next on my list. This may be the motivation I need.

There needs to be some sort of route aging mechanism or packet marking, so when new routes are presented the old ones will be removed. Also, once the route cache issue has been addressed, I believe a DNS how-to is crucial, since how you have your DNS servers set up will dictate how well things work. For example, in my case, for each private IP I have two public IPs, one on each ISP's SDSL line. So once the Linux router works the way it should, the DNS servers will also need a special config. At the moment I have DNS server 1 returning IPs from ISP 1, and DNS server 2 returning IPs from ISP 2. Basically like the example from http://www.samag.com/documents/s=1824/sam0201h/0201h.htm

I tried doing something along the lines of having both DNS servers be on the same block, and if a request came in on that IP block, they would get IPs from that block. If they requested either DNS server via the other block, IPs from that block would be returned. That seemed to cause a lot of problems.

Anyway, you are not alone. Hopefully there is someone out there who has done this successfully and can shed light on where we are going wrong. Or someone out there willing to gang up with us to come up with a working solution. I am in, anyone else interested in this?

Henrik Størner wrote:
> Greetings,
>
> I hope someone else has come up with a way to do this - so far
> I've tried out some of the tricks described in the Advanced
> Routing Howto, but haven't gotten it to behave as I would like.
>
> I have a Linux-based (2.4.18 kernel) web server located on a
> private network. This network is connected to the Internet via
> two ADSL connections using Cisco SOHO77 routers. These routers
> do NAT of both outgoing and incoming connections.
>
> The problem is that I would like to have the web server available to
> clients on the Internet using both of the connections. Not only
> would it make the connection more reliable, it would also allow
> me to utilize the bandwidth of both the connections via a simple
> round-robin DNS setup of the Web server address. However, so far
> I haven't been able to come up with a routing setup that allows
> me to do this.
>
> The routers have been configured to NAT an incoming request on TCP
> port 80 to the internal IP of the web server. This works fine for
> connections that come in on one of the routers, if I set up the web
> server with a default route to that particular router. But then
> connections arriving on the other router do not work - the router
> forwards the initial SYN packet OK to the web server, but since
> it tries to route the response out through its default route,
> it goes nowhere - the router that is asked to forward the response
> packet never saw the initial SYN packet, so the response does not
> match anything in its NAT table, and it drops the packet.
>
> I tried giving the web server a second internal IP, and having one
> router NAT incoming connections to the first IP, and the other
> router NAT the connections to the second IP. Then using one of the
> examples in the HOWTO, I tried setting up the routing so that the
> response would go out via the proper router. I could not get that
> to work.
>
> Any ideas or suggestions would be appreciated.
>

-- 
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone 707.766.9509
Fax 707.766.8989
http://www.obsidian-studios.com
Hi,

iproute2 has a command that perhaps could help you.

ip route add default scope global equalize nexthop dev ppp0 \
    nexthop dev ppp1

(actually if you know peer addresses of ppp* use them instead).

I've never tried it but it's a possibility. You have to have two NICs in your web server; replace ppp0 and ppp1 with eth0 and eth1. Also have a look at Alexey's iproute2, because he says that this command equalizes load through the 2 NICs. Connect each NIC to each incoming line using 2 different address spaces.

Give feedback telling us your experiences.

Best regards,

Leonardo Balliache
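Henrik's original post describes the failure mode (the reply leaves through the single default route, reaches the router that never saw the SYN, and is dropped because it matches nothing in that router's NAT table) and the HOWTO-style fix he attempted with two internal addresses; Leonardo's reply adds a multipath default route for spreading load. The script below is an added example, not code from either poster or from the HOWTO, that puts the two together with iproute2: a routing table per router selected by the reply's source address, so a reply always exits via the router that delivered the connection, plus a multipath default in the main table for connections the server itself originates. The interface name, addresses, networks and table numbers are constructed placeholders; by default (DRY_RUN=1) it only prints the commands, and it applies them, which requires root, only when invoked as `sh policy-routing.sh apply`.

```shell
#!/bin/sh
# Source-based policy routing for a server with two internal addresses behind
# two NAT routers. Added example; every address, interface and table id below
# is a constructed placeholder, not a value from the thread.
#
# Router A forwards port 80 to ADDR_A, router B forwards port 80 to ADDR_B.
# The reply to a connection that arrived via router A is sourced from ADDR_A,
# so a rule "from ADDR_A" steers it into a table whose default route is GW_A.

DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands, 0 = execute them (root)
IFACE=${IFACE:-eth0}         # one NIC carrying both addresses (two NICs work too)
ADDR_A=192.168.1.10          # constructed: address router A NATs port 80 to
ADDR_B=192.168.2.10          # constructed: address router B NATs port 80 to
GW_A=192.168.1.1             # constructed: LAN address of router A
GW_B=192.168.2.1             # constructed: LAN address of router B
NET_A=192.168.1.0/24         # constructed: address space shared with router A
NET_B=192.168.2.0/24         # constructed: address space shared with router B
TABLE_A=101                  # routing table ids; any unused number from 1 to 252
TABLE_B=102

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Per-router tables: a packet sourced from ADDR_X is routed via GW_X.
# Each table also carries its own connected route so the gateway is
# reachable from within that table, as the HOWTO's multi-uplink example does.
setup_reply_routing() {
    run ip addr add "$ADDR_A/24" dev "$IFACE"
    run ip addr add "$ADDR_B/24" dev "$IFACE"
    run ip route add "$NET_A" dev "$IFACE" src "$ADDR_A" table "$TABLE_A"
    run ip route add default via "$GW_A" table "$TABLE_A"
    run ip route add "$NET_B" dev "$IFACE" src "$ADDR_B" table "$TABLE_B"
    run ip route add default via "$GW_B" table "$TABLE_B"
    run ip rule add from "$ADDR_A" table "$TABLE_A"
    run ip rule add from "$ADDR_B" table "$TABLE_B"
    # On 2.4 the route cache can keep an old decision alive after the rules
    # change, so flush it once the rules are in place.
    run ip route flush cache
}

# Connections the server itself originates have no fixed source address yet,
# so they fall through to the main table, where a multipath default spreads
# them across both routers (needs CONFIG_IP_ROUTE_MULTIPATH in the kernel).
setup_outbound_multipath() {
    run ip route add default scope global \
        nexthop via "$GW_A" dev "$IFACE" weight 1 \
        nexthop via "$GW_B" dev "$IFACE" weight 1
}

# The decision the rules above encode, expressed without touching the kernel,
# so it can be checked on any host: reply source address -> gateway.
gateway_for_source() {
    case "$1" in
        "$ADDR_A") echo "$GW_A" ;;
        "$ADDR_B") echo "$GW_B" ;;
        *)         echo "main" ;;   # falls through to the main table
    esac
}

# Ask the kernel which way a reply would go without sending any traffic.
# Usage: check_reply_path <reply-source-address> <remote-client-address>
check_reply_path() {
    run ip route get "$2" from "$1"
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi
setup_reply_routing
setup_outbound_multipath
```

After applying, `check_reply_path 192.168.2.10 203.0.113.5` (the client address is a constructed documentation value) should report `via 192.168.2.1`; if it still shows router A, the rules were not consulted, which on a 2.4 kernel usually means a stale route cache. The `equalize` keyword from Leonardo's command is left out because it needs kernel support beyond the multipath option, and it only affects load spreading of outbound connections, not the reply-path problem Henrik describes.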