Julian Anastasov
2004-Jan-10 10:41 UTC
Re: Two routing cache entries with different interface
Hello,

On Sat, 10 Jan 2004, Tushar Thakker wrote:

> hi all,
> i am setting up a load balancing network with failover,
> i have applied julian patch,
> but whenever i try to traceroute from any client node, it gives me two entries for that destination, but i get different interface for that entries,
> so it doesn't forward my requests,
> i have done masquerading for client nodes,
>
> the ip rule/route are as follows,
>
> ip rule add prio 222 table 222
> ip route add default table 222 proto static \
>     nexthop via $GWE1 dev $IFE1 weight 1 \
>     nexthop via $GWE2 dev $IFE2 weight 1
>
> Now after traceroute failure, if i see the routing cache for that ip, it shows following,

output route, probably created from -j MASQUERADE?:

> 205.158.62.141 via 203.88.135.213 dev eth1 src 203.88.135.212
>     cache mtu 1500 advmss 1460

input route:

> 205.158.62.141 from 192.168.1.51 via 203.88.135.205 dev eth2 src 192.168.1.242
>     cache <src-direct> mtu 1500 advmss 1460 iif eth0
>
> please see eth1 and eth2 in both entries,

Nothing strange so far, maybe they are created from different connections. In fact, there should be more cache entries.

> now it does not forward this request,

Can you provide more information, in private mail if you prefer so, including:

- tcpdump output(s) for all interfaces during the traceroute
- topology: are eth1 and eth2 connected to same hub?
- ip rules and routes

I hope you really have the "routes" patch applied and running.

> what can be the reason behind this and please can anyone suggest me the solution,
> thanx in advance,
> Regards,
>
> ----------------------------------------------------------------
> Tushar Thakker
> Elitecore Technologies Ltd.

Regards

--
Julian Anastasov <ja@ssi.bg>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Robert Kurjata
2004-Jan-10 13:03 UTC
Re[2]: Two routing cache entries with different interface
Hello Julian,

In your message dated 10 January 2004 (11:41:34) one can read:

JA> Hello,

JA> On Sat, 10 Jan 2004, Tushar Thakker wrote:

>> hi all,
>> i am setting up a load balancing network with failover,
>> i have applied julian patch,
>> but whenever i try to traceroute from any client node, it gives
>> me two entries for that destination, but i get different interface
>> for that entries,
>> so it doesn't forward my requests,
>> i have done masquerading for client nodes,
>>
>> the ip rule/route are as follows,
>>
>> ip rule add prio 222 table 222
>> ip route add default table 222 proto static \
>>     nexthop via $GWE1 dev $IFE1 weight 1 \
>>     nexthop via $GWE2 dev $IFE2 weight 1
>>
>> Now after traceroute failure, if i see the routing cache for that ip, it shows following,

JA> output route, probably created from -j MASQUERADE?:

>> 205.158.62.141 via 203.88.135.213 dev eth1 src 203.88.135.212
>>     cache mtu 1500 advmss 1460

JA> input route:

>> 205.158.62.141 from 192.168.1.51 via 203.88.135.205 dev eth2 src 192.168.1.242
>>     cache <src-direct> mtu 1500 advmss 1460 iif eth0
>>
>> please see eth1 and eth2 in both entries,

JA> Nothing strange so far, maybe they are created from different
JA> connections. In fact, there should be more cache entries.

>> now it does not forward this request,

JA> Can you provide more information, in private mail if you
JA> prefer so, including:

JA> - tcpdump output(s) for all interfaces during the traceroute
JA> - topology: are eth1 and eth2 connected to same hub?
JA> - ip rules and routes

JA> I hope you really have the "routes" patch applied and
JA> running.

>> what can be the reason behind this and please can anyone suggest me the solution,
>> thanx in advance,
>> Regards,
>>
>> ----------------------------------------------------------------
>> Tushar Thakker
>> Elitecore Technologies Ltd.

JA> Regards

JA> --
JA> Julian Anastasov <ja@ssi.bg>

try this, after applying routes patch it works fine (for me it works when I upgraded it to 3 uplinks):

---------------------------cut here------------------------------------------
#!/bin/bash
# This script is done by : Robert Kurjata Sep, 2003.
# feel free to use it in any useful way

# CONFIGURATION
IP=/sbin/ip
PING=/bin/ping

#--------------- LINK PART -----------------
# EXTIFn - interface name
# EXTIPn - outgoing IP
# EXTMn - netmask length (bits)
# EXTGWn - outgoing gateway
#-------------------------------------------
# (the IP, netmask and gateway values are blank in the post; set your own)

# LINK 1
EXTIF1=eth2
EXTIP1=
EXTM1=
EXTGW1=

# LINK 2
EXTIF2=eth1
EXTIP2=
EXTM2=
EXTGW2=

#ROUTING PART
# removing old rules and routes

echo "removing old rules"
${IP} rule del prio 50 table main
${IP} rule del prio 201 from ${EXTIP1}/${EXTM1} table 201
${IP} rule del prio 202 from ${EXTIP2}/${EXTM2} table 202
${IP} rule del prio 221 table 221
echo "flushing tables"
${IP} route flush table 201
${IP} route flush table 202
${IP} route flush table 221
echo "removing tables"
${IP} route del table 201
${IP} route del table 202
${IP} route del table 221

# setting new rules
echo "Setting new routing rules"

# main table w/o default gateway here
${IP} rule add prio 50 table main
${IP} route del default table main

# identified routes here
${IP} rule add prio 201 from ${EXTIP1}/${EXTM1} table 201
${IP} rule add prio 202 from ${EXTIP2}/${EXTM2} table 202

${IP} route add default via ${EXTGW1} dev ${EXTIF1} src ${EXTIP1} proto static table 201
${IP} route append prohibit default table 201 metric 1 proto static

${IP} route add default via ${EXTGW2} dev ${EXTIF2} src ${EXTIP2} proto static table 202
${IP} route append prohibit default table 202 metric 1 proto static

# multipath
${IP} rule add prio 221 table 221

${IP} route add default table 221 proto static \
    nexthop via ${EXTGW1} dev ${EXTIF1} weight 2 \
    nexthop via ${EXTGW2} dev ${EXTIF2} weight 3

${IP} route flush cache

# ping both gateways once a minute
while : ; do
    ${PING} -c 1 ${EXTGW1}
    ${PING} -c 1 ${EXTGW2}
    sleep 60
done
---------------------------cut here------------------------------------------

--
Regards,
Robert
Hi all,

i have a router with debian 3.0 kernel 2.4.20, working with htb quite well, limiting bandwidth and doing port and ip prioritizations.

Now i want to serve more than 1 internet ip, later i will do prioritizations on each ip.. but.. i can't manage yet the first thing.

The idea is that it works as a "dhcp server", assigning the ips.. but the traffic must go through the linux box (so i can prioritize and limit bandwidth).

i have set up the second internet ip with ipalias in eth1:0, and it is active, i get ping from internet.. no problem.. but it does not work fine when i try to assign it to a private ip

The idea is assigning 192.168.0.3 to eth1:0 (no natting, .. just the entire ip)

The iptables after '#' is what i tried.. but it did not work, it gave me this message:

debian:/etc/init.d# sh nat.sh
Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
iptables v1.2.7a: multiple -j flags not allowed

Thanks in advance,
Carlos

The script, below..

#!/bin/sh
echo "AthoS LaN Generando iptables..." > /dev/tty12

# flush the iptables tables
iptables -F
iptables -t nat -F
iptables -t filter -F

# eth1 will be the internet interface
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

# eth0 is the local network interface
iptables --append FORWARD --in-interface eth0 -j ACCEPT

#iptables -t nat -F PREROUTING
#iptables -t nat -P PREROUTING ACCEPT
#iptables -t nat -F POSTROUTING
#iptables -t nat -P POSTROUTING ACCEPT
#iptables -t nat -A POSTROUTING -o eth1:0
#iptables -A FORWARD -i eth0 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
#iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED -j MASQUERADE

# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# packet routing rules...
# 1.- redirect requests on port 21 to my PC
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j DNAT --to 192.168.0.2:21
Robert Kurjata
2004-Jan-10 17:00 UTC
Re[4]: Two routing cache entries with different interface
Hello Tushar,

In your message dated 11 January 2004 (03:42:51) one can read:

TT> hello,
TT> i have seen the script you sent,
TT> but it is for static load balancing,
TT> but i want to do automatic load balancing,

It is automatic load balancing. And it works for me with 3 uplinks dynamically shared at about 8 Mbits traffic.

TT> allowing nodes to select the gateway dynamically,
TT> so i think tables 201 and 202 are not needed,

No, No, No! Please read the Nano-HOWTO Carefully. Those tables are essential for proper operation. They take care of the subsequent packets of the connection. After the first one is matched by multipath route the gateway is selected and the output address is selected. Subsequent connection packets NEED to go through the SAME interface. Without additional tables they may (and probably will) go out through invalid interface with invalid source IP thus if there is properly configured router on their way (eg. a provider which filters packets not coming from their subnet) everything will die. (Info taken from Nano currently at: http://www.ssi.bg/~ja/nano.txt ).

As you can see after reading my script is an adopted version of nano proved to work.

TT> i want to use only 221 (table having nexthop),
TT> and my gateway itself allocates connections very correctly,
TT> but in case of requests from other nodes, it can not transfer,
TT> i hope you would help me in this regard,
TT> Thanx and regards,
TT> ----------------------------------------------------------------
TT> Tushar Thakker
TT> Elitecore Technologies Ltd.
TT> ----------------------------------------------------------------
TT> Life gives all that one deserves, but not all that one desires...
TT> ----------------------------------------------------------------

--
Regards,
Robert
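The role of the per-uplink tables described in the reply above, as an added example that is not part of the thread or of the routes patch: a shell function that takes text in the style of `ip rule show` and `ip route show table all` and lists every multipath nexthop that has no `from` rule leading to a table whose default route uses the same gateway and device. The function name `uncovered_nexthops`, the sample outputs and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list multipath nexthops that have no per-uplink table behind them.
#
# uncovered_nexthops RULES ROUTES
#   RULES  - text in the style of `ip rule show`
#   ROUTES - text in the style of `ip route show table all`
# Prints "gateway device" for every nexthop that is not also the default route of
# a table selected by a "from <address>" rule.
uncovered_nexthops() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        # word following keyword key on the current line, "" if absent
        function val(key,    i) {
            for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
            return ""
        }
        $0 == "---" { routes_part = 1; next }
        !routes_part {                 # rule line: "201: from ADDR lookup 201"
            if (val("from") != "" && val("from") != "all") srctab[val("lookup")] = 1
            next
        }
        $1 == "nexthop" { nh[val("via") " " val("dev")] = 1; next }
        $1 == "default" && val("via") != "" && (val("table") in srctab) {
            pinned[val("via") " " val("dev")] = 1
        }
        END { for (k in nh) if (!(k in pinned)) print k }
    ' | sort
}

# Constructed samples using RFC 5737 documentation addresses (not from the thread).
ROUTES='default via 192.0.2.1 dev eth2 table 201 proto static src 192.0.2.10
prohibit default table 201 proto static metric 1
default via 198.51.100.1 dev eth1 table 202 proto static src 198.51.100.10
prohibit default table 202 proto static metric 1
default table 221 proto static
    nexthop via 192.0.2.1 dev eth2 weight 2
    nexthop via 198.51.100.1 dev eth1 weight 3'

# One "from" rule per uplink plus the multipath table.
RULES_FULL='50: from all lookup main
201: from 192.0.2.10/24 lookup 201
202: from 198.51.100.10/24 lookup 202
221: from all lookup 221'

# Only the multipath table, no per-uplink rules.
RULES_MULTIPATH_ONLY='50: from all lookup main
221: from all lookup 221'

echo "full rule set:  [$(uncovered_nexthops "$RULES_FULL" "$ROUTES")]"
echo "multipath only: [$(uncovered_nexthops "$RULES_MULTIPATH_ONLY" "$ROUTES")]"
```

On a live router the two arguments would be the captured output of the two `ip` commands; an empty result means every uplink in the multipath route has its own source-selected table.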
hi all,
i am setting up a load balancing network with failover,
i have applied julian patch,
but whenever i try to traceroute from any client node, it gives me two entries for that destination, but i get different interface for that entries,
so it doesn't forward my requests,
i have done masquerading for client nodes,

the ip rule/route are as follows,

ip rule add prio 222 table 222
ip route add default table 222 proto static \
    nexthop via $GWE1 dev $IFE1 weight 1 \
    nexthop via $GWE2 dev $IFE2 weight 1

Now after traceroute failure, if i see the routing cache for that ip, it shows following,

205.158.62.141 via 203.88.135.213 dev eth1 src 203.88.135.212
    cache mtu 1500 advmss 1460
205.158.62.141 from 192.168.1.51 via 203.88.135.205 dev eth2 src 192.168.1.242
    cache <src-direct> mtu 1500 advmss 1460 iif eth0

please see eth1 and eth2 in both entries,
now it does not forward this request,
what can be the reason behind this and please can anyone suggest me the solution,
thanx in advance,
Regards,

----------------------------------------------------------------
Tushar Thakker
Elitecore Technologies Ltd.
----------------------------------------------------------------
Life gives all that one deserves, but not all that one desires...
----------------------------------------------------------------
Hi Carlos,

> The iptables after '#' is what i tried.. but it did not work, it gave me
> this message:
> debian:/etc/init.d# sh nat.sh
> Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
> Warning: weird character in interface `eth1:0' (No aliases, :, ! or *).
> iptables v1.2.7a: multiple -j flags not allowed
>
> #iptables -t nat -A POSTROUTING -o eth1:0
> #iptables -A FORWARD -i eth0 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
> #iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED -j MASQUERADE

You need to fix those 3 lines just like the error messages say. Iptables uses the real interface (eth1), not the aliased one, and you can't combine two -j flags, ACCEPT and MASQUERADE. I assume the -j MASQUERADE option is a mistake and should belong elsewhere.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email: damion@snapgear.com
SnapGear - A CyberGuard Company ---  ph: +61 7 3435 2809
 | Custom Embedded Solutions  fax: +61 7 3891 3630
 | and Security Appliances  web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 --- Free Embedded Linux Distro at http://www.snapgear.org ---
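The two problems named in this reply, as an added example that is not part of the thread: a small shell and awk check that flags an interface alias passed to `-i`/`-o` and more than one `-j` target on a rule, run over the three commented-out lines from the script. The function names `lint_iptables` and `lint_tried_rules` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the two mistakes iptables reported.
#
# lint_iptables reads iptables command lines on stdin; a leading "#" is stripped
# so commented-out rules can be checked as well. Output: "LINE: problem".
lint_iptables() {
    awk '
        { sub(/^#+[ \t]*/, "") }
        $1 != "iptables" { next }
        {
            jumps = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "-j" || $i == "--jump") jumps++
                is_if = ($i == "-i" || $i == "-o" || $i == "--in-interface" || $i == "--out-interface")
                if (is_if && $(i + 1) ~ /:/)
                    print NR ": " $i " " $(i + 1) " is an alias, match on the real interface"
            }
            if (jumps > 1) print NR ": " jumps " -j targets on one rule, only one is allowed"
        }
    '
}

# The three commented-out rules from the script in this thread.
TRIED_RULES='#iptables -t nat -A POSTROUTING -o eth1:0
#iptables -A FORWARD -i eth0 -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
#iptables -A FORWARD -i eth1:0 -j ACCEPT -m state --state ESTABLISHED,RELATED -j MASQUERADE'

lint_tried_rules() { printf '%s\n' "$TRIED_RULES" | lint_iptables; }
lint_tried_rules
```

The three findings line up with the two warnings and the one error in the quoted `nat.sh` output.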