LARTC - Apr 2004 - two WANs one LAN

Hello list,

I want a set-up with a satellite link (eth0) and a cellular cdma
  link (ppp0) coming into a linux box with a LAN (eth1 or wlan0)
  to be able to route first through the satellite when it''s on, or
  else the cdma when it''s in range.  Load sharing is not critical,
  but it would be nice.  The satellite has a static IP, the cdma
  is dynamic.  Both WANs are NAT''d public IPs.  The private LAN
  will be SNAT''d or MASQ''d for access to the internet.

To simplify the situation, I''m simulating the real situation with
  three ethX''s.  I have two independant ISPs (static public IPs) and
  a linux laptop connected via cross-over to the LAN interface.

This is not a new question, but I have done this:
  I checked the mailing list archives, applied the patches
[http://www.ssi.bg/~ja/#routes-2.4]
  to a 2.4.26 kernel, and read (and applied) the commands from
[http://www.ssi.bg/~ja/nano.txt],
  and set up a bash script to ping via my two WAN interfaces once
per minute.

But I''ve done something wrong, obviously(?).

I suspect a typo or other oversight, but haven''t found it yet.

Here are my settings:

root@scyther:~# uname -a
Linux scyther 2.4.26 #2 Fri Apr 16 18:17:31 EDT 2004 i586 unknown unknown
GNU/Linux
root@scyther:~# lsmod
Module                  Size  Used by    Not tainted
ipt_state                472   2  (autoclean)
iptable_nat            16280   1  (autoclean)
ip_conntrack           19944   0  (autoclean) [ipt_state iptable_nat]
iptable_filter          1612   1  (autoclean)
8139too                13576   1
mii                     2304   0  [8139too]
tulip                  40832   2
root@scyther:~# ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:80:c8:f8:24:1d brd ff:ff:ff:ff:ff:ff
     inet aa.bb.23.183/27 brd aa.bb.23.195 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:80:c8:f8:24:1e brd ff:ff:ff:ff:ff:ff
     inet cc.dd.69.83/27 brd cc.dd.69.95 scope global eth1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
     link/ether 00:80:c8:f8:24:1f brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
     link/ether 00:80:c8:f8:24:20 brd ff:ff:ff:ff:ff:ff
6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
     link/ether 00:e0:f4:11:52:43 brd ff:ff:ff:ff:ff:ff
     inet 192.168.10.1/24 brd 192.168.10.255 scope global eth4
root@scyther:~# ip rule
0:      from all lookup local
50:     from all lookup main
201:    from aa.bb.23.160/27 lookup 201
202:    from cc.dd.69.83/27 lookup 202
222:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default
root@scyther:~# ip route
aa.bb.23.160/27 dev eth0  proto kernel  scope link  src aa.bb.23.183
cc.dd.69.64/27 dev eth1  proto kernel  scope link  src cc.dd.69.83
192.168.10.0/24 dev eth4  proto kernel  scope link  src 192.168.10.1
root@scyther:~# ip route show table 201
default via aa.bb.23.161 dev eth0  proto static  src aa.bb.23.183
prohibit default  proto static  metric 1
root@scyther:~# ip route show table 202
default via cc.dd.69.94 dev eth1  proto static  src cc.dd.69.83
prohibit default  proto static  metric 1
root@scyther:~# ip route show table 222
default  proto static
         nexthop via aa.bb.23.161  dev eth0 weight 1
         nexthop via cc.dd.69.94  dev eth1 weight 1
root@scyther:~# cat ping-daemon.sh
#!/bin/sh
#
# ping on interfaces to keep kernel happy
#

while : ; do
         ping -c 1 aa.bb.23.161 > /dev/null 2>&1
         ping -c 1 cc.dd.69.94 > /dev/null 2>&1
         sleep 60
done
root@scyther:~#
root@scyther:~# iptables -v -L
Chain INPUT (policy ACCEPT 1251 packets, 83120 bytes)
  pkts bytes target     prot opt in     out     source               destination
10141 1037K keep_state  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 824 packets, 68747 bytes)
  pkts bytes target     prot opt in     out     source               destination
  1416  142K keep_state  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 7859 packets, 653K bytes)
  pkts bytes target     prot opt in     out     source               destination
16864 1625K keep_state  all  --  any    any     anywhere             anywhere

Chain keep_state (3 references)
  pkts bytes target     prot opt in     out     source               destination
18487 2000K ACCEPT     all  --  any    any     anywhere             anywhere 
        state RELATED,ESTABLISHED
  9934  804K RETURN     all  --  any    any     anywhere             anywhere
root@scyther:~# iptables -v -L -t nat
Chain PREROUTING (policy ACCEPT 1391 packets, 78477 bytes)
  pkts bytes target     prot opt in     out     source               destination
  1391 78477 keep_state  all  --  any    any     anywhere             anywhere

Chain POSTROUTING (policy ACCEPT 7246 packets, 608K bytes)
  pkts bytes target     prot opt in     out     source               destination
     3   227 SNAT       all  --  any    eth0    invalid.168.192.in-addr.arpa/24 
  anywhere           to:aa.bb.23.183
   209 17307 SNAT       all  --  any    eth1    invalid.168.192.in-addr.arpa/24 
  anywhere           to:cc.dd.69.83
  7246  608K keep_state  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 keep_state  all  --  any    any     anywhere             anywhere

Chain keep_state (3 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  any    any     anywhere             anywhere 
         state RELATED,ESTABLISHED
  8637  687K RETURN     all  --  any    any     anywhere             anywhere
root@scyther:~#

 From the laptop on the private network, I can ping both WAN interfaces,
  but only can ping out through one of them (currently cc.dd).  I can browse to
  the internet, but if I pull the cable on the interface, I don''t seem
to
  switch to the other.  What should I be checking for to figure this out.

Thanks for any help.
-- 
Bob Beers

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Bob Beers wrote:
> But I''ve done something wrong, obviously(?).
> 
> I suspect a typo or other oversight, but haven''t found it yet.
> 

Ok, after re-checking the cabling ( <- error here), and
  re-checking the commands (verbatim from the nano.txt) it does work!
  (in my static ethernet setup).  Great stuff!

Will it be the same when I introduce the dynamic ppp0 for IFE1?
The IPE1 will be a NAT''d public IP, but the GWE1 will be
  the P-t-P link.

Also, what steps can be taken to expedite the detection and
  route adjustment?
Is it enough to decrease the sleep time in the ping_daemon?
Are there some /proc/sys/.../whatever that can/should be tweaked?

Thanks for any help.

-- 
Bob Beers


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Bob Beers wrote:
 
> Will it be the same when I introduce the dynamic ppp0 for IFE1?
> The IPE1 will be a NAT''d public IP, but the GWE1 will be
>   the P-t-P link.
If you use the correct syntax, yes.  Something like
ip addr add IP/MASK peer BROADCAST dev PPP0
substituting the point-to-point remote IP for BROADCAST and the correct
device for PPP0 (IIRC.  Sorry, it has been a long time.  Regardless, the
keyword here is "peer".)
> Also, what steps can be taken to expedite the detection and
>   route adjustment?
Flush the cache.  Again, IIRC
ip route flush
but a search of the archive will turn up the correct command.  If you
can arrange it, a remote computer pinging each IP and messaging you when
the ping fails can be used to trigger the flush.  Otherwise, "ping -c 1
-I PPP0 IP" (alternate between the devices for each ping) internally is
about the best you can do; ping NEVER failed for me (see below) but
YMMV.
> Is it enough to decrease the sleep time in the ping_daemon?
No help at all.  AFAIC, less often is better, not worse.
> Are there some /proc/sys/.../whatever that can/should be tweaked?
Nope.  And nothing anywhere else, either.  DGD is _very_ hard because
usually the next hop is OK, it is the one after it that is bad.  I
don''t
think that even Julian can deal with "next in the route is OK but his
peer is dead".  In my case, the net card could speak just fine to the
DSL router; it was the modem (router) that could not I/O because it was
dead.  Of course, DGD knew the modem was OK so it thought the link was
alive...

gypsy
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/