aristo7514 aristo7514
2005-Jun-04 23:56 UTC
2-3 uplinks, nat and failover...is it possible?
Hello,
I am trying something crazy here. I have gone through the old
archives, lartc.org and lots of documentation, but still something is
wrong.
Here is the situation;
The server is Fedora core 2 running kernel 2.6.5
I have 2 uplinks to two different ISPs. (It will be 3-4 in the
future).
These ISPs should serve the bandwidth to local clients with multiple
subnets.
The eth0 of linux server is connected to my internal network and also
have some aliases.
I have a public IP block
81.8.124.1-81.8.124.63
and also some private IP blocks on the eth0 as aliases.
The diagram of my network is : http://www.asigiz.biz/mynetwork.gif
Here is the list for my ip addresses.
eth0 has ip 172.16.55.1/255.255.255.0
eth0:1 has ip 172.17.56.1/255.255.255.0
eth0:2 has ip 172.17.57.1/255.255.255.0
eth0:3 has ip 172.17.58.1/255.255.255.0
eth0:4 has ip 81.8.124.1/255.255.255.192
eth1 has ip 81.8.120.18/255.255.255.252
eth3 has ip 172.18.10.30/255.255.255.0
One of my internet connections is 81.8.120.18/255.255.255.252 with
gateway of 81.8.120.17 (Public)
The other one is 172.18.10.30/255.255.255.0 with gateway of
172.18.10.2 (Behind an ADSL router)
I would like 172.16.55.0/24 to be natted to 81.8.120.18
172.16.56.0/24 to 172.18.10.30
172.16.57.0/24 to 172.18.10.30
172.16.58.0/24 to 81.8.120.18
and 81.8.124.0/24 to go directly. (will be natted to 172.18.10.30 when
the link fails)
My nat config is very simple;
INT=eth0 # DSLAM
EXT=eth1 # ISP
EXT2=eth3 # ISP-ADSL
MASQ_NET=172.16.55.0/255.255.255.0 # DSLAM 1
MASQ_NET2=172.16.56.0/255.255.255.0 # DSLAM 2
MASQ_NET3=172.16.57.0/255.255.255.0 # DSLAM 3
MASQ_NET4=172.16.58.0/255.255.255.0 # DSLAM 4
iptables -t nat -F
iptables -t nat -A POSTROUTING -s $MASQ_NET -o $EXT -j MASQUERADE
iptables -t nat -A POSTROUTING -s $MASQ_NET2 -o $EXT2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $MASQ_NET3 -o $EXT2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $MASQ_NET4 -o $EXT -j MASQUERADE
... So, up to now most of the things work with only one gateway. Also
if one of the links fails, the other one automatically takes over with
another script.
The problem here is the default gw;
route add default gw 81.8.120.17 # now only the certain networks work
if I want to switch over to the other one;
route del default gw 81.8.120.17
route add default gw 172.18.10.30
Then the other one starts working (with some nat modifications)
So, how can I make this work all the time (I mean split access/policy
based routing) Currently, I can have only one gateway working at a
time.
This is what I have tried so far.
ip route add 81.8.120.16/30 dev eth1 src 81.8.120.18 table 1
ip route add default via 81.8.120.17 table 1
ip route add 172.18.10.0/24 dev eth3 src 172.18.10.30 table 2
ip route add default via 172.18.10.2 table 1
ip rule add from 81.8.120.16/30 lookup 1
ip rule add from 172.18.10.0/24 lookup 2
ip route add default scope global nexthop via 172.18.10.30 dev eth3
weight 1 nexthop via 81.8.124.17 dev eth1 weight 1
Well, any help will be greatly appreciated. I will try some more
modifications but just going crazy...
I know that I can use both gateways at the same time, but there
should be something I am doing wrong.
Thanks in advance,
Aristo
Here are some more details;
[root@iltekrouter root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
6: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:20:ed:56:0b:bd brd ff:ff:ff:ff:ff:ff
inet 172.16.55.1/24 brd 172.16.55.255 scope global eth0
inet 172.16.56.1/24 brd 172.16.255.255 scope global eth0:1
inet 172.16.57.1/24 brd 172.16.255.255 scope global eth0:2
inet 172.16.58.1/24 brd 172.16.255.255 scope global eth0:3
inet 81.8.124.1/26 brd 81.255.255.255 scope global eth0:4
inet6 fe80::220:edff:fe56:bbd/64 scope link
valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:02:a7:e4:b6 brd ff:ff:ff:ff:ff:ff
inet 81.8.120.18/30 brd 81.8.120.19 scope global eth1
inet6 fe80::201:2ff:fea7:e4b6/64 scope link
valid_lft forever preferred_lft forever
8: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:a1:80:3b:02 brd ff:ff:ff:ff:ff:ff
inet 172.18.10.30/24 brd 172.18.10.255 scope global eth3
inet6 fe80::208:a1ff:fe80:3b02/64 scope link
valid_lft forever preferred_lft forever
9: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:a1:80:51:7e brd ff:ff:ff:ff:ff:ff
inet6 fe80::208:a1ff:fe80:517e/64 scope link
valid_lft forever preferred_lft forever
10: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
[root@iltekrouter root]# ip link list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:20:ed:56:0b:bd brd ff:ff:ff:ff:ff:ff
7: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:01:02:a7:e4:b6 brd ff:ff:ff:ff:ff:ff
8: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:a1:80:3b:02 brd ff:ff:ff:ff:ff:ff
9: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:08:a1:80:51:7e brd ff:ff:ff:ff:ff:ff
10: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
[root@iltekrouter root]# ip route show
81.8.120.16/30 dev eth1 scope link
81.8.124.0/26 dev eth0 proto kernel scope link src 81.8.124.1
172.16.55.0/24 dev eth0 scope link
172.18.10.0/24 dev eth3 scope link
172.16.58.0/24 dev eth0 proto kernel scope link src 172.16.58.1
172.16.57.0/24 dev eth0 proto kernel scope link src 172.16.57.1
172.16.56.0/24 dev eth0 proto kernel scope link src 172.16.56.1
169.254.0.0/16 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via 81.8.120.17 dev eth1
[root@iltekrouter root]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
81.8.120.16 * 255.255.255.252 U 0 0 0 eth1
81.8.124.0 * 255.255.255.192 U 0 0 0 eth0
172.16.55.0 * 255.255.255.0 U 0 0 0 eth0
172.18.10.0 * 255.255.255.0 U 0 0 0 eth3
172.16.58.0 * 255.255.255.0 U 0 0 0 eth0
172.16.57.0 * 255.255.255.0 U 0 0 0 eth0
172.16.56.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth3
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 81.8.120.17 0.0.0.0 UG 0 0 0 eth1
[root@iltekrouter root]# uname -a
Linux iltekrouter.iltek.net 2.6.5-1.358 #1 Sat May 8 09:04:50 EDT 2004
i686 i686 i386 GNU/Linux
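A corrected form of the split-access setup the post above is attempting, added here as an example; it is not code from the thread. It uses the addresses and gateways the post gives, and assumes the table ids 1 and 2 and the rule preferences 100/200 chosen here; two discrepancies in the post's attempt are noted in comments (the second default route is added to table 1 instead of table 2, and the multipath nexthop uses 81.8.124.17 where the stated gateway is 81.8.120.17).

```shell
# Added example (not from the thread): source-policy routing for the two
# uplinks in the post. Prints the commands; APPLY=1 executes them as root.
# Uplink 1: public /30 on eth1 (addresses and gateways taken from the post)
EXT=eth1;  EXT_IP=81.8.120.18;  EXT_NET=81.8.120.16/30;   EXT_GW=81.8.120.17
# Uplink 2: ADSL router on eth3 (the post's nexthop 81.8.124.17 is not this)
EXT2=eth3; EXT2_IP=172.18.10.30; EXT2_NET=172.18.10.0/24; EXT2_GW=172.18.10.2
PUBLIC_NET=81.8.124.0/26   # the directly routed block on eth0:4
T_ISP=1; T_ADSL=2          # one routing table per uplink, ids as in the post
# LAN subnet -> table, i.e. which uplink each subnet leaves through
LAN_POLICY="172.16.55.0/24 $T_ISP
172.16.56.0/24 $T_ADSL
172.16.57.0/24 $T_ADSL
172.16.58.0/24 $T_ISP
$PUBLIC_NET $T_ISP"

# Each table holds its own link route and ONLY its own default gateway
# (the post's attempt put the ADSL default into table 1 as well).
table_routes() {
  echo "ip route add $EXT_NET dev $EXT src $EXT_IP table $T_ISP"
  echo "ip route add default via $EXT_GW dev $EXT table $T_ISP"
  echo "ip route add $EXT2_NET dev $EXT2 src $EXT2_IP table $T_ADSL"
  echo "ip route add default via $EXT2_GW dev $EXT2 table $T_ADSL"
}
# LAN-to-LAN destinations stay in main (pref 100); every LAN subnet is then
# steered by source address (pref 200). The post's rules matched only the
# uplink networks, so LAN traffic still fell through to the single main default.
policy_rules() {
  printf '%s\n' "$LAN_POLICY" | while read -r net tbl; do
    echo "ip rule add to $net lookup main pref 100"
    echo "ip rule add from $net lookup $tbl pref 200"
  done
  echo "ip rule add from $EXT_IP lookup $T_ISP pref 200"    # replies leave the
  echo "ip rule add from $EXT2_IP lookup $T_ADSL pref 200"  # way they came in
}
# NAT follows the routing decision (masquerade per egress interface). The public
# block leaves the ISP link unmodified but is masqueraded on the ADSL line.
nat_rules() {
  echo "iptables -t nat -A POSTROUTING ! -s $PUBLIC_NET -o $EXT -j MASQUERADE"
  echo "iptables -t nat -A POSTROUTING -o $EXT2 -j MASQUERADE"
}
# Failover for one subnet: repoint its rule at the surviving table,
# e.g. failover 172.16.55.0/24 "$T_ADSL" when the ISP link is down.
failover() {
  echo "ip rule del from $1 pref 200"
  echo "ip rule add from $1 lookup $2 pref 200"
  echo "ip route flush cache"
}
all_commands() { table_routes; policy_rules; nat_rules; echo "ip route flush cache"; }
if [ "${APPLY:-0}" = 1 ]; then all_commands | sh -e; else all_commands; fi
```

Without APPLY=1 the script only prints the ip/iptables commands, so it can be reviewed before it touches the router.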
aristo7514 aristo7514 wrote:
> I have a public IP block
> 81.8.124.1-81.8.124.63

and 172.17.whatever
as well as 172.18.whatever
and 81.8.120
:( ... Why do you confuse us with just the one?

> Here is the list for my ip addresses.
>
> eth0 has ip 172.16.55.1/255.255.255.0
> eth0:1 has ip 172.17.56.1/255.255.255.0
> eth0:2 has ip 172.17.57.1/255.255.255.0
> eth0:3 has ip 172.17.58.1/255.255.255.0
> eth0:4 has ip 81.8.124.1/255.255.255.192

I doubt that eth0:# is ever going to work because others have reported
failure to this ML under similar circumstances.

> eth1 has ip 81.8.120.18/255.255.255.252
> eth3 has ip 172.18.10.30/255.255.255.0
>
> One of my internet connection is 81.8.120.18/255.255.255.252 with
> gateway of 81.8.120.17 (Public)
>
> The other one is 172.18.10.30/255.255.255.0 with gateway of
> 172.18.10.2 (Behind an ADSL router)

Have you read Martin Brown's stuff at http://linux-ip.net/ ? If not,
you've missed (what I consider to be) the most understandable
documentation on the internet. With Julian's patch, nano.txt and a
reading of Martin you should be able to use all the internet
connections. Dead Gateway Detection may not work depending on the
number of hops to the dead gateway.
--
gypsy
Carl-Daniel Hailfinger
2005-Jun-05 21:03 UTC
Re: 2-3 uplinks, nat and failover...is it possible?
gypsy wrote:
> aristo7514 aristo7514 wrote:
>
>> I have a public IP block
>> 81.8.124.1-81.8.124.63
>
>
> and 172.17.whatever
> as well as 172.18.whatever
> and 81.8.120
> :( ... Why do you confuse us with just the one?

Because 172.16/12 is a private range?

Regards,
Carl-Daniel
--
http://www.hailfinger.org/