aristo7514 aristo7514
2005-Jun-04 23:56 UTC
2-3 uplinks, nat and failover...is it possible?
Hello,

I am trying something crazy here. I have gone through the old archives, lartc.org and lots of documentation, but still something is wrong. Here is the situation:

The server is Fedora Core 2 running kernel 2.6.5. I have 2 uplinks to two different ISPs (it will be 3-4 in the future). These ISPs should serve the bandwidth to local clients with multiple subnets. The eth0 of the Linux server is connected to my internal network and also has some aliases. I have a public IP block 81.8.124.1-81.8.124.63 and also some private IP blocks on eth0 as aliases.

The diagram of my network is: http://www.asigiz.biz/mynetwork.gif

Here is the list for my ip addresses:

    eth0   has ip 172.16.55.1/255.255.255.0
    eth0:1 has ip 172.17.56.1/255.255.255.0
    eth0:2 has ip 172.17.57.1/255.255.255.0
    eth0:3 has ip 172.17.58.1/255.255.255.0
    eth0:4 has ip 81.8.124.1/255.255.255.192
    eth1   has ip 81.8.120.18/255.255.255.252
    eth3   has ip 172.18.10.30/255.255.255.0

One of my internet connections is 81.8.120.18/255.255.255.252 with gateway 81.8.120.17 (public).

The other one is 172.18.10.30/255.255.255.0 with gateway 172.18.10.2 (behind an ADSL router).

I would like

    172.16.55.0/24 to be natted to 81.8.120.18
    172.16.56.0/24 to 172.18.10.30
    172.16.57.0/24 to 172.18.10.30
    172.16.58.0/24 to 81.8.120.18

and 81.8.124.0/24 to go directly (will be natted to 172.18.10.30 when the link fails).

My nat config is very simple:

    INT=eth0    # DSLAM
    EXT=eth1    # ISP
    EXT2=eth3   # ISP-ADSL
    MASQ_NET=172.16.55.0/255.255.255.0     # DSLAM 1
    MASQ_NET2=172.16.56.0/255.255.255.0    # DSLAM 2
    MASQ_NET3=172.16.57.0/255.255.255.0    # DSLAM 3
    MASQ_NET4=172.16.58.0/255.255.255.0    # DSLAM 4

    iptables -t nat -F
    iptables -t nat -A POSTROUTING -s $MASQ_NET  -o $EXT  -j MASQUERADE
    iptables -t nat -A POSTROUTING -s $MASQ_NET2 -o $EXT2 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s $MASQ_NET3 -o $EXT2 -j MASQUERADE
    iptables -t nat -A POSTROUTING -s $MASQ_NET4 -o $EXT  -j MASQUERADE
    ...

So, up to now most of the things work with only one gateway. Also, if one of the links fails, the other one automatically takes over with another script. The problem here is the default gw:

    route add default gw 81.8.120.17    # now only the certain networks work

If I want to switch over to the other one:

    route del default gw 81.8.120.17
    route add default gw 172.18.10.30

Then the other one starts working (with some nat modifications). So, how can I make this work all the time (I mean split access/policy based routing)? Currently, I can have only one gateway working at a time.

This is what I have tried so far:

    ip route add 81.8.120.16/30 dev eth1 src 81.8.120.18 table 1
    ip route add default via 81.8.120.17 table 1
    ip route add 172.18.10.0/24 dev eth3 src 172.18.10.30 table 2
    ip route add default via 172.18.10.2 table 1
    ip rule add from 81.8.120.16/30 lookup 1
    ip rule add from 172.18.10.0/24 lookup 2
    ip route add default scope global nexthop via 172.18.10.30 dev eth3 weight 1 nexthop via 81.8.124.17 dev eth1 weight 1

Well, any help will be greatly appreciated. I will try some more modifications but am just going crazy... I know that I can use both gateways at the same time, but there should be something I am doing wrong.

Thanks in advance,
Aristo

Here are some more details:

    [root@iltekrouter root]# ip addr show
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    6: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:20:ed:56:0b:bd brd ff:ff:ff:ff:ff:ff
        inet 172.16.55.1/24 brd 172.16.55.255 scope global eth0
        inet 172.16.56.1/24 brd 172.16.255.255 scope global eth0:1
        inet 172.16.57.1/24 brd 172.16.255.255 scope global eth0:2
        inet 172.16.58.1/24 brd 172.16.255.255 scope global eth0:3
        inet 81.8.124.1/26 brd 81.255.255.255 scope global eth0:4
        inet6 fe80::220:edff:fe56:bbd/64 scope link
           valid_lft forever preferred_lft forever
    7: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:01:02:a7:e4:b6 brd ff:ff:ff:ff:ff:ff
        inet 81.8.120.18/30 brd 81.8.120.19 scope global eth1
        inet6 fe80::201:2ff:fea7:e4b6/64 scope link
           valid_lft forever preferred_lft forever
    8: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:08:a1:80:3b:02 brd ff:ff:ff:ff:ff:ff
        inet 172.18.10.30/24 brd 172.18.10.255 scope global eth3
        inet6 fe80::208:a1ff:fe80:3b02/64 scope link
           valid_lft forever preferred_lft forever
    9: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:08:a1:80:51:7e brd ff:ff:ff:ff:ff:ff
        inet6 fe80::208:a1ff:fe80:517e/64 scope link
           valid_lft forever preferred_lft forever
    10: sit0: <NOARP> mtu 1480 qdisc noop
        link/sit 0.0.0.0 brd 0.0.0.0

    [root@iltekrouter root]# ip link list
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    6: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:20:ed:56:0b:bd brd ff:ff:ff:ff:ff:ff
    7: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:01:02:a7:e4:b6 brd ff:ff:ff:ff:ff:ff
    8: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:08:a1:80:3b:02 brd ff:ff:ff:ff:ff:ff
    9: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:08:a1:80:51:7e brd ff:ff:ff:ff:ff:ff
    10: sit0: <NOARP> mtu 1480 qdisc noop
        link/sit 0.0.0.0 brd 0.0.0.0

    [root@iltekrouter root]# ip route show
    81.8.120.16/30 dev eth1  scope link
    81.8.124.0/26 dev eth0  proto kernel  scope link  src 81.8.124.1
    172.16.55.0/24 dev eth0  scope link
    172.18.10.0/24 dev eth3  scope link
    172.16.58.0/24 dev eth0  proto kernel  scope link  src 172.16.58.1
    172.16.57.0/24 dev eth0  proto kernel  scope link  src 172.16.57.1
    172.16.56.0/24 dev eth0  proto kernel  scope link  src 172.16.56.1
    169.254.0.0/16 dev eth3  scope link
    127.0.0.0/8 dev lo  scope link
    default via 81.8.120.17 dev eth1

    [root@iltekrouter root]# netstat -r
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    81.8.120.16     *               255.255.255.252 U         0 0          0 eth1
    81.8.124.0      *               255.255.255.192 U         0 0          0 eth0
    172.16.55.0     *               255.255.255.0   U         0 0          0 eth0
    172.18.10.0     *               255.255.255.0   U         0 0          0 eth3
    172.16.58.0     *               255.255.255.0   U         0 0          0 eth0
    172.16.57.0     *               255.255.255.0   U         0 0          0 eth0
    172.16.56.0     *               255.255.255.0   U         0 0          0 eth0
    169.254.0.0     *               255.255.0.0     U         0 0          0 eth3
    127.0.0.0       *               255.0.0.0       U         0 0          0 lo
    default         81.8.120.17     0.0.0.0         UG        0 0          0 eth1

    [root@iltekrouter root]# uname -a
    Linux iltekrouter.iltek.net 2.6.5-1.358 #1 Sat May 8 09:04:50 EDT 2004 i686 i686 i386 GNU/Linux
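An added worked example of the split-access setup the post is after (editor's script, not Aristo's scripts and not from the LARTC documentation), with the interfaces, addresses, gateways and subnet-to-ISP mapping taken from the post. Three things in the commands above work against it: the rules select on the uplink networks (from 81.8.120.16/30, from 172.18.10.0/24), but the routing decision is made before POSTROUTING masquerading rewrites the source, so a LAN packet still carries its 172.16.x address and never matches them; the second default route is added to table 1 instead of table 2, so table 2 never gets one; and the multipath nexthops point at 172.18.10.30 (the router's own eth3 address) and 81.8.124.17 rather than at the two gateways 172.18.10.2 and 81.8.120.17. The script keys the rules on the LAN subnets, gives each uplink its own table, lets NAT follow whichever interface the policy chose, and rewrites the three default routes from a link probe. Table numbers, rule preferences, the DRY_RUN switch and the probe targets are assumptions.

```shell
#!/bin/sh
# Two uplinks, per-subnet NAT and failover with iproute2 policy routing.
# Editor's example, not the poster's scripts. Interfaces, addresses,
# gateways and the subnet-to-ISP mapping come from the post; table numbers,
# rule preferences, the DRY_RUN switch and the probe targets are assumptions.

LAN_NETS=172.16.0.0/12        # covers every eth0 alias and the ADSL link net
PUBLIC_NET=81.8.124.0/26      # leaves ISP1 untranslated, masqueraded only on failover

ISP1_IF=eth1; ISP1_IP=81.8.120.18;  ISP1_NET=81.8.120.16/30; ISP1_GW=81.8.120.17; ISP1_TABLE=1
ISP2_IF=eth3; ISP2_IP=172.18.10.30; ISP2_NET=172.18.10.0/24; ISP2_GW=172.18.10.2; ISP2_TABLE=2
ISP1_SUBNETS="172.16.55.0/24 172.16.58.0/24"   # to be masqueraded behind 81.8.120.18
ISP2_SUBNETS="172.16.56.0/24 172.16.57.0/24"   # to be masqueraded behind 172.18.10.30

# Probe targets (assumed): a host beyond the gateway, e.g. the ISP's DNS
# server, catches failures a gateway ping cannot. Defaults to the gateway.
ISP1_PROBE=${ISP1_PROBE:-$ISP1_GW}
ISP2_PROBE=${ISP2_PROBE:-$ISP2_GW}

# DRY_RUN=1 prints each command instead of executing it (review without root).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# One table per uplink: link route, default via that ISP, and a pinned host
# route for the probe so a failed-over default cannot hide a dead link.
setup_table() {   # setup_table <iface> <addr> <linknet> <gateway> <table> <probe>
    run ip route flush table "$5"
    run ip route add "$3" dev "$1" src "$2" table "$5"
    run ip route add default via "$4" dev "$1" table "$5"
    if [ "$6" != "$4" ]; then run ip route add "$6" via "$4" dev "$1" table "$5"; fi
}
setup_tables() {
    setup_table "$ISP1_IF" "$ISP1_IP" "$ISP1_NET" "$ISP1_GW" "$ISP1_TABLE" "$ISP1_PROBE"
    setup_table "$ISP2_IF" "$ISP2_IP" "$ISP2_NET" "$ISP2_GW" "$ISP2_TABLE" "$ISP2_PROBE"
}

# Rules run before POSTROUTING NAT rewrites the source, so they must select
# on the LAN subnets; "from 81.8.120.16/30" never matches a LAN packet.
setup_rules() {
    # LAN-to-LAN and public-block destinations stay in main; otherwise a packet
    # from 172.16.55.0/24 to 172.16.56.0/24 would take table 1's default route.
    run ip rule add to "$LAN_NETS" lookup main pref 100
    run ip rule add to "$PUBLIC_NET" lookup main pref 100
    # Router-originated traffic bound to an uplink address uses that uplink.
    run ip rule add from "$ISP1_IP" lookup "$ISP1_TABLE" pref 200
    run ip rule add from "$ISP2_IP" lookup "$ISP2_TABLE" pref 200
    for n in $ISP1_SUBNETS; do run ip rule add from "$n" lookup "$ISP1_TABLE" pref 300; done
    for n in $ISP2_SUBNETS; do run ip rule add from "$n" lookup "$ISP2_TABLE" pref 300; done
}

# NAT follows the interface the policy chose: private sources are masqueraded
# on whichever uplink they leave, the public /26 only if it leaves via ADSL.
setup_nat() {
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -s "$LAN_NETS" -o "$ISP1_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN_NETS" -o "$ISP2_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$PUBLIC_NET" -o "$ISP2_IF" -j MASQUERADE
}

# Print the default routes (main, table 1, table 2) for a link state.
# Usage: default_routes <isp1 up 1|0> <isp2 up 1|0>; fails, printing nothing,
# when both are down so the current routes are left alone.
default_routes() {
    gw1="via $ISP1_GW dev $ISP1_IF"; gw2="via $ISP2_GW dev $ISP2_IF"
    case "$1$2" in
        11) main=$gw1; t1=$gw1; t2=$gw2 ;;   # normal: public /26 and table 1 on ISP1
        10) main=$gw1; t1=$gw1; t2=$gw1 ;;   # ADSL down: everything via ISP1
        01) main=$gw2; t1=$gw2; t2=$gw2 ;;   # ISP1 down: everything via ADSL (NATted)
        *)  return 1 ;;
    esac
    echo "ip route replace default $main"
    echo "ip route replace default $t1 table $ISP1_TABLE"
    echo "ip route replace default $t2 table $ISP2_TABLE"
}

apply_defaults() {   # apply_defaults <isp1 up> <isp2 up>
    if ! default_routes "$1" "$2" >/dev/null; then
        echo "both uplinks down, keeping current routes" >&2; return 1
    fi
    default_routes "$1" "$2" | while read -r cmd; do run $cmd; done
    run ip route flush cache     # 2.6 kernels keep per-flow route cache entries
}

# 1 if <target> answers a ping sourced from <addr>, else 0.
probe() { if ping -c 2 -W 2 -I "$1" "$2" >/dev/null 2>&1; then echo 1; else echo 0; fi; }

# "apply" installs tables, rules and NAT at boot; "failover" re-evaluates the
# defaults from the probes and is meant to run from cron every minute.
case "${1:-}" in
    apply)    setup_tables; setup_rules; setup_nat; apply_defaults 1 1 ;;
    failover) apply_defaults "$(probe "$ISP1_IP" "$ISP1_PROBE")" "$(probe "$ISP2_IP" "$ISP2_PROBE")" ;;
esac
```

Run it as "DRY_RUN=1 sh uplinks.sh apply" first to read the commands it would issue, then "apply" once at boot and "failover" from cron. A few caveats that the post's own failover script will also run into: the route cache on these kernels has to be flushed after the defaults change, which the script does; connections that were already masqueraded behind the dead uplink's address keep their conntrack mapping and time out rather than move; re-running "apply" adds the rules a second time (check with "ip rule"); and if reverse-path filtering is on (net.ipv4.conf.*.rp_filter), a reply that arrives on one uplink while the kernel's source lookup points out the other is dropped as a martian, so watch log_martians and turn rp_filter off on eth1 and eth3 if that shows up. Unrelated to the routing problem but visible in the ip addr output: the eth0 aliases carry broadcast addresses (172.16.255.255, 81.255.255.255) that do not match their /24 and /26 prefixes, which is worth fixing in the alias configuration.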
aristo7514 aristo7514 wrote:

> I have a public IP block
> 81.8.124.1-81.8.124.63

and 172.17.whatever
as well as 172.18.whatever
and 81.8.120
:( ... Why do you confuse us with just the one?

> Here is the list for my ip addresses.
>
> eth0 has ip 172.16.55.1/255.255.255.0
> eth0:1 has ip 172.17.56.1/255.255.255.0
> eth0:2 has ip 172.17.57.1/255.255.255.0
> eth0:3 has ip 172.17.58.1/255.255.255.0
> eth0:4 has ip 81.8.124.1/255.255.255.192

I doubt that eth0:# is ever going to work because others have reported failure to this ML under similar circumstances.

> eth1 has ip 81.8.120.18/255.255.255.252
> eth3 has ip 172.18.10.30/255.255.255.0
>
> One of my internet connection is 81.8.120.18/255.255.255.252 with
> gateway of 81.8.120.17 (Public)
>
> The other one is 172.18.10.30/255.255.255.0 with gateway of
> 172.18.10.2 (Behind an ADSL router)

Have you read Martin Brown's stuff at http://linux-ip.net/ ? If not, you've missed (what I consider to be) the most understandable documentation on the internet. With Julian's patch, nano.txt and a reading of Martin you should be able to use all the internet connections. Dead Gateway Detection may not work depending on the number of hops to the dead gateway.

-- 
gypsy
Carl-Daniel Hailfinger
2005-Jun-05 21:03 UTC
Re: 2-3 uplinks, nat and failover...is it possible?
gypsy wrote:

> aristo7514 aristo7514 wrote:
>
>> I have a public IP block
>> 81.8.124.1-81.8.124.63
>
> and 172.17.whatever
> as well as 172.18.whatever
> and 81.8.120
> :( ... Why do you confuse us with just the one?

Because 172.16/12 is a private range?

Regards,
Carl-Daniel
-- 
http://www.hailfinger.org/