LARTC - Jun 2005 - routing for multiple uplinks + DNAT (LVS in my case)

Hi.

Contents:

1) Introduction
2) 2 Questions

* Introduction:

I used this HOWTO to use multiple providers.

http://lartc.org/howto/lartc.rpdb.multiple-links.html

The box is a load balancer, using the Linux Virtual Server.

We have a problem with lost connections, and it seems you
get issues when you combine this setup with DNAT [1].

The proposed solution [1] is to use these rules to mark packages with the
conntrack module ... so I guess you mark all the packages that belong to
the connection when it''s established (and every package before they
get DNATted).

# iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP1 -j
MARK --set-mark=1
# iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP2 -j
MARK --set-mark=2

And then use the mark to route the outgoing packages correctly.

# ip rule add fwmark 1 table T1
# ip rule add fwmark 2 table T2

[1] (Spanish) http://bulma.net/body.phtml?nIdNoticia=2145&nIdPage=last

*  Questions

- Has anybody in this list experienced similar problems?

- I haven''t tried this solution but I will today. I''d like to
know if
there''s a way to
  solve this problem without using fwmark.

  I''m using fwmarks already to ease the configuration of keepalived
and I''ll need
  to find a workaround to another problem if I have to use fwmarks. It
is: I have 2
  redundant routers and I use heartbeat to set up the real (internet) IPs.

http://cgi.afc.no-ip.info/svnwiki.cgi/default/Keepalived%20with%20fwmark%20and%20no%20VIP

Regards,
Nelson.-

BTW: There should be a warning in the HOWTO for this DNAT issue, since this
         setup if fair common (I guess).

-- 
Homepage : http://geocities.com/arhuaco

The first principle is that you must not fool yourself
and you are the easiest person to fool.
     -- Richard Feynman.