Hi all,

I am trying to deploy load balancing and failover.

My setup description:
--Fedora Core 4
--Linux 2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005 i686 i686 i386 GNU/Linux
--tc utility, iproute2-ss050314
--ip utility, iproute2-ss050314
--iptables v1.3.0

And I have deployed the following configuration:

#table main with priority 50, the highest one
ip rule add prio 50 table main

#table 201
ip rule add prio 201 from x.x.x.234 table 201
ip route add default via x.x.x.233 dev eth1 src x.x.x.234 proto static table 201
ip route append prohibit default table 201 metric 1 proto static

#table 202
ip rule add prio 202 from y.y.y.10 table 202
ip route add default via y.y.y.9 dev eth0 src y.y.y.10 proto static table 202
ip route append prohibit default table 202 metric 1 proto static

#table 222
ip rule add prio 222 table 222
ip route add default equalize table 222 proto static \
    nexthop via x.x.x.233 dev eth1 \
    nexthop via y.y.y.9 dev eth0

#essential masquerade option
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE

Above is my setup. When I try to traceroute to yahoo.com, I am able to see the traffic going to both interfaces. Till now it works fine.

When I connect to eth2 (eth2 of the Linux box is configured with IP 192.168.3.2) with my laptop, using IP 192.168.3.1 and gateway 192.168.3.2 (Linux box eth2), and try to traceroute, it always goes to y.y.y.9. When I go and check whatismyip.com and findmyip.com, they show only the y.y.y.10 IP. Why is my traffic not balancing using both the routes?

When I change my rule like the following:

ip route replace default equalize table 222 proto static nexthop via x.x.x.233 dev eth1

and try to traceroute, it always goes to y.y.y.233. When I go and check whatismyip.com and findmyip.com, they show only the y.y.y.234 IP.

Could someone help me resolve this issue and suggest what needs to be done if I want NAT and other IPs to be load balanced? Maybe I would call it per-packet load balancing.

Thanks in advance,
hare

hareram wrote:
>
> Hi all
>
> I am trying to deploy load balancing and failover
>
> My setup description
> --Fedora Core 4
> --Linux 2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005 i686 i686 i386
> GNU/Linux
> --tc utility, iproute2-ss050314
> --ip utility, iproute2-ss050314
> --iptables v1.3.0

You say nothing about Julian's patch, so I assume you did not patch your kernel. You must do that.
http://www.ssi.bg/~ja/

http://www.geocities.com/mctiew/ffw/dual.htm

I'm not sure this is still a good link
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
so here is an old copy
http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
--
gypsy

Hi,

Sorry, I had not mentioned that. Yes, I did it with the patch
patch-2.6.12-ja1.diff

Yes, I have also seen the Dual document and am trying to see how I can make that kind of setup.

Any help will be appreciated.

hare

----- Original Message -----
From: "gypsy" <gypsy@iswest.com>
To: <lartc@mailman.ds9a.nl>
Cc: "hareram" <hareram@sol.net.in>
Sent: Monday, August 08, 2005 7:16 PM
Subject: Re: [LARTC] Loadbalancing and failover using TC and Iptables

:: L i n u XK i D ::
2005-Aug-08 17:35 UTC
RE: Loadbalancing and failover using TC and Iptables
I've read the next link:

-> I'm not sure this is still a good link
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

Is it really necessary to mark packets this way?

[... snip ...]

# iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
      -m state --state NEW -o ppp0
# iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
      -m state --state NEW -o ppp1
# iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
      -m state --state NEW

[... snip ...]

# iptables -A POSTROUTING -t nat -m mark --mark 1 \
      -j SNAT --to-source 11.1.1.1
# iptables -A POSTROUTING -t nat -m mark --mark 2 \
      -j SNAT --to-source 22.2.2.2

Hi,

Yes, I have tried with the docs, but from the box I am not able to go out. I even configured one client and tried to access the internet, and I am not able to.

Any suggestions?

hare

----- Original Message -----
From: ":: L i n u XK i D ::" <gregoriandres@yahoo.com.ar>
To: "lartc" <lartc@mailman.ds9a.nl>
Sent: Monday, August 08, 2005 11:05 PM
Subject: RE: [LARTC] Loadbalancing and failover using TC and Iptables

:: L i n u XK i D :: wrote:
>
> I've read the next link:
>
> -> I'm not sure this is still a good link
> -> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
>
> Is it really necessary to mark packets this way?

From the machine on which the 2 ISPs are connected to two different NICs, no. It will send and receive packets without marking. Where I have a problem is with NATted users; they are tied to one or the other ISP (even though I run 'ip route flush cache') unless I mark.

Maybe Julian will give us some hints <grin>?
--
gypsy

Another question related to this.

I have 4 ADSLs and I already use CONNMARK to MARK out/in traffic from the ADSLs in order to do QoS.

# iptables -L -t mangle

[... snip ...]

Chain POSTROUTING (policy ACCEPT 15M packets, 5610M bytes)
 pkts bytes target        prot opt in   out   source      destination
 989K  299M MYSHAPER-OUT  all  --  *    ppp3  0.0.0.0/0   0.0.0.0/0
 985K  222M MYSHAPER-OUT  all  --  *    ppp2  0.0.0.0/0   0.0.0.0/0
 856K  163M MYSHAPER-OUT  all  --  *    ppp1  0.0.0.0/0   0.0.0.0/0
 841K  164M MYSHAPER-OUT  all  --  *    ppp0  0.0.0.0/0   0.0.0.0/0

[... snip ...]

Chain MYSHAPER-OUT (4 references)
 pkts bytes target  prot opt in   out   source      destination
39254 7491K MARK    tcp  --  *    *     0.0.0.0/0   0.0.0.0/0   tcp spts:0:1024 MARK set 0x17
1920K  221M MARK    tcp  --  *    *     0.0.0.0/0   0.0.0.0/0   tcp dpts:0:1024 MARK set 0x17
 1882  153K MARK    tcp  --  *    *     0.0.0.0/0   0.0.0.0/0   tcp dpt:20 MARK set 0x1a
  174  9457 MARK    tcp  --  *    *     0.0.0.0/0   0.0.0.0/0   tcp dpt:5190 MARK set 0x17
 142K   19M MARK    tcp  --  *    *     0.0.0.0/0   0.0.0.0/0   tcp dpt:1863 MARK set 0x17

[... snip ...]

Later, with that MARK, I put the traffic in an HTB class.

...
$TC filter add dev $DEV parent nn:0 prio 0 protocol ip handle XX fw flowid nn:yy
...

My question is: is it possible to re-mark traffic, or put another mark, in order to know which PPP interface it is going out on?

Must I use CLASSIFY to shape in/out PPP traffic, and let the MARKs indicate which PPP interface it is going out on?

Best regards,

andres

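Added example, not code from any poster in this thread: one way to carry an uplink number and a QoS class in the same firewall mark by giving each its own bit range, which also keeps every NATted connection on the uplink chosen for its first packet (the two points raised in the messages above). It assumes current iptables and iproute2 releases whose mark options accept value/mask, the first post's layout (table main consulted first and holding no default route, LAN on eth2, tables 201 and 202), and a constructed bit layout, rule priorities and tc handles 1:0 and 1:10.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed mark layout:
#   bits 8-15 = uplink number, bits 0-7 = QoS class mark (e.g. 0x17).
UPLINK_MASK=0xff00
QOS_MASK=0x00ff

# uplink_mark N: print the mark for uplink number N (1..255), e.g. 2 -> 0x200
uplink_mark() {
    [ "$1" -ge 1 ] && [ "$1" -le 255 ] || return 1
    printf '0x%x\n' $(( $1 << 8 ))
}

# Split a combined packet mark back into its two fields.
qos_of()    { printf '0x%x\n' $(( $1 & $QOS_MASK )); }
uplink_of() { echo $(( ($1 & $UPLINK_MASK) >> 8 )); }

# emit_rules LAN_IF DEV:TABLE:SNAT_IP ...
# Print (not run) the commands; pipe the output to sh as root to apply them.
emit_rules() {
    lan=$1; shift; n=0
    # Known connection arriving from the LAN: copy its saved uplink bits to
    # the packet before routing, so it keeps leaving through the same uplink.
    echo "iptables -t mangle -A PREROUTING -i $lan -j CONNMARK --restore-mark --nfmask $UPLINK_MASK --ctmask $UPLINK_MASK"
    for spec in "$@"; do
        n=$((n + 1))
        dev=${spec%%:*}; rest=${spec#*:}; table=${rest%%:*}; ip=${rest#*:}
        m=$(uplink_mark "$n") || return 1
        # Marked packets skip the multipath table and use this uplink's table.
        echo "ip rule add prio $((150 + n)) fwmark $m/$UPLINK_MASK table $table"
        # New connection: record which uplink routing picked (uplink bits only).
        echo "iptables -t mangle -A POSTROUTING -o $dev -m state --state NEW -j MARK --set-xmark $m/$UPLINK_MASK"
        # SNAT matches on the uplink bits, whatever the QoS bits hold.
        echo "iptables -t nat -A POSTROUTING -m mark --mark $m/$UPLINK_MASK -j SNAT --to-source $ip"
        # Shaping matches on the QoS bits only (handle/mask form of the fw filter).
        echo "tc filter add dev $dev parent 1:0 prio 1 protocol ip handle 0x17/$QOS_MASK fw flowid 1:10"
    done
    echo "iptables -t mangle -A POSTROUTING -m state --state NEW -j CONNMARK --save-mark --nfmask $UPLINK_MASK --ctmask $UPLINK_MASK"
    # QoS rules must also write through a mask, or they wipe the uplink bits.
    echo "iptables -t mangle -A MYSHAPER-OUT -p tcp --dport 1863 -j MARK --set-xmark 0x17/$QOS_MASK"
}

# Dry run when called with arguments, e.g.:
#   sh marks.sh eth2 eth1:201:x.x.x.234 eth0:202:y.y.y.10
if [ "$#" -gt 0 ]; then emit_rules "$@"; fi
```
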
I've tried this on my 4-ADSL Linux + 10-host LAN... but it works better without "marks".

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc