Shashikant Mundlik
2006-Apr-17 07:02 UTC
Re:Problems in Dead Gateway Detection / Failover - MultipleISP Links
Hi There,

I am also trying to do the same for my network. I have two links from different ISPs and I want to configure a failover and load balancing Linux router.

I am facing the same problem here, that is, how to detect link failure and let the Linux box switch the gateway.

I know it works when the first gateway is physically down and not reachable. But what to do if my link is up but there is a problem at the nexthop level and it's not routing packets to the destination?

Please tell me if this can be overcome by setting up multipath routing.

Another way I can think of doing this is to use a script which will check if the default route is alive every 15 mins and if not it will make changes in the routing table and route the packets through a different link.

I don't know if this is the best way to do this. If anyone knows how to do this better please share.

If you guys think this can work, let's help each other to write such a script.

I am new to LARTC and just now started learning it to solve my network problems. Please help me to achieve this.

Thanks in advance.

Regards,
Shashikant Mundlik
Pune, India.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Alessandro Ren
2006-Apr-17 14:01 UTC
Re: Problems in Dead Gateway Detection / Failover - MultipleISP Links
I have a script that connects to 20 different sites on port 80
coming from each link interface I have on my Linux router.
If I reach less than 20% of my sites, I assume the link is down and
do all the routing and firewall adjustments to make the traffic go to
other routes: removing the problematic link, setting ip rules,
routes in tables and the main multipath default route, and commenting out in
the firewall the MARKs that would go via the link that's down; it also
sets QoS and tries to bring the link that is down back UP.
Although I've tested with only 3 links, it supports any number of
them.
It works very nicely so far.
[]s.
--
Alessandro Ren
OpServices
Luciana de Abreu, 471 - Sala 403
Porto Alegre, RS - CEP 90570-060
phone 55(51)3061-3588
fax 55(51)3061-3588
mobile 55(51)8151-8212
email alessandro.ren@opservices.com.br
Shashikant Mundlik
2006-Apr-17 15:10 UTC
RE: Problems in Dead Gateway Detection / Failover - MultipleISP Links
Hi Ren,
Thanks for your help. But how do you check that you reach less than 20 of
your sites? (Do you mean 20 websites?)
Will you be able to share the script?
That will be a great help.
Thanks and regards,
Shashikant Mundlik
System Administrator
UBICS, Pune
Phone: 91 20 2729 1004 x 138
Mobile : 91 9372 044015
www.ubics.com
The UB Group
Alessandro Ren
2006-Apr-17 15:16 UTC
Re: Problems in Dead Gateway Detection / Failover - MultipleISP Links
I bind to the interface IP and connect to 20 different sites or
more; the sites are listed in a text file, using TCP connect in perl.
Of course, the ip rule tables and the marks in the firewall must be
set correctly so you know that the connections are going through the
right interface.
I can share the script; it's a little complex in its structure, as it
depends on some external scripts, but I will try to share and probably
get more and better ideas to do the fail over / multi path routing.
I will prepare and send an email with it shortly.
[]s.
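An added example, in Python rather than Ren's Perl and not the script from the thread, of the probe he describes: bind a socket to a link's interface address so the ip rules route it out of that link, TCP-connect to each listed host on port 80, and declare the link DOWN when fewer than a threshold percentage answer. The link addresses, host list, timeout and the 30% threshold are assumed values; the connect function is injectable so the decision logic runs without a network.

```python
"""Per-link reachability check in the style described in the thread.

Added example, not check_links_balanced.pl.  For each link we bind a TCP
socket to that link's interface address (so the kernel's 'ip rule from
<ip> lookup LINKx' sends the probe out of that link), connect to port 80
of every host in a hosts list, and treat the link as DOWN when fewer
than CRITICAL percent of the hosts answered.
"""
import socket
from typing import Callable, Dict, Iterable, List

PORT = 80
TIMEOUT = 3.0    # seconds per connect attempt (assumed value)
CRITICAL = 30    # minimal % of hosts that must be UP to consider a link UP (assumed)

# Constructed sample hosts file contents (the real list lives in hosts.txt).
SAMPLE_HOSTS_TXT = """
# one host per line, IPs or names; blank lines and comments are ignored
example.com
192.0.2.10
198.51.100.7
www.example.org
"""


def parse_hosts(text: str) -> List[str]:
    """Return the non-empty, non-comment entries of a hosts list."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            hosts.append(line)
    return hosts


def tcp_connect_from(src_ip: str, host: str, port: int = PORT,
                     timeout: float = TIMEOUT) -> bool:
    """TCP connect to host:port with the socket bound to src_ip.

    Binding to the link's own address is what makes the policy routing
    rules pick that link's table, so the probe really tests that link.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout,
                                      source_address=(src_ip, 0)):
            return True
    except OSError:
        return False


def reachable_percent(src_ip: str, hosts: Iterable[str],
                      connect: Callable[[str, str], bool] = tcp_connect_from) -> float:
    """Percentage of hosts that accepted a connection from src_ip."""
    hosts = list(hosts)
    if not hosts:
        return 0.0   # an empty list can never prove a link UP
    ok = sum(1 for h in hosts if connect(src_ip, h))
    return 100.0 * ok / len(hosts)


def link_is_up(src_ip: str, hosts: Iterable[str], critical: int = CRITICAL,
               connect: Callable[[str, str], bool] = tcp_connect_from) -> bool:
    """A link counts as UP only when at least `critical` % of hosts answered."""
    return reachable_percent(src_ip, hosts, connect) >= critical


def check_links(links: Dict[str, str], hosts: Iterable[str],
                critical: int = CRITICAL,
                connect: Callable[[str, str], bool] = tcp_connect_from) -> Dict[str, str]:
    """links maps a table name (LINK1, LINK2, ...) to the interface IP
    used for its probes.  Returns {name: 'UP' | 'DOWN'}."""
    hosts = list(hosts)
    return {name: ("UP" if link_is_up(ip, hosts, critical, connect) else "DOWN")
            for name, ip in links.items()}


if __name__ == "__main__":
    # Constructed addresses; run this on the router with the real interface IPs.
    links = {"LINK1": "192.0.2.2", "LINK2": "198.51.100.2"}
    for name, state in check_links(links, parse_hosts(SAMPLE_HOSTS_TXT)).items():
        print(f"{name}: {state}")
```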
Shashikant Mundlik
2006-Apr-17 15:40 UTC
RE: Problems in Dead Gateway Detection / Failover - MultipleISP Links
Thanks a lot Ren!
That will be a great help.
Thanks,
Shashikant Mundlik
LinuXKiD
2006-Apr-17 16:30 UTC
RE: Problems in Dead Gateway Detection / Failover- MultipleISP Links
Hi,
I've something similar:
I croned a perl script that every 2 minutes checks via ICMP
some reference host (for each "default route").
If some route is down, I take it off the "default routes table".
But I think that doing it by TCP connect on port 80 is better.
bests.
andres
Alessandro Ren
2006-Apr-17 17:11 UTC
Re: Problems in Dead Gateway Detection / Failover - MultipleISP Links
So, I will try to explain how all the parts get together, but if in any
doubt, just ask me:
The main script is check_links_balanced.pl and it runs from the
crontab, in my case each minute or 2 minutes. At the beginning of the
script there are some setups:
$OPNET_CONF="/usr/local/scripts/opnet.conf";
We have a service that we call OpNet, that's why the OPNET thing,
so this is where the configurations for the links are; I will attach my
configuration so you can base yours on it, very simple.
$RCFIREWALL="/etc/rc.d/rc.firewall";
Where your firewall script is; the main script needs to check if the
firewall is ok and change it if a link goes DOWN or UP.
# hosts file
$HOSTS_FILE="/usr/local/scripts/hosts.txt";
The list of hosts, can be IPs or names.
# logfile
$LOGFILE="/var/log/check_links_balanced.log";
Well, the log file to see how things are going.
# minimal % of hosts that must be UP to consider a link UP
$CRITICAL=30;
So, you have to create an entry for each link in
/etc/iproute2/rt_tables using LINK1, LINK2 and so on as the table name
for each link that you have. This is important, because everything is
connected to the link number: for LINK1, firewall mark 1 will send
packets to LINK1, it will use the configurations of rc.LINK1, will
set the wshaper.LINK1 script and so on.
Ok, so you will have a /etc/rc.d/rc.LINKx and /etc/rc.d/wshaper.LINKx
for each link; these rc.LINKx will set the routing table LINKx properly
and put the link UP, whether it's an ethernet or ADSL with a PPP interface.
For PPP interfaces, we will have some extra configurations in
/etc/ppp, like /etc/ppp/ip-up that will have to set some routes when the
ADSL goes UP; based on the interface, it will set the default route for the
table LINKx and set up rules, removing old rules if the IP is dynamic
and setting the new one for the new interface IP. In /etc/ppp/peers you
must create one configuration for each PPP interface you have and each
one gets a fixed name, using unit x, so I know PPP0 will always be
the same ADSL, otherwise Linux will choose the number of the PPP
interface dynamically, and everything would be lost. I also have one
configuration for each PPPoE interface.
The only thing that I can not do yet is work with DHCP interfaces; I
still have to see how dhclient can be used to do the same thing as I do
with the PPP interfaces.
The firewall has to have the following in mangle:
# here, one for each link with a MARK, in this case
# LINK1 - eth1 - is a cable with fixed IP, and LINK2 is an ADSL
$iptables -A OUTPUT -t mangle -o eth1 -j MARK --set-mark 1
$iptables -A OUTPUT -t mangle -o ppp0 -j MARK --set-mark 2
# CONNMARK PREROUTING
# packets with state invalid can not be used with CONNMARK
$iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m state --state INVALID
$iptables -t mangle -A PREROUTING -j RETURN -m state --state INVALID
# if the packet belongs to an already known and "tagged" connection
# then copy connmark -> mark and go ahead with routing
$iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
$iptables -t mangle -A PREROUTING -j RETURN -m mark ! --mark 0
# if it is an "untagged" connection and coming from an outside interface
# then save this as connmark and copy connmark -> mark
$iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 1 -i eth1
$iptables -t mangle -A PREROUTING -j CONNMARK --set-mark 2 -i ppp0
$iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# CONNMARK POSTROUTING
$iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j RETURN
$iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 -m state --state NEW -o eth1
$iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 -m state --state NEW -o ppp0
$iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark -m state --state NEW
This will balance the internet access and you can set some
connections to go via a specific link:
# Secure sites always via the same link, to keep integrity
$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 1
So here LAN access to port TCP 5000 will always get out via LINK1;
when LINK1 is DOWN, the main script will comment this line OUT and run
rc.firewall, so these packets will then go through the other links.
See, if you have three links, you could do this:
$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 3
$iptables -A PREROUTING -p tcp -t mangle -s 192.168.0.0/16 --dport 5000 -j MARK --set-mark 2
I will mark the same packets three times, a CPU waste, but the packets
would go via LINK2; if LINK2 goes down, they would go via LINK3; if LINK3
and LINK2 go down, the lines get commented and the packets go via the
remaining link or links.
At the end of the script you have to have the NAT part:
# NAT eth1
IP=`/usr/local/scripts/get_ip_interface.pl eth1`
$iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source $IP
# NAT ppp0
IP=`/usr/local/scripts/get_ip_interface.pl ppp0`
$iptables -A POSTROUTING -t nat -m mark --mark 2 -j SNAT --to-source $IP
You see that I first get the interface IP; that's because the IP can
change for dynamic links and the NAT must be reset to the new IP.
Well, attached are the main script, the main configuration, the
rc.LINKx and wshaper.LINKx that I use for my links and the ADSL
configuration that I use here.
I know this setup is complex and it took me a long time to get to
it. I will answer any questions regarding it to try and help.
I am using kernel 2.6.x and it also works for kernel 2.4.x with the
CONNMARK patch.
So, I am also attaching the configure.pl script that generates all these
configurations, yes, I've made it easy even for me.
You can download the scripts and examples from here:
http://www.opservices.com.br/check_links_balanced.tgz
Any help or improvements, let me know.
[]s.
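An added example, not the configure.pl from the thread, that generates the mangle, pinned-port and NAT rules described in the post for any number of links, where everything hangs off the link number (LINKn, fwmark n). It also carries the "mark the same packet several times" trick through: pinned-port rules are emitted least preferred first so the favourite's MARK wins, and a DOWN link's line is commented out the way the main script does to rc.firewall. The link table (interfaces, addresses) is constructed.

```python
"""Rule generator for N balanced links, in the pattern described above.

Added example, not the configure.pl from the thread.  Each link is
identified only by its number: LINKn uses fwmark n and routing table
LINKn; interface and SNAT address come from a small constructed table.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

IPT = "$iptables"   # the firewall script's own variable


@dataclass(frozen=True)
class Link:
    number: int   # LINKn, fwmark n, rt_tables entry LINKn
    iface: str    # eth1, ppp0, ...
    ip: str       # address used by SNAT (re-read on every run for dynamic links)

    @property
    def name(self) -> str:
        return f"LINK{self.number}"


def mangle_rules(links: List[Link]) -> List[str]:
    """OUTPUT marks for locally generated traffic, then the CONNMARK logic
    that keeps every connection on the link it started on."""
    r = [f"{IPT} -A OUTPUT -t mangle -o {l.iface} -j MARK --set-mark {l.number}"
         for l in links]
    r += [
        "# packets in state INVALID can not be used with CONNMARK",
        f"{IPT} -t mangle -A PREROUTING -m state --state INVALID -j MARK --set-mark 10",
        f"{IPT} -t mangle -A PREROUTING -m state --state INVALID -j RETURN",
        "# known, already tagged connection: restore its mark and stop",
        f"{IPT} -t mangle -A PREROUTING -j CONNMARK --restore-mark",
        f"{IPT} -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN",
        "# untagged connection arriving from an outside interface: tag it with its link",
    ]
    r += [f"{IPT} -t mangle -A PREROUTING -i {l.iface} -j CONNMARK --set-mark {l.number}"
          for l in links]
    r += [f"{IPT} -t mangle -A PREROUTING -j CONNMARK --restore-mark",
          f"{IPT} -t mangle -A POSTROUTING -m mark ! --mark 0 -j RETURN"]
    r += [f"{IPT} -t mangle -A POSTROUTING -m state --state NEW -o {l.iface} "
          f"-j MARK --set-mark {l.number}" for l in links]
    r.append(f"{IPT} -t mangle -A POSTROUTING -m state --state NEW -j CONNMARK --save-mark")
    return r


def pinned_port_rules(src_net: str, dport: int, preference: List[Link],
                      down: Set[str]) -> List[str]:
    """Force src_net -> tcp/dport onto the most preferred link that is UP.

    preference[0] is the favourite.  Least preferred first, so the
    favourite's MARK is written last and wins; DOWN links are commented
    out, so the next link in line takes over.
    """
    out = []
    for l in reversed(preference):
        rule = (f"{IPT} -A PREROUTING -p tcp -t mangle -s {src_net} "
                f"--dport {dport} -j MARK --set-mark {l.number}")
        out.append(f"# {l.name} DOWN: {rule}" if l.name in down else rule)
    return out


def effective_pinned_mark(preference: List[Link], down: Set[str]) -> Optional[int]:
    """The mark those rules leave on a packet, or None when every link is DOWN
    (the packet then falls back to the multipath default route)."""
    for l in preference:
        if l.name not in down:
            return l.number
    return None


def nat_rules(links: List[Link]) -> List[str]:
    """One SNAT per link, keyed on the fwmark the mangle rules set."""
    return [f"{IPT} -A POSTROUTING -t nat -m mark --mark {l.number} -j SNAT --to-source {l.ip}"
            for l in links]


# Constructed link table (documentation addresses, not the author's setup).
LINKS = [Link(1, "eth1", "192.0.2.2"), Link(2, "ppp0", "198.51.100.2"),
         Link(3, "ppp1", "203.0.113.2")]

if __name__ == "__main__":
    down = {"LINK2"}   # pretend the health check just declared LINK2 DOWN
    pinned = pinned_port_rules("192.168.0.0/16", 5000, [LINKS[1], LINKS[2]], down)
    for line in mangle_rules(LINKS) + pinned + nat_rules(LINKS):
        print(line)
```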