Old 12-23-2009, 07:10 AM
David Hláčik

Advanced routing, 2ISP

Guys,

Please, I have no luck with this. I have 2 ISPs. I have a working configuration with ip route and 2 routing tables, in a way that a matching local subnet uses the second provider while all the others use the first one (main).

The main problem I am having is that I am unable to reach my router via the public IP address of that second ISP.

This is my default routing table:

[root@sx1 cron.hourly]# ip route show table main
194.228.196.39 dev ppp0  proto kernel  scope link  src 90.178.76.117
10.123.50.101 dev ppp2  proto kernel  scope link  src 10.123.50.1
10.123.50.100 dev ppp1  proto kernel  scope link  src 10.123.50.1
213.194.242.0/24 dev eth1  proto kernel  scope link  src 213.194.242.198
10.123.20.0/24 dev eth0  proto kernel  scope link  src 10.123.20.1
10.123.10.0/24 dev eth0  proto kernel  scope link  src 10.123.10.11
10.123.11.0/24 dev eth0.8  proto kernel  scope link  src 10.123.11.1
10.123.42.0/24 dev eth0.5  proto kernel  scope link  src 10.123.42.1
10.123.123.0/24 dev eth0.7  proto kernel  scope link  src 10.123.123.1
10.123.40.0/24 dev eth0.4  proto kernel  scope link  src 10.123.40.1
10.123.30.0/24 dev eth0  proto kernel  scope link  src 10.123.30.1
10.123.44.0/24 dev eth0.6  proto kernel  scope link  src 10.123.44.1
169.254.0.0/16 dev eth0.8  scope link
default via 213.194.242.1 dev eth1

As you can see, my default provider has gateway 213.192.252.1, connected via eth1. This works fine for me.

The second configuration is ip rule based: subnet 10.123.123.0/24 goes to routing table adsl.

[root@sx1 cron.hourly]# ip rule show
0:      from all lookup 255
32764:  from all fwmark 0x1 lookup adsl-vpn
32765:  from 10.123.123.0/24 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

[root@sx1 cron.hourly]# ip route show table adsl
194.228.196.39 dev ppp0  scope link  src 90.178.76.117
10.123.123.0/24 dev eth0.7  scope link  src 10.123.123.1
default via 194.228.196.39 dev ppp0

As you can see, in this case all traffic goes via ppp0 (my second internet provider, connected via ppp0 - ADSL PPPoE).

This works fine.

What I want to achieve now is being able to ping/access/whatever my server via the second public IP address of my ADSL provider (90.178.76.117).
To achieve this I have added an iptables rule which marks all packets coming via ppp0 (iptables -t mangle -A PREROUTING -i ppp0 -j MARK --set-mark 0x1).

And created another routing table named adsl-vpn:

[root@sx1 cron.hourly]# ip route show table adsl-vpn
194.228.196.39 dev ppp0  scope link  src 90.178.76.117
10.123.10.0/24 dev eth0  scope link  src 10.123.10.11
default via 194.228.196.39 dev ppp0

Now I have added an ip rule which, for all packets marked as 1 (which are the ones that came through ppp0 = my second ISP), uses table adsl-vpn:

[root@sx1 cron.hourly]# ip rule show
0:      from all lookup 255
32764:  from all fwmark 0x1 lookup adsl-vpn   <--- this one
32765:  from 10.123.123.0/24 lookup adsl
32766:  from all lookup main
32767:  from all lookup default

Well, now I should definitely be able to ping my server from outside, but it does not work.

Pinging from a Windows machine in the outside world:

C:\Users\oss>ping 90.178.76.117
Pinging 90.178.76.117 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 90.178.76.117:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),

If I tcpdump my ppp0 interface on my router, I see the ICMP echo requests are coming:

[root@sx1 cron.hourly]# tcpdump -i ppp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
09:08:27.743789 IP adsl-dyn118.78-98-105.t-com.sk > gw2.cz.polarion.com: ICMP echo request, id 1, seq 72, length 40

But the echo responses from my server are NOT; instead of that, the responses are coming out of the eth1 interface, which is my first ISP!

[root@sx1 cron.hourly]# tcpdump -i eth1 | grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:09:30.451706 IP gw2.cz.polarion.com > adsl-dyn118.78-98-105.t-com.sk: ICMP echo reply, id 1, seq 73, length 40
09:09:35.409704 IP gw2.cz.polarion.com > adsl-dyn118.78-98-105.t-com.sk: ICMP echo reply, id 1, seq 74, length 40

This means that either mangle is not working or ip rule is not working.

Please help,
David

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
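The behaviour David captures (requests arriving on ppp0, replies leaving on eth1) follows from the posted rules once you note that a mark set in mangle PREROUTING belongs to the incoming packet, while the echo reply is a new, locally generated packet that leaves through OUTPUT with no mark. The Python below is an added example, not code from the thread: it models the Linux routing policy database on the posted tables, traces the reply, and then adds a source-address rule for the ADSL public IP (the destination address 203.0.113.10 and the rule priority 32763 are assumed values).

```python
# Added example, not code from the thread: models the Linux RPDB on the tables posted above.
# The reply carries fwmark 0 because a PREROUTING mark belongs to the incoming request only.
import ipaddress

# Tables from the thread, reduced to (prefix, egress device).
TABLES = {
    "main": [("213.194.242.0/24", "eth1"), ("10.123.123.0/24", "eth0.7"),
             ("10.123.10.0/24", "eth0"), ("0.0.0.0/0", "eth1")],
    "adsl": [("10.123.123.0/24", "eth0.7"), ("0.0.0.0/0", "ppp0")],
    "adsl-vpn": [("10.123.10.0/24", "eth0"), ("0.0.0.0/0", "ppp0")],
}
# ip rule entries: (priority, source prefix or None, fwmark or None, table).
RULES = [(32764, None, 0x1, "adsl-vpn"),
         (32765, "10.123.123.0/24", None, "adsl"),
         (32766, None, None, "main")]

def lookup_table(table, dst):
    """Longest-prefix match within one table; None if nothing matches."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and \
                (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(src, dst, fwmark, rules):
    """Walk rules by priority; the first table holding a route decides."""
    for _prio, src_prefix, mark, table in sorted(rules):
        if mark is not None and mark != fwmark:
            continue
        if src_prefix and ipaddress.ip_address(src) not in ipaddress.ip_network(src_prefix):
            continue
        dev = lookup_table(table, dst)
        if dev:
            return dev
    return None

# Echo reply: source is the ADSL public IP, destination is the pinging host
# (constructed address), fwmark 0 because the reply never passed PREROUTING.
REPLY = ("90.178.76.117", "203.0.113.10", 0)

def reply_dev_as_posted():
    return route(*REPLY, RULES)      # 'eth1': rule 32764 wants mark 1, so main wins

def reply_dev_with_source_rule():
    # Same effect as: ip rule add from 90.178.76.117 lookup adsl-vpn prio 32763
    return route(*REPLY, RULES + [(32763, "90.178.76.117/32", None, "adsl-vpn")])  # 'ppp0'
```

A mark-based design needs CONNMARK to save the mark on the connection and restore it in mangle OUTPUT before the reply is routed; a plain source-address rule is the simpler fix for locally generated replies.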
 
Old 12-24-2009, 06:50 PM
Nathan Grennan

Advanced routing, 2ISP

On 12/23/2009 12:10 AM, David Hláčik wrote:

> This means that either mangle is not working or ip rule is not working.
> Please help,


I think you want my same in/same out script. I didn't write most of
it, and it isn't perfect. It does get the job done.


I have previously used this at home when I had both business DSL with
static IPs and residential cable with a dynamic IP. I am currently using
it in a production environment on web servers with a load balancer. They
talk to the load balancer on one interface for production traffic. On
the other you can have direct access to a certain web server.


With slight modification you can even load balance your traffic
across both internet connections. The one down side I have seen with
this in the past is AIM uses an authentication server separate from
their IM server. They expect you to talk to the IM server from the same
IP address that you used to talk to the authentication server.


You probably already know about it, but a useful site is
http://lartc.org/ .


1. Put policyroute.conf in /etc
2. Put policyroute in /etc/rc.d/init.d
3. Run chkconfig policyroute on
4. Edit /etc/policyroute.conf to your situation
5. service policyroute start


http://proton.cygnusx-1.org/~edgan/policyroute/
