On 05/02/2013 01:01 AM, anax wrote:
On 2013-05-01 22:05, Michael Mol wrote:
I'm attempting to configure source-specific routing so that my servers can exist on multiple subnets from multiple upstream providers.
A rough diagram of the network layout:
ISP1 router (blackbox, routes subnet A, address on subnet A)
                                                             \
                                                              -----------eth0(firewall)eth1---((servers))
                                                             /
ISP2 router (blackbox, routes subnet B, address on subnet B)
The aim is to allow the servers to use both subnet A and subnet B. To allow this, any machine on both subnets must have source-specific routing configured, else packets originating from one ISP's AS will be directed at the other's router, and neither ISP cares for that.
At the moment, I'm focusing on getting the second ISP properly added to the firewall box. The firewall box is using CentOS 6.4, and normally passes traffic back and forth via proxy_arp. None of my interfaces are NM_CONTROLLED, and NetworkManager is not installed, much less started.
I've created a route-eth0:1 file that looks roughly like this:
10.0.0.1 dev eth0:1 \
    src 10.0.0.2 \
    from 10.0.0.0/29
default via 10.0.0.1 dev eth0:1 \
    src 10.0.0.2 \
    from 10.0.0.0/29
(Treat indented lines as continuations of the previous line.)
(No, the ISPs aren't giving me RFC1918 addresses; these are redacted.)
If I run "ifup eth0:1", "ip route show" includes the lines:
10.0.0.1 dev eth0 scope link src 10.0.0.2
10.0.0.0/29 dev eth0 proto kernel scope link src 10.0.0.2
default via 10.0.0.1 dev eth0
Note that the "from 10.0.0.0/29" clause is missing. With the addition of a second default route on my firewall/gateway without any restriction on which traffic should go that way, my whole network, of course, tanks.
I'm surprised it's been such a pain; I would have expected it to be a relatively common configuration. What's the proper way of doing source-specific routing on CentOS?
http://www.linuxjournal.com/article/7291
http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
might help you
suomi
Read that whole document before writing a line of code.
Also of use, in case anyone else comes across this thread:
Network Warrior, by Gary A. Donahue
The TCP/IP Guide, by Charles M. Kozierok
NIST SP 800-119, Guidelines for the Secure Deployment of IPv6
IPv6 Network Administration, by Niall Richard Murphy & David Malone
Content Delivery Networks, edited by Rajkumar Buyya, Mukaddim Pathan, Athena Vakali (in particular, see DNS-based network management)
That's most of the relevant network-related stuff I've got in my library.
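An added example, written by the editor and not by anyone in the thread, showing the policy-routing approach the LARTC "multiple links" chapter describes, applied to the setup in the original question. It uses the redacted addresses from the question (subnet B 10.0.0.0/29, gateway 10.0.0.1, firewall address 10.0.0.2, physical interface eth0); the table name "isp2", its number 200 and the rule priority 1000 are assumptions, and 192.0.2.1 in the verification step is a documentation address standing in for any external host. The script only prints the commands and the CentOS 6 route-/rule- file contents so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from anyone in the thread: source-specific routing for a
# second upstream on Linux with iproute2, written as functions that print the
# commands and config files so they can be reviewed (or piped to "sh" as root)
# rather than applied blindly. Addresses are the redacted ones from the
# question; table name "isp2", table number 200 and priority 1000 are assumptions.
#
# Why a "from 10.0.0.0/29" clause in route-eth0:1 did not do the job: an IPv4
# routing table is looked up by destination only, so the clause is not what
# selects by source. Source selection is done by the routing policy database
# ("ip rule"), which chooses WHICH table to consult. The second default route
# therefore goes into its own table, and a rule steers packets sourced from
# subnet B into that table. The "main" table keeps exactly one default route.

IFACE="eth0"
SUBNET="10.0.0.0/29"     # ISP2 subnet B (redacted in the thread)
GATEWAY="10.0.0.1"       # ISP2 router
LOCAL_ADDR="10.0.0.2"    # firewall's address on subnet B
TABLE_NAME="isp2"        # assumption: unused name in /etc/iproute2/rt_tables
TABLE_NUM=200            # assumption: unused table number
RULE_PRIO=1000           # assumption: any priority ahead of the "main" rule (32766)

# One-shot iproute2 commands, one per line. Nothing is executed here.
policy_commands() {
    # The connected route must exist in the new table too, otherwise the
    # gateway is unreachable once a lookup lands in table isp2.
    printf 'ip route add %s dev %s src %s table %s\n' \
        "$SUBNET" "$IFACE" "$LOCAL_ADDR" "$TABLE_NAME"
    # ISP2's default route lives only in table isp2, never in "main".
    printf 'ip route add default via %s dev %s table %s\n' \
        "$GATEWAY" "$IFACE" "$TABLE_NAME"
    # Packets sourced from subnet B consult table isp2.
    printf 'ip rule add from %s lookup %s priority %s\n' \
        "$SUBNET" "$TABLE_NAME" "$RULE_PRIO"
    # Kernels of the CentOS 6 era keep a route cache; flush it so existing
    # flows pick up the new policy.
    printf 'ip route flush cache\n'
}

# The same policy as the RHEL/CentOS 6 initscripts persist it: each line of
# route-IFACE is handed to "ip route add", each line of rule-IFACE to
# "ip rule add", and the table name is resolved through /etc/iproute2/rt_tables.
rt_tables_line() {                # append to /etc/iproute2/rt_tables
    printf '%s\t%s\n' "$TABLE_NUM" "$TABLE_NAME"
}
route_file() {                    # /etc/sysconfig/network-scripts/route-eth0
    printf '%s dev %s src %s table %s\n' "$SUBNET" "$IFACE" "$LOCAL_ADDR" "$TABLE_NAME"
    printf 'default via %s dev %s table %s\n' "$GATEWAY" "$IFACE" "$TABLE_NAME"
}
rule_file() {                     # /etc/sysconfig/network-scripts/rule-eth0
    printf 'from %s lookup %s priority %s\n' "$SUBNET" "$TABLE_NAME" "$RULE_PRIO"
}

# Read-only checks to run on the box afterwards: "main" must still hold a
# single default route (a second one there is what took the network down),
# and a lookup for a packet sourced from subnet B must resolve via ISP2's
# gateway. 192.0.2.1 is a documentation address standing in for any host.
verify_commands() {
    printf 'ip route show table main | grep -c "^default "\n'
    printf 'ip route get 192.0.2.1 from %s\n' "$LOCAL_ADDR"
}

case "${1:-}" in
    show)
        echo "# /etc/iproute2/rt_tables (append):";            rt_tables_line
        echo "# /etc/sysconfig/network-scripts/route-$IFACE:"; route_file
        echo "# /etc/sysconfig/network-scripts/rule-$IFACE:";  rule_file
        echo "# equivalent one-shot commands:";                policy_commands
        echo "# verification (expect 1, then a route via $GATEWAY):"; verify_commands
        ;;
esac
```

Run it as "sh policy.sh show" to print everything; the route- and rule- file lines are written for the physical interface so that "ifup eth0" applies them, and the "main" table is never given a second default route. The same pattern extends to any further upstream: one table, one default route in it, one rule selecting it by source prefix.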