On Thu, Sep 27, 2012 at 7:04 PM, Steve Clark sclark@netwolves.com wrote:
On 09/26/2012 11:57 PM, Manish Kathuria wrote:
On Thu, Sep 27, 2012 at 7:46 AM, Gordon Messmer yinyang@eburg.com wrote:
On 09/26/2012 09:15 AM, Steve Clark wrote:
Is there a way to make this work correctly?
In addition, you should ideally apply the following patches for Static, Alternative Routes, Dead Gateway Detection & NAT and recompile the kernel:
Hmmm... not being a kernel guru, correct me if I am wrong but isn't the route patch used to detect dead nexthops? I am already doing that from userspace.
The second set looks like it calls the routing logic after the SNAT, is that correct? This could solve the problem. Why aren't these patches in the kernel?
Thanks,
The routes-x.y-z.diff is a unified patch containing different parts which include support for Dead Gateway Detection as well. However, since that is limited to the first hop, it is preferable to have a userspace script as you are doing. I also use a script to check the accessibility of a remote popular site from each of the ISPs and based upon the response the links are treated alive or dead and the default gateway is changed. However, the routing problem as described by you will only be solved after applying this patch (routes-x.y-z.diff).
As for marking the incoming packets to ensure that they go out from the same interface they came from, you could do something like the following:
Using iptables mark the incoming traffic from external interfaces
/sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --save-mark
/sbin/iptables -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING -i eth2 -j CONNMARK --save-mark
Add the following rules to your existing ones for policy routing
/sbin/ip rule add fwmark 1 table T1
/sbin/ip rule add fwmark 2 table T2
Thanks,
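A toy model of how the CONNMARK and fwmark rules in the message above steer traffic, added here as an illustration; it is not from Manish's message or from any real netfilter code. It assumes eth0 is the LAN side (10.0.0.0/24), that the main table's default route points at eth1, and that T1/T2 each default via eth1/eth2 respectively; conntrack is collapsed to a dict keyed by the endpoint pair, and all addresses are constructed. It runs a forwarded connection and a connection to the router itself through the mangle rules and the `ip rule` lookup, with and without the marks, so the difference the PREROUTING and OUTPUT `--restore-mark` rules make to the egress link can be seen.

```python
"""Toy model of CONNMARK save/restore plus fwmark policy routing (added example,
not the thread's code). Assumptions: eth0 = LAN, main table default = eth1,
table TN defaults via ethN. Conntrack is a dict keyed by the endpoint pair."""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("10.0.0.0/24")   # constructed LAN prefix (assumption)
LAN_IFACE = "eth0"                    # assumed LAN interface
WAN_MARKS = {"eth1": 1, "eth2": 2}    # -i eth1 -> --set-mark 1, -i eth2 -> --set-mark 2
MAIN_DEFAULT = "eth1"                 # main table default route (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str | None   # None => locally generated: traverses OUTPUT, not PREROUTING
    mark: int = 0          # skb mark, what `ip rule add fwmark N` matches on


def conn_key(pkt: Packet) -> frozenset:
    """Conntrack lookup key: both directions of a flow share one entry."""
    return frozenset((pkt.src, pkt.dst))


class Router:
    def __init__(self, output_restore: bool = True, use_connmark: bool = True):
        self.connmarks: dict[frozenset, int] = {}  # per-connection mark (ct mark)
        self.output_restore = output_restore        # the OUTPUT --restore-mark rule
        self.use_connmark = use_connmark            # False => policy routing without marks

    def mangle_prerouting(self, pkt: Packet) -> Packet:
        if not self.use_connmark:
            return pkt
        # -A PREROUTING -j CONNMARK --restore-mark
        mark = self.connmarks.get(conn_key(pkt), 0)
        # -A PREROUTING -i ethN -j MARK --set-mark N
        # -A PREROUTING -i ethN -j CONNMARK --save-mark
        if pkt.in_iface in WAN_MARKS:
            mark = WAN_MARKS[pkt.in_iface]
            self.connmarks[conn_key(pkt)] = mark
        return replace(pkt, mark=mark)

    def mangle_output(self, pkt: Packet) -> Packet:
        # -A OUTPUT -j CONNMARK --restore-mark (only packets the router itself sends)
        if self.use_connmark and self.output_restore:
            return replace(pkt, mark=self.connmarks.get(conn_key(pkt), 0))
        return pkt

    def route(self, pkt: Packet) -> str:
        """LAN prefix first, then `ip rule add fwmark N table TN`, then main default."""
        if ip_address(pkt.dst) in LAN_NET:
            return LAN_IFACE
        for iface, mark in WAN_MARKS.items():
            if pkt.mark == mark:      # table TN's default route is via ethN (assumed)
                return iface
        return MAIN_DEFAULT

    def handle(self, pkt: Packet) -> str:
        """Run one packet through the mangle table and routing; return egress interface."""
        pkt = self.mangle_output(pkt) if pkt.in_iface is None else self.mangle_prerouting(pkt)
        return self.route(pkt)


def forwarded_reply_egress(output_restore: bool = True, use_connmark: bool = True) -> str:
    """Internet host reaches a LAN server via eth2; which WAN link carries the reply?"""
    r = Router(output_restore, use_connmark)
    r.handle(Packet("203.0.113.7", "10.0.0.10", in_iface="eth2"))          # inbound request
    return r.handle(Packet("10.0.0.10", "203.0.113.7", in_iface=LAN_IFACE))  # reply from LAN host


def local_reply_egress(output_restore: bool = True, use_connmark: bool = True) -> str:
    """Internet host talks to the router's own eth2 address; egress of the router's reply."""
    r = Router(output_restore, use_connmark)
    r.handle(Packet("203.0.113.7", "198.51.100.2", in_iface="eth2"))       # request to router
    return r.handle(Packet("198.51.100.2", "203.0.113.7", in_iface=None))  # locally generated reply


if __name__ == "__main__":
    print("forwarded reply, connmark rules:   ", forwarded_reply_egress())
    print("forwarded reply, no marks at all:  ", forwarded_reply_egress(use_connmark=False))
    print("router's own reply, OUTPUT restore:", local_reply_egress())
    print("router's own reply, no OUTPUT rule:", local_reply_egress(output_restore=False))
```

The forwarded case exercises only the PREROUTING rules: the LAN host's reply enters on eth0, the restored mark selects T2, and the reply leaves on the link the request arrived on; without the marks it follows the main table's default. The locally generated case is what the OUTPUT rule exists for: the router's own replies never pass PREROUTING, so without `-A OUTPUT -j CONNMARK --restore-mark` they carry no mark and take the main default. In a real kernel the route for a locally generated packet is chosen before the mangle OUTPUT chain and re-evaluated when that chain changes the mark; the model simply applies the mark first.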
On 09/27/2012 11:01 AM, Manish Kathuria wrote:
On Thu, Sep 27, 2012 at 7:04 PM, Steve Clark sclark@netwolves.com wrote:
On 09/26/2012 11:57 PM, Manish Kathuria wrote:
On Thu, Sep 27, 2012 at 7:46 AM, Gordon Messmer yinyang@eburg.com wrote:
On 09/26/2012 09:15 AM, Steve Clark wrote:
The routes-x.y-z.diff is a unified patch containing different parts which include support for Dead Gateway Detection as well. However, since that is limited to the first hop, it is preferable to have a userspace script as you are doing. I also use a script to check the accessibility of a remote popular site from each of the ISPs and based upon the response the links are treated alive or dead and the default gateway is changed. However, the routing problem as described by you will only be solved after applying this patch (routes-x.y-z.diff).
As for marking the incoming packets to ensure that they go out from the same interface they came from, you could do something like the following:
Using iptables mark the incoming traffic from external interfaces
/sbin/iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --save-mark
/sbin/iptables -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 2
/sbin/iptables -t mangle -A PREROUTING -i eth2 -j CONNMARK --save-mark
Add the following rules to your existing ones for policy routing
/sbin/ip rule add fwmark 1 table T1
/sbin/ip rule add fwmark 2 table T2
Hi Manish,
Thanks for the info. The one question I have is about /sbin/iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
I thought the OUTPUT chain was only for packets originating locally. I am only concerned with clients behind my Linux router, do I still need this?
Again, thanks much for responding.