[CentOS] Configuring source-specific routing

Wed May 1 21:15:57 UTC 2013
Michael H. Warfield <mhw at WittsEnd.com>

On Wed, 2013-05-01 at 16:05 -0400, Michael Mol wrote:
> I'm attempting to configure source-specific routing so that my servers
> can exist on multiple subnets from multiple upstream providers.

Kinda curious why you are attempting this without getting involved in
dynamic routing (BGP)...  It's usually someone trying to do multihoming
or multi-link load balancing on the cheap without involving their ISPs
(which tends to be expensive as soon as you're talking with them about
redundant / backup loops, provider independent addresses, and BGP
peering).  Generally equates to "champagne taste on a beer budget" but
there are exceptions and reasons, as I know from personal experience.
It often doesn't end well and is unreliable as network conditions
change.  But that depends on your requirements and application.  I'm not
one to judge - just pointing out the pitfalls.

I have done this a number of times in the past (mostly for VPN's and
redundant load-balancing links).  You're probably going to have get real
down and dirty into policy routing rules and tables with iproute2.  I
don't honestly believe you will be able to pull it off with the basic
stuff provided in the ifcfg-*, route-*, or static-route files (proviso
below).

I had to do it using completely custom files utilizing "ip rule" and "ip
route {add|delete} table [n]" subcommands to "ip" to build custom
matching rules and mapping them to different routing tables containing
different routes and priorities.  In some cases, with OpenVPN VPNs, I
also had to incorporate iptables filtering commands to mark and match
packets and interact with the ip rule tables but I doubt you're going
that deep.

man ip-rule

--
       In some circumstances we want to route packets differently depending
       not only on destination addresses, but also on other packet fields:
       source address, IP protocol, transport protocol ports or even packet
       payload.  This task is called 'policy routing'.

       To solve this task, the conventional destination based routing table,
       ordered according to the longest match rule, is replaced with a 'rout‐
       ing policy database' (or RPDB), which selects routes by executing some
       set of rules.
-- 

This is way beyond what the network-scripts were designed for and WAY
WAY beyond NetworkMangler's capabilities.  It can be done but it's
difficult to get right and very dependent on your exact peculiar
configuration.  It can be real twitchy to make work right and real
difficult to debug when it's not working right.  It's also prone to
asymmetrical / triangular routes that can break things if you don't get
it right.  It also will not behave robustly if one link or another goes
down (no automatic failover).

It's beyond my ability to tell you generically how to make it work (I
can't even find those old config files I use to use for multiple ISDN
links years ago).  The devil is in the (your) details and here there be
dragons.

It will end up looking something like this (and these addresses are in
my real address blocks...):

ip addr add 130.205.16.16/24 dev eth0
ip addr add 130.205.17.16/24 dev eth0

ip route add table 16 default via 130.205.16.1
ip route add table 17 default via 130.205.17.1

ip rule add from 130.205.16.0/24 table 16
ip rule add from 130.205.17.0/24 table 17

Those are just from memory and may not be perfectly accurate.  I haven't
needed to do any of this in years.  It's just possible that the above
commands could be incorporated into the route-* files.  Last time I
tried this was before iproute2 was fully integrated and I could only use
the static-routes file, which used the "route" command and would NOT
work.  Since the route-* files use the ip (iproute2) command, you should
be able to integrate the appropriate rule and route add commands into
those files, but I've not done it that way so I can't really vouch for
it.

You can then see your match rules with this command:

[root at canyon ~]# ip rule ls
0:	from all lookup local 
32764:	from 130.205.17.0/24 lookup 17 
32765:	from 130.205.16.0/24 lookup 16 
32766:	from all lookup main 
32767:	from all lookup default 

And your route tables (including my default) like this:

[root at complex ~]# ip route ls table 16
default via 130.205.16.1 dev eth0 
[root at complex ~]# ip route ls table 17
default via 130.205.17.1 dev eth0 
[root at complex ~]# ip route ls
default via 99.104.36.1 dev eth2 
99.104.36.0/22 dev eth2  proto kernel  scope link  src 99.104.38.187 
130.205.16.0/24 dev eth0  proto kernel  scope link  src 130.205.16.16 
130.205.17.0/24 dev eth0  proto kernel  scope link  src 130.205.17.16 
130.205.38.0/24 dev br0  proto kernel  scope link  src 130.205.38.1 
169.254.0.0/16 dev eth2  scope link  metric 1003 
169.254.0.0/16 dev br0  scope link  metric 1007 

There MAY be other ways of doing it but this was what use to work for
me, when I needed it many ages ago.

Regards,
Mike

> A rough diagram of the network layout:

> ISP1 router (blackbox, routes subnet A, address on subnet A)
>   \
>    -----------eth0(firewall)eth1---((servers))
>   /
> ISP2 router (blackbox, routes subnet B, address on subnet B)
> 
> The aim is to allow the servers to use both subnet A and subnet B. To
> allow this, any machine on both subnets must have source-specific
> routing configured, else packets originating from one ISP's AS will be
> directed at the other's router, and neither ISP cares for that.
> 
> At the moment, I'm focusing on getting the second ISP properly added to
> the firewall box. The firewall box is using CentOS 6.4, and normally
> passes traffic back and forth via proxy_arp. None of my interfaces are
> NM_CONTROLLED, and NetworkManager is not installed, much less started.
> 
> I've created a route-eth0:1 file that looks roughly like this:
> 
> 10.0.0.1 dev eth0:1 \
>   src 10.0.0.2 \
>   from 10.0.0.0/29
> 
> default via 10.0.0.1 dev eth0:1 \
>   src 10.0.0.2 \
>   from 10.0.0.0/29
> 
> (Treat indented lines as continuations of the previous line)
> (No, the ISPs aren't giving me RFC1918 addresses; these are redacted.)
> 
> If I run "ifup eth0:1", "ip route show" includes the lines:
> 
> 10.0.0.1 dev eth0  scope link  src 10.0.0.2
> 10.0.0.0/29 dev eth0  proto kernel  scope link  src 10.0.0.2
> default via 10.0.0.1 dev eth0
> 
> 
> Note that the "from 10.0.0.0/29" clause is missing. With the addition of
> a second default route on my firewall/gateway without any restriction on
> which traffic should go that way, my whole network, of course, tanks.
> 
> I'm surprised it's been such a pain; I would have expected it to be a
> relatively common configuration. What's the proper way of doing
> source-specific routing on CentOS?
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20130501/3a240ea9/attachment-0005.sig>