[CentOS] Configuring source-specific routing

Thu May 2 17:31:24 UTC 2013
Michael Mol <mikemol at gmail.com>

On 05/02/2013 01:05 PM, Les Mikesell wrote:
> On Thu, May 2, 2013 at 8:14 AM, Michael Mol <mikemol at gmail.com> 
> wrote:
>> Ultimately, for this to work cleanly, anything which requires a 
>> public IP (be it a raw authoritative DNS server or a load balancer)
>> will require an IP on both public subnets.
> No it doesn't, as long as you don't mind losing the source IP for 
> logging or configure your http proxy to pass it.  You can use 
> separate front end proxies or load balancers on each public range,

No, I really can't. And not for reasons I can change until this summer,
at the earliest, nor can I discuss them without breach of NDA.

> with its default gateway pointing toward the ISP handling it.   DNS 
> service is simple enough to have standalone servers for each instance
> you need.

This would also require either resources or underlying authorizations I
don't have.

> Web browsers are actually very good at handling multiple IPs in DNS 
> responses and doing their own failover if some of the IPs don't 
> respond.

It varies greatly by client software. And given the explosion of
unreliable network connections (wifi, mobile), some of that failover
logic's margin is already lost in dropped packets between the client and
their local network gateway.

> SMTP will retry following your MX priorities.

Yup. MX is a no-brainer, as are NS and SIP/SRV.

> For other services you might need to actively change DNS to drop IPs 
> if you know they have become unreachable, though.

Yup. That's what I was planning on doing, more or less. Start with
ordering IPs by route preference, drop IPs by link state. I just wish I
could drive it by snooping OSPF...

>> The only blocker right now is getting CentOS to do source-policy 
>> routing properly.
> It's a black art

Once you've read the docs and tried a few commands, it's pretty easy to
wrap your head around it. My problem is that what I was able to get
working by hand gets mangled by the processing logic for

> - I'd give up the source IP logging first and rely on the back end
> servers sending back to the proxy that received the request and only
> has the default route to that one ISP.

I'm not doing any special logging. That one firewall/routing device sits
between the ISP routers and _all_ my internal machines. Everything sits
behind it. There are reasons for this.
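The source-policy routing the post refers to, as an added example that is not part of the thread or of any CentOS script: a shell script that generates the per-ISP routing tables and source-address rules for a gateway with two public ranges, both as ip(8) commands and as the route-IFACE/rule-IFACE files the CentOS network scripts apply on ifup. Interface names, address ranges and table ids are constructed placeholders (RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Source-policy routing for a gateway with two ISP uplinks: replies sent from
# each public address leave through the ISP that owns that range, which avoids
# asymmetric paths that the upstream's ingress filtering would drop.
# All addresses, interfaces and table ids are constructed placeholders.

# gen_policy_routing IFACE SUBNET GATEWAY TABLE
# Prints the ip(8) commands for one uplink: a per-ISP table holding the link
# route and that ISP's default route, plus a rule choosing the table by source
# address.  Commands are printed, not executed (review them, then run as root).
gen_policy_routing() {
    iface=$1; net=$2; gw=$3; tbl=$4
    printf 'ip route add %s dev %s table %s\n' "$net" "$iface" "$tbl"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$tbl"
    printf 'ip rule add from %s lookup %s priority %s\n' "$net" "$tbl" "$tbl"
}

# gen_ifcfg_files IFACE SUBNET GATEWAY TABLE
# The same policy as the route-IFACE and rule-IFACE files that the CentOS
# network scripts (ifup-routes) feed to "ip route add" / "ip rule add" on
# ifup, so the configuration survives a network restart.
gen_ifcfg_files() {
    iface=$1; net=$2; gw=$3; tbl=$4
    printf '# /etc/sysconfig/network-scripts/route-%s\n' "$iface"
    printf '%s dev %s table %s\n' "$net" "$iface" "$tbl"
    printf 'default via %s dev %s table %s\n' "$gw" "$iface" "$tbl"
    printf '# /etc/sysconfig/network-scripts/rule-%s\n' "$iface"
    printf 'from %s table %s\n' "$net" "$tbl"
}

# Constructed uplinks: ISP A on eth1, ISP B on eth2, one table each.
gen_policy_routing eth1 198.51.100.0/24 198.51.100.1 101
gen_policy_routing eth2 203.0.113.0/24  203.0.113.1  102
gen_ifcfg_files    eth1 198.51.100.0/24 198.51.100.1 101
gen_ifcfg_files    eth2 203.0.113.0/24  203.0.113.1  102

# Checks after applying: "ip rule show" and "ip route show table 101" should
# list exactly the lines above; on the 2.6.32 kernel of CentOS 6 run
# "ip route flush cache" so old cached routes do not mask the new rules; and
# verify rp_filter on the ISP-facing interfaces still accepts traffic on both
# uplinks (strict mode, value 1, drops packets whose reverse route does not
# resolve to the receiving interface; loose mode, value 2, only requires a
# route to exist).
```

The main table keeps a single default route for locally originated traffic; the rules only override it for packets sourced from a public range.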
