[CentOS] Configuring source-specific routing

Wed May 1 20:05:51 UTC 2013
Michael Mol <mikemol at gmail.com>

I'm attempting to configure source-specific routing so that my servers
can exist on multiple subnets from multiple upstream providers.

A rough diagram of the network layout:


ISP1 router (blackbox, routes subnet A, address on subnet A)
  \
   -----------eth0(firewall)eth1---((servers))
  /
ISP2 router (blackbox, routes subnet B, address on subnet B)

The aim is to allow the servers to use both subnet A and subnet B. To
allow this, any machine on both subnets must have source-specific
routing configured, else packets originating from one ISP's AS will be
directed at the other's router, and neither ISP cares for that.

At the moment, I'm focusing on getting the second ISP properly added to
the firewall box. The firewall box is using CentOS 6.4, and normally
passes traffic back and forth via proxy_arp. None of my interfaces are
NM_CONTROLLED, and NetworkManager is not installed, much less started.

I've created a route-eth0:1 file that looks roughly like this:

10.0.0.1 dev eth0:1 \
  src 10.0.0.2 \
  from 10.0.0.0/29

default via 10.0.0.1 dev eth0:1 \
  src 10.0.0.2 \
  from 10.0.0.0/29

(Treat indented lines as continuations of the previous line)
(No, the ISPs aren't giving me RFC1918 addresses; these are redacted.)

If I run "ifup eth0:1", "ip route show" includes the lines:

10.0.0.1 dev eth0  scope link  src 10.0.0.2
10.0.0.0/29 dev eth0  proto kernel  scope link  src 10.0.0.2
default via 10.0.0.1 dev eth0


Note that the "from 10.0.0.0/29" clause is missing. With the addition of
a second default route on my firewall/gateway without any restriction on
which traffic should go that way, my whole network, of course, tanks.

I'm surprised it's been such a pain; I would have expected it to be a
relatively common configuration. What's the proper way of doing
source-specific routing on CentOS?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 555 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20130501/dbf0329d/attachment-0004.sig>