[CentOS] routing with 2 public ips
Gordon Messmer
gordon.messmer at gmail.com
Mon Dec 28 21:08:02 UTC 2015
On 12/28/2015 04:50 AM, Eliezer Croitoru wrote:
> Which means he has 1 server with two gateway devices which each has
> it's own broadcast space\network.
> It's not clear to me if there are two gateways in the same
> broadcast\network or not.
I think it's safe to assume that the two addresses and, necessarily, the
gateways, are in separate broadcast domains. However, even if that
weren't the case, it is still sufficient to create two routing tables
and use "ip rule" to select the appropriate table (and the gateway it
specifies) based on the source address of the packet being routed.
Just to walk you through it, assume his server has two addresses in
separate broadcast domains. The first interface has 1.2.3.4/24 with
gateway 1.2.3.1. The second interface has 2.3.4.5/24 with gateway 2.3.4.1.
Now, a host at 192.0.2.2 initiates a connection. It sends a TCP SYN
packet to 1.2.3.4. The server receives that packet and sends a TCP
SYN/ACK to 192.0.2.2. The source address of that packet is 1.2.3.4. A
rule exits that matches packets from 1.2.3.4 and selects the first
routing table, where the default gateway is 1.2.3.1.
Later, a host at 198.51.100.3 initiates a connection. It sends a TCP
SYN packet to 2.3.4.5. The server receives that packet and sends a TCP
SYN/ACK to 198.51.100.3. The source address of that packet is 2.3.4.5,
since that is the address that the SYN was sent to. A rule exists on
the server that matches packets from 2.3.4.5 and selects the second
routing table, where the default gateway is 2.3.4.1.
> if it's on the same network then he must have some routing rules and
> the issue is not about a specific src address but about a connection..
You wouldn't normally have two addresses on two interfaces in the same
broadcast domain. You'd probably bond the interfaces instead. But if
you did, it wouldn't change the process. Reply packets will still have
their source address set to the same address that received the request,
and you'd still be able to specify the routing table based on that address.
So, again, you *can* mark connections and select a route that way, but
it's slower and more complex than using information that's already
available. There's simply no reason to do that in a standard
multi-homed setup.
More information about the CentOS
mailing list