[CentOS] routing with 2 public ips

Mon Dec 28 21:08:02 UTC 2015
Gordon Messmer <gordon.messmer at gmail.com>

On 12/28/2015 04:50 AM, Eliezer Croitoru wrote:
> Which means he has 1 server with two gateway devices which each has 
> it's own broadcast space\network.
> It's not clear to me if there are two gateways in the same 
> broadcast\network or not.

I think it's safe to assume that the two addresses and, necessarily, the 
gateways, are in separate broadcast domains.  However, even if that 
weren't the case, it is still sufficient to create two routing tables 
and use "ip rule" to select the appropriate table (and the gateway it 
specifies) based on the source address of the packet being routed.

Just to walk you through it, assume his server has two addresses in 
separate broadcast domains.  The first interface has 1.2.3.4/24 with 
gateway 1.2.3.1.  The second interface has 2.3.4.5/24 with gateway 2.3.4.1.

Now, a host at 192.0.2.2 initiates a connection.  It sends a TCP SYN 
packet to 1.2.3.4.  The server receives that packet and sends a TCP 
SYN/ACK to 192.0.2.2.  The source address of that packet is 1.2.3.4.  A 
rule exits that matches packets from 1.2.3.4 and selects the first 
routing table, where the default gateway is 1.2.3.1.

Later, a host at 198.51.100.3 initiates a connection.  It sends a TCP 
SYN packet to 2.3.4.5.  The server receives that packet and sends a TCP 
SYN/ACK to 198.51.100.3.  The source address of that packet is 2.3.4.5, 
since that is the address that the SYN was sent to.  A rule exists on 
the server that matches packets from 2.3.4.5 and selects the second 
routing table, where the default gateway is 2.3.4.1.

> if it's on the same network then he must have some routing rules and 
> the issue is not about a specific src address but about a connection..

You wouldn't normally have two addresses on two interfaces in the same 
broadcast domain.  You'd probably bond the interfaces instead. But if 
you did, it wouldn't change the process.  Reply packets will still have 
their source address set to the same address that received the request, 
and you'd still be able to specify the routing table based on that address.

So, again, you *can* mark connections and select a route that way, but 
it's slower and more complex than using information that's already 
available.  There's simply no reason to do that in a standard 
multi-homed setup.