* [LARTC] Multipath routing + traffic separation problem.
@ 2005-04-06 10:09 Laurent LAVAUD
From: Laurent LAVAUD @ 2005-04-06 10:09 UTC (permalink / raw)
  To: lartc


Hello,

I have set up a multipath gateway.
System is a linux 2.4.29 kernel, iproute 20010824, iptables 1.2.11.

here is the setup:


firewall:/# ip rule
0:      from all lookup local 
100:    from all lookup main 
152:    from all fwmark       10 lookup wan1 
153:    from all fwmark       20 lookup wan2 
201:    from 213.223.96.121 lookup wan1 
202:    from 82.236.230.217 lookup wan2 
1000:   from all lookup away 

Fw-cgarp:/etc/firegate# ip route ls table wan1
default via 213.223.96.122 dev eth0  src 213.223.96.121 
prohibit default  metric 1 

Fw-cgarp:/etc/firegate# ip route ls table wan2
default via 82.236.230.254 dev eth3  src 82.236.230.217 
prohibit default  metric 1 

Fw-cgarp:/etc/firegate# ip route ls table away
default 
  nexthop via 82.236.230.254  dev eth3 weight 1
  nexthop via 213.223.96.122  dev eth0 weight 1

Fw-cgarp:/etc/firegate# iptables-save -t mangle
# Generated by iptables-save v1.2.11 on Wed Apr  6 11:57:06 2005
*mangle
:PREROUTING ACCEPT [3281:1066576]
:INPUT ACCEPT [411:32992]
:FORWARD ACCEPT [2870:1033584]
:OUTPUT ACCEPT [339:63745]
:POSTROUTING ACCEPT [3195:1096657]
-A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0xa 
-A PREROUTING -p tcp -m mport --dports 80,443,21 -j MARK --set-mark 0x14 
COMMIT
# Completed on Wed Apr  6 11:57:06 2005



So with this configuration all the http, https and ftp traffic must be routed by the 'wan2' connection.
I have done several tests and it doesn't work. I have also added a realm mark to my routing rule, and with the "rtacct" command I saw that the traffic goes through the correct rule, but http traffic continues to be balanced between the two connections...

Does someone see the problem?
Thanks in advance.


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Multipath routing + traffic separation problem.
From: Nguyen Dinh Nam @ 2005-04-07  0:54 UTC (permalink / raw)
  To: lartc



Your settings seem to be correct, I just don't know why you don't want
to balance http, https and ftp traffic between both connections? 

About the bug, I haven't used linux 2.4 for a long time; for 2.6, fwmark
is in hexa, so be careful with 10 vs. 0xa. You'd better use values less
than 0xa to avoid confusion.

Also make sure that no default route is added to your main table.


On Wed, 2005-04-06 at 12:09 +0200, Laurent LAVAUD wrote:

> Hello,
> 
> I have set up a multipath gateway.
> System is a linux 2.4.29 kernel, iproute 20010824, iptables 1.2.11.
> 
> here is the setup:
> 
> 
> firewall:/# ip rule
> 0:      from all lookup local 
> 100:    from all lookup main 
> 152:    from all fwmark       10 lookup wan1 
> 153:    from all fwmark       20 lookup wan2 
> 201:    from 213.223.96.121 lookup wan1 
> 202:    from 82.236.230.217 lookup wan2 
> 1000:   from all lookup away 
> 
> Fw-cgarp:/etc/firegate# ip route ls table wan1
> default via 213.223.96.122 dev eth0  src 213.223.96.121 
> prohibit default  metric 1 
> 
> Fw-cgarp:/etc/firegate# ip route ls table wan2
> default via 82.236.230.254 dev eth3  src 82.236.230.217 
> prohibit default  metric 1 
> 
> Fw-cgarp:/etc/firegate# ip route ls table away
> default 
>   nexthop via 82.236.230.254  dev eth3 weight 1
>   nexthop via 213.223.96.122  dev eth0 weight 1
> 
> Fw-cgarp:/etc/firegate# iptables-save -t mangle
> # Generated by iptables-save v1.2.11 on Wed Apr  6 11:57:06 2005
> *mangle
> :PREROUTING ACCEPT [3281:1066576]
> :INPUT ACCEPT [411:32992]
> :FORWARD ACCEPT [2870:1033584]
> :OUTPUT ACCEPT [339:63745]
> :POSTROUTING ACCEPT [3195:1096657]
> -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0xa 
> -A PREROUTING -p tcp -m mport --dports 80,443,21 -j MARK --set-mark 0x14 
> COMMIT
> # Completed on Wed Apr  6 11:57:06 2005
> 
> 
> 
> So with this configuration all the http, https and ftp traffic must be routed by the 'wan2' connection.
> I have done several tests and it doesn't work. I have also added a realm mark to my routing rule, and with the "rtacct" command I saw that the traffic goes through the correct rule, but http traffic continues to be balanced between the two connections...
> 
> Does someone see the problem?
> Thanks in advance.
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
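To make the two hints above concrete (the mark base and a default route in the main table), here is an added simulation of the rule walk for the setup posted in this thread; it is not code from either poster. It assumes a forwarded packet from a LAN host, marks set exactly by the mangle rules shown, and treats the base in which iproute2 parses `fwmark 10` / `fwmark 20` as a parameter, since the thread does not settle which base that iproute2 version uses.

```python
# Added example: walk the posted "ip rule" list for one packet and report
# which table supplies the route.  Not the poster's configuration script.

# Marks set by the posted mangle rules (iptables takes 0xa = 10, 0x14 = 20).
IPTABLES_MARKS = {25: 0xa, 80: 0x14, 443: 0x14, 21: 0x14}

# Which posted table holds a usable default route.  main has no default
# (confirmed in the follow-up); local only carries local addresses.
TABLES = {
    "local": None,
    "main": None,  # a gateway here reproduces the "default route in main" mistake
    "wan1": "213.223.96.122 dev eth0",
    "wan2": "82.236.230.254 dev eth3",
    "away": "multipath: eth0 | eth3 (balanced)",
}

def build_rules(fwmark_base):
    """The posted rules, in priority order.  The CLI strings "10" and "20"
    are parsed with fwmark_base (10 = decimal, 16 = hex, as the reply warns)."""
    return [
        (0,    None,                              "local"),
        (100,  None,                              "main"),
        (152,  ("mark", int("10", fwmark_base)),  "wan1"),
        (153,  ("mark", int("20", fwmark_base)),  "wan2"),
        (201,  ("src", "213.223.96.121"),         "wan1"),
        (202,  ("src", "82.236.230.217"),         "wan2"),
        (1000, None,                              "away"),
    ]

def select_route(dport, src, rules, tables=TABLES):
    """Return (table, route) for the first matching rule whose table has a
    default route; (None, None) if every table falls through."""
    mark = IPTABLES_MARKS.get(dport, 0)   # unmarked traffic keeps mark 0
    for _prio, selector, table in rules:
        if selector is not None:
            kind, wanted = selector
            if kind == "mark" and wanted != mark:
                continue
            if kind == "src" and wanted != src:
                continue
        route = tables.get(table)
        if route is not None:             # table answered: lookup stops here
            return table, route
    return None, None

if __name__ == "__main__":
    for base in (10, 16):
        print(f"fwmark parsed base {base}: port 80 ->",
              select_route(80, "192.168.1.10", build_rules(base))[0])
```

With base 10 the http packet reaches wan2 as intended; with base 16 the rule holds mark 0x10 = 16, nothing matches 20, and the packet falls through to the balanced "away" table, which is exactly the symptom reported.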




* RE : [LARTC] Multipath routing + traffic separation problem.
From: Laurent LAVAUD @ 2005-04-07  7:47 UTC (permalink / raw)
  To: lartc


Hello,

First, thanks for your answer.

I have also tried with other marks under 10 to avoid confusion between decimal and hexa => same result.
I confirm that no default route is present in my main table, only routes for the LAN and DMZ networks.

And the reason why I want the http(s) and ftp traffic not to be balanced is a "political reason": I install several firewalls for different clients and each one has their own wishes ;)

I really don't understand where the problem is.
If I use the ip filter capabilities (from, to, iif), the traffic is correctly routed, but with the netfilter mark it doesn't work...

I checked packet stats with iptables to see if traffic goes through the mangle rules and it seems to be ok, and with the realm mark I checked if the routing rule is read and it seems to be ok too...


> -----Original Message-----
> From: Nguyen Dinh Nam [mailto:64vn@cardvn.net] 
> Sent: Thursday, April 7, 2005 02:55
> To: Laurent LAVAUD
> Cc: lartc@mailman.ds9a.nl
> Subject: Re: [LARTC] Multipath routing + traffic separation problem.
> 
> 
> Your settings seem to be correct, I just don't know why you don't want to balance http, https and ftp traffic between both connections? 
> 
> About the bug, I haven't used linux 2.4 for a long time; for 2.6, fwmark is in hexa, so be careful with 10 vs. 0xa. You'd better use values less than 0xa to avoid confusion.
> 
> Also make sure that no default route is added to your main table.
> 
> 
>>  On Wed, 2005-04-06 at 12:09 +0200, Laurent LAVAUD wrote: 
>>  Hello,
>>  
>>  I have set up a multipath gateway.
>>  System is a linux 2.4.29 kernel, iproute 20010824, iptables 1.2.11.
>>  
>>  here is the setup:
>>  
>>  
>>  firewall:/# ip rule
>>  0:      from all lookup local 
>>  100:    from all lookup main 
>>  152:    from all fwmark       10 lookup wan1 
>>  153:    from all fwmark       20 lookup wan2 
>>  201:    from 213.223.96.121 lookup wan1 
>>  202:    from 82.236.230.217 lookup wan2 
>>  1000:   from all lookup away 
>>  
>>  Fw-cgarp:/etc/firegate# ip route ls table wan1
>>  default via 213.223.96.122 dev eth0  src 213.223.96.121 
>>  prohibit default  metric 1 
>>  
>>  Fw-cgarp:/etc/firegate# ip route ls table wan2
>>  default via 82.236.230.254 dev eth3  src 82.236.230.217 
>>  prohibit default  metric 1 
>>  
>>  Fw-cgarp:/etc/firegate# ip route ls table away
>>  default 
>>    nexthop via 82.236.230.254  dev eth3 weight 1
>>    nexthop via 213.223.96.122  dev eth0 weight 1
>>  
>>  Fw-cgarp:/etc/firegate# iptables-save -t mangle
>>  # Generated by iptables-save v1.2.11 on Wed Apr  6 11:57:06 2005
>>  *mangle
>>  :PREROUTING ACCEPT [3281:1066576]
>>  :INPUT ACCEPT [411:32992]
>>  :FORWARD ACCEPT [2870:1033584]
>>  :OUTPUT ACCEPT [339:63745]
>>  :POSTROUTING ACCEPT [3195:1096657]
>>  -A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0xa 
>>  -A PREROUTING -p tcp -m mport --dports 80,443,21 -j MARK --set-mark 0x14 
>>  COMMIT
>>  # Completed on Wed Apr  6 11:57:06 2005
>>  
>>  
>>  
>>  So with this configuration all the http, https and ftp traffic must be routed by the 'wan2' connection.
>>  I have done several tests and it doesn't work. I have also added a realm mark to my routing rule, and with the "rtacct" command I saw that the traffic goes through the correct rule, but http traffic continues to be balanced between the two connections...
>>  
>>  Does someone see the problem?
>>  Thanks in advance.
>>  _______________________________________________
>>  LARTC mailing list
>>  LARTC@mailman.ds9a.nl
>>  http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

