[LARTC] Loadbalancing and failover using TC and Iptables

[LARTC] Loadbalancing and failover using TC and Iptables

[hareram]

Hi all

iam trying to deploy loadbalance and failover

My setup description
--Fedora Core 4
--Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005 i686 i686 i386 
GNU/Linux
--tc utility, iproute2-ss050314
--ip utility, iproute2-ss050314
--iptables v1.3.0

And i had deployed Following configuration

#table main with priority 50, the highest one
ip rule add prio 50 table main
#table 201
ip rule add prio 201 from x.x.x.234 table 201
ip route add default via x.x.x..233 dev eth1 src x.x.x.234 proto static 
table 201
ip route append prohibit default table 201 metric 1 proto static
#table 202
ip rule add prio 202 from y.y.y.10 table 202
ip route add default via y.y.y.9 dev eth0 src y.y.y.10 proto static table 
202
ip route append prohibit default table 202 metric 1 proto static
#table 222
ip rule add prio 222 table 222
ip route add default equalize table 222 proto static nexthop via x.x.x.233 
dev eth1 nexthop via y.y.y.9 dev eth0
#essential masquerade option
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE


Above is my setup

when try to traceroute to yahoo.com
iam able to see the trafffic going to both interfaces.. till now works fine

when i connected to eth2 ( eth2 of linux box configured IP 192.168.3.2) with 
my Laptop
using ip 192.168.3.1 gateway 192.168.3.2( linux box eth2)

when try to traceroute its always going to y.y.y.9
when i go and check whatismyip.com and findmyip.com
its shows only y.y.y.10 IP, why my traffic is not balancing using both the 
routes ??

when i change the my rule like following

ip route replace default equalize table 222 proto static nexthop via 
x.x.x.233 dev eth1

when try to traceroute its always going to y.y.y.233
when i go and check whatismyip.com and findmyip.com
its shows only y.y.y.234 IP,

could some one help me to resolve this issue

and suggest me what is need to be done if i want nat and other IP's to be 
loadbalance

may be i call it per packet loadbalance

thanks in advance

hare




_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Loadbalancing and failover using TC and Iptables

[gypsy]

hareram wrote:
> 
> Hi all
> 
> iam trying to deploy loadbalance and failover
> 
> My setup description
> --Fedora Core 4
> --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005 i686 i686 i386
> GNU/Linux
> --tc utility, iproute2-ss050314
> --ip utility, iproute2-ss050314
> --iptables v1.3.0

You say nothing about Julian's patch, so I assume you did not patch your
kernel.  You must do that.
http://www.ssi.bg/~ja/

http://www.geocities.com/mctiew/ffw/dual.htm

I'm not sure this is still a good link
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
so here is an old copy
http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
--
gypsy
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Loadbalancing and failover using TC and Iptables

[hareram]

Hi

sorry i was not mentioned that

yes i did with the patch patch-2.6.12-ja1.diff

yes iam also seen the document of Dual

and try to see how can make that kind of setup

any help will be apprciate

hare
----- Original Message ----- 
From: "gypsy" <gypsy@iswest.com>
To: <lartc@mailman.ds9a.nl>
Cc: "hareram" <hareram@sol.net.in>
Sent: Monday, August 08, 2005 7:16 PM
Subject: Re: [LARTC] Loadbalancing and failover using TC and Iptables


> hareram wrote:
>> 
>> Hi all
>> 
>> iam trying to deploy loadbalance and failover
>> 
>> My setup description
>> --Fedora Core 4
>> --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005 i686 i686 i386
>> GNU/Linux
>> --tc utility, iproute2-ss050314
>> --ip utility, iproute2-ss050314
>> --iptables v1.3.0
> 
> You say nothing about Julian's patch, so I assume you did not patch your
> kernel.  You must do that.
> http://www.ssi.bg/~ja/
> 
> http://www.geocities.com/mctiew/ffw/dual.htm
> 
> I'm not sure this is still a good link
> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
> so here is an old copy
> http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
> --
> gypsy
> 
>

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

RE: [LARTC] Loadbalancing and failover using TC and Iptables

[:: L i n u XK i D ::]

I've read next link:

-> I'm not sure this is still a good link
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking


is really neccessary mark pakets on this way ?


[... snip ...]

# iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
-m state --state NEW -o ppp0
# iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
-m state --state NEW -o ppp1
# iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
-m state --state NEW

[... snip ...]


# iptables -A POSTROUTING -t nat -m mark --mark 1 \
-j SNAT --to-source 11.1.1.1
# iptables -A POSTROUTING -t nat -m mark --mark 2 \
-j SNAT --to-source 22.2.2.2







-> hareram wrote:
-> > 
-> > Hi all
-> > 
-> > iam trying to deploy loadbalance and failover
-> > 
-> > My setup description
-> > --Fedora Core 4
-> > --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005 i686 i686 i386
-> > GNU/Linux
-> > --tc utility, iproute2-ss050314
-> > --ip utility, iproute2-ss050314
-> > --iptables v1.3.0
-> 
-> You say nothing about Julian's patch, so I assume you did not patch your
-> kernel.  You must do that.
-> http://www.ssi.bg/~ja/
-> 
-> http://www.geocities.com/mctiew/ffw/dual.htm
-> 
-> I'm not sure this is still a good link
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> so here is an old copy
-> http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
-> --
-> gypsy
-> _______________________________________________
-> LARTC mailing list
-> LARTC@mailman.ds9a.nl
-> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Loadbalancing and failover using TC and Iptables

[hareram]

Hi

yes i have tried with the docs

but from the box iam not able to go out


even i configureed on of client and try to access the internet, iam not able 
to ??

any suggestions

hare
----- Original Message ----- 
From: ":: L i n u XK i D ::" <gregoriandres@yahoo.com.ar>
To: "lartc" <lartc@mailman.ds9a.nl>
Sent: Monday, August 08, 2005 11:05 PM
Subject: RE: [LARTC] Loadbalancing and failover using TC and Iptables


>
> I've read next link:
>
> -> I'm not sure this is still a good link
> -> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
>
>
> is really neccessary mark pakets on this way ?
>
>
> [... snip ...]
>
> # iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
> -m state --state NEW -o ppp0
> # iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
> -m state --state NEW -o ppp1
> # iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
> -m state --state NEW
>
> [... snip ...]
>
>
> # iptables -A POSTROUTING -t nat -m mark --mark 1 \
> -j SNAT --to-source 11.1.1.1
> # iptables -A POSTROUTING -t nat -m mark --mark 2 \
> -j SNAT --to-source 22.2.2.2
>
>
>
>
>
>
>
> -> hareram wrote:
> -> >
> -> > Hi all
> -> >
> -> > iam trying to deploy loadbalance and failover
> -> >
> -> > My setup description
> -> > --Fedora Core 4
> -> > --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005 i686 i686 i386
> -> > GNU/Linux
> -> > --tc utility, iproute2-ss050314
> -> > --ip utility, iproute2-ss050314
> -> > --iptables v1.3.0
> ->
> -> You say nothing about Julian's patch, so I assume you did not patch 
> your
> -> kernel.  You must do that.
> -> http://www.ssi.bg/~ja/
> ->
> -> http://www.geocities.com/mctiew/ffw/dual.htm
> ->
> -> I'm not sure this is still a good link
> -> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
> -> so here is an old copy
> -> http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
> -> --
> -> gypsy
> -> _______________________________________________
> -> LARTC mailing list
> -> LARTC@mailman.ds9a.nl
> -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> 


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Loadbalancing and failover using TC and Iptables

[gypsy]

:: L i n u XK i D :: wrote:
> 
> I've read next link:
> 
> -> I'm not sure this is still a good link
> -> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
> 
> is really neccessary mark pakets on this way ?

From the machine on which the 2 ISPs are connected to two different
NICs, no.  It will send and receive packets without marking.  Where I
have a problem is with NATted users; they are tied to one or the other
ISP (even though I run 'ip route flush cache') unless I mark.

Maybe Julian will give us some hints <grin>?
--
gypsy

> [... snip ...]
> 
> # iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
> -m state --state NEW -o ppp0
> # iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
> -m state --state NEW -o ppp1
> # iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
> -m state --state NEW
> 
> [... snip ...]
> 
> # iptables -A POSTROUTING -t nat -m mark --mark 1 \
> -j SNAT --to-source 11.1.1.1
> # iptables -A POSTROUTING -t nat -m mark --mark 2 \
> -j SNAT --to-source 22.2.2.2
> 
> -> hareram wrote:
> -> >
> -> > Hi all
> -> >
> -> > iam trying to deploy loadbalance and failover
> -> >
> -> > My setup description
> -> > --Fedora Core 4
> -> > --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005 i686 i686 i386
> -> > GNU/Linux
> -> > --tc utility, iproute2-ss050314
> -> > --ip utility, iproute2-ss050314
> -> > --iptables v1.3.0
> ->
> -> You say nothing about Julian's patch, so I assume you did not patch your
> -> kernel.  You must do that.
> -> http://www.ssi.bg/~ja/
> ->
> -> http://www.geocities.com/mctiew/ffw/dual.htm
> ->
> -> I'm not sure this is still a good link
> -> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
> -> so here is an old copy
> -> http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
> -> --
> -> gypsy
> -> _______________________________________________
> -> LARTC mailing list
> -> LARTC@mailman.ds9a.nl
> -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

RE: [LARTC] Loadbalancing and failover using TC and Iptables

[LinuXKiD]

Another question related with this.

I've 4 ADSLs and I already use CONNMARK
to MARK out/in traffic from ADSLs in order
to make a QoS.

# iptables -L -t mangle

[... snip ...]

Chain POSTROUTING (policy ACCEPT 15M packets, 5610M bytes)
 pkts bytes target     prot opt in     out     source
destination
 989K  299M MYSHAPER-OUT  all  --  *      ppp3    0.0.0.0/0
0.0.0.0/0
 985K  222M MYSHAPER-OUT  all  --  *      ppp2    0.0.0.0/0
0.0.0.0/0
 856K  163M MYSHAPER-OUT  all  --  *      ppp1    0.0.0.0/0
0.0.0.0/0
 841K  164M MYSHAPER-OUT  all  --  *      ppp0    0.0.0.0/0
0.0.0.0/0

[... snip ...]

Chain MYSHAPER-OUT (4 references)
 pkts bytes target     prot opt in     out     source
destination
39254 7491K MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp spts:0:1024 MARK set 0x17
1920K  221M MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpts:0:1024 MARK set 0x17
 1882  153K MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:20 MARK set 0x1a
  174  9457 MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:5190 MARK set 0x17
 142K   19M MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:1863 MARK set 0x17
[... snip ...]


Later, with that MARK I put traffic on a HTB class.
...
$TC filter add dev $DEV parent nn:0 prio 0 protocol ip handle XX fw flowid
nn:yy
...

MY Question is:
is possible re-mark traffic or put another mark in order
to know which PPP interface going out ?

Must I use CLASSIFY to shape in/out PPP traffic , and let MARKs
to know which PPP interface going out ?

best regards.

andres















->
-> :: L i n u XK i D :: wrote:
-> >

-> > I've read next link:
-> >
-> > -> I'm not sure this is still a good link
-> > ->
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> >
-> > is really neccessary mark pakets on this way ?
->
-> From the machine on which the 2 ISPs are connected to two different
-> NICs, no.  It will send and receive packets without marking.  Where I
-> have a problem is with NATted users; they are tied to one or the other
-> ISP (even though I run 'ip route flush cache') unless I mark.
->
-> Maybe Julian will give us some hints <grin>?
-> --
-> gypsy
->
-> > [... snip ...]
-> >
-> > # iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
-> > -m state --state NEW -o ppp0
-> > # iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
-> > -m state --state NEW -o ppp1
-> > # iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
-> > -m state --state NEW
-> >
-> > [... snip ...]
-> >
-> > # iptables -A POSTROUTING -t nat -m mark --mark 1 \
-> > -j SNAT --to-source 11.1.1.1
-> > # iptables -A POSTROUTING -t nat -m mark --mark 2 \
-> > -j SNAT --to-source 22.2.2.2
-> >
-> > -> hareram wrote:
-> > -> >
-> > -> > Hi all
-> > -> >
-> > -> > iam trying to deploy loadbalance and failover
-> > -> >
-> > -> > My setup description
-> > -> > --Fedora Core 4
-> > -> > --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005
-> i686 i686 i386
-> > -> > GNU/Linux
-> > -> > --tc utility, iproute2-ss050314
-> > -> > --ip utility, iproute2-ss050314
-> > -> > --iptables v1.3.0
-> > ->
-> > -> You say nothing about Julian's patch, so I assume you did
-> not patch your
-> > -> kernel.  You must do that.
-> > -> http://www.ssi.bg/~ja/
-> > ->
-> > -> http://www.geocities.com/mctiew/ffw/dual.htm
-> > ->
-> > -> I'm not sure this is still a good link
-> > ->
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> > -> so here is an old copy
-> > -> http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
-> > -> --
-> > -> gypsy
-> > -> _______________________________________________
-> > -> LARTC mailing list
-> > -> LARTC@mailman.ds9a.nl
-> > -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-> > _______________________________________________
-> > LARTC mailing list
-> > LARTC@mailman.ds9a.nl
-> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

RE: [LARTC] Loadbalancing and failover using TC and Iptables

[LinuXKiD]

I've tried this on my 4 adsl Linux + 10 hosts
lan... but works better without "marks"




->
-> Another question related with this.
->
-> I've 4 ADSLs and I already use CONNMARK
-> to MARK out/in traffic from ADSLs in order
-> to make a QoS.
->
-> # iptables -L -t mangle
->
-> [... snip ...]
->
-> Chain POSTROUTING (policy ACCEPT 15M packets, 5610M bytes)
->  pkts bytes target     prot opt in     out     source
-> destination
->  989K  299M MYSHAPER-OUT  all  --  *      ppp3    0.0.0.0/0
-> 0.0.0.0/0
->  985K  222M MYSHAPER-OUT  all  --  *      ppp2    0.0.0.0/0
-> 0.0.0.0/0
->  856K  163M MYSHAPER-OUT  all  --  *      ppp1    0.0.0.0/0
-> 0.0.0.0/0
->  841K  164M MYSHAPER-OUT  all  --  *      ppp0    0.0.0.0/0
-> 0.0.0.0/0
->
-> [... snip ...]
->
-> Chain MYSHAPER-OUT (4 references)
->  pkts bytes target     prot opt in     out     source
-> destination
-> 39254 7491K MARK       tcp  --  *      *       0.0.0.0/0
-> 0.0.0.0/0           tcp spts:0:1024 MARK set 0x17
-> 1920K  221M MARK       tcp  --  *      *       0.0.0.0/0
-> 0.0.0.0/0           tcp dpts:0:1024 MARK set 0x17
->  1882  153K MARK       tcp  --  *      *       0.0.0.0/0
-> 0.0.0.0/0           tcp dpt:20 MARK set 0x1a
->   174  9457 MARK       tcp  --  *      *       0.0.0.0/0
-> 0.0.0.0/0           tcp dpt:5190 MARK set 0x17
->  142K   19M MARK       tcp  --  *      *       0.0.0.0/0
-> 0.0.0.0/0           tcp dpt:1863 MARK set 0x17
-> [... snip ...]
->
->
-> Later, with that MARK I put traffic on a HTB class.
-> ...
-> $TC filter add dev $DEV parent nn:0 prio 0 protocol ip handle XX
-> fw flowid
-> nn:yy
-> ...
->
-> MY Question is:
-> is possible re-mark traffic or put another mark in order
-> to know which PPP interface going out ?
->
-> Must I use CLASSIFY to shape in/out PPP traffic , and let MARKs
-> to know which PPP interface going out ?
->
-> best regards.
->
-> andres
->
->
->
->
->
->
->
->
->
->
->
->
->
->
->
-> ->
-> -> :: L i n u XK i D :: wrote:
-> -> >
->
-> -> > I've read next link:
-> -> >
-> -> > -> I'm not sure this is still a good link
-> -> > ->
-> ->
-> http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> -> >
-> -> > is really neccessary mark pakets on this way ?
-> ->
-> -> From the machine on which the 2 ISPs are connected to two different
-> -> NICs, no.  It will send and receive packets without marking.  Where I
-> -> have a problem is with NATted users; they are tied to one or the other
-> -> ISP (even though I run 'ip route flush cache') unless I mark.
-> ->
-> -> Maybe Julian will give us some hints <grin>?
-> -> --
-> -> gypsy
-> ->
-> -> > [... snip ...]
-> -> >
-> -> > # iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
-> -> > -m state --state NEW -o ppp0
-> -> > # iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
-> -> > -m state --state NEW -o ppp1
-> -> > # iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
-> -> > -m state --state NEW
-> -> >
-> -> > [... snip ...]
-> -> >
-> -> > # iptables -A POSTROUTING -t nat -m mark --mark 1 \
-> -> > -j SNAT --to-source 11.1.1.1
-> -> > # iptables -A POSTROUTING -t nat -m mark --mark 2 \
-> -> > -j SNAT --to-source 22.2.2.2
-> -> >
-> -> > -> hareram wrote:
-> -> > -> >
-> -> > -> > Hi all
-> -> > -> >
-> -> > -> > iam trying to deploy loadbalance and failover
-> -> > -> >
-> -> > -> > My setup description
-> -> > -> > --Fedora Core 4
-> -> > -> > --Linux  2.6.12.3 #1 SMP Mon Jul 25 22:37:34 IST 2005
-> -> i686 i686 i386
-> -> > -> > GNU/Linux
-> -> > -> > --tc utility, iproute2-ss050314
-> -> > -> > --ip utility, iproute2-ss050314
-> -> > -> > --iptables v1.3.0
-> -> > ->
-> -> > -> You say nothing about Julian's patch, so I assume you did
-> -> not patch your
-> -> > -> kernel.  You must do that.
-> -> > -> http://www.ssi.bg/~ja/
-> -> > ->
-> -> > -> http://www.geocities.com/mctiew/ffw/dual.htm
-> -> > ->
-> -> > -> I'm not sure this is still a good link
-> -> > ->
-> ->
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
-> > -> so here is an old copy
-> > -> http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
-> > -> --
-> > -> gypsy
-> > -> _______________________________________________
-> > -> LARTC mailing list
-> > -> LARTC@mailman.ds9a.nl
-> > -> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
-> > _______________________________________________
-> > LARTC mailing list
-> > LARTC@mailman.ds9a.nl
-> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc