* Re: [LARTC] DNAT and Load Balancing
From: Manish Kathuria @ 2007-03-02 1:53 UTC (permalink / raw)
To: lartc
On 3/2/07, Tom Lobato <tomlobato@gmail.com> wrote:
>
> Hi all!
>
> After that good thread "DGD patch not detecting dead gateway" I was
> able to set up Load Balancing with ping based DGD (without Julian
> Anastasov's patch). But now I'm facing a new problem and tried some
> options, with only partial solutions.
>
> I made a script based on
> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
> you Manish Kathuria), without Julian A.'s patch, and with routes/rules as
> described in nano.txt. It works fine, but...
>
> The problem: I do DNAT for internet located people to access my LAN
> machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't work.
> It appears that the connection from outside can enter, but when reply
> packets try to get back across the NAT machine, they fall into the round
> robin default route selection to define their gateway. Well, of course,
> this reply must leave the router via the same interface the initial
> packets entered.
>
>       vnc initial              reply that got
>       request packet            wrong route
>             \                   ^
>              \                 /
>               V               /
>             isp1       isp2      isp3
>            ___|_________|_________|___
>           |                           |
>           |           dnat            |
>           |___________________________|
>                         ^
>                         |
>                         |
>                         V
>               LAN station, the
>                  vnc server
>
> What I need is a way to force packets to leave the router via the same
> interface through which their request entered.
> I'd like to hear opinions about the problem (and also solutions =).
> Remember, I can't apply the DGD patch from J.A. because it only checks
> the first hop for dead detection.
> I will appreciate any help.
>
> Thank you,
>
> Tom Lobato
>
I had overlooked this. I had also faced a similar problem. There are
two possible solutions. One is to apply Julian's patches because, even
though you are not using the patches for DGD, they do help in making
NAT processing with multiple gateways work properly. The other option
is to mark the packets using CONNTRACK. There was a good discussion on
this topic some days back. You can check the thread using the
following links to the archives:
http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] DNAT and Load Balancing
From: Alex Samad @ 2007-03-02 18:30 UTC (permalink / raw)
To: lartc
On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
> I had overlooked this. I had also faced a similar problem. There are
> two possible solutions, one is to apply Julian's patches because even
This sounds exactly like my problem, until I applied Julian's patch. I would
suggest giving it a try.
> though you are not using the patches for DGD, they do help in making
> NAT processing with multiple gateways work properly. The other option
> is to mark the packets using CONNTRACK. There was a good discussion on
> this topic some days back. You can check the thread using the
> following links to the archives:
>
> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
* Re: [LARTC] DNAT and Load Balancing
From: francesco messineo @ 2007-03-02 18:34 UTC (permalink / raw)
To: lartc
I solved this exact problem (with incoming connections on three
different ADSL lines) by marking packets in the PREROUTING chain. Obviously with
three different routing tables.
# incoming connections for DNAT to DMZ need to be marked here in PREROUTING
iptables -t mangle -N mymark
iptables -t mangle -F mymark
# first of all RETURN for "local" interfaces
iptables -t mangle -A mymark -i $E0_IF -j RETURN
iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
iptables -t mangle -A mymark -i $VPN_IF -j RETURN
# then mark and save incoming connections from the external universe
iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
iptables -t mangle -A mymark -j CONNMARK --save-mark
#restore mark before ROUTING decision
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# non marked incoming connections need to be marked (DNAT to DMZ only)
iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark
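The marking chain above, together with the per-ISP routing tables francesco mentions but does not show, as an added dry-run example (not francesco's script or anything else from the thread; interface names, gateway addresses, mark values and table numbers are constructed):

```shell
#!/bin/sh
# Added example: mark-based policy routing for three ISPs so that replies to
# DNATed connections leave by the interface the request entered. Interface
# names, gateways, marks and table numbers are constructed. Dry run by
# default (commands are printed); run with RUN= (empty) to apply them.
RUN=${RUN:-echo}

LAN_IF=eth0     # inside interface: connections from here keep mark 0 and
                # take the normal (round robin) default route
# name:interface:gateway:mark/table-number, one entry per ISP
ISPS="isp1:eth1:203.0.113.1:1 isp2:eth2:198.51.100.1:2 isp3:eth3:192.0.2.1:3"

split_entry() {  # sets name, dev, gw, num from one ISPS entry
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    name=$1; dev=$2; gw=$3; num=$4
}

# One routing table per ISP whose default route is that ISP's gateway, and a
# policy rule that sends every packet carrying fwmark N to table N.
setup_tables() {
    for entry in $ISPS; do
        split_entry "$entry"
        $RUN ip route replace default via "$gw" dev "$dev" table "$num"
        $RUN ip rule add fwmark "$num" table "$num" priority $((100 + num))
    done
}

# Same scheme as the mymark chain: a new connection arriving on an ISP
# interface gets that ISP's mark, saved into its conntrack entry; every later
# packet of the connection (the replies from the LAN server included) gets
# the mark restored in PREROUTING, before the routing decision.
setup_marking() {
    $RUN iptables -t mangle -N isp_mark
    $RUN iptables -t mangle -F isp_mark
    $RUN iptables -t mangle -A isp_mark -i "$LAN_IF" -j RETURN
    for entry in $ISPS; do
        split_entry "$entry"
        $RUN iptables -t mangle -A isp_mark -i "$dev" -j MARK --set-mark "$num"
    done
    $RUN iptables -t mangle -A isp_mark -j CONNMARK --save-mark
    $RUN iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $RUN iptables -t mangle -A PREROUTING -m mark --mark 0 -j isp_mark
    # If the router itself answers (not only DNATed LAN hosts), its own
    # replies need the same restore in the OUTPUT chain of the mangle table.
    $RUN iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

setup_tables
setup_marking
```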
* Re: [LARTC] DNAT and Load Balancing
From: Alex Samad @ 2007-03-02 18:39 UTC (permalink / raw)
To: lartc
On Fri, Mar 02, 2007 at 07:34:34PM +0100, francesco messineo wrote:
Hi
I know there was a thread on this method earlier, but has somebody put up a
howto, or a wiki page on it?
alex
* Re: [LARTC] DNAT and Load Balancing
From: Tom Lobato @ 2007-03-02 19:10 UTC (permalink / raw)
To: lartc
Thank you all! Solved.
I used the Julian A. patch. I had already applied/used it, but with
new scripts I changed the kernel. So I only rebooted with this patched
kernel again and all works fine.
For now it's good, but I liked the CONNMARK way to do the things
that you told me. Likely in the future I'll abandon the patch and only
use iptables and scripts for the job.
Thank you for all suggestions. Even with things working, I will test
all ideas/scripts. I think it would be fine to publish a repository with
such scripts, mini-howtos and solutions, or of course, add it all to
the LARTC howto. If it already exists please tell me, else, let's begin!?
Tom Lobato