* Re: [LARTC] DNAT and Load Balancing [attached compresed file]
@ 2007-03-02 8:43 ArcosCom Linux User
2007-03-02 11:13 ` Tom Lobato
2007-03-02 11:45 ` ArcosCom Linux User
0 siblings, 2 replies; 3+ messages in thread
From: ArcosCom Linux User @ 2007-03-02 8:43 UTC (permalink / raw)
To: lartc
In the file "comandos.log" you can see how I implement the "load balancing".
The explanation is:
1) Add more filters to routing decisions that depending on fwmark value
of packets use one or another link to send the packet.
2) In PREROUTING mark the connection to know the "incoming" iface and
keep that into conntrack table.
3) In POSTROUTING the same, to allow outgoing packages select the same
interface.
In my configuration wan0 is a bridge (without STP) that links all the WAN
interfaces and I make aliases for all, that is why you can see the
"physdev" match used, but if you don't use a bridge, you can replace the
wan0 and bridge selection by only your wan ifaces.
With this configuration, I expect these:
1) Allow UPnP work fine (appears to be working for now).
2) Allow the correct incoming DNAT work fine.
3) Allow the correct outgoing conections tracks fine.
4) Allow only 1 iptables rules if I need DNAT to one machine from any
wan iface (very usefull for p2p programs).
You can see, too, that I use masks with marks, that is because I use
another marks to allow traffic control (with other marks).
I'm testing this configuration for two days now, and appears to be working
fine.
Last note: This file is not my real script, my real script parse one
config file where I define all my wan ifaces, my real script generates
this files to allow me debug the command execution results, order, output,
etc...
Regards
El Vie, 2 de Marzo de 2007, 2:52, Manish Kathuria escribió:
> On 3/2/07, Tom Lobato <tomlobato@gmail.com> wrote:
>>
>>
>> Hi all!
>>
>>
>> After that good thread "DGD patch not detecting dead gateway" I was
>> able to set up a Load Balancing with ping based DGD (without Julian
>> Anastasov patch). But now I'm facing a new problem and tried some
>> options, with only partial solutions.
>>
>> I made a script based on
>> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
>> you Manish Kathuria), without Julian A. patch, and with routes/rules as
>> described in nano.txt. It works fine, but...
>>
>> The problem: I do DNAT for internet located people to access my LAN
>> machines (VNC, RDP, etc...). It sometimes works, sometimes don't work.
>> It appears that the connection from outside can enter, but when reply
>> packets try to get back across nat machine, it falls into the round
>> robin default route selection to define its gateway. Well, of course,
>> this reply must leave the router via the same interface whose initial
>> packets entered.
>>
>>
>> vnc initial
>> request packet reply that got
>> \ wrong route
>> \ ^
>> \ /
>> V /
>> isp1 isp2 isp3
>> _|____|____|__
>> | |
>> | dnat |
>> |_____________|
>> ^
>> |
>> |
>> V
>> LAN estation, the
>> vnc server
>>
>>
>>
>> What I need is a way to force packets leave the router via the same
>> interface whose its request entered this.
>> I'd like to hear opinions about the problem (and also solution =).
>> Remember, I can't apply the DGD patch from J.A. because it only checks
>> the first hop for dead detection.
>> I will apreciate any help.
>>
>> Thank you,
>>
>>
>>
>> Tom Lobato
>>
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>
> I had overlooked this. I had also faced a similar problem. There are
> two possible solutions, one is to apply Julian's patches because even
> though you are not using the patches for DGD, they do help in making
> NAT processing with multiple gateways work properly. The other option
> is to mark the packets using CONNTRACK. There was a good discussion on
> this topic some days back. You can check the thread using the
> following links to the archives:
>
> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>
> --
> Manish Kathuria
> Tux Technologies
> http://www.tuxtechnologies.co.in/
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [LARTC] DNAT and Load Balancing [attached compresed file]
2007-03-02 8:43 [LARTC] DNAT and Load Balancing [attached compresed file] ArcosCom Linux User
@ 2007-03-02 11:13 ` Tom Lobato
2007-03-02 11:45 ` ArcosCom Linux User
1 sibling, 0 replies; 3+ messages in thread
From: Tom Lobato @ 2007-03-02 11:13 UTC (permalink / raw)
To: lartc
Hi! Thank you!
The mail arrived to me without attached file. Can you send again, please?
Tom Lobato
ArcosCom Linux User escreveu:
> Last note: This file is not my real script, my real script parse one
> config file where I define all my wan ifaces, my real script generates
> this files to allow me debug the command execution results, order, output,
> etc...
>
Fine. I'm using something like this (set of conf/scripts files). Mainly
for get dynamic IPs (dhcp, pppoe) and set all routes/rules.
Soon I'll make my script set available, so we could to learn each other.
Tom Lobato
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [LARTC] DNAT and Load Balancing [attached compresed file]
2007-03-02 8:43 [LARTC] DNAT and Load Balancing [attached compresed file] ArcosCom Linux User
2007-03-02 11:13 ` Tom Lobato
@ 2007-03-02 11:45 ` ArcosCom Linux User
1 sibling, 0 replies; 3+ messages in thread
From: ArcosCom Linux User @ 2007-03-02 11:45 UTC (permalink / raw)
To: lartc
Sorry, appears that lists manager cut off the attached file.
Here is the comands:
=¾GIN=/sbin/ip rule del prio 50 table main
/sbin/ip rule del prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule del prio 150 from a1.b1.c1.d1/26 table 150
/sbin/ip rule del prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule del prio 151 from a2.b2.c2.d2/24 table 151
/sbin/ip rule del prio 200 table 200
/sbin/ip route flush table 150
/sbin/ip route flush table 151
/sbin/ip route flush table 200
/sbin/iptables -t mangle -D PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE
/sbin/iptables -t mangle -X MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -X MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -D POSTROUTING -j MARCAR_IFACE_OUT
/sbin/iptables -t mangle -F MARCAR_IFACE_OUT
/sbin/iptables -t mangle -X MARCAR_IFACE_OUT
/sbin/iptables -t mangle -N MARCAR_IFACE
/sbin/iptables -t mangle -N MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark ! --mark 0x0000/0xf000 -j
RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -j
MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -N MARCAR_IFACE_OUT
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark ! --mark
0x0000/0xf000 -j RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i
wan0 -m physdev --physdev-in eth1 -m state --state NEW -j MARK --or-mark
0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000
-o wan0 -m physdev --physdev-out eth1 -m state --state NEW -j MARK
--or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i
wan0 -m physdev --physdev-in eth3 -m state --state NEW -j MARK --or-mark
0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000
-o wan0 -m physdev --physdev-out eth3 -m state --state NEW -j MARK
--or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -j RETURN
/sbin/iptables -t mangle -I PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j RETURN
/sbin/iptables -t mangle -I POSTROUTING -j MARCAR_IFACE_OUT
/sbin/ip rule add prio 50 table main
/sbin/ip rule add prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule add prio 150 from a1.b1.c1.d1/26 table 150
/sbin/ip route add default via ga1.gb1.gc1.gd1 dev wan0 src a1.b1.c1.d1
proto static table 150
/sbin/ip route append prohibit default table 150 metric 1 proto static
/sbin/ip rule add prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule add prio 151 from a2.b2.c2.d2/24 table 151
/sbin/ip route add default via ga2.gb2.gc2.gd2 dev wan0 src a2.b2.c2.d2
proto static table 151
/sbin/ip route append prohibit default table 151 metric 1 proto static
/sbin/ip rule add prio 200 table 200
/sbin/ip route add default table 200 proto static nexthop via
ga1.gb1.gc1.gd1 dev wan0 weight 1 nexthop via ga2.gb2.gc2.gd2 dev wan0
weight 1
/sbin/ip route flush cache
==END=
Regards
El Vie, 2 de Marzo de 2007, 9:43, ArcosCom Linux User escribió:
> In the file "comandos.log" you can see how I implement the "load
> balancing".
>
> The explanation is:
> 1) Add more filters to routing decisions that depending on fwmark value
> of packets use one or another link to send the packet.
> 2) In PREROUTING mark the connection to know the "incoming" iface and
> keep that into conntrack table.
> 3) In POSTROUTING the same, to allow outgoing packages select the same
> interface.
>
> In my configuration wan0 is a bridge (without STP) that links all the WAN
> interfaces and I make aliases for all, that is why you can see the
> "physdev" match used, but if you don't use a bridge, you can replace the
> wan0 and bridge selection by only your wan ifaces.
>
> With this configuration, I expect these:
> 1) Allow UPnP work fine (appears to be working for now).
> 2) Allow the correct incoming DNAT work fine.
> 3) Allow the correct outgoing conections tracks fine.
> 4) Allow only 1 iptables rules if I need DNAT to one machine from any
> wan iface (very usefull for p2p programs).
>
> You can see, too, that I use masks with marks, that is because I use
> another marks to allow traffic control (with other marks).
>
> I'm testing this configuration for two days now, and appears to be working
> fine.
>
> Last note: This file is not my real script, my real script parse one
> config file where I define all my wan ifaces, my real script generates
> this files to allow me debug the command execution results, order, output,
> etc...
>
> Regards
>
> El Vie, 2 de Marzo de 2007, 2:52, Manish Kathuria escribió:
>> On 3/2/07, Tom Lobato <tomlobato@gmail.com> wrote:
>>>
>>>
>>> Hi all!
>>>
>>>
>>> After that good thread "DGD patch not detecting dead gateway" I was
>>> able to set up a Load Balancing with ping based DGD (without Julian
>>> Anastasov patch). But now I'm facing a new problem and tried some
>>> options, with only partial solutions.
>>>
>>> I made a script based on
>>> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank
>>> you Manish Kathuria), without Julian A. patch, and with routes/rules as
>>> described in nano.txt. It works fine, but...
>>>
>>> The problem: I do DNAT for internet located people to access my LAN
>>> machines (VNC, RDP, etc...). It sometimes works, sometimes don't work.
>>> It appears that the connection from outside can enter, but when reply
>>> packets try to get back across nat machine, it falls into the round
>>> robin default route selection to define its gateway. Well, of course,
>>> this reply must leave the router via the same interface whose initial
>>> packets entered.
>>>
>>>
>>> vnc initial
>>> request packet reply that got
>>> \ wrong route
>>> \ ^
>>> \ /
>>> V /
>>> isp1 isp2 isp3
>>> _|____|____|__
>>> | |
>>> | dnat |
>>> |_____________|
>>> ^
>>> |
>>> |
>>> V
>>> LAN estation, the
>>> vnc server
>>>
>>>
>>>
>>> What I need is a way to force packets leave the router via the same
>>> interface whose its request entered this.
>>> I'd like to hear opinions about the problem (and also solution =).
>>> Remember, I can't apply the DGD patch from J.A. because it only checks
>>> the first hop for dead detection.
>>> I will apreciate any help.
>>>
>>> Thank you,
>>>
>>>
>>>
>>> Tom Lobato
>>>
>>>
>>> _______________________________________________
>>> LARTC mailing list
>>> LARTC@mailman.ds9a.nl
>>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>>
>>
>> I had overlooked this. I had also faced a similar problem. There are
>> two possible solutions, one is to apply Julian's patches because even
>> though you are not using the patches for DGD, they do help in making
>> NAT processing with multiple gateways work properly. The other option
>> is to mark the packets using CONNTRACK. There was a good discussion on
>> this topic some days back. You can check the thread using the
>> following links to the archives:
>>
>> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
>> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>>
>> --
>> Manish Kathuria
>> Tux Technologies
>> http://www.tuxtechnologies.co.in/
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2007-03-02 11:45 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-02 8:43 [LARTC] DNAT and Load Balancing [attached compresed file] ArcosCom Linux User
2007-03-02 11:13 ` Tom Lobato
2007-03-02 11:45 ` ArcosCom Linux User
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.