* [LARTC] Problem with multiple ADSL lines
@ 2007-10-11 20:54 Kostas Flokos
  2007-10-12  3:33 ` Mohan Sundaram
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Kostas Flokos @ 2007-10-11 20:54 UTC (permalink / raw)
  To: lartc



Hi all,
I have managed to setup a Fedora 7 box with 3 ethernet cards and two ADSL
modem/routers from different suppliers as LARTC recommends. I am able to
direct traffic for specific internal IPs either to one or the other ADSL
line. However, I am faced with two problems that I am struggling to
solve:

1. I have opened a few ports on the ADSL router/firewalls to talk to
internal hosts; say when someone hits http://myADSL1_IP I would redirect him
to 192.168.0.10; while if someone hits http://myADSL2_IP I would redirect
him to 192.168.0.20. If I have rules such as the following all works well:
   ip rule add from 192.168.0.10 table ADSL1_rules
   ip rule add from 192.168.0.20 table ADSL2_rules
Unfortunately, if I want to do the reverse it does not work. I can't have a
host prefer one ADSL line, but still receive traffic from the other ADSL
line. It may sound weird, but I only want to have one host reply to any of
the two IPs, either from ISP1 or ISP2. With the current configuration I
can't. It works OK for the default ISP of the host, but I can't make it work
for the other.

2. I tried using
   ip route add equalize default scope global nexthop via myADSL1_IP dev eth2 weight 1 nexthop via myADSL2_IP dev eth1 weight 1
It doesn't seem to perform round robin for every request, more like it
caches the route to use per host. Is it possible to force a real round robin
or (better) weighted routing without resorting to a new kernel - as
suggested in the article? I think I've seen recent threads saying that it is
no longer necessary to create a new kernel.

Thank you in advance for your help

Kostas

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Problem with multiple ADSL lines
  2007-10-11 20:54 [LARTC] Problem with multiple ADSL lines Kostas Flokos
@ 2007-10-12  3:33 ` Mohan Sundaram
  2007-10-12  6:13 ` Kostas Flokos
  2007-10-12  7:12 ` Mohan Sundaram
  2 siblings, 0 replies; 4+ messages in thread
From: Mohan Sundaram @ 2007-10-12  3:33 UTC (permalink / raw)
  To: lartc

Kostas Flokos wrote:
> Hi all,
> I have managed to setup a Fedora 7 box with 3 ethernet cards and two 
> ADSL modem/routers from different suppliers as LARTC recommends. I am 
> able to direct traffic for specific internal IPs either to one or the 
> other ADSL line. However, I am faced with two problems I am struggling 
> for the solution:
>  
> 1. I have opened a few ports on the ADSL router/firewalls to talk to 
> internal hosts; say when someone hits http://myADSL1_IP I would redirect 
> him to 192.168.0.10; while if someone hits 
> http://myADSL2_IP I would redirect him to 192.168.0.20.
This is your ADSL router(s) config.
> If I have rules such as the following all works well:
>    ip rule add from 192.168.0.10 table ADSL1_rules
>    ip rule add from 192.168.0.20 table ADSL2_rules
These are rules on your linux machine to send traffic back on the same 
link they came from.
> Unfortunately, if I want to do the reverse it does not work. I can't 
> have a host prefer one ADSL line, but still receive traffic from the 
> other ADSL line. 
This can be done by switching the rule table above. Obviously NAT is 
being used. However, this will break. You cannot initiate a connection 
to one IP and match the reply or ack for that connection from another 
IP. TCP/IP basics. Asymmetric routing works when no address translations 
take place.
> It may sound weird, but I only want to have one host 
> reply to any of the two IPs, either from ISP1 or ISP2. With the current 
> configuration I can't. It works OK for the default ISP of the host, but 
> I can't make it work for the other.
One way of doing this would be:
1. Set the routers to bridge mode.
2. Assign the ISP IPs to the NICs.
3. Source NAT rules use ISP1_IP and routing rule redirects it to link 
connected to ISP2. Flip similarly for ISP1.

Let us hope your ISP2 does not filter out traffic having source outside 
his subnet when it arrives from within.

Mohan

* Re: [LARTC] Problem with multiple ADSL lines
  2007-10-11 20:54 [LARTC] Problem with multiple ADSL lines Kostas Flokos
  2007-10-12  3:33 ` Mohan Sundaram
@ 2007-10-12  6:13 ` Kostas Flokos
  2007-10-12  7:12 ` Mohan Sundaram
  2 siblings, 0 replies; 4+ messages in thread
From: Kostas Flokos @ 2007-10-12  6:13 UTC (permalink / raw)
  To: lartc



Hi Mohan,

Thanks a lot for your reply. I haven't tried it yet, but I have no doubts it
will work.

However, if you have time, could you please explain to me why a request
received from IP1 by host H1, having as default route IP2, can not be routed
through IP1; I have a routing table saying that the route to IP1 is through
the proper eth card.
I have used tcpdump to check the packets coming/in/out from the systems and
it seems that there is a packet going from ADSL1 to H1, but nothing on the
other way... it seems like H1 doesn't know what to do with it.

Could you please explain (or point me to URLs explaining that) why it will
change if I set the modems to bridge mode? I still want to do NAT, will it
change if I do it from the Linux router now?

I also do not understand what you imply with
"3. Source NAT rules use ISP1_IP and routing rule redirects it to link
connected to ISP2. Flip similarly for ISP1."
Could you be a bit more descriptive?

Forgive me for being a bit ignorant of all that; possibly I'm trying to
understand too much without basic technical background on routing, etc.
One more time, thanks a lot for your help.
Regards,
Kostas

-- 
bus-email: kflokos@upcom.eu
priv-email: kflokos@gmail.com
web: http://www.upcom.eu
GSM: +30-693-8415038


* Re: [LARTC] Problem with multiple ADSL lines
  2007-10-11 20:54 [LARTC] Problem with multiple ADSL lines Kostas Flokos
  2007-10-12  3:33 ` Mohan Sundaram
  2007-10-12  6:13 ` Kostas Flokos
@ 2007-10-12  7:12 ` Mohan Sundaram
  2 siblings, 0 replies; 4+ messages in thread
From: Mohan Sundaram @ 2007-10-12  7:12 UTC (permalink / raw)
  To: lartc

Kostas Flokos wrote:
> Hi Mohan,
> 
> Thanks a lot for your reply. I haven't tried it yet, but I have no 
> doubts it will work.
> 
> However, if you have time, could you please explain to me why a request 
> received from IP1 by host H1, having as default route IP2, can not be 
> routed through IP1; I have a routing table saying that the route to IP1 
> is through the proper eth card.
> I have used tcpdump to check the packets coming/in/out from the systems 
> and it seems that there is a packet going from ADSL1 to H1, but nothing 
> on the other way... it seems like H1 doesn't know what to do with it.
> 
Does the packet from H1 reach the Linux box? Coming to think of it, you 
must have a route on each of the ADSL routers that shows 192.168.0.0/24 
as reachable thro' the Linux box. Think this is ok else packet will not 
reach H1. Similarly, the host H1 must've the Linux box as default gateway.
> Could you please explain (or point me to URLs explaining that) why it 
> will change if I set the modems to bridge mode? 
Not all ADSL modems support bridging. Please check that out first.
> I still want to do NAT, 
> will it change if I do it from the Linux router now?
> 
Most routers NAT with their external IP and user normally has no 
control. Thus if you receive a request on ADSL1_IP which goes to H1 and 
the reply goes out thro' ISP2, the src of the reply will be ADSL2_IP due 
to natting. The initiator will only accept a reply with src ADSL1_IP.

If you set the modems to bridge mode, you can do the NATting on the 
Linux box where you can NAT with ADSL1_IP and still send the packet out 
thro' ISP2. Linux has a great deal of flexibility here.
> I also do not understand what you imply with
> "3. Source NAT rules use ISP1_IP and routing rule redirects it to link
> connected to ISP2. Flip similarly for ISP1."
> Could you be a bit more descriptive?
Linux Router config:
	Dst NAT http on ADSL1_IP goes to H1
	Dst NAT http on ADSL2_IP goes to H2

	Source NAT src H1 to ADSL1_IP
	Source NAT src H2 to ADSL2_IP

	ip rule add from ADSL1_IP table ADSL2_rules
	ip rule add from ADSL2_IP table ADSL1_rules

	ADSL1_rules default gw is ISP1. ADSL2_rules default gw is ISP2

H1 receives all requests that come on ADSL1_IP. The reply from H1 for 
request arriving on ADSL1 goes out thro' ISP2 as desired but with the 
right source IP i.e. ADSL1_IP.

From your mail, it seemed like you were wanting to do this. Your 
original config was sending replies out thro' the same i/f it arrived on.
> 
> Forgive me for being a bit ignorant of all that; possibly I'm trying to 
> understand too much without basic technical background on routing, etc.
>
We were all there at a point of time. No need to apologize. It may also 
not be true that you do not know. We may be failing in communication too.
> One more time, thanks a lot for your help.
You are welcome.
> Regards,
> Kostas

end of thread, other threads:[~2007-10-12  7:12 UTC | newest]
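
The crossed setup described in the last reply, written out as a script. This is an added example, not part of the thread or any poster's configuration; the addresses and gateways are constructed placeholders, and it selects the routing table by internal host address rather than by public address, because forwarded packets are routed before POSTROUTING SNAT rewrites the source.

```shell
#!/bin/sh
# Added example: crossed routing with SNAT done on the Linux router.
# Constructed placeholder values (documentation ranges), not from the thread:
ADSL1_IP=198.51.100.10; ISP1_GW=198.51.100.1; IF1=eth2   # link to ISP1
ADSL2_IP=203.0.113.10;  ISP2_GW=203.0.113.1;  IF2=eth1   # link to ISP2
H1=192.168.0.10; H2=192.168.0.20                         # internal hosts
# ADSL1_rules and ADSL2_rules must be named in /etc/iproute2/rt_tables.

# run CMD...: print the command; execute it only when APPLY=1 (needs root).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

crossed_config() {
    # One default route per table, each through its own ISP.
    run ip route add default via "$ISP1_GW" dev "$IF1" table ADSL1_rules
    run ip route add default via "$ISP2_GW" dev "$IF2" table ADSL2_rules

    # Inbound HTTP: the public address that was hit selects the host.
    run iptables -t nat -A PREROUTING -d "$ADSL1_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$H1"
    run iptables -t nat -A PREROUTING -d "$ADSL2_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$H2"

    # Crossed policy routing: H1 leaves via ISP2, H2 via ISP1. The rules
    # match the internal address because forwarded packets are routed
    # before POSTROUTING rewrites the source.
    run ip rule add from "$H1" table ADSL2_rules
    run ip rule add from "$H2" table ADSL1_rules

    # Connections opened by H1/H2 keep "their" public address on the other
    # link. Replies to DNATed connections get it back from conntrack.
    run iptables -t nat -A POSTROUTING -s "$H1" -o "$IF2" \
        -j SNAT --to-source "$ADSL1_IP"
    run iptables -t nat -A POSTROUTING -s "$H2" -o "$IF1" \
        -j SNAT --to-source "$ADSL2_IP"

    # Strict reverse-path filtering (rp_filter=1) drops requests that
    # arrive on the link their replies do not use; loose mode (2) still
    # rejects sources with no route at all.
    run sysctl -w "net.ipv4.conf.$IF1.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$IF2.rp_filter=2"
}

crossed_config   # dry run: prints the ten commands in order
```

With APPLY unset the script only prints the commands. Source-address filtering at the ISP, the caveat raised in the first reply, would still drop H1's traffic leaving through ISP2.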
