From: Ed W <lists@wildgooses.com>
To: Lloyd Standish <lloyd@crnatural.net>
Cc: netfilter@vger.kernel.org
Subject: Re: Routing for multiple uplinks/providers
Date: Mon, 02 Jan 2012 12:43:37 +0000 [thread overview]
Message-ID: <4F01A679.8090103@wildgooses.com> (raw)
In-Reply-To: <op.v7eyssd3x1lyi3@debiandesk2.net>
On 01/01/2012 16:30, Lloyd Standish wrote:
> On Thu, 29 Dec 2011 11:21:52 -0600, Lloyd Standish
> <lloyd@crnatural.net> wrote:
>
>> Suppose a router has 2 outward-facing interfaces (uplinks) and a LAN
>> (3 interfaces). The LAN addresses are SNAT'd over the 2 outward
>> interface addresses (WANs).
>>
>
> <snip>
>> How to ensure that answers to incoming requests are routed out over
>> the correct interface?
>> This lartc page
>> (http://lartc.org/howto/lartc.rpdb.multiple-links.html) appears to
>> indicate that all that is necessary are rules like these (there is a
>> diagram in that page):
>> ip rule add from $IP1 table T1
>> ip rule add from $IP2 table T2
>> where $IP1 and $IP2 are the WAN addresses of each of 2 outward-facing
>> interfaces. The page says, "It will work for all processes running
>> on the router itself, and for the local network, if it is masqueraded."
>> I don't understand this. In the first place, how does SNAT know
>> about what interface the packet we are replying to came from? That
>> was a *previous* packet.
>
> I think I can answer my own question, "for the record."
>
> It turns out that SNAT *is* stateful, according to the following
> tutorial (http://bec.at/support/iptables-tutorial/x4679.html):
>
> "Only the first packet in a connection is mangled by SNAT, and after
> that all future packets using the same connection will also be
> SNATted. Furthermore, the initial rules in the POSTROUTING chain will
> be applied to all the packets in the same stream."
>
> So SNAT keeps connection-level state information, allowing it to write
> in the correct source address for all ESTABLISHED,RELATED packets
> belonging to a connection. That explains why a rule like
>
> ip rule add from $IP1 table T1 (where $IP1 is our interface address)
>
> would be routed via the right table, in a situation where there are
> multiple uplinks (multiple routing tables).
>
I believe also routes are cached per IP, so I guess it might
accidentally persist beyond even individual streams (assuming to/from
same IPs)
I think this is why for "perfect" load balancing and routing robustness
it's considered "best" to mark connections and use some randomness to
route connections to outbound interfaces? I'm out of my depth here
though so ask a grown-up to confirm that...
Ed W
next prev parent reply other threads:[~2012-01-02 12:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-12-29 17:21 Routing for multiple uplinks/providers Lloyd Standish
2012-01-01 16:30 ` Lloyd Standish
2012-01-02 12:43 ` Ed W [this message]
2012-01-02 16:09 ` Lloyd Standish
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F01A679.8090103@wildgooses.com \
--to=lists@wildgooses.com \
--cc=lloyd@crnatural.net \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.