* [LARTC] Routing from a box behind two NAT'ing routers
@ 2002-05-14 20:55 Henrik Størner
  2002-05-17 10:09 ` William L. Thomson Jr.
  2002-05-22 11:52 ` Leonardo Balliache
  0 siblings, 2 replies; 3+ messages in thread
From: Henrik Størner @ 2002-05-14 20:55 UTC (permalink / raw)
  To: lartc

Greetings,

I hope someone else has come up with a way to do this - so far
I've tried out some of the tricks described in the Advanced
Routing Howto, but haven't gotten it to behave as I would like.

I have a Linux-based (2.4.18 kernel) web server located on a
private network. This network is connected to the Internet via
two ADSL connections using Cisco SOHO77 routers. These routers
do NAT of both outgoing and incoming connections.

The problem is that I would like to have the web server available to
clients on the Internet using both of the connections. Not only 
would it make the connection more reliable, it would also allow
me to utilize the bandwidth of both the connections via a simple
round-robin DNS setup of the Web server address. However, so far
I haven't been able to come up with a routing setup that allows 
me to do this.

The routers have been configured to NAT an incoming request on TCP
port 80 to the internal IP of the web server. This works fine for
connections that come in on one of the routers, if I set up the web
server with a default route to that particular router. But then 
connections arriving on the other router do not work - the router
forwards the initial SYN packet OK to the web server, but since
it tries to route the response out through its default route,
it goes nowhere - the router that is asked to forward the response
packet never saw the initial SYN-packet, so the response does not
match anything in its NAT table, and it drops the packet.

I tried giving the web server a second internal IP, and having one
router NAT incoming connections to the first IP, and the other
router NAT the connections to the second IP. Then using one of the
examples in the HOWTO, I tried setting up the routing so that the 
response would go out via the proper router. I could not get that
to work.

Any ideas or suggestions would be appreciated.
-- 
Henrik Storner <henrik@hswn.dk> 


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
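The failure Henrik describes (a reply leaving through the router that never saw the SYN, so it matches nothing in that router's NAT table) is what source-address policy routing fixes: give the server one internal IP per router, route each source address through its own table, and let each table's default point at the matching router. The script below is an added example, not from this thread or the LARTC HOWTO itself; the addresses, interface name and table numbers are constructed placeholders, and it runs the commands through `$IP`, which defaults to `echo` for a dry run.

```shell
#!/bin/sh
# Added example: source-address policy routing for a web server with two
# internal IPs behind two NAT routers on the same LAN segment.
# All addresses below are constructed placeholders. IP defaults to "echo"
# (dry run, prints the commands); run as root with IP=ip to apply them.
IP="${IP:-echo}"

LAN_DEV=eth0
WEB_IP1=192.168.1.10   ROUTER1=192.168.1.1   TABLE1=101   # router 1 NATs :80 -> WEB_IP1
WEB_IP2=192.168.1.11   ROUTER2=192.168.1.2   TABLE2=102   # router 2 NATs :80 -> WEB_IP2

setup_policy_routing() {
    # Second internal address on the server; each router NATs inbound
    # port 80 to a different one of the two.
    "$IP" addr add "$WEB_IP2/24" dev "$LAN_DEV"

    # One routing table per router: a lookup in table N can only ever
    # leave through router N.
    "$IP" route add default via "$ROUTER1" dev "$LAN_DEV" table "$TABLE1"
    "$IP" route add default via "$ROUTER2" dev "$LAN_DEV" table "$TABLE2"

    # Rules keyed on the SOURCE address of the outgoing packet. A reply to
    # a SYN that router 2 NATed to WEB_IP2 carries WEB_IP2 as its source,
    # so it is sent back through router 2, whose NAT table knows the
    # connection, instead of the main table's default route.
    "$IP" rule add from "$WEB_IP1" table "$TABLE1"
    "$IP" rule add from "$WEB_IP2" table "$TABLE2"

    # Locally originated traffic (no rule match) keeps a normal default.
    "$IP" route add default via "$ROUTER1" dev "$LAN_DEV"

    # 2.4 kernels cache routing decisions; flush so entries cached before
    # the rules existed do not keep steering replies out the wrong router.
    "$IP" route flush cache
}

setup_policy_routing
```

Verify with `ip rule show` and `ip route show table 102`; a reply sourced from the second address should be routed via the second router.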


* Re: [LARTC] Routing from a box behind two NAT'ing routers
  2002-05-14 20:55 [LARTC] Routing from a box behind two NAT'ing routers Henrik Størner
@ 2002-05-17 10:09 ` William L. Thomson Jr.
  2002-05-22 11:52 ` Leonardo Balliache
  1 sibling, 0 replies; 3+ messages in thread
From: William L. Thomson Jr. @ 2002-05-17 10:09 UTC (permalink / raw)
  To: lartc

Henrik,
I am in the same boat as you. I have two SDSL lines I would like to do the same 
with. I have yet to find a working solution and hope I will have time to address 
this tomorrow.

In the meantime I bought a Nexland ISBPro800, which according to reviews and 
Nexland should do some of what we are looking to do. Unfortunately it does not even 
come close. I was better off just using RIP for redundancy. The Nexland is not doing 
anything for me, and I need to take the time to ship it back and get my money back.

I have found two other solutions, both of which are out of my price range at the 
moment. The first one, for the money, is not worth it. It's the products from FatPipe, 
Inc. The one I do like and may end up having to purchase is made by SysMaster. 
Their pricing is much better, the units scale better, and they just plug into a 
switch. No routing the routers through the unit and then through the switch. You 
just plug everything into the switch, and use the SysMaster unit as the gateway.

I spoke with one of the engineers at SysMaster, and if I do not have this problem 
solved by the time I get the cash, I just may buy one and call it a day.

On the Linux front I did get close, but ran into issues with the route caching 
table. I did receive a suggestion from Julian Anastasov, but I have not had time to 
try the cache settings he suggested. It's in the list archive on 4/29/2002.

Bottom line is I would rather have Linux do it. Personally I think it's cooler and 
possibly better? I am willing to work or share info with others to come up with a 
working solution. I know others will be coming down this path as more people get 
multiple broadband connections.

Hell I have an ISP that will provide 1.1mps SDSL lines for $80.00 a month. So in my 
situation it makes more sense than buying a T-1 or T-3.

Anyway, I will be back at it some day this week. Shooting for tomorrow. I have a 
feeling that there needs to be additional logic in the multipath routing. But not 
knowing C/C++ I am not sure how much help I can provide. Sorry, so far I am a Java 
guy, but C/C++ is next on my list. This may be the motivation I need.

There needs to be some sort of route aging mechanism or packet marking. So when new 
routes are presented the old ones will be removed.

Also once the route cache issue has been addressed, I believe a DNS how-to is 
crucial. Since depending on how you have your DNS servers set up will dictate how 
well things work. For example in my case for each private IP, I have two public 
IPs, one on each ISP's SDSL line.

So once the Linux router works the way it should, the DNS servers will also need a 
special config.

At the moment I have DNS server 1 returning IPs from ISP 1 and
DNS server 2 returns IPs from ISP 2. Basically like the example from
http://www.samag.com/documents/s=1824/sam0201h/0201h.htm

I tried doing something along the lines of having both DNS servers be on the same 
block, and if a request came in on that IP block, they would get IPs from that 
block. If they requested either DNS server via the other block, IPs from that 
block would be returned. That seemed to cause a lot of problems.

Anyway, you are not alone. Hopefully there is someone out there who has done this 
successfully and can shed light on where we are going wrong. Or someone out there 
willing to gang up with us to come up with a working solution.

I am in, anyone else interested in this?

Henrik Størner wrote:

> Greetings,
> 
> I hope someone else has come up with a way to do this - so far
> I've tried out some of the tricks described in the Advanced
> Routing Howto, but haven't gotten it to behave as I would like.
> 
> I have a Linux-based (2.4.18 kernel) web server located on a
> private network. This network is connected to the Internet via
> two ADSL connections using Cisco SOHO77 routers. These routers
> do NAT of both outgoing and incoming connections.
> 
> The problem is that I would like to have the web server available to
> clients on the Internet using both of the connections. Not only 
> would it make the connection more reliable, it would also allow
> me to utilize the bandwidth of both the connections via a simple
> round-robin DNS setup of the Web server address. However, so far
> I haven't been able to come up with a routing setup that allows 
> me to do this.
> 
> The routers have been configured to NAT an incoming request on TCP
> port 80 to the internal IP of the web server. This works fine for
> connections that come in on one of the routers, if I set up the web
> server with a default route to that particular router. But then 
> connections arriving on the other router do not work - the router
> forwards the initial SYN packet OK to the web server, but since
> it tries to route the response out through its default route,
> it goes nowhere - the router that is asked to forward the response
> packet never saw the initial SYN-packet, so the response does not
> match anything in its NAT table, and it drops the packet.
> 
> I tried giving the web server a second internal IP, and having one
> router NAT incoming connections to the first IP, and the other
> router NAT the connections to the second IP. Then using one of the
> examples in the HOWTO, I tried setting up the routing so that the 
> response would go out via the proper router. I could not get that
> to work.
> 
> Any ideas or suggestions would be appreciated.
> 


-- 
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone  707.766.9509
Fax    707.766.8989
http://www.obsidian-studios.com


* [LARTC] Routing from a box behind two NAT'ing routers
  2002-05-14 20:55 [LARTC] Routing from a box behind two NAT'ing routers Henrik Størner
  2002-05-17 10:09 ` William L. Thomson Jr.
@ 2002-05-22 11:52 ` Leonardo Balliache
  1 sibling, 0 replies; 3+ messages in thread
From: Leonardo Balliache @ 2002-05-22 11:52 UTC (permalink / raw)
  To: lartc

Hi,

iproute2 has a command that perhaps could help you.

ip route add default scope global equalize nexthop dev ppp0 \
nexthop dev ppp1

(actually if you know peer addresses of ppp* use it instead).

I've never tried it but it's a possibility.

You have to have two NICs in your web server; replace ppp0 and ppp1 with 
eth0 and eth1. Also have a look at Alexey's iproute2 documentation, because he says that 
this command equalizes load across the 2 NICs. Connect each NIC to each 
incoming line using 2 different address spaces.

Give feedback telling us your experiences.

Best regards,

Leonardo Balliache

