From: Julian Anastasov <ja@ssi.bg>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] Serious Routing problem
Date: Sat, 06 Jul 2002 17:45:24 +0000
Message-ID: <marc-lartc-102597752415478@msgid-missing>
In-Reply-To: <marc-lartc-102591830520569@msgid-missing>
Hello,
On Sat, 6 Jul 2002, Segree, Gareth wrote:
> [128.187.1.1] gw none [128.187.2.1] gw none
> __________________[eth1-- Server -- eth2]__________________
> / \
> 24-port Hub 1 24 port Hub 2
> +-----------+ +-----------+
> +-----------+ +-----------+
> /\______________[eth1-- Linux Firewall --eth2]__________________/\
> / [128.187.3.1] [128.187.4.1] \
> [clients1] [clients2]
> 128.187.3.0/24 gw eth1 128.187.4.0/24 gw eth2
Hey, your setup is rather complex.

OK, where do you think is the problem? Did you really try
to set /proc/sys/net/ipv4/conf/*/rp_filter to 0, both on Server
and Firewall? Tests with tcpdump can show what does not work.
If rp_filter=1 is the problem and you still require rp_filter=1
then you need some patching:

http://www.linuxvirtualserver.org/~julian/#rp_filter_mask
http://www.linuxvirtualserver.org/~julian/#medium_id

In short, Server and Firewall should allow traffic from
the clients to come via both interfaces. rp_filter=1 allows
the traffic to come only from one interface. rp_filter_mask
extends the allowed devices according to the medium_id values and
routes. Note that rp_filter controls both ARP and IP.

If you decide to use the above features then you have to
mark each hub with a specific medium_id value and then set the
medium_id value and rp_filter_mask for each interface to allow
traffic from both mediums.

> I want clients1 to be able to reach eth2 on server [128.187.2.1] if eth1 on
> Server goes down and vice versa.

If you need failover then we come to other features:

http://www.linuxvirtualserver.org/~julian/#routes

You need to use alternative routes for the local networks,
IMO both on Server and Firewall. In short, these 2 boxes will
have two routes for the remote subnet, one for each device. The
patches will do passive failover by inspecting the ARP state
for all neighbours. If one NIC fails it will be noticed and the
alternative route will be used. There are so many variations for
the settings that I can only recommend you read the docs provided
at the above URLs. You are just starting ... :)

> Does this explain better.

Better - yes, enough - no :) Welcome to the world of
advanced routing :) There are not many ways to build a working setup
but there is a huge number of settings that can break it :)

Regards
--
Julian Anastasov <ja@ssi.bg>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
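
The strict reverse-path check discussed in the message above, as an added example that is not part of the original post or of the patches it links to: a small model of why rp_filter=1 accepts a client's packet on only one interface. The routing table and client addresses are constructed for illustration, with each client subnet assumed to be routed through the Server interface on the same hub.

```python
import ipaddress

# Constructed routing table for "Server" in the diagram (an assumption, not
# taken from the post): each subnet is reached through one device only.
SERVER_ROUTES = [
    ("128.187.1.0/24", "eth1"),
    ("128.187.2.0/24", "eth2"),
    ("128.187.3.0/24", "eth1"),   # clients1, assumed reachable via Hub 1
    ("128.187.4.0/24", "eth2"),   # clients2, assumed reachable via Hub 2
]

def reverse_path_dev(routes, src):
    """Longest-prefix match on the SOURCE address: the device a reply to
    src would leave through, or None when there is no route back."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def rp_filter_accepts(routes, src, in_dev, rp_filter):
    """rp_filter=0: no source validation. rp_filter=1: accept only when the
    packet arrived on the device the reverse path points to."""
    if rp_filter == 0:
        return True
    return reverse_path_dev(routes, src) == in_dev

def report(routes, packets, rp_filter):
    """Verdict for each (source address, incoming device) pair."""
    return [
        (src, in_dev,
         "accept" if rp_filter_accepts(routes, src, in_dev, rp_filter) else "drop")
        for src, in_dev in packets
    ]

# Constructed packets: a clients1 host seen on each Server interface,
# and a clients2 host arriving on the "wrong" side.
PACKETS = [("128.187.3.10", "eth1"), ("128.187.3.10", "eth2"), ("128.187.4.20", "eth1")]

if __name__ == "__main__":
    for mode in (1, 0):
        print("rp_filter=%d" % mode)
        for src, dev, verdict in report(SERVER_ROUTES, PACKETS, mode):
            print("  %-14s in %s -> %s" % (src, dev, verdict))
```

With rp_filter=1 only the first packet is accepted; the other two arrive on a device that the single route for their subnet does not point to, which is the case the message says must be allowed for failover.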