From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] routing to two interfaces
Date: Thu, 21 Nov 2002 03:37:30 +0000
Message-ID: <marc-lartc-103784992423972@msgid-missing>
In-Reply-To: <marc-lartc-103783300809624@msgid-missing>
Paco,
Let me summarize what I think you want to do.
: The two public interfaces aren't in the same range (80.37... and
: 80.59...). The purpose of this Linux box is to provide high availability to
: several servers, but the two public interfaces of this box may work at the
: same time.
- linux-box has public IPs 80.37.x.x and 80.59.x.x
: eth1 handles DNS traffic, and eth2 handles SMTP and HTTP traffic.
- clarification needed. You are selecting eth1 for outbound DNS?
You are selecting eth2 for outbound SMTP and HTTP?
: When one of the links goes down, the other may take all traffic (we
: detect the link-down and change the DNS to point to the working
: interface).
So, you have server(s) in your internal network which need to be
accessible from the outside world on either IP-A or IP-B. Perhaps the
same set of services on each public IP, correct?
If I interpret correctly, what you are describing is not high
availability, that's just putting services on two different public IPs.
Sure, you buy yourself some insurance by having the service available on
two different networks, but it's still not HA. For reference, check out
the linux high availability project (link below).
: eth0 has the IP 10.10.10.1, and I create an alias eth0:1 with IP
: 10.10.10.2. With 'ip', I route packets from eth1 to eth0, and packets from
: eth2 to eth0:1. When these packets return from the LAN, they go to a
: specific IP (10.10.10.1 or 10.10.10.2). Then I mark these packets with
: iptables (maybe in PREROUTING?), i.e., packets to eth0 with mark X, and
: packets to eth0:1 with mark Y, and route these packets with 'ip route'
: looking at the mark of the packet (mark X -> eth1, mark Y -> eth2). The last
: action is to MASQUERADE the packets for each interface...
I don't think this will work. First, it doesn't matter how many IPs you
configure on your eth0 for transmitting the packets into the internal
network, nor what you use for default gateways on the internal hosts.
Imagine:
- server SOURCE has packet for outside address (DEST), looks up in
routing table; selects 10.10.10.1 (or 10.10.10.2) as a default gateway
- server looks up 10.10.10.1 (or .2) in ARP cache or with ARP request
- server transmits ethernet frame with IP payload and addresses SOURCE
and DEST
- linux-box gets packet with SOURCE and DEST
- linux-box now needs to make routing decision
I don't see how multiple IPs bound to an ethernet interface solves any
problem. I think it unnecessarily complicates your solution.
So, I'd suggest (again) reading the following:
http://plorf.net/linux-ip/html/adv-routing.htm#ADV-MULTI-INTERNET-INBOUND
If you don't like the way I wrote it, I'd love to hear what you think is
missing, but I'll refer you to this:
http://lists.netfilter.org/pipermail/netfilter/2001-May/011697.html
Good luck, Paco. I'd suggest returning here if you have specific troubles
after you have digested these, and understand how they can help solve your
current problem.
-Martin
linux high availability: http://linux-ha.org/
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
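Worked example (added here; it is not code from Martin's or Paco's messages, nor from the documents they link): a shell script that makes the one routing decision the message above says the linux-box has to make, by restoring a connection mark before routing instead of relying on eth0 aliases. Replies to a connection that arrived on eth1 leave via eth1, replies to one that arrived on eth2 leave via eth2, whatever the server's source address or default gateway. It assumes iptables with the CONNMARK target and the conntrack match, iproute2 with fwmark rules, placeholder next hops 80.37.0.1 and 80.59.0.1 and a placeholder internal server 10.10.10.5; none of those values come from the thread. DRY_RUN=1 (the default) only prints the commands, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not code from the thread: steer replies out of the interface
# the request arrived on, using a connection mark restored before the routing
# decision. The kernel makes one routing decision per packet on the linux-box,
# so the choice is made here, not by extra addresses on eth0.
#
# Assumptions (placeholders, not values from the thread): public links eth1 and
# eth2 with next hops GW1/GW2, one internal server at 10.10.10.5 behind eth0,
# iptables with CONNMARK and the conntrack match, iproute2 with fwmark rules.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
GW1="${GW1:-80.37.0.1}"          # placeholder next hop on eth1
GW2="${GW2:-80.59.0.1}"          # placeholder next hop on eth2
SERVER="${SERVER:-10.10.10.5}"   # placeholder internal server

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# setup_link IFACE TABLE GATEWAY MARK
# One routing table and one fwmark per public link. New connections arriving
# on IFACE get MARK, and the mark is saved into the conntrack entry so the
# reply direction can find it again.
setup_link() {
  iface=$1; table=$2; gw=$3; mark=$4
  run ip route add default via "$gw" dev "$iface" table "$table"
  run ip rule add fwmark "$mark" table "$table"
  run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
      -j MARK --set-mark "$mark"
  run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
      -j CONNMARK --save-mark
}

# publish_service IFACE PROTO PORT
# Inbound service on the public IP of IFACE, DNATed to the internal server.
# conntrack reverses the DNAT on the replies; no MASQUERADE is needed for
# the reply direction.
publish_service() {
  run iptables -t nat -A PREROUTING -i "$1" -p "$2" --dport "$3" \
      -j DNAT --to-destination "$SERVER"
}

configure_policy_routing() {
  setup_link eth1 101 "$GW1" 1
  setup_link eth2 102 "$GW2" 2
  # Replies from the LAN: restore the connection mark in mangle PREROUTING,
  # which runs before the routing decision, so the fwmark rule selects table
  # 101 or 102 regardless of the reply's source address or of which eth0
  # address the server used as its gateway.
  run iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
  # Services as described in the thread: DNS on eth1, SMTP and HTTP on eth2.
  publish_service eth1 udp 53
  publish_service eth1 tcp 53
  publish_service eth2 tcp 25
  publish_service eth2 tcp 80
  run ip route flush cache
}

# count_rules_for IFACE: number of generated iptables lines matching on IFACE.
# Always runs in dry-run mode; used to sanity-check the generated ruleset.
count_rules_for() {
  ( DRY_RUN=1; configure_policy_routing ) | grep -c -- "-i $1"
}

configure_policy_routing
```

Apply with DRY_RUN=0 as root after replacing the placeholder gateways and server. The part that matters for the discussion above is the single CONNMARK --restore-mark rule on eth0: it turns "which public interface did this connection come in on" into a per-packet mark that the routing rules can act on, which is the decision the linux-box has to make and which a second address on eth0 cannot make for it.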