[LARTC] Simplest method for 2 external lines?

[LARTC] Simplest method for 2 external lines?

[Whit Blauvelt]

Apologies for asking this from naive perspective.

For a system with two external DSL connections (different providers) I'm
trying to work up a solution that combines dynamic DNS round robin
(described by Leghart in the Nov. Sys Admin) with ip route on a 2.2.19
kernel with ipchains. The system runs DNS, Apache, and masqs an internal
network. Since the DNS round robin should take care of bringing, for
instance, http requests in on whichever line is up - or both if both lines
are - what I want ip route to do is send the response back out on the same
interface the request came in on. What's the easiest way to do that?

Also, port forwarding is being used to an internal NT mail server. I'd like
to handle redundancy to that by having a secondary MX on the second public
interface, and also forwarding that to the server. Again, when the server
comes back through the masq in negotiations I'd like it to connect out
through whichever interface/IP it was connected to from.

I've looked at the Linux 2.4 Advanced Routing HOWTO and Alexey's docs, and
am having trouble identifying which capabilities I need to wrap my mind
around - there's obviously a whole lot of stuff I don't need to learn, if I
could only sort it out without learning it all first! The solution might be
easier with 2.4 iptables, but I've got a complex set of ipchains rules and
would prefer not having to translate it.

Thanks for any advice. Some things in computing come easily to me - routing
isn't one of them. But it seems like this might be reasonably simple: mark
incoming traffic according to the interface it comes in on, route it out
according to the mark.

(Once this setup is working, I'll be working to add heartbeat so a backup
server is ready to step in. If this all seems like a generically useful
setup, I'd be happy to try to document it after it comes together - the hope
is for reasonably good redundancy on the cheap.)

Whit
@transpect.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Simplest method for 2 external lines?

[Adrian Chung]

On Mon, Oct 29, 2001 at 08:59:12PM -0500, Whit Blauvelt wrote:

[...]

> network. Since the DNS round robin should take care of bringing, for
> instance, http requests in on whichever line is up - or both if both lines

Will it?  My understanding is that it will (fairly) equally distribute
the load between both incoming lines, regardless of whether or not
they're up.  DNS doesn't check to see if the line is up before sending
a response back...

> are - what I want ip route to do is send the response back out on the same
> interface the request came in on. What's the easiest way to do that?

I've been thinking about this for a while too, and haven't been able
to come up with any bulletproof.

If the requests are for the box that both external lines run into,
then policy routing should be able to do what you want.

Take a look at:

http://ds9a.nl/2.4Routing/HOWTO/cvs/2.4routing/output/2.4routing-4.html

Since requests come in to a specific interface, policy routing could
send all packets originating from that specific interface back out the
same one.

Things get hairy when you try to use policy routing, and the packets
don't terminate at the router, but are portforwarded further inbound,
like this case:

> Also, port forwarding is being used to an internal NT mail server. I'd like
> to handle redundancy to that by having a secondary MX on the second public
> interface, and also forwarding that to the server. Again, when the server
> comes back through the masq in negotiations I'd like it to connect out
> through whichever interface/IP it was connected to from.

It's easy enough to forward both incoming SMTP MX addresses on both
external lines to the same internal host, but I don't know how to get
the responses from the internal host to go back out whichever
interface they originally came in from.  If anyone's got any ideas,
I'm all ears. :)

Marking doesn't work, since the packets don't have their respective
marks anymore by the time they get back from the internal host to the
router, and policy based routing doesn't work, because it's a static
set of rules.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.enfusion-group.com] up 89 days, 4:56, 6 users


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Simplest method for 2 external lines?

[Whit Blauvelt]

On Tue, Oct 30, 2001 at 01:05:56PM -0500, Adrian Chung wrote:

> > network. Since the DNS round robin should take care of bringing, for
> > instance, http requests in on whichever line is up - or both if both lines
> 
> Will it?  My understanding is that it will (fairly) equally distribute
> the load between both incoming lines, regardless of whether or not
> they're up.  DNS doesn't check to see if the line is up before sending
> a response back...

The trick in Leghart's article is using dynamic DNS zones (which was a new
feature in Bind 8) along with a script he provides that adds and removes IPs
from the round robin according to whether the lines are up, using a short
TTL setting and frequent checks so that adjustment, while not instant,
should be within a few minutes, at most, and not run into problems with
downstream caching servers. I don't mind a Website not working half the time
for a minute or two - people are used to that much fussiness from the Web.

> > are - what I want ip route to do is send the response back out on the same
> > interface the request came in on. What's the easiest way to do that?
> 
> I've been thinking about this for a while too, and haven't been able
> to come up with any bulletproof.
> 
> If the requests are for the box that both external lines run into,
> then policy routing should be able to do what you want.
> 
> Take a look at:
> 
> http://ds9a.nl/2.4Routing/HOWTO/cvs/2.4routing/output/2.4routing-4.html

Thanks. I've been looking at that. I wish it were more fleshed out with
examples - but am certainly glad to have that much.

> Things get hairy when you try to use policy routing, and the packets
> don't terminate at the router, but are portforwarded further inbound,
> like this case:
> 
> > Also, port forwarding is being used to an internal NT mail server. I'd like
> > to handle redundancy to that by having a secondary MX on the second public
> > interface, and also forwarding that to the server. Again, when the server
> > comes back through the masq in negotiations I'd like it to connect out
> > through whichever interface/IP it was connected to from.
> 
> It's easy enough to forward both incoming SMTP MX addresses on both
> external lines to the same internal host, but I don't know how to get
> the responses from the internal host to go back out whichever
> interface they originally came in from.  If anyone's got any ideas,
> I'm all ears. :)

Hmm. Considering that the secondary MX won't be used when the first is
working, guess it would mostly work even if the remote mail daemon is fussy
about having the response come back the same way - have to confess I don't
know the degree of fussiness on this - sure would like the avoid the issue
entirely, but may well be you're right and the hooks just aren't there to
control this yet. Thanks for helping me think at it!

Whit
@transpect.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Re: [LARTC] Simplest method for 2 external lines?

[Adrian Chung]

On Wed, Oct 31, 2001 at 07:33:45PM -0500, Whit Blauvelt wrote:
> On Tue, Oct 30, 2001 at 01:05:56PM -0500, Adrian Chung wrote:
> > they're up.  DNS doesn't check to see if the line is up before sending
> > a response back...
> 
> The trick in Leghart's article is using dynamic DNS zones (which was a new
> feature in Bind 8) along with a script he provides that adds and removes IPs
> from the round robin according to whether the lines are up, using a short
> TTL setting and frequent checks so that adjustment, while not instant,
> should be within a few minutes, at most, and not run into problems with
> downstream caching servers. I don't mind a Website not working half the time
> for a minute or two - people are used to that much fussiness from the Web.

That's a great idea!  I had thought about doing this at one point, but
it seemed like such a hack...  But, given the circumstances, it seems
to be the best option.  After all, it's only a couple of minutes of
downtime, rather than an undeterminate amount of downtime.

> > It's easy enough to forward both incoming SMTP MX addresses on both
> > external lines to the same internal host, but I don't know how to get
> > the responses from the internal host to go back out whichever
> > interface they originally came in from.  If anyone's got any ideas,
> > I'm all ears. :)
> 
> Hmm. Considering that the secondary MX won't be used when the first is
> working, guess it would mostly work even if the remote mail daemon is fussy
> about having the response come back the same way - have to confess I don't
> know the degree of fussiness on this - sure would like the avoid the issue
> entirely, but may well be you're right and the hooks just aren't there to
> control this yet. Thanks for helping me think at it!

What I've done as a hack is:

- portforward the inbound connections to the internal box by using
  DNAT
- SNAT (change the source address) inbound packets to the address of
  the interface they came in on.  That way, the portforwarded box will
  return it's packets to a specific interface on the gateway
- Set up policy based routes to route all packets from internal host
  on respective interfaces out the same interface.

This works, but has the effect that all packets reaching the internal
host appear to have come from the gateway. :(

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[rogue.enfusion-group.com] up 92 days, 3:48, 9 users


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/