Re: [LARTC] Solved: Using more than 1 Internet Line

[Arthur van Leeuwen <arthurvl@sci.kun.nl>]

On Tue, 4 Dec 2001, Julian Anastasov wrote:

>
> 	Hello,
>
> On Mon, 3 Dec 2001, Whit Blauvelt wrote:
>
> > On Mon, Dec 03, 2001 at 11:04:20PM +0100, Arthur van Leeuwen wrote:
> >
> > > > - What weirdness should I look out for?
> > >
> > > OpenSSH sets up the TOS fields *after* authenticating. This breaks the
> > > entries in the route-cache, as they are keyed on source, destination and TOS
> > > field.
> >
> > Hmm, I use OpenSSH all the time. Does this fully break it, or just add some
> > flakiness?
>
> 	It breaks only the plain kernel. The patches use the
> multipath routes only for the first packet.

Okay, I've read both the nanohowto and the docs on Julian's patches by now.
A few things to note: the nanohowto's information is good even without
Julian's patches, although things will become trickier. One has to do ones
own link-probing and rerouting from userland. That is very doable however,
provided you have machines somewhere at the ISP's site that will answer to
either pings ore traceroutes or somesuch, as you will need answers.

The patches Julian provided fix a bunch of nastiness. For one, dead gateway
detection is done on the ARP level in kernelspace. Very neat when you have
ARP, thus on ethernet, but not very useful without. Furthermore, they
provide true alternative routes, not only multipath default routes. This is
once more extremely neat, but not directly necessary for the usual case.

Thirdly, Julian's patches add gateways as a routing key. This will not help
pure routing boxes, such as would be standard issue in an office full of
Windows toasters, as the gateway will be determined at the routing stage, so
it cannot be used as a key.

The *main* reason to use Julian's patches is the masquerading connection
rerouting. This will fix the big bugs in your setup by just redirecting a
masqueraded connection out to a different interface when the old one is
dead. This is *very* cool on UDP, and will make UDP failover to another
route fully transparent.  However, it will not fix stateful protocols in
which the server on the other side keeps state on the IP address it was
talking to, such as SSH. It will fix the TOS nastiness OpenSSH brings to the
fore, as it will *reroute* after masquerading. Bit of a hack, that. I
simply nixed the TOS bits in the firewalling code. :)

Summarizing: Yes, you can do equal cost multipath. Yes it is cool. Yes it
can be made nicer and friendlier to set up using Julian's patches. However,
it will not be an ideal solution. Things *will* break. Load will just be
approximately balanced. Failover is in most cases definitely not transparent
to the user: new connections have to be set up. If the links stay up though,
equal cost multipath is a *good* thing.

Oh, and it does work on >2 uplinks. I've set up a system for a client using
1 ISDN line, 2 ADSL links (with the Dutch MXStream cruftiness, but I
digress) and 1 cable modem using masquerading only on the last three, using
the standard kernel (Julian's patches didn't exist a year ago, when I did
this). Worked splendidly (and still does, I'm told). Needed some manual
supervision though, as link failover and especially failback is *not*
trivial.

Doei, Arthur.

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/