route all internet traffic through dummy device?

route all internet traffic through dummy device?

[Andreas Mimz]

Hello there!

I'm trying to route all internet traffic through a dummy network device.
Unfortunately, I wasn't able to do that yet :-(

my setup is:

eth0: 172.20.39.1 (netmask 255.255.255.0)
dummy0: 172.25.79.1 (netmask 255.255.255.0)
ppp0: <dynmic-ip>

currently, all outgoing traffic from the clients (connected to eth0) is
masqueraded and then send via the ppp0 device. what I'm trying to do is
that outgoing data through ppp0 is first routed through dummy0, basically
just adding one hop.

can anybody point me to the right direction?

thanks in advance,

andreas

Re: route all internet traffic through dummy device?

[Mariusz Kruk]

On Fri, Apr 22, 2005 at 09:48:59AM +0200, Andreas Mimz wrote:
> I'm trying to route all internet traffic through a dummy network device.
> Unfortunately, I wasn't able to do that yet :-(

I used a tunnel between dwo different addresses on loopback device (ie.
127.0.0.2 and 127.0.0.3) and policy routing which puts everything from
outside to one end of the tunnel and from the inside into another end
(in my setup it works bi-directionaly - another hop is added for packets
traveling both ways).
If anyone is interested in more detailed description, I will gladly
provide info.

-- 
/\-\/\-\/\-\/\-\/\-\/\-\/\ Bie¿±cy dysk nie jest ju¿ byæ prawid³owy(MS-
\  Kruk@epsilon.eu.org   / DOS7.0)
/ http://epsilon.eu.org/ \ 
\/-/\/-/\/-/\/-/\/-/\/-/\/ 

Re: route all internet traffic through dummy device?

[Taylor Grant]

Mariusz Kruk wrote:
> On Fri, Apr 22, 2005 at 09:48:59AM +0200, Andreas Mimz wrote:
> 
>>I'm trying to route all internet traffic through a dummy network device.
>>Unfortunately, I wasn't able to do that yet :-(
> 
> 
> I used a tunnel between dwo different addresses on loopback device (ie.
> 127.0.0.2 and 127.0.0.3) and policy routing which puts everything from
> outside to one end of the tunnel and from the inside into another end
> (in my setup it works bi-directionaly - another hop is added for packets
> traveling both ways).
> If anyone is interested in more detailed description, I will gladly
> provide info.

I'm curious as to what purpose you would want to do such a thing?  Are you just trying to decrement the TTL by one hop or are you wanting to mess with QoS on inbound / outbound traffic?  If so why not use IMQ?



Grant. . . .

Re: route all internet traffic through dummy device?

[Mariusz Kruk]

On Fri, Apr 22, 2005 at 03:01:46AM -0500, Taylor Grant wrote:
> >>I'm trying to route all internet traffic through a dummy network device.
> >>Unfortunately, I wasn't able to do that yet :-(
> >I used a tunnel between dwo different addresses on loopback device (ie.
> >127.0.0.2 and 127.0.0.3) and policy routing which puts everything from
> >outside to one end of the tunnel and from the inside into another end
> >(in my setup it works bi-directionaly - another hop is added for packets
> >traveling both ways).
> >If anyone is interested in more detailed description, I will gladly
> >provide info.
> I'm curious as to what purpose you would want to do such a thing?  Are you 
> just trying to decrement the TTL by one hop or are you wanting to mess with 
> QoS on inbound / outbound traffic?  If so why not use IMQ?

As I wrote earlier on this list, I have a setup with linux router, three
local interfaces and one outside interface. I do NAT and manage
bandwidth. Therefore I needed the IMQ functionality. Unfortunately, no
distro known by me at that time had kernel with IMQ (I didn't want to
use stock kernel and patch it myself every time I need to upgrade
kernel). Besides, it was also a kind of "proof-of-concept" solution.
Anyway, It works almost flawlessly (except for some strange behaviour
with GRE packets which I described few days ago).

-- 
\.\.\.\.\.\.\.\.\.\.\.\.\.\ Being  vewy, vewy quiet is iweviwent. <hehe-
.\.Kruk@epsilon.eu.org.\.\. hehehe> - Fudd of Borg.
\.http://epsilon.eu.org/\.\ 
.\.\.\.\.\.\.\.\.\.\.\.\.\. 

Re: route all internet traffic through dummy device?

[Fabien Germain]

Hello,

On 4/22/05, Andreas Mimz <Andreas.Mimz@kos2.de> wrote:
> I'm trying to route all internet traffic through a dummy network device.
> Unfortunately, I wasn't able to do that yet :-(

My question is probably stupid, but what is the goal of adding one hop ?

Fabien

Re: route all internet traffic through dummy device?

[Taylor Grant]

Andreas Mimz wrote:
> Hello there!
> 
> I'm trying to route all internet traffic through a dummy network device.
> Unfortunately, I wasn't able to do that yet :-(
> 
> my setup is:
> 
> eth0: 172.20.39.1 (netmask 255.255.255.0)
> dummy0: 172.25.79.1 (netmask 255.255.255.0)
> ppp0: <dynmic-ip>
> 
> currently, all outgoing traffic from the clients (connected to eth0) is
> masqueraded and then send via the ppp0 device. what I'm trying to do is
> that outgoing data through ppp0 is first routed through dummy0, basically
> just adding one hop.
> 
> can anybody point me to the right direction?
> 
> thanks in advance,
> 
> andreas

I'm at a loss as to why you might want to do this but this is all that I can come up with early in the morning (3:00 A.M. here).

You could have all traffic coming in to ppp0 use a routing table other than main (the system's default routing table that knows about just about everything by default).  Likewise you could have all traffic that comes in to eth0 use a routing table other than main.  These two routing tables would only have routes for the network they are configured for and the dummy0 network.  I.e. ppp0 table would only know about ppp0 net and dummy0 net and eth0 table would only know about eth0 net and dummy0 net.  If you did such a thing dummy0 could probably use the main routing table so that it would know that it could go out each interface respectively.  I'd say that both routing tables ppp0 and eth0 would just use the IP of dummy0 as their next hop router and / or default gateway (respectively) for routes to the destination network.

If you need me to I could possibly come up with ip route commands to set this up tomorrow after I have some sleep.



Grant. . . .

Re: route all internet traffic through dummy device?

[Paulo Ricardo Bruck]

[-- Attachment #1: Type: text/plain, Size: 1243 bytes --]

Hi Kruk and list

> As I wrote earlier on this list, I have a setup with linux router, 
> three
> local interfaces and one outside interface. I do NAT and manage
> bandwidth. Therefore I needed the IMQ functionality. Unfortunately, no
> distro known by me at that time had kernel with IMQ (I didn't want to
> use stock kernel and patch it myself every time I need to upgrade
> kernel). Besides, it was also a kind of "proof-of-concept" solution.
> Anyway, It works almost flawlessly (except for some strange behaviour
> with GRE packets which I described few days ago).

I agree w/ you. I'm studyng a lot of QoS and I stopped w/ IMQ x dummy.

From rom gname :http://article.gmane.org/gmane.linux.network/21224 . Jamal
explained differences betwen IMQ x dummy. Like you I prefer not patch
kernel..80)

I know that's not a netfilter stuff but it's RELATED w/ it 8).
Could you give some hints about your solution ? how-to/tutorial or other
place where I can find ?

thanks in advanced

-- 
\.\.\.\.\.\.\.\.\.\.\.\.\.\ Being  vewy, vewy quiet is iweviwent. <hehe-
.\.Kruk@epsilon.eu.org.\.\. hehehe> - Fudd of Borg.
\.http://epsilon.eu.org/\.\ 
.\.\.\.\.\.\.\.\.\.\.\.\.\. 


-- 
Paulo Ricardo Bruck - consultor


[-- Attachment #2: Esta é uma parte de mensagem assinada digitalmente --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: route all internet traffic through dummy device?

[Mariusz Kruk]

On Fri, Apr 22, 2005 at 11:29:52AM -0300, Paulo Ricardo Bruck wrote:
> I agree w/ you. I'm studyng a lot of QoS and I stopped w/ IMQ x dummy.
> 
> From rom gname :http://article.gmane.org/gmane.linux.network/21224 . Jamal
> explained differences betwen IMQ x dummy. Like you I prefer not patch
> kernel..80)
> 
> I know that's not a netfilter stuff but it's RELATED w/ it 8).
> Could you give some hints about your solution ? how-to/tutorial or other
> place where I can find ?
> 
> thanks in advanced

Well, there is no tutorial or howto. I sent a question to LARTC-HOWTO
maintainer if he's interested and didn't get any response whatsoever.
I wrote an article on polish newsgroup pl.comp.os.linux.sieci. You can
google for it. But it's in polish. So I'll write it again.
And, be aware that it's not done using dummy device but using tunnel
between localhost and localhost.

Loop-routing mini-howto ;-)

Let's assume that we have a Linux box with interface eth0 connected to
our ISP and eth1 and eth2 connected to our local subnets.
To do IMQ without IMQ (with exception for locally destined packets) we
need to create a tunnel and route all the traffic into it.

First, we need at least one additional addres on loopback device (you
can't create tunnel with both endpoints having the same address!). For
clearance, I add two of them.

ip addr add 127.0.0.2 dev lo
ip addr add 127.0.0.3 dev lo


Now we have to set up a tunnel between those IPs (i'm not sure which one
will the most efficient one). Let it be a ipip tunnel.

ip tunnel add localend mode ipip remote 127.0.0.2 local 127.0.0.3 
ip tunnel add remoteend mode ipip remote 127.0.0.3 local 127.0.0.2
ip link set remoteend up
ip link set localend up
ip addr add 10.0.0.1 dev localend
ip addr add 10.0.0.2 dev remoteend

(of course, both tunnel endpoints' addresses are arbitrary; you can use
any private addresses)
Next, you have to convince Linux to route the packets to the tunnel.

ip rule add iif eth0 lookup 10 pref 10
ip rule add default dev remoteend table 10
ip rule add iif eth1 lookup 20 pref 20
ip rule add iif eth2 lookup 20 pref 21
ip rule add default dev localend table 20
ip route flush cache

And the tricky part (I spent half a day debugging why the things shown
above don't work):

echo 0 >/proc/sys/net/ipv4/conf/localend/rp_filter
echo 0 >/proc/sys/net/ipv4/conf/remoteend/rp_filter

This is the minimal setup.
If you want the local trafic to run without going into the tunnel (why
should you shape the local traffic, for example?), you have to add some
rules before the rules concerning local interfaces. For example:

ip rule add to 192.168.0.0/8 lookup main pref 13
ip route flush cache

And that's all.
CAVEAT: If you want to NAT the connections, remember that only packet
that starts a connection is consulted with NAT iptable. So inside the
tunnel you'll get already natted packets (at least those going outside;
don't remember how about the inbound packets).

Hope this will be of help.
-- 
d'`'`'`'`'`'`'`'`'`'`'`'`'Yb Error:   unable  to  come up with a good er-
`b  Kruk@epsilon.eu.org   d' ror...
d' http://epsilon.eu.org/ Yb 
`b,-,.,-,.,-,.,-,.,-,.,-,.d'