* DUAL wan issue, destination-based routing
@ 2008-05-27 23:44 jeev
2008-05-27 23:51 ` jeev
0 siblings, 1 reply; 8+ messages in thread
From: jeev @ 2008-05-27 23:44 UTC (permalink / raw)
To: netfilter
Hey guys, i was reading on the netfilter site.
I saw Patrick McHardy wrote about having 2 cable modems... i'm in the
same situation... my only problem is that I dont want to do load
balancing, i've just come from using PFSENSE/freebsd to use
ClarkConnect on CentOS i guess.. i've never used iptables before. i've
tried things like:
"iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
default via 71.x.x.1 dev eth3
so right now i have all traffic go out eth3, i'd love to have the ips
and ipblocks i select and have it go out one of the cable interfaces.
so for the example above, i want www.speedtest.net (because it shows
the ip) to go out eth2 but it's still going out eth3.
thanks in advance, i'm really lost...
^ permalink raw reply [flat|nested] 8+ messages in thread
* DUAL wan issue, destination-based routing
2008-05-27 23:44 DUAL wan issue, destination-based routing jeev
@ 2008-05-27 23:51 ` jeev
2008-05-28 5:03 ` Patrick McHardy
0 siblings, 1 reply; 8+ messages in thread
From: jeev @ 2008-05-27 23:51 UTC (permalink / raw)
To: netfilter
Hey guys, i was reading on the netfilter site.
I saw Patrick McHardy wrote about having 2 cable modems... i'm in the
same situation... my only problem is that I dont want to do load
balancing, i've just come from using PFSENSE/freebsd to use
ClarkConnect on CentOS i guess.. i've never used iptables before. i've
tried things like:
"iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
default via 71.x.x.1 dev eth3
so right now i have all traffic go out eth3, i'd love to have the ips
and ipblocks i select and have it go out one of the cable interfaces.
so for the example above, i want www.speedtest.net (because it shows
the ip) to go out eth2 but it's still going out eth3.
thanks in advance, i'm really lost...
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: DUAL wan issue, destination-based routing
2008-05-27 23:51 ` jeev
@ 2008-05-28 5:03 ` Patrick McHardy
2008-05-28 11:50 ` Jan Engelhardt
0 siblings, 1 reply; 8+ messages in thread
From: Patrick McHardy @ 2008-05-28 5:03 UTC (permalink / raw)
To: jeev; +Cc: netfilter
jeev wrote:
> Hey guys, i was reading on the netfilter site.
>
> I saw Patrick McHardy wrote about having 2 cable modems... i'm in the
> same situation... my only problem is that I dont want to do load
> balancing, i've just come from using PFSENSE/freebsd to use
> ClarkConnect on CentOS i guess.. i've never used iptables before. i've
> tried things like:
>
> "iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
> 67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
>
> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
> 24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
> 71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
> default via 71.x.x.1 dev eth3
>
> so right now i have all traffic go out eth3, i'd love to have the ips
> and ipblocks i select and have it go out one of the cable interfaces.
> so for the example above, i want www.speedtest.net (because it shows
> the ip) to go out eth2 but it's still going out eth3.
If you only want to distribute outgoing traffic, thats quite easy:
- set up routing rules and tables for both connections:
ip rule add fwmark 0x1 lookup 100
ip route add default via ... dev <dev1> table 100
ip rule add fwmark 0x2 lookup 200
ip route add default via ... dev <dev2> table 200
- set up distribution, in this case using iptables and equal
shares:
iptables -t mangle -A PREROUTING -m connmark --mark 0x0 \
-m statistic --mode nth --every 2 \
-j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -m connmark --mark 0x0 \
-j CONNMARK --set-mark 0x2
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
^ duplicate these three rules with OUTPUT instead of PREROUTING
for locally generated traffic.
You can use any criteria you like for distribution, the important
thing is to make sure connections stay on one connection when using
NAT (since many providers don't allow spoofed addresses), which is
done by checking whether the connection has already been routed
using "-m connmark --mark 0x0" before marking. You might also want
to check out the RATEEST target and match, they allow to include
the current load in the decision.
Dealing with incoming connections on both internet connections
is trickier because you need to make sure they go out the same
way they came in, so I'll skip this because I'm short on time
right now :)
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: DUAL wan issue, destination-based routing
2008-05-28 5:03 ` Patrick McHardy
@ 2008-05-28 11:50 ` Jan Engelhardt
2008-05-28 20:26 ` jeev
0 siblings, 1 reply; 8+ messages in thread
From: Jan Engelhardt @ 2008-05-28 11:50 UTC (permalink / raw)
To: Patrick McHardy; +Cc: jeev, netfilter
On Wednesday 2008-05-28 07:03, Patrick McHardy wrote:
> jeev wrote:
>> Hey guys, i was reading on the netfilter site.
>>
>> I saw Patrick McHardy wrote about having 2 cable modems... i'm in the
>> same situation... my only problem is that I dont want to do load
>> balancing, i've just come from using PFSENSE/freebsd to use
>> ClarkConnect on CentOS i guess.. i've never used iptables before. i've
>> tried things like:
>>
>> "iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
>> 67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
>>
>> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
>> 24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
>> 71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
>> default via 71.x.x.1 dev eth3
>>
>> so right now i have all traffic go out eth3, i'd love to have the ips
>> and ipblocks i select and have it go out one of the cable interfaces.
>> so for the example above, i want www.speedtest.net (because it shows
>> the ip) to go out eth2 but it's still going out eth3.
>
>[...]
> You can use any criteria you like for distribution, the important
> thing is to make sure connections stay on one connection when using
> NAT (since many providers don't allow spoofed addresses), [...]
> Dealing with incoming connections on both internet connections
> is trickier because you need to make sure they go out the same
> way they came in, so I'll skip this because I'm short on time
> right now :)
As described in http://dev.medozas.de/NF-Cookbook.txt.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: DUAL wan issue, destination-based routing
2008-05-28 11:50 ` Jan Engelhardt
@ 2008-05-28 20:26 ` jeev
2008-05-28 21:50 ` ArcosCom Linux User
0 siblings, 1 reply; 8+ messages in thread
From: jeev @ 2008-05-28 20:26 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, netfilter
ok.
i sort of understand..
i've managed to get it working with the following:
ip route add 69.17.117.0/24 via GATEWAY-OF-ETH2 src IP-OF-ETH2
AND adding this to iptables before the default route.
-A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d 67.17.117.0/24 -j MASQUERADE
i do understand the link you gave me but do not understand where i
input details of the networks in question.
i want to route everything out the default connection which would be
eth3, EXCEPT for what i define in ip blocks like i listed above.
and as far as the commands i ran up there to get them working. i have
2 cable modems, node is running great right now, i should be able to
get 10mbit from each but when i run a speedtest using one ip and then
start the other.. it slows down.. (making me believe that it's still
riding off one ip somehow) so when i get home, i'm going to look at
graphs i guess.
also, i have a viatalk linksys adapter at home and it's set up as following:
ip route add table 10 dev eth2
ip rule add from 192.168.2.5/32 table 10 priority 1
and
0 0 MASQUERADE all -- any eth2 viatalk anywhere
and as i just restarted the adapter
10 563 MASQUERADE all -- any eth2 viatalk anywhere
the adapter does pick the correct external ip now but it's still
having trouble connecting to the login server.
any help would be appreciated.
i really am considering dropping back to PFSENSE on bsd.. i was also
having some minor issues there but it was about something else
although it was rock solid for about 2 months.
thanks everybody.
On Wed, May 28, 2008 at 4:50 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>
> On Wednesday 2008-05-28 07:03, Patrick McHardy wrote:
>
>> jeev wrote:
>>> Hey guys, i was reading on the netfilter site.
>>>
>>> I saw Patrick McHardy wrote about having 2 cable modems... i'm in the
>>> same situation... my only problem is that I dont want to do load
>>> balancing, i've just come from using PFSENSE/freebsd to use
>>> ClarkConnect on CentOS i guess.. i've never used iptables before. i've
>>> tried things like:
>>>
>>> "iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
>>> 67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
>>>
>>> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
>>> 24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
>>> 71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
>>> default via 71.x.x.1 dev eth3
>>>
>>> so right now i have all traffic go out eth3, i'd love to have the ips
>>> and ipblocks i select and have it go out one of the cable interfaces.
>>> so for the example above, i want www.speedtest.net (because it shows
>>> the ip) to go out eth2 but it's still going out eth3.
>>
>>[...]
>> You can use any criteria you like for distribution, the important
>> thing is to make sure connections stay on one connection when using
>> NAT (since many providers don't allow spoofed addresses), [...]
>> Dealing with incoming connections on both internet connections
>> is trickier because you need to make sure they go out the same
>> way they came in, so I'll skip this because I'm short on time
>> right now :)
>
> As described in http://dev.medozas.de/NF-Cookbook.txt.
>
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: DUAL wan issue, destination-based routing
2008-05-28 20:26 ` jeev
@ 2008-05-28 21:50 ` ArcosCom Linux User
2008-05-29 14:48 ` paulobruck1
0 siblings, 1 reply; 8+ messages in thread
From: ArcosCom Linux User @ 2008-05-28 21:50 UTC (permalink / raw)
To: netfilter
Perhaps you can read a bit more about multilinks here:
http://lartc.org.
You can take the example given previously and the info in lartc to make
your own rules.
As an example, I have this output for my linux box that uses 3 lines:
=== REGLAS IPTABLES PARA EL ENRUTADO ===
Chain PREROUTING (policy ACCEPT 18M packets, 14G bytes)
num pkts bytes target prot opt in out source
destination
1 16M 12G M_TRAF_IN all -- * * 0.0.0.0/0
0.0.0.0/0
2 2520K 1867M M_IFACE all -- * * 0.0.0.0/0
0.0.0.0/0
Chain M_IFACE (1 references)
num pkts bytes target prot opt in out source
destination
1 1265K 166M CONNMARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000 CONNMARK restore
2 1403K 1710M RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match !0x0/0xf000
3 1117K 158M M_IFACE_TRAF all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000
4 7275 371K MARK all -- eth1 * 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x4000
5 9839 514K MARK all -- eth2 * 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x2000
6 9164 480K MARK all -- eth3 * 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x8000
7 26278 1365K CONNMARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match !0x0/0xf000 CONNMARK save
8 1117K 158M RETURN all -- * * 0.0.0.0/0
0.0.0.0/0
Chain M_IFACE_TRAF (2 references)
num pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 20M packets, 14G bytes)
num pkts bytes target prot opt in out source
destination
1 17M 13G M_TRAF_OUT all -- * * 0.0.0.0/0
0.0.0.0/0
2 2744K 1934M M_IFACE_OUT all -- * * 0.0.0.0/0
0.0.0.0/0
Chain M_IFACE_OUT (1 references)
num pkts bytes target prot opt in out source
destination
1 2572K 1848M CONNMARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000 CONNMARK restore
2 1079K 135M RETURN all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match !0x0/0xf000
3 1665K 1794M M_IFACE_TRAF all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000
4 6830 410K MARK all -- * eth1 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x4000
5 5559 331K MARK all -- * eth2 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x2000
6 14689 871K MARK all -- * eth3 0.0.0.0/0
0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x8000
7 27078 1612K CONNMARK all -- * * 0.0.0.0/0
0.0.0.0/0 MARK match !0x0/0xf000 CONNMARK save
8 1665K 1794M RETURN all -- * * 0.0.0.0/0
0.0.0.0/0
=== REGLAS DE ENRUTAMIENTO ===
0: from all lookup local
50: from all lookup main
100: from all fwmark 0x4000/0xf000 lookup uno
101: from all fwmark 0x2000/0xf000 lookup dos
102: from all fwmark 0x8000/0xf000 lookup tabla_eth3
150: from 212.170.103.236 lookup uno
151: from 212.170.103.235 lookup dos
152: from 212.59.210.142 lookup tabla_eth3
200: from all lookup defecto
32766: from all lookup main
32767: from all lookup default
=== TABLAS DE RUTAS ===
=== MAIN ===
212.170.103.192/26 dev eth2 proto kernel scope link src 212.170.103.235
212.170.103.192/26 dev eth1 proto kernel scope link src 212.170.103.236
192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247
192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247
192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247
212.59.210.0/24 dev eth3 proto kernel scope link src 212.59.210.142
10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6
169.254.0.0/16 dev eth1 scope link
=== eth1 TABLA 150 ===
default via 212.170.103.193 dev eth1 proto static src 212.170.103.236
prohibit default proto static metric 1
=== eth2 TABLA 151 ===
default via 212.170.103.193 dev eth2 proto static src 212.170.103.235
prohibit default proto static metric 1
=== eth3 TABLA 152 ===
default via 212.59.210.1 dev eth3 proto static src 212.59.210.142
prohibit default proto static metric 1
=== TABLA 200 (defecto) ===
default proto static
nexthop dev eth1 weight 1
nexthop dev eth2 weight 1
nexthop dev eth3 weight 3
You can change it a bit to alow a default route for your 67.17.117.0/24
network and another to everything else.
Regards
El Mie, 28 de Mayo de 2008, 22:26, jeev escribió:
> ok.
>
> i sort of understand..
>
> i've managed to get it working with the following:
> ip route add 69.17.117.0/24 via GATEWAY-OF-ETH2 src IP-OF-ETH2
>
> AND adding this to iptables before the default route.
>
> -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d 67.17.117.0/24 -j
> MASQUERADE
>
> i do understand the link you gave me but do not understand where i
> input details of the networks in question.
>
> i want to route everything out the default connection which would be
> eth3, EXCEPT for what i define in ip blocks like i listed above.
>
> and as far as the commands i ran up there to get them working. i have
> 2 cable modems, node is running great right now, i should be able to
> get 10mbit from each but when i run a speedtest using one ip and then
> start the other.. it slows down.. (making me believe that it's still
> riding off one ip somehow) so when i get home, i'm going to look at
> graphs i guess.
>
> also, i have a viatalk linksys adapter at home and it's set up as
> following:
>
> ip route add table 10 dev eth2
> ip rule add from 192.168.2.5/32 table 10 priority 1
> and
> 0 0 MASQUERADE all -- any eth2 viatalk anywhere
>
> and as i just restarted the adapter
>
> 10 563 MASQUERADE all -- any eth2 viatalk anywhere
>
> the adapter does pick the correct external ip now but it's still
> having trouble connecting to the login server.
>
> any help would be appreciated.
>
> i really am considering dropping back to PFSENSE on bsd.. i was also
> having some minor issues there but it was about something else
> although it was rock solid for about 2 months.
>
> thanks everybody.
>
> On Wed, May 28, 2008 at 4:50 AM, Jan Engelhardt <jengelh@medozas.de>
> wrote:
>>
>> On Wednesday 2008-05-28 07:03, Patrick McHardy wrote:
>>
>>> jeev wrote:
>>>> Hey guys, i was reading on the netfilter site.
>>>>
>>>> I saw Patrick McHardy wrote about having 2 cable modems... i'm in the
>>>> same situation... my only problem is that I dont want to do load
>>>> balancing, i've just come from using PFSENSE/freebsd to use
>>>> ClarkConnect on CentOS i guess.. i've never used iptables before. i've
>>>> tried things like:
>>>>
>>>> "iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
>>>> 67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
>>>>
>>>> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
>>>> 24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
>>>> 71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
>>>> default via 71.x.x.1 dev eth3
>>>>
>>>> so right now i have all traffic go out eth3, i'd love to have the ips
>>>> and ipblocks i select and have it go out one of the cable interfaces.
>>>> so for the example above, i want www.speedtest.net (because it shows
>>>> the ip) to go out eth2 but it's still going out eth3.
>>>
>>>[...]
>>> You can use any criteria you like for distribution, the important
>>> thing is to make sure connections stay on one connection when using
>>> NAT (since many providers don't allow spoofed addresses), [...]
>>> Dealing with incoming connections on both internet connections
>>> is trickier because you need to make sure they go out the same
>>> way they came in, so I'll skip this because I'm short on time
>>> right now :)
>>
>> As described in http://dev.medozas.de/NF-Cookbook.txt.
>>
>>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: DUAL wan issue, destination-based routing
2008-05-28 21:50 ` ArcosCom Linux User
@ 2008-05-29 14:48 ` paulobruck1
2008-05-29 21:23 ` ArcosCom Linux User
0 siblings, 1 reply; 8+ messages in thread
From: paulobruck1 @ 2008-05-29 14:48 UTC (permalink / raw)
To: netfilter
Em Qua, 2008-05-28 às 23:50 +0200, ArcosCom Linux User escreveu:
> Perhaps you can read a bit more about multilinks here:
>
> http://lartc.org.
>
> You can take the example given previously and the info in lartc to make
> your own rules.
>
Hi list
Just to clear my mind about this stuff:
> As an example, I have this output for my linux box that uses 3 lines:
> === REGLAS IPTABLES PARA EL ENRUTADO ===
> Chain PREROUTING (policy ACCEPT 18M packets, 14G bytes)
> num pkts bytes target prot opt in out source
> destination
> 1 16M 12G M_TRAF_IN all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 2 2520K 1867M M_IFACE all -- * * 0.0.0.0/0
> 0.0.0.0/0
> Chain M_IFACE (1 references)
> num pkts bytes target prot opt in out source
> destination
>
> 1 1265K 166M CONNMARK all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000 CONNMARK restore
this rule tell us: all connections will be restore and mark 0x0, which means that
if at NAT a packet goes out when it returns it will return w/ no mark and will it
receive a mark 0x0 ?
> 2 1403K 1710M RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK match !0x0/0xf000
this one does tell us to pass without mark any packet w/ mark ! from 0x0 ?
> 3 1117K 158M M_IFACE_TRAF all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000
> 4 7275 371K MARK all -- eth1 * 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x4000
this one tell to mark every new conection leaving eth1 w/ mark 0x4000
>
>
> 5 9839 514K MARK all -- eth2 * 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x2000
> 6 9164 480K MARK all -- eth3 * 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x8000
> 7 26278 1365K CONNMARK all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK match !0x0/0xf000 CONNMARK save
> 8 1117K 158M RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0
> Chain M_IFACE_TRAF (2 references)
> num pkts bytes target prot opt in out source
> destination
> Chain POSTROUTING (policy ACCEPT 20M packets, 14G bytes)
> num pkts bytes target prot opt in out source
> destination
> 1 17M 13G M_TRAF_OUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
> 2 2744K 1934M M_IFACE_OUT all -- * * 0.0.0.0/0
> 0.0.0.0/0
> Chain M_IFACE_OUT (1 references)
> num pkts bytes target prot opt in out source
> destination
> 1 2572K 1848M CONNMARK all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000 CONNMARK restore
this one tells to restore connections w/ mark 0x0
>
> 2 1079K 135M RETURN all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK match !0x0/0xf000
> 3 1665K 1794M M_IFACE_TRAF all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000
> 4 6830 410K MARK all -- * eth1 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x4000
> 5 5559 331K MARK all -- * eth2 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x2000
> 6 14689 871K MARK all -- * eth3 0.0.0.0/0
> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x8000
> 7 27078 1612K CONNMARK all -- * * 0.0.0.0/0
> 0.0.0.0/0 MARK match !0x0/0xf000 CONNMARK save
> 8 1665K 1794M RETURN all -- * * 0.0.0.0/0
> 0.0.0.00
summarizing
when you use CONNMARK in mangle PREROUTING and mark a connection ,
when a packet returns it returns w/ no mark, it checks CONNTRACK connections
then it receive it marks again.
Supose a new packet from LAN to internet: lan eth0 --FIREWALL-- eth1 internet
-> eth0 packet ( w/ no mark)
-> mangle prerouting ( restore mark)
-> nat prerouting
-> routing
-> mangle forward
-> forward
-> mangle postrouting ( receive a mark 0x4000)
-> nat postrouting
-> eth1
back
eth1 packet ( w/ no mark)
-> mangle prerouting ( restore mark- receive mark 0x4000)
-> nat prerouting
-> routing
-> mangle forward
-> forward
-> mangle postrouting ( as already has a mark pass)
-> nat postrouting
-> eth1
Is that correct????
thanks in advanced
> === REGLAS DE ENRUTAMIENTO ===
> 0: from all lookup local
> 50: from all lookup main
> 100: from all fwmark 0x4000/0xf000 lookup uno
> 101: from all fwmark 0x2000/0xf000 lookup dos
> 102: from all fwmark 0x8000/0xf000 lookup tabla_eth3
> 150: from 212.170.103.236 lookup uno
> 151: from 212.170.103.235 lookup dos
> 152: from 212.59.210.142 lookup tabla_eth3
> 200: from all lookup defecto
> 32766: from all lookup main
> 32767: from all lookup default
> === TABLAS DE RUTAS ===
> === MAIN ===
> 212.170.103.192/26 dev eth2 proto kernel scope link src 212.170.103.235
> 212.170.103.192/26 dev eth1 proto kernel scope link src 212.170.103.236
> 192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247
> 192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247
> 192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247
> 212.59.210.0/24 dev eth3 proto kernel scope link src 212.59.210.142
> 10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6
> 169.254.0.0/16 dev eth1 scope link
> === eth1 TABLA 150 ===
> default via 212.170.103.193 dev eth1 proto static src 212.170.103.236
> prohibit default proto static metric 1
> === eth2 TABLA 151 ===
> default via 212.170.103.193 dev eth2 proto static src 212.170.103.235
> prohibit default proto static metric 1
> === eth3 TABLA 152 ===
> default via 212.59.210.1 dev eth3 proto static src 212.59.210.142
> prohibit default proto static metric 1
> === TABLA 200 (defecto) ===
> default proto static
> nexthop dev eth1 weight 1
> nexthop dev eth2 weight 1
> nexthop dev eth3 weight 3
>
>
> You can change it a bit to alow a default route for your 67.17.117.0/24
> network and another to everything else.
>
> Regards
>
> El Mie, 28 de Mayo de 2008, 22:26, jeev escribió:
> > ok.
> >
> > i sort of understand..
> >
> > i've managed to get it working with the following:
> > ip route add 69.17.117.0/24 via GATEWAY-OF-ETH2 src IP-OF-ETH2
> >
> > AND adding this to iptables before the default route.
> >
> > -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d 67.17.117.0/24 -j
> > MASQUERADE
> >
> > i do understand the link you gave me but do not understand where i
> > input details of the networks in question.
> >
> > i want to route everything out the default connection which would be
> > eth3, EXCEPT for what i define in ip blocks like i listed above.
> >
> > and as far as the commands i ran up there to get them working. i have
> > 2 cable modems, node is running great right now, i should be able to
> > get 10mbit from each but when i run a speedtest using one ip and then
> > start the other.. it slows down.. (making me believe that it's still
> > riding off one ip somehow) so when i get home, i'm going to look at
> > graphs i guess.
> >
> > also, i have a viatalk linksys adapter at home and it's set up as
> > following:
> >
> > ip route add table 10 dev eth2
> > ip rule add from 192.168.2.5/32 table 10 priority 1
> > and
> > 0 0 MASQUERADE all -- any eth2 viatalk anywhere
> >
> > and as i just restarted the adapter
> >
> > 10 563 MASQUERADE all -- any eth2 viatalk anywhere
> >
> > the adapter does pick the correct external ip now but it's still
> > having trouble connecting to the login server.
> >
> > any help would be appreciated.
> >
> > i really am considering dropping back to PFSENSE on bsd.. i was also
> > having some minor issues there but it was about something else
> > although it was rock solid for about 2 months.
> >
> > thanks everybody.
> >
> > On Wed, May 28, 2008 at 4:50 AM, Jan Engelhardt <jengelh@medozas.de>
> > wrote:
> >>
> >> On Wednesday 2008-05-28 07:03, Patrick McHardy wrote:
> >>
> >>> jeev wrote:
> >>>> Hey guys, i was reading on the netfilter site.
> >>>>
> >>>> I saw Patrick McHardy wrote about having 2 cable modems... i'm in the
> >>>> same situation... my only problem is that I dont want to do load
> >>>> balancing, i've just come from using PFSENSE/freebsd to use
> >>>> ClarkConnect on CentOS i guess.. i've never used iptables before. i've
> >>>> tried things like:
> >>>>
> >>>> "iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
> >>>> 67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
> >>>>
> >>>> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
> >>>> 24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
> >>>> 71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
> >>>> default via 71.x.x.1 dev eth3
> >>>>
> >>>> so right now i have all traffic go out eth3, i'd love to have the ips
> >>>> and ipblocks i select and have it go out one of the cable interfaces.
> >>>> so for the example above, i want www.speedtest.net (because it shows
> >>>> the ip) to go out eth2 but it's still going out eth3.
> >>>
> >>>[...]
> >>> You can use any criteria you like for distribution, the important
> >>> thing is to make sure connections stay on one connection when using
> >>> NAT (since many providers don't allow spoofed addresses), [...]
> >>> Dealing with incoming connections on both internet connections
> >>> is trickier because you need to make sure they go out the same
> >>> way they came in, so I'll skip this because I'm short on time
> >>> right now :)
> >>
> >> As described in http://dev.medozas.de/NF-Cookbook.txt.
> >>
> >>
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: DUAL wan issue, destination-based routing
2008-05-29 14:48 ` paulobruck1
@ 2008-05-29 21:23 ` ArcosCom Linux User
0 siblings, 0 replies; 8+ messages in thread
From: ArcosCom Linux User @ 2008-05-29 21:23 UTC (permalink / raw)
To: netfilter
That is the idea. But I don't know if really it is correct or not.
Appears to be working, but really I don't know exactly; perhaps someone
that knows fine how works CONNMARK/MARK want to clarify us and correct the
mistakes.
Regards
El Jue, 29 de Mayo de 2008, 16:48, paulobruck1 escribió:
> Em Qua, 2008-05-28 Ã s 23:50 +0200, ArcosCom Linux User escreveu:
>> Perhaps you can read a bit more about multilinks here:
>>
>> http://lartc.org.
>>
>> You can take the example given previously and the info in lartc to make
>> your own rules.
>>
>
>
> Hi list
>
> Just to clear my mind about this stuff:
>
>> As an example, I have this output for my linux box that uses 3 lines:
>> === REGLAS IPTABLES PARA EL ENRUTADO ===
>> Chain PREROUTING (policy ACCEPT 18M packets, 14G bytes)
>> num pkts bytes target prot opt in out source
>> destination
>> 1 16M 12G M_TRAF_IN all -- * * 0.0.0.0/0
>> 0.0.0.0/0
>> 2 2520K 1867M M_IFACE all -- * * 0.0.0.0/0
>> 0.0.0.0/0
>> Chain M_IFACE (1 references)
>> num pkts bytes target prot opt in out source
>> destination
>>
>
>
>> 1 1265K 166M CONNMARK all -- * * 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000 CONNMARK restore
> this rule tell us: all connections will be restore and mark 0x0, which
> means that
> if at NAT a packet goes out when it returns it will return w/ no mark and
> will it
> receive a mark 0x0 ?
>
>> 2 1403K 1710M RETURN all -- * * 0.0.0.0/0
>> 0.0.0.0/0 MARK match !0x0/0xf000
>
> this one does tell us to pass without mark any packet w/ mark ! from 0x0 ?
>
>
>
>> 3 1117K 158M M_IFACE_TRAF all -- * * 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000
>> 4 7275 371K MARK all -- eth1 * 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x4000
> this one tell to mark every new conection leaving eth1 w/ mark 0x4000
>
>>
>>
>> 5 9839 514K MARK all -- eth2 * 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x2000
>> 6 9164 480K MARK all -- eth3 * 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x8000
>> 7 26278 1365K CONNMARK all -- * * 0.0.0.0/0
>> 0.0.0.0/0 MARK match !0x0/0xf000 CONNMARK save
>> 8 1117K 158M RETURN all -- * * 0.0.0.0/0
>> 0.0.0.0/0
>> Chain M_IFACE_TRAF (2 references)
>> num pkts bytes target prot opt in out source
>> destination
>> Chain POSTROUTING (policy ACCEPT 20M packets, 14G bytes)
>> num pkts bytes target prot opt in out source
>> destination
>> 1 17M 13G M_TRAF_OUT all -- * * 0.0.0.0/0
>> 0.0.0.0/0
>> 2 2744K 1934M M_IFACE_OUT all -- * * 0.0.0.0/0
>> 0.0.0.0/0
>> Chain M_IFACE_OUT (1 references)
>> num pkts bytes target prot opt in out source
>> destination
>> 1 2572K 1848M CONNMARK all -- * * 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000 CONNMARK restore
> this one tells to restore connections w/ mark 0x0
>
>>
>> 2 1079K 135M RETURN all -- * * 0.0.0.0/0
>> 0.0.0.0/0 MARK match !0x0/0xf000
>> 3 1665K 1794M M_IFACE_TRAF all -- * * 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000
>> 4 6830 410K MARK all -- * eth1 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x4000
>> 5 5559 331K MARK all -- * eth2 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x2000
>> 6 14689 871K MARK all -- * eth3 0.0.0.0/0
>> 0.0.0.0/0 MARK match 0x0/0xf000 state NEW MARK or 0x8000
>> 7 27078 1612K CONNMARK all -- * * 0.0.0.0/0
>> 0.0.0.0/0 MARK match !0x0/0xf000 CONNMARK save
>> 8 1665K 1794M RETURN all -- * * 0.0.0.0/0
>> 0.0.0.00
>
> summarizing
>
> when you use CONNMARK in mangle PREROUTING and mark a connection ,
> when a packet returns it returns w/ no mark, it checks CONNTRACK
> connections
> then it receive it marks again.
>
> Supose a new packet from LAN to internet: lan eth0 --FIREWALL-- eth1
> internet
>
> -> eth0 packet ( w/ no mark)
> -> mangle prerouting ( restore mark)
> -> nat prerouting
> -> routing
> -> mangle forward
> -> forward
> -> mangle postrouting ( receive a mark 0x4000)
> -> nat postrouting
> -> eth1
>
> back
> eth1 packet ( w/ no mark)
> -> mangle prerouting ( restore mark- receive mark 0x4000)
> -> nat prerouting
> -> routing
> -> mangle forward
> -> forward
> -> mangle postrouting ( as already has a mark pass)
> -> nat postrouting
> -> eth1
>
> Is that correct????
>
> thanks in advanced
>
>
>
>> === REGLAS DE ENRUTAMIENTO ===
>> 0: from all lookup local
>> 50: from all lookup main
>> 100: from all fwmark 0x4000/0xf000 lookup uno
>> 101: from all fwmark 0x2000/0xf000 lookup dos
>> 102: from all fwmark 0x8000/0xf000 lookup tabla_eth3
>> 150: from 212.170.103.236 lookup uno
>> 151: from 212.170.103.235 lookup dos
>> 152: from 212.59.210.142 lookup tabla_eth3
>> 200: from all lookup defecto
>> 32766: from all lookup main
>> 32767: from all lookup default
>> === TABLAS DE RUTAS ===
>> === MAIN ===
>> 212.170.103.192/26 dev eth2 proto kernel scope link src
>> 212.170.103.235
>> 212.170.103.192/26 dev eth1 proto kernel scope link src
>> 212.170.103.236
>> 192.168.3.0/24 dev zlan0 proto kernel scope link src 192.168.3.247
>> 192.168.2.0/24 dev zlan0 proto kernel scope link src 192.168.2.247
>> 192.168.1.0/24 dev zlan0 proto kernel scope link src 192.168.1.247
>> 212.59.210.0/24 dev eth3 proto kernel scope link src 212.59.210.142
>> 10.1.1.0/24 dev zlan0 proto kernel scope link src 10.1.1.6
>> 169.254.0.0/16 dev eth1 scope link
>> === eth1 TABLA 150 ===
>> default via 212.170.103.193 dev eth1 proto static src 212.170.103.236
>> prohibit default proto static metric 1
>> === eth2 TABLA 151 ===
>> default via 212.170.103.193 dev eth2 proto static src 212.170.103.235
>> prohibit default proto static metric 1
>> === eth3 TABLA 152 ===
>> default via 212.59.210.1 dev eth3 proto static src 212.59.210.142
>> prohibit default proto static metric 1
>> === TABLA 200 (defecto) ===
>> default proto static
>> nexthop dev eth1 weight 1
>> nexthop dev eth2 weight 1
>> nexthop dev eth3 weight 3
>>
>>
>> You can change it a bit to alow a default route for your 67.17.117.0/24
>> network and another to everything else.
>>
>> Regards
>>
>> El Mie, 28 de Mayo de 2008, 22:26, jeev escribió:
>> > ok.
>> >
>> > i sort of understand..
>> >
>> > i've managed to get it working with the following:
>> > ip route add 69.17.117.0/24 via GATEWAY-OF-ETH2 src IP-OF-ETH2
>> >
>> > AND adding this to iptables before the default route.
>> >
>> > -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d 67.17.117.0/24 -j
>> > MASQUERADE
>> >
>> > i do understand the link you gave me but do not understand where i
>> > input details of the networks in question.
>> >
>> > i want to route everything out the default connection which would be
>> > eth3, EXCEPT for what i define in ip blocks like i listed above.
>> >
>> > and as far as the commands i ran up there to get them working. i have
>> > 2 cable modems, node is running great right now, i should be able to
>> > get 10mbit from each but when i run a speedtest using one ip and then
>> > start the other.. it slows down.. (making me believe that it's still
>> > riding off one ip somehow) so when i get home, i'm going to look at
>> > graphs i guess.
>> >
>> > also, i have a viatalk linksys adapter at home and it's set up as
>> > following:
>> >
>> > ip route add table 10 dev eth2
>> > ip rule add from 192.168.2.5/32 table 10 priority 1
>> > and
>> > 0 0 MASQUERADE all -- any eth2 viatalk anywhere
>> >
>> > and as i just restarted the adapter
>> >
>> > 10 563 MASQUERADE all -- any eth2 viatalk anywhere
>> >
>> > the adapter does pick the correct external ip now but it's still
>> > having trouble connecting to the login server.
>> >
>> > any help would be appreciated.
>> >
>> > i really am considering dropping back to PFSENSE on bsd.. i was also
>> > having some minor issues there but it was about something else
>> > although it was rock solid for about 2 months.
>> >
>> > thanks everybody.
>> >
>> > On Wed, May 28, 2008 at 4:50 AM, Jan Engelhardt <jengelh@medozas.de>
>> > wrote:
>> >>
>> >> On Wednesday 2008-05-28 07:03, Patrick McHardy wrote:
>> >>
>> >>> jeev wrote:
>> >>>> Hey guys, i was reading on the netfilter site.
>> >>>>
>> >>>> I saw Patrick McHardy wrote about having 2 cable modems... i'm in
>> the
>> >>>> same situation... my only problem is that I dont want to do load
>> >>>> balancing, i've just come from using PFSENSE/freebsd to use
>> >>>> ClarkConnect on CentOS i guess.. i've never used iptables before.
>> i've
>> >>>> tried things like:
>> >>>>
>> >>>> "iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
>> >>>> 67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
>> >>>>
>> >>>> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
>> >>>> 24.x.x.0/23 dev eth2 proto kernel scope link src 24.x.x.23
>> >>>> 71.x.x.0/23 dev eth3 proto kernel scope link src 71.x.x.6
>> >>>> default via 71.x.x.1 dev eth3
>> >>>>
>> >>>> so right now i have all traffic go out eth3, i'd love to have the
>> ips
>> >>>> and ipblocks i select and have it go out one of the cable
>> interfaces.
>> >>>> so for the example above, i want www.speedtest.net (because it
>> shows
>> >>>> the ip) to go out eth2 but it's still going out eth3.
>> >>>
>> >>>[...]
>> >>> You can use any criteria you like for distribution, the important
>> >>> thing is to make sure connections stay on one connection when using
>> >>> NAT (since many providers don't allow spoofed addresses), [...]
>> >>> Dealing with incoming connections on both internet connections
>> >>> is trickier because you need to make sure they go out the same
>> >>> way they came in, so I'll skip this because I'm short on time
>> >>> right now :)
>> >>
>> >> As described in http://dev.medozas.de/NF-Cookbook.txt.
>> >>
>> >>
>> > --
>> > To unsubscribe from this list: send the line "unsubscribe netfilter"
>> in
>> > the body of a message to majordomo@vger.kernel.org
>> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>> >
>>
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe netfilter" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2008-05-29 21:23 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-05-27 23:44 DUAL wan issue, destination-based routing jeev
2008-05-27 23:51 ` jeev
2008-05-28 5:03 ` Patrick McHardy
2008-05-28 11:50 ` Jan Engelhardt
2008-05-28 20:26 ` jeev
2008-05-28 21:50 ` ArcosCom Linux User
2008-05-29 14:48 ` paulobruck1
2008-05-29 21:23 ` ArcosCom Linux User
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox