[LARTC] Routing for multiple uplinks/providers problem.
Nelson Castillo
nelsoneci at gmail.com
Thu Jul 28 18:32:17 CEST 2005
I think I said something wrong in my last message.
You DNAT incoming packets and then SNAT them when
they come back if your Linux router has some server behind it.
I don't know if this is your case (having servers behind the router).
(I needed to top-post here --- maybe not).
On 7/28/05, Nelson Castillo <nelsoneci at gmail.com> wrote:
> Hi John.
>
> On 7/28/05, John McMonagle <johnm at advocap.org> wrote:
>
> > Find that if I ping the same site from 2 computers it may work on one
> > and fail on the other.
> > Also was surprised that some time they are going out different
> > interfaces at the same time.
>
> Same symptoms I had.
>
> > Have snat on both interfaces
>
> When you SNAT incoming packets, you need to do something different
> from what is in the HOWTO ([4]) because SNAT is done before the
> routing decision (check the Kernel Packet Traveling Diagram [5]).
>
> I had the same problem [1]. The solution is to use conntrack and mark
> packets on arrival, and then route them back using the fwmark[2].
>
> There's no need to tell you I had a hard time with this. There should
> be a warning about this in the HOWTO (in this page [4]).
>
> The proposed solution I quote in [2] worked for me for the
> multiple uplink providers + SNAT problem.
>
> It is (Using the same variables that are in the HOWTO [4]):
>
> 1) Mark packets on arrival:
>
> iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP1 -j MARK --set-mark=1
> iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP2 -j MARK --set-mark=2
>
> And then use the mark to route the outgoing packets correctly:
>
> ip rule add fwmark 1 table T1
> ip rule add fwmark 2 table T2
>
> Regards,
> Nelson.-
>
> PS: I solved my problem with IPVS and multiple uplink providers (see [3]).
>
> [1] http://mailman.ds9a.nl/pipermail/lartc/2005q2/016171.html
> [2] http://mailman.ds9a.nl/pipermail/lartc/2005q2/016441.html
> [3] http://arhuaco.blogspot.com/2005/07/ipvs-and-conntrack.html
> [4] http://lartc.org/howto/lartc.rpdb.multiple-links.html
> [5] http://www.docum.org/docum.org/kptd/
>
> --
> Homepage : http://geocities.com/arhuaco
>
> The first principle is that you must not fool yourself
> and you are the easiest person to fool.
> -- Richard Feynman.
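The rule set Nelson quotes above, put together with the rest of what a two-uplink router running DNAT/SNAT needs, as an added example (this is not code from the thread or from the LARTC HOWTO). Variable names follow the HOWTO; the interface names, addresses, table numbers and the server address are assumed placeholders in RFC 5737 documentation ranges, not a real deployment. The script prints the commands unless APPLY=1 is set, so it can be reviewed without root before it is run on a live router.

```shell
#!/bin/sh
# Added example, not from the original thread: two uplinks with DNAT'd
# servers behind the router.  Replies are marked by the connection's
# ORIGINAL destination (the uplink address the first packet arrived on)
# and the mark selects the routing table, so SNAT-after-routing no longer
# sends replies out of the wrong provider.
# All addresses, interfaces and table ids below are assumed placeholders.
IF1=${IF1:-eth1}; IF2=${IF2:-eth2}                     # uplink interfaces
IP1=${IP1:-198.51.100.10}; IP2=${IP2:-203.0.113.10}    # our address on each uplink
P1=${P1:-198.51.100.1};    P2=${P2:-203.0.113.1}       # each provider's gateway
P1_NET=${P1_NET:-198.51.100.0/24}; P2_NET=${P2_NET:-203.0.113.0/24}
T1=${T1:-1}; T2=${T2:-2}                               # routing table ids
SERVER=${SERVER:-192.168.1.20}                         # web server on the LAN

# Print each command unless APPLY=1, so the rule set can be inspected
# (and this file run without root) before it touches a live router.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Per-provider tables plus the source-address rules from the HOWTO.  These
# only help packets that already carry IP1/IP2 as source, i.e. traffic
# generated on the router itself.
route_tables() {
    run ip route add "$P1_NET" dev "$IF1" src "$IP1" table "$T1"
    run ip route add default via "$P1" table "$T1"
    run ip route add "$P2_NET" dev "$IF2" src "$IP2" table "$T2"
    run ip route add default via "$P2" table "$T2"
    run ip rule add from "$IP1" table "$T1" priority 200
    run ip rule add from "$IP2" table "$T2" priority 201
}

# NAT: publish the server on both uplink addresses; rewrite the source of
# anything leaving an uplink to that uplink's address.
nat_rules() {
    run iptables -t nat -A PREROUTING -i "$IF1" -d "$IP1" -p tcp --dport 80 -j DNAT --to-destination "$SERVER"
    run iptables -t nat -A PREROUTING -i "$IF2" -d "$IP2" -p tcp --dport 80 -j DNAT --to-destination "$SERVER"
    run iptables -t nat -A POSTROUTING -o "$IF1" -j SNAT --to-source "$IP1"
    run iptables -t nat -A POSTROUTING -o "$IF2" -j SNAT --to-source "$IP2"
}

# The fix from the thread.  A reply from SERVER enters PREROUTING with
# source 192.168.1.20, so the "from IP1" rule never matches and the main
# table's default route wins; SNAT only happens afterwards.  conntrack
# still knows the connection's original destination, so mark on that in
# PREROUTING (before routing) and route on the mark.  The fwmark rules get
# lower priority numbers than the source rules so they are consulted first.
mark_rules() {
    run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$IP1" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$IP2" -j MARK --set-mark 2
    run ip rule add fwmark 1 table "$T1" priority 100
    run ip rule add fwmark 2 table "$T2" priority 101
}

# Ask the kernel which way a marked packet would go; with APPLY=1 this
# should show "via $P1 dev $IF1" for mark 1 and "via $P2 dev $IF2" for mark 2.
check_routing() {
    run ip route get 192.0.2.1 mark 1
    run ip route get 192.0.2.1 mark 2
}

emit_all() {
    route_tables
    nat_rules
    mark_rules
    check_routing
}

emit_all
```

The PREROUTING rule covers traffic forwarded for the LAN servers. If the router itself answers on IP1/IP2, add the same two MARK rules to the mangle OUTPUT chain as well; locally generated packets are re-routed after OUTPUT when their mark changes, so the fwmark rule still takes effect for them.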