On Tue, 4 Dec 2001, Julian Anastasov wrote:

> Hello,
>
> On Mon, 3 Dec 2001, Whit Blauvelt wrote:
>
> > On Mon, Dec 03, 2001 at 11:04:20PM +0100, Arthur van Leeuwen wrote:
> >
> > > - What weirdness should I look out for?
> > >
> > > OpenSSH sets up the TOS fields *after* authenticating. This breaks the
> > > entries in the route-cache, as they are keyed on source, destination and TOS
> > > field.
> >
> > Hmm, I use OpenSSH all the time. Does this fully break it, or just add some
> > flakiness?
>
> It breaks only the plain kernel. The patches use the
> multipath routes only for the first packet.

Okay, I've read both the nanohowto and the docs on Julian's patches by now. A few things to note: the nanohowto's information is good even without Julian's patches, although things will become trickier. One has to do one's own link-probing and rerouting from userland. That is very doable however, provided you have machines somewhere at the ISP's site that will answer to either pings or traceroutes or somesuch, as you will need answers.

The patches Julian provided fix a bunch of nastiness. For one, dead gateway detection is done on the ARP level in kernelspace. Very neat when you have ARP, thus on ethernet, but not very useful without. Furthermore, they provide true alternative routes, not only multipath default routes. This is once more extremely neat, but not directly necessary for the usual case. Thirdly, Julian's patches add gateways as a routing key. This will not help pure routing boxes, such as would be standard issue in an office full of Windows toasters, as the gateway will be determined at the routing stage, so it cannot be used as a key.

The *main* reason to use Julian's patches is the masquerading connection rerouting. This will fix the big bugs in your setup by just redirecting a masqueraded connection out to a different interface when the old one is dead. This is *very* cool on UDP, and will make UDP failover to another route fully transparent. However, it will not fix stateful protocols in which the server on the other side keeps state on the IP address it was talking to, such as SSH. It will fix the TOS nastiness OpenSSH brings to the fore, as it will *reroute* after masquerading. Bit of a hack, that. I simply nixed the TOS bits in the firewalling code. :)

Summarizing: Yes, you can do equal cost multipath. Yes it is cool. Yes it can be made nicer and friendlier to set up using Julian's patches. However, it will not be an ideal solution. Things *will* break. Load will just be approximately balanced. Failover is in most cases definitely not transparent to the user: new connections have to be set up. If the links stay up though, equal cost multipath is a *good* thing.

Oh, and it does work on >2 uplinks. I've set up a system for a client using 1 ISDN line, 2 ADSL links (with the Dutch MXStream cruftiness, but I digress) and 1 cable modem using masquerading only on the last three, using the standard kernel (Julian's patches didn't exist a year ago, when I did this). Worked splendidly (and still does, I'm told). Needed some manual supervision though, as link failover and especially failback is *not* trivial.

Doei, Arthur.

-- 
 /\    / |  arthurvl@xxxxxxxxxx          | Work like you don't need the money
/__\  /  |  A friend is someone with whom | Love like you have never been hurt
/    \/__ |  you can dare to be yourself    | Dance like there's nobody watching
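The userland link-probing and rerouting that the post says a stock kernel leaves to you, written out as an added example (this is not code from the post, from Julian's patches or from the LARTC nanohowto). It probes each uplink from its own interface, rebuilds the equal-cost multipath default route from the links that answered, and flushes the route cache afterwards, since cached entries (keyed on source, destination and TOS, as the quoted text notes) would otherwise keep steering existing flows at a dead gateway. All interface names, gateways, probe hosts and weights are made-up placeholders, and a host route to each probe host via its own gateway is assumed to already exist so that the probe really leaves on the link under test; the `ping` options are those of Linux iputils.

```shell
#!/bin/sh
# Added example: userland uplink monitor for equal-cost multipath default routes
# on a plain kernel (no ARP-level dead gateway detection). Not from the post.
# Assumptions (hypothetical values): the uplink table below is made up, and a
# host route per probe host via its own gateway is assumed to be in place, e.g.
#   ip route replace 192.0.2.10 via 10.0.0.1 dev eth1
# so the probe packet actually goes out the link being tested.

# One uplink per line: name dev gateway probe_host weight
UPLINKS="adsl1 eth1 10.0.0.1 192.0.2.10 1
adsl2 eth2 10.0.1.1 198.51.100.10 1
cable eth3 10.0.2.1 203.0.113.10 1"

# Probe a link: one ping from the link's own interface with a 2s timeout
# (iputils: -I interface, -W timeout). $1=dev $2=probe_host
ping_probe() {
    ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1
}

# Indirection so the probe can be swapped (a traceroute-based probe, or a fake
# one when exercising the script without real links).
probe_link() {
    "${PROBE_CMD:-ping_probe}" "$@"
}

# Print "name dev gw weight" for every uplink whose probe succeeded.
alive_uplinks() {
    printf '%s\n' "$UPLINKS" | while read -r name dev gw host weight; do
        [ -n "$name" ] || continue
        if probe_link "$dev" "$host"; then
            printf '%s %s %s %s\n' "$name" "$dev" "$gw" "$weight"
        fi
    done
}

# Read "name dev gw weight" lines on stdin and print the ip(8) command that
# installs the matching default route. No live links: return 1 and print
# nothing (better to leave the old route than to delete it). One link: a plain
# default route. Several: an equal-cost multipath route with per-nexthop weights.
build_default_route() {
    count=0
    nexthops=""
    single=""
    while read -r name dev gw weight; do
        [ -n "$name" ] || continue
        count=$((count + 1))
        single="via $gw dev $dev"
        nexthops="$nexthops nexthop via $gw dev $dev weight $weight"
    done
    case $count in
    0) return 1 ;;
    1) printf 'ip route replace default %s\n' "$single" ;;
    *) printf 'ip route replace default scope global%s\n' "$nexthops" ;;
    esac
}

# Recompute and install the default route. The cache flush matters: the route
# cache is keyed on src/dst/TOS and would keep handing existing flows to a
# gateway that just died. Set DRY_RUN=1 to only print the command.
reroute() {
    cmd=$(alive_uplinks | build_default_route) || {
        echo "all uplinks down, leaving routes alone" >&2
        return 1
    }
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$cmd"
    else
        $cmd && ip route flush cache   # unquoted on purpose: word-split the command
    fi
}

# Run once per invocation; call from cron every minute for failover and failback.
if [ "${1:-}" = "--run" ]; then
    reroute
fi
```

Failback is the part the post calls non-trivial, and this script makes it automatic: a link that starts answering again is put back into the nexthop list on the next run. That is also its weakness, since a flapping link gets re-added (and the cache flushed) every minute; a real deployment would want hysteresis, such as requiring several consecutive successful probes before re-adding a link.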