Re: [LARTC] two upstreams without nat

Linux Advanced Routing and Traffic Control

	Hello,

On Wed, 25 Jun 2003, Tomas Bonnedahl wrote:

> I'm in the process of configuring our network to have two upstream
> providers. It will be load balanced under normal operation, with a
> complete failover if one of the lines fails.
>
> internet          internet
>    |                 |
> border            border
>    |                 |
>    |-- core router --|
>           |
>          lan

	The problem is that the multipath route assumes one packet
can go through any of the defined nexthops. This is valid for setups
with many ISPs allowing spoofing: you can safely send a packet with
saddr=IP1 via ISP2, and this works as long as ISP1 is UP to receive
the replies from remote hosts. But for your setup there is one
requirement: once one connection is routed via Border X, all its
packets should go via the same border router for NAT purposes.
Even the related ICMP traffic. And this works ... for some time,
until the routing cache is flushed and a different border router is
selected from the multipath route. The connection usually dies.

> The "problem" I'm having is that I will not do NAT on the core router, but on the border routers.
> The multipath default route is on the core router. From what I understand (could be totally wrong),
> you have to have NAT, or at least connection tracking, on the core to make the multipath route per
> flow and not per packet.

	I'm not sure the Linux conntracking has such a feature. IIRC,
netfilter follows the routing decision, i.e. nobody guarantees
that packets from one connection will continue to use the same nexthop
while it is alive. Considering the fact that all cache entries
expire (on user request or on timeout), the current implementation
cannot guarantee such persistence for the forwarded connections
that have multiple possible paths. This works only if the core router
performs NAT and the NAT implementation does not blindly
follow the multipath route decision. The problem can be solved in
this way: the NAT connection requests a route with saddr=the external
IP address attached for this connection. As a result, the multipath
route is avoided and the traffic for one connection is bound to
one ISP (usually): http://www.ssi.bg/~ja/#routes

> any insight of this?
>
>
> -tomas bonnedahl

Regards

--
Julian Anastasov <ja@xxxxxx>
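Added example (not part of the thread above, and not Julian's patches at the
URL he links): one way to meet the condition his reply sets out, that the
core router does the NAT and that later packets of a connection do not go
back through the multipath route. It pins each connection to the ISP chosen
for its first packet with a conntrack mark (CONNMARK) restored before the
route lookup, so a fwmark rule picks the per-ISP table and only unmarked
(new) connections ever reach the multipath default. Related ICMP is tracked
against the same conntrack entry, so it inherits the mark. Inbound
connections are marked by the interface they arrived on, so their replies
leave on the same link. All addresses, interface names, table ids and mark
values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: keep forwarded, NATed
# connections on the ISP that their first packet was routed over, using
# conntrack marks rather than the routing cache. Runs on the core router,
# which therefore has to do the NAT itself. All addresses, interface
# names, table ids and marks below are assumptions.

IF_LAN=eth0                                      # assumed LAN interface
IP1=198.51.100.10; GW1=198.51.100.1; IF1=eth1    # ISP1 (assumed)
IP2=203.0.113.10;  GW2=203.0.113.1;  IF2=eth2    # ISP2 (assumed)
LAN=192.168.0.0/24                               # assumed internal net
T1=101; T2=102                                   # per-ISP tables (assumed)

# gen_rules prints the ip(8)/iptables(8) commands instead of running
# them, so they can be reviewed first and applied with: ./script apply
gen_rules() {
    cat <<EOF
# One default route per ISP, selected by firewall mark ahead of main.
ip route replace default via $GW1 dev $IF1 table $T1
ip route replace default via $GW2 dev $IF2 table $T2
ip rule add fwmark 1 lookup $T1 pref 100
ip rule add fwmark 2 lookup $T2 pref 100
# Unmarked (new) connections fall through to the multipath default.
ip route replace default scope global \\
    nexthop via $GW1 dev $IF1 weight 1 \\
    nexthop via $GW2 dev $IF2 weight 1
# Copy the connection's mark onto every packet before the route lookup,
# so later packets (and related ICMP, which conntrack ties to the same
# entry) hit the fwmark rule instead of the multipath route.
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Inbound connections: remember which ISP they arrived on.
iptables -t mangle -A PREROUTING -i $IF1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
iptables -t mangle -A PREROUTING -i $IF2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
# Outbound connections: remember the ISP the first packet was routed to.
iptables -t mangle -A POSTROUTING -o $IF1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
iptables -t mangle -A POSTROUTING -o $IF2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
# SNAT per egress link. The mark keeps the link fixed for the connection,
# so the NATed source address and the egress ISP always agree.
iptables -t nat -A POSTROUTING -s $LAN -o $IF1 -j SNAT --to-source $IP1
iptables -t nat -A POSTROUTING -s $LAN -o $IF2 -j SNAT --to-source $IP2
EOF
}

# Number of rules that bind a mark to an ISP table (sanity check: one per ISP).
count_fwmark_rules() {
    gen_rules | grep -c '^ip rule add fwmark'
}

if [ "${1:-}" = apply ]; then
    gen_rules | sh      # apply on the router (needs root)
else
    gen_rules           # default: just show what would be applied
fi
```

Walk-through for an outbound flow: the first packet from the LAN restores
mark 0, so the main table's multipath route picks a link, say eth1; the
mangle POSTROUTING rule stores mark 1 in the conntrack entry and SNAT maps
the source to IP1. Every later packet of that connection restores mark 1
in PREROUTING and is routed by table 101 to GW1, regardless of what the
multipath route would choose after a cache flush. Tables, marks and pref
values must not collide with anything already configured on the router.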



