<snip>
I have a private lan that is connected to the world via 3 dsl lines. I put
up a linux box that handles all the dsl lines, lan gateway and all is
working well...until...one of the dsl lines goes down. My routing table is:
x.x.x.x dev ppp0 proto kernel scope link src x.x.x.x
x.x.x.x dev ppp1 proto kernel scope link src x.x.x.x
x.x.x.x dev ppp2 proto kernel scope link src x.x.x.x
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
255.255.255.0/24 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default equalize
nexthop via x.x.x.x dev ppp0 weight 1
nexthop via x.x.x.x dev ppp1 weight 1
nexthop via x.x.x.x dev ppp2 weight 1
When one of the dsl lines has trouble (temporarily looses sync, etc), the
kernel takes the entire default route out until the line comes back up.
When the line comes up, it puts a single default route back in instead of
the multipath route. If I can make it so the multipath route is maintained
even when one of the dsl lines goes down, that would be great. Is there a
way to have just one of the hops removed from the default multipath while
the line is down and then reinserted back in as a hop in the multipath
route? Thanks for any input.
-Chris
</snip>
Do you have the stateful firewall settings in your script?
According to nano.txt
http://www.ssi.bg/~ja/nano.txt
"At least for netfilter (not sure for ipfwadm/ipchains), the firewall
must be stateful. This can be done by:
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED \
-j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED \
-j ACCEPT
iptables -t nat -A keep_state -j RETURN
and calling this at the beginning of the script:
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state
"
I have a private lan that is connected to the world via 3 dsl lines. I put
up a linux box that handles all the dsl lines, lan gateway and all is
working well...until...one of the dsl lines goes down. My routing table is:
x.x.x.x dev ppp0 proto kernel scope link src x.x.x.x
x.x.x.x dev ppp1 proto kernel scope link src x.x.x.x
x.x.x.x dev ppp2 proto kernel scope link src x.x.x.x
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
255.255.255.0/24 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default equalize
nexthop via x.x.x.x dev ppp0 weight 1
nexthop via x.x.x.x dev ppp1 weight 1
nexthop via x.x.x.x dev ppp2 weight 1
When one of the dsl lines has trouble (temporarily looses sync, etc), the
kernel takes the entire default route out until the line comes back up.
When the line comes up, it puts a single default route back in instead of
the multipath route. If I can make it so the multipath route is maintained
even when one of the dsl lines goes down, that would be great. Is there a
way to have just one of the hops removed from the default multipath while
the line is down and then reinserted back in as a hop in the multipath
route? Thanks for any input.
-Chris
</snip>
Do you have the stateful firewall settings in your script?
According to nano.txt
http://www.ssi.bg/~ja/nano.txt
"At least for netfilter (not sure for ipfwadm/ipchains), the firewall
must be stateful. This can be done by:
iptables -t filter -N keep_state
iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED \
-j ACCEPT
iptables -t filter -A keep_state -j RETURN
iptables -t nat -N keep_state
iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED \
-j ACCEPT
iptables -t nat -A keep_state -j RETURN
and calling this at the beginning of the script:
iptables -t nat -A PREROUTING -j keep_state
iptables -t nat -A POSTROUTING -j keep_state
iptables -t nat -A OUTPUT -j keep_state
iptables -t filter -A INPUT -j keep_state
iptables -t filter -A FORWARD -j keep_state
iptables -t filter -A OUTPUT -j keep_state
"
/sbin/iptables-save
# Generated by iptables-save v1.2.7a on Wed Mar 24 15:54:00
2004
*nat
:PREROUTING ACCEPT [9983:812849]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:174]
:keep_state - [0:0]
-A PREROUTING -j keep_state
-A POSTROUTING -o ppp+ -j MASQUERADE
-A POSTROUTING -j keep_state
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Wed Mar 24 15:54:00 2004
# Generated by iptables-save v1.2.7a on Wed Mar 24 15:54:00 2004
*filter
:INPUT ACCEPT [1020:161876]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [425:33288]
:keep_state - [0:0]
-A INPUT -i lo -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -m state --state INVALID -j DROP
-A INPUT -i ppp+ -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -p tcp -j DROP
-A INPUT -i ppp+ -p udp -j DROP
-A INPUT -i ppp+ -p icmp -j DROP
-A INPUT -j keep_state
-A FORWARD -i ppp+ -o eth+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth+ -o ppp+ -j ACCEPT
-A FORWARD -j keep_state
-A OUTPUT -o lo -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp+ -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Wed Mar 24 15:54:00 2004
*nat
:PREROUTING ACCEPT [9983:812849]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:174]
:keep_state - [0:0]
-A PREROUTING -j keep_state
-A POSTROUTING -o ppp+ -j MASQUERADE
-A POSTROUTING -j keep_state
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Wed Mar 24 15:54:00 2004
# Generated by iptables-save v1.2.7a on Wed Mar 24 15:54:00 2004
*filter
:INPUT ACCEPT [1020:161876]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [425:33288]
:keep_state - [0:0]
-A INPUT -i lo -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -m state --state INVALID -j DROP
-A INPUT -i ppp+ -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i ppp+ -p tcp -j DROP
-A INPUT -i ppp+ -p udp -j DROP
-A INPUT -i ppp+ -p icmp -j DROP
-A INPUT -j keep_state
-A FORWARD -i ppp+ -o eth+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth+ -o ppp+ -j ACCEPT
-A FORWARD -j keep_state
-A OUTPUT -o lo -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ppp+ -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -j keep_state
-A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
-A keep_state -j RETURN
COMMIT
# Completed on Wed Mar 24 15:54:00 2004
The
link you reference (http://www.ssi.bg/~ja/nano.txt) suggests several patches to be
applied to the kernel for the routing described to be possible. I would
like to do this, but it is a company box and they want a "standard" installation
which basically means no patching for me. The box is running the most up
to date kernel for a RedHat 9.0 install. Thanks for any
input.
-Chris
