Hello,

I am trying something crazy here. I have gone through the old archives, lartc.org and lots of documentation, but still something is wrong.

Here is the situation:

The server is Fedora Core 2 running kernel 2.6.5.
I have 2 uplinks to two different ISPs. (It will be 3-4 in the future.) These ISPs should serve the bandwidth to local clients with multiple subnets.
The eth0 of the Linux server is connected to my internal network and also has some aliases.
I have a public IP block 81.8.124.1-81.8.124.63 and also some private IP blocks on the eth0 as aliases.

The diagram of my network is: http://www.asigiz.biz/mynetwork.gif

Here is the list of my IP addresses:

eth0 has ip 172.16.55.1/255.255.255.0
eth0:1 has ip 172.17.56.1/255.255.255.0
eth0:2 has ip 172.17.57.1/255.255.255.0
eth0:3 has ip 172.17.58.1/255.255.255.0
eth0:4 has ip 81.8.124.1/255.255.255.192
eth1 has ip 81.8.120.18/255.255.255.252
eth3 has ip 172.18.10.30/255.255.255.0

One of my internet connections is 81.8.120.18/255.255.255.252 with gateway of 81.8.120.17 (Public).
The other one is 172.18.10.30/255.255.255.0 with gateway of 172.18.10.2 (Behind an ADSL router).

I would like
172.16.55.0/24 to be natted to 81.8.120.18
172.16.56.0/24 to 172.18.10.30
172.16.57.0/24 to 172.18.10.30
172.16.58.0/24 to 81.8.120.18
and 81.8.124.0/24 to go directly. (will be natted to 172.18.10.30 when the link fails)

My nat config is very simple:

INT=eth0 # DSLAM
EXT=eth1 # ISP
EXT2=eth3 # ISP-ADSL
MASQ_NET=172.16.55.0/255.255.255.0 # DSLAM 1
MASQ_NET2=172.16.56.0/255.255.255.0 # DSLAM 2
MASQ_NET3=172.16.57.0/255.255.255.0 # DSLAM 3
MASQ_NET4=172.16.58.0/255.255.255.0 # DSLAM 4
iptables -t nat -F
iptables -t nat -A POSTROUTING -s $MASQ_NET -o $EXT -j MASQUERADE
iptables -t nat -A POSTROUTING -s $MASQ_NET2 -o $EXT2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $MASQ_NET3 -o $EXT2 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $MASQ_NET4 -o $EXT -j MASQUERADE
...

So, up to now most of the things work with only one gateway.
Also, if one of the links fails, the other one automatically takes over with another script.

The problem here is the default gw:

route add default gw 81.8.120.17 # now only the certain networks work

If I want to switch over to the other one:

route del default gw 81.8.120.17
route add default gw 172.18.10.30

Then the other one starts working (with some nat modifications).

So, how can I make this work all the time? (I mean split access/policy based routing.) Currently, I can have only one gateway working at a time.

This is what I have tried so far:

ip route add 81.8.120.16/30 dev eth1 src 81.8.120.18 table 1
ip route add default via 81.8.120.17 table 1
ip route add 172.18.10.0/24 dev eth3 src 172.18.10.30 table 2
ip route add default via 172.18.10.2 table 1
ip rule add from 81.8.120.16/30 lookup 1
ip rule add from 172.18.10.0/24 lookup 2
ip route add default scope global nexthop via 172.18.10.30 dev eth3 weight 1 nexthop via 81.8.124.17 dev eth1 weight 1

Well, any help will be greatly appreciated. I will try some more modifications but just going crazy... I know that I can use both gateways at the same time, but, there should be something I am doing wrong.
Thanks in advance,
Aristo

Here are some more details:

[root@iltekrouter root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
6: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:20:ed:56:0b:bd brd ff:ff:ff:ff:ff:ff
    inet 172.16.55.1/24 brd 172.16.55.255 scope global eth0
    inet 172.16.56.1/24 brd 172.16.255.255 scope global eth0:1
    inet 172.16.57.1/24 brd 172.16.255.255 scope global eth0:2
    inet 172.16.58.1/24 brd 172.16.255.255 scope global eth0:3
    inet 81.8.124.1/26 brd 81.255.255.255 scope global eth0:4
    inet6 fe80::220:edff:fe56:bbd/64 scope link
       valid_lft forever preferred_lft forever
7: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:a7:e4:b6 brd ff:ff:ff:ff:ff:ff
    inet 81.8.120.18/30 brd 81.8.120.19 scope global eth1
    inet6 fe80::201:2ff:fea7:e4b6/64 scope link
       valid_lft forever preferred_lft forever
8: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:80:3b:02 brd ff:ff:ff:ff:ff:ff
    inet 172.18.10.30/24 brd 172.18.10.255 scope global eth3
    inet6 fe80::208:a1ff:fe80:3b02/64 scope link
       valid_lft forever preferred_lft forever
9: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:80:51:7e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::208:a1ff:fe80:517e/64 scope link
       valid_lft forever preferred_lft forever
10: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

[root@iltekrouter root]# ip link list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
6: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:20:ed:56:0b:bd brd ff:ff:ff:ff:ff:ff
7: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:a7:e4:b6 brd ff:ff:ff:ff:ff:ff
8: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:80:3b:02 brd ff:ff:ff:ff:ff:ff
9: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:08:a1:80:51:7e brd ff:ff:ff:ff:ff:ff
10: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

[root@iltekrouter root]# ip route show
81.8.120.16/30 dev eth1 scope link
81.8.124.0/26 dev eth0 proto kernel scope link src 81.8.124.1
172.16.55.0/24 dev eth0 scope link
172.18.10.0/24 dev eth3 scope link
172.16.58.0/24 dev eth0 proto kernel scope link src 172.16.58.1
172.16.57.0/24 dev eth0 proto kernel scope link src 172.16.57.1
172.16.56.0/24 dev eth0 proto kernel scope link src 172.16.56.1
169.254.0.0/16 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via 81.8.120.17 dev eth1

[root@iltekrouter root]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
81.8.120.16     *               255.255.255.252 U         0 0          0 eth1
81.8.124.0      *               255.255.255.192 U         0 0          0 eth0
172.16.55.0     *               255.255.255.0   U         0 0          0 eth0
172.18.10.0     *               255.255.255.0   U         0 0          0 eth3
172.16.58.0     *               255.255.255.0   U         0 0          0 eth0
172.16.57.0     *               255.255.255.0   U         0 0          0 eth0
172.16.56.0     *               255.255.255.0   U         0 0          0 eth0
169.254.0.0     *               255.255.0.0     U         0 0          0 eth3
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         81.8.120.17     0.0.0.0         UG        0 0          0 eth1

[root@iltekrouter root]# uname -a
Linux iltekrouter.iltek.net 2.6.5-1.358 #1 Sat May 8 09:04:50 EDT 2004 i686 i686 i386 GNU/Linux

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
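
An added example, not part of the original post: a small Python consistency check run over the routing commands quoted in the message, using the addresses from its `ip addr show` output. The names `gateway_problem` and `lint` are hypothetical, the parser handles only the command forms that appear in this message, and the client-subnet check assumes forwarded traffic is matched by `ip rule` on its original source address, since the routing decision is made before POSTROUTING NAT.

```python
import ipaddress

# Addresses copied from the `ip addr show` output in the post.
IFACES = {
    "eth0": ["172.16.55.1/24", "172.16.56.1/24", "172.16.57.1/24",
             "172.16.58.1/24", "81.8.124.1/26"],
    "eth1": ["81.8.120.18/30"],
    "eth3": ["172.18.10.30/24"],
}
# NATed client subnets, from the MASQ_NET* variables in the post.
CLIENTS = ["172.16.55.0/24", "172.16.56.0/24", "172.16.57.0/24", "172.16.58.0/24"]
# Commands copied verbatim from "This is what I have tried so far".
TRIED = """\
ip route add 81.8.120.16/30 dev eth1 src 81.8.120.18 table 1
ip route add default via 81.8.120.17 table 1
ip route add 172.18.10.0/24 dev eth3 src 172.18.10.30 table 2
ip route add default via 172.18.10.2 table 1
ip rule add from 81.8.120.16/30 lookup 1
ip rule add from 172.18.10.0/24 lookup 2
ip route add default scope global nexthop via 172.18.10.30 dev eth3 weight 1 nexthop via 81.8.124.17 dev eth1 weight 1
"""

def gateway_problem(gw, dev=None):
    """Why gw cannot be a next hop on dev (any device if None); None if it can."""
    addrs = [ipaddress.ip_interface(a)
             for d in ([dev] if dev else IFACES) for a in IFACES[d]]
    if any(ipaddress.ip_address(gw) == a.ip for a in addrs):
        return "is the router's own address"
    if not any(ipaddress.ip_address(gw) in a.network for a in addrs):
        return "is not on a subnet of " + (dev or "any interface")
    return None

def lint(commands):
    findings, defaults, rules = [], set(), []
    for w in (line.split() for line in commands.strip().splitlines()):
        if w[1] == "rule":  # ip rule add from PREFIX lookup TABLE
            rules.append((w[w.index("lookup") + 1], ipaddress.ip_network(w[w.index("from") + 1])))
            continue
        if w[3] == "default":  # remember which tables receive a default route
            defaults.add(w[w.index("table") + 1] if "table" in w else "main")
        for i in [i for i, tok in enumerate(w) if tok == "via"]:
            dev = w[i + 3] if w[i + 2:i + 3] == ["dev"] else None
            if why := gateway_problem(w[i + 1], dev):
                findings.append(f"next hop {w[i + 1]} {why}")
    findings += [f"table {t} has a rule but no default route"
                 for t in sorted({t for t, _ in rules}) if t not in defaults]
    findings += [f"no rule matches client subnet {c}" for c in CLIENTS
                 if not any(ipaddress.ip_network(c).subnet_of(r) for _, r in rules)]
    return findings
```
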