On Wed, 22 Feb 2012 01:22:02 -0600, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> I think the LB setup was suffering more from NAT than from routing issues.
> It is perfectly reasonable to expect that load balancer to work. Just as it
> would be perfectly reasonable to expect a router with an intermittent
> primary uplink to work with the same output style. Only NAT on the LB's
> outbound interface or at the ISP level would cause the broken behaviour you
> describe.
>
> AYJ
I would certainly like to understand WHY I had to use connmarks to keep the packets belonging to a connection on the right interface. However, I don't believe the problem was NAT, because the only changes I had to make to get this load-balancing router to work (that is, to stop breaking connections) were the ones I mentioned in a previous post. I did not add or change any NAT rules. The router is doing NAT the way it was before, set up with a command like this for each interface:

    iptables -t nat -A POSTROUTING -o ${interface} -j SNAT --to-source ${!wan}

Furthermore, on this router I was already using connmark to mark and route packets for those destinations and origin IPs for which we did not want to have load-balancing. This, by the way, worked fine (connections were not broken). The only thing I added to fix the connection-breaking was marking of NEW packets after netfilter had made the routing decision (based on either the routing cache or round-robin distribution).

I would like to know whether or not anyone has succeeded in doing load-balancing with "nexthop via..." over interfaces with *private* IPs.

-- 
Lloyd
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
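The setup Lloyd describes (a multipath "nexthop via" default route, per-interface SNAT, and a connmark set on NEW packets only after the routing decision so that the rest of the connection stays on the same uplink) can be written down as one ruleset. The script below is an added example and is not Lloyd's or Amos's configuration; the interface names, the private WAN addresses, the gateways and the mark values 1 and 2 are assumptions. It defaults to printing the commands rather than running them, since the real thing needs root and two uplinks.

```shell
#!/bin/sh
# Added example (not from the thread): two-WAN policy routing where each
# connection is pinned to the uplink the multipath route chose for its first
# packet. Interface names, addresses and gateways are assumed values.
set -eu

LAN=${LAN:-eth0}
WAN1=${WAN1:-eth1}; WAN1_IP=${WAN1_IP:-192.168.1.2}; GW1=${GW1:-192.168.1.1}
WAN2=${WAN2:-eth2}; WAN2_IP=${WAN2_IP:-192.168.2.2}; GW2=${GW2:-192.168.2.1}
DRY_RUN=${DRY_RUN:-1}   # 1: print the commands, 0: execute them (root needed)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

wan_rules() {
    # One routing table per uplink; fwmark N selects table N.
    run ip route replace default via "$GW1" dev "$WAN1" table 1
    run ip route replace default via "$GW2" dev "$WAN2" table 2
    run ip rule add fwmark 1 table 1
    run ip rule add fwmark 2 table 2

    # Main table: multipath default route. Unmarked packets (i.e. the first
    # packet of a NEW connection) are spread over the uplinks by the kernel.
    run ip route replace default scope global \
        nexthop via "$GW1" dev "$WAN1" weight 1 \
        nexthop via "$GW2" dev "$WAN2" weight 1

    # Reverse-path filtering in strict mode can drop replies that arrive on the
    # uplink the main table would not have picked; loose mode (2) avoids that.
    run sysctl -w "net.ipv4.conf.$WAN1.rp_filter=2" "net.ipv4.conf.$WAN2.rp_filter=2"

    # SNAT per outbound interface, as in the original post.
    run iptables -t nat -A POSTROUTING -o "$WAN1" -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN2" -j SNAT --to-source "$WAN2_IP"

    # Before routing: packets of an already-marked connection get the saved mark
    # back, so the fwmark rules send them via the uplink the connection started on.
    # Restricted to LAN ingress so that replies from the Internet still use the
    # main table to reach the LAN.
    run iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # After routing (mangle POSTROUTING): the first packet of a NEW connection
    # carries no mark yet; record which uplink the routing decision chose and
    # store it on the conntrack entry. Packets already marked elsewhere (for
    # example destinations excluded from load balancing) are left alone.
    run iptables -t mangle -A POSTROUTING -o "$WAN1" -m conntrack --ctstate NEW \
        -m mark --mark 0 -j MARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o "$WAN2" -m conntrack --ctstate NEW \
        -m mark --mark 0 -j MARK --set-mark 2
    run iptables -t mangle -A POSTROUTING -m conntrack --ctstate NEW -j CONNMARK --save-mark

    # Drop any cached per-destination choice so the new rules apply immediately.
    run ip route flush cache
}

wan_rules
```

Run it as-is to review the generated commands; `DRY_RUN=0 sh script.sh` applies them. The order matters: restore-mark must run before the routing decision (PREROUTING/OUTPUT) and the NEW-connection marking after it (POSTROUTING, matched on `-o`), which is exactly the "mark after the routing decision" step from the post.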