开发者

How to make iproute2 multiple uplinks work with masquerading

I've the following problem with routing + NAT: If I've two ISP and I'm u开发者_如何学编程sing two nexthop in default route with MASQUERADE on both ISP links, I see routing cache regenerated, but sometimes packets sent to a new link (after cache regeneration) uses wrong source address for masquerading.

Here is the config.

I've two links to outside via two different providers: eth1 and eth2 eth0 is the LAN

$ ip a (part of output, since we have 3 more interfaces disabled)

2: eth1: mtu 1500 qdisc pfifo_fast qlen 1000

inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1

3: eth2: mtu 1500 qdisc pfifo_fast qlen 1000

inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2

6: eth0: mtu 1500 qdisc pfifo_fast qlen 1000

inet 192.168.5.1/24 brd 192.168.5.255 scope global eth0

Roting tables:

$ ip r 192.168.5.0/24 dev eth0 proto kernel scope link src 192.168.5.1

192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254

192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254

default nexthop via 192.168.1.1 dev eth1 weight 1

nexthop via 192.168.2.1 dev eth2 weight 1

$ ip r s t eth1

default via 192.168.1.1 dev eth1

$ ip r s t eth2

default via 192.168.2.1 dev eth2

Rules:

$ ip ru

0: from all lookup local

32450: from 192.168.2.254 lookup eth2

32717: from 192.168.5.124 lookup eth1

32766: from all lookup main

32767: from all lookup default

Q1: if I do pings from two PC in LAN: 5.137 and 5.147, to the same IP (195.60.1.1) how can they go via different links (ping 195.60.1.1 is run on both computers)?

$ ip r g 195.60.1.1 from 192.168.5.137 iif eth0

195.60.169.6 from 192.168.5.137 via 192.168.1.1 dev eth1 src 192.168.5.1

cache mtu 1500 advmss 1460 hoplimit 128 iif eth0

$ ip r g 195.60.1.1 from 192.168.5.147 iif eth0

195.60.169.6 from 192.168.5.147 via 192.168.2.1 dev eth2 src 192.168.5.1

cache mtu 1500 advmss 1460 hoplimit 128 iif eth0

The routing in my case should be the same for all users. it should send packets to the same destination via the same link always (even if the source IP is different). isn't it?

Q2: Sometimes I see in tcpdump on external interfaces that the routing cache was regenerated. This can be forced by ip r f t cache. This sometimes results in change of the link for my pings. But one of two machines suddenly looses connection. From tcpdump I found that this happens because the routing has decided to use another link, but the MASQUERADE was not updated according:

$ tcpdump -i eth1

IP 192.168.2.254 > 195.60.1.1: ICMP echo request, id 10677, seq 242, length 64

IP 192.168.1.254 > 195.60.1.1: ICMP echo request, id 37387, seq 244, length 64 IP 195.60.1.1 > 192.168.1.254: ICMP echo reply, id 37387, seq 244, length 64

The second and third packets are request-reply from/to 5.137

The first packet is the request from .5.147 with wrong source address on that interface due to MASQUERADE not updated after the routing cache purge - hence, no reply, since the source address of the MASQUERADEd packet is wrong.

Here is my MASQUERADE setting

$ iptables -L -t nat

Chain POSTROUTING (policy ACCEPT 752K packets, 48M bytes)

pkts bytes target prot opt in out source destination

2840K 256M MASQUERADE all -- any eth1 192.168.5.0/24 anywhere

2491K 229M MASQUERADE all -- any eth2 192.168.5.0/24 anywhere

I understand that I can use conntrack to mark packets, but it is a little bit more complicated. I would prefer to use destination IP as the key for routing. What is wrong in this scenario? why routing cache purges do not notify NAT-engine about changes in routing?


Ok, the answer was finally found using search engines.

This particular behaviour is a bug in the Linux kernel known at least since 2005. Julian Anastasov has written a patch to workaround this error (see http://www.ssi.bg/~ja/#routes)

Anyway, it was found that the chosen scenario with load balancing and NAT is not good, since it may break authorization on some sites and makes Jabber and Skype flicker due to recache of routes resulting in changes of routes for each destination (since we use NAT, the external IP changes too and Skype and other services sees you as logged in from another computer).

Much better way to share multiple links over a big office is to split users by channels. So, we assigned a preferred channel for each computer in our network and if that channel is not up we choose any other channel for the computer. This strategy keeps the same external IP (after NATing) for every computer in our network. Setting up preferred channel allows us to send critical employee via faster channels, while employee dealing with big files over low cos wide but slow channels. We use 4 channels, since all ISP in our region goes down at least 2 times a week for several hours.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜