multiple uplinks

Petr Bartel bartel na irix.cz
Saturday June 28 08:56:33 CEST 2008


Mainly it seems to me that the packet does not go back through the same interface it came in on
(or the one it should have). Does e.g. openvpn have to have its own SNAT if
the clients only have one of those public addresses? I tried to
watch it with tcpdump. I understand I'm repeating myself, but a
little nudge would really help me.

thanks in advance

Best regards
    Petr Bartel
-- 
**************************************************
* ICQ 74097173                  tel. 312 244 018 *
* Irix a.s.        Petr Bartel            servis *
*                Key fingerprint                 *
8DB8 3AB2 6865 45F4 3E84  4980 CCED 20B1 CC6B B649
**************************************************

On Fri, Jun 27, 2008 at 03:38:01PM CEST, bartel na irix.cz wrote:
> Hello,
> I have been wrestling with this almost all day and unfortunately I still
> can't get it set up so that everything works
> 
> the situation is as follows
> 
> 
>              internet
>      -----------------------------
>       || Wireless       || ADSL
>       || 212.24.137.41  || 10.0.0.254
>    ---------------------------------
>    |  eth2              eth3       |
>    | 212.24.137.42/30 10.0.0.1/24  |                              
>    |                               |
>    |    10.8.8.1/24 VPN tun0       |
>    |                               |
>    |  eth0              eth1       |
>    | 192.168.99.1/24 82.113.44.1/27|
>    |                 192.168.1.0/24|
>    ---------------------------------
>       ||                  ||
>      local network   DMZ + local network of one customer
> 
> this is what the routing table looked like before the changes
> 
> 10.8.8.2 dev tun0  proto kernel  scope link  src 10.8.8.1 
> 212.24.137.40/30 dev eth2  proto kernel  scope link  src 212.24.137.42 
> 82.113.44.0/27 dev eth1  proto kernel  scope link  src 82.113.44.1 
> 10.0.0.0/24 dev eth3  proto kernel  scope link  src 10.0.0.1 
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1 
> 192.168.99.0/24 dev eth0  proto kernel  scope link  src 192.168.99.1 
> 10.8.8.0/24 via 10.8.8.2 dev tun0 
> default via 212.24.137.41 dev eth2 
> 
> 
> I'm trying to set up a backup link (failover) and load balancing
> I followed
> 
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
> http://linux-ip.net/html/adv-multi-internet.html
> http://www.debian-administration.org/articles/377
> 
> as follows
> 
> I created entries for 2 new tables in /etc/iproute2/rt_tables
> 
> 201     uplink1
> 202     uplink2
> 
> then
> 
> P1_NET=212.24.137.40/30
> IF1=eth2
> IP1=212.24.137.42
> P1=212.24.137.41
> 
> P2_NET=10.0.0.0/24
> IF2=eth3
> IP2=10.0.0.1
> P2=10.0.0.254
> 
> ip route del default via 212.24.137.41 dev eth2
> 
> ip route flush table uplink1
> ip route flush table uplink2
> 
> ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table uplink1 $ROUTE; done
> ip route add default via $P1 table uplink1
> ip route show table main | grep -Ev ^default | while read ROUTE ; do ip route add table uplink2 $ROUTE; done
> ip route add default via $P2 table uplink2
> 
> ip rule del from $IP1 table uplink1
> ip rule del from $IP2 table uplink2
> ip rule add from $IP1 table uplink1
> ip rule add from $IP2 table uplink2
> 
> ip route del proto static default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1
> ip route add proto static default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1
> 
> then I have a stateful firewall with iptables
> 
> where, among other things, I do SNAT for those two local networks
> 
> iptables -t nat -A POSTROUTING -s 192.168.99.0/255.255.255.0 -o \
> eth2 -j SNAT --to-source 212.24.137.42
> iptables -t nat -A POSTROUTING -s 192.168.99.0/255.255.255.0 -o \
> eth3 -j SNAT --to-source 10.0.0.1
> ...
> 
> hopefully that is enough information
> 
> problems:
> 
> openvpn keeps disconnecting and reconnecting with the clients (bad routing, probably?)
> some of the servers in the DMZ are sometimes not visible from the internet (quite
> strangely, e.g. one of two, or only while the vpn is running...)
> 
> so if you see some mistake there or have any advice on how to push it
> in the right direction, I'd be very glad
> 
> thank you
> 
>    Petr Bartel
> 
> -- 
> **************************************************
> * ICQ 74097173                  tel. 312 244 018 *
> * Irix a.s.        Petr Bartel            servis *
> *                Key fingerprint                 *
> 8DB8 3AB2 6865 45F4 3E84  4980 CCED 20B1 CC6B B649
> **************************************************
> 
> _______________________________________________
> Linux mailing list
> Linux na linux.cz
> http://www.linux.cz/mailman/listinfo/linux
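As an added example (not the poster's script and not from either reply), one way to keep replies on the uplink they arrived through: tag each new inbound connection with the uplink it entered on (CONNMARK), restore that tag on every later packet, and route by the mark; the 82.113.44.0/27 DMZ block also gets a source rule, because the posted `from $IP1` / `from $IP2` rules cover only the router's own uplink addresses and leave DMZ traffic to the multipath default route. Interfaces, addresses and the uplink1/uplink2 tables are taken from the post; RUN is an assumed dry-run switch.

```shell
#!/bin/sh
# Added example (not the poster's script). Addresses, interfaces and the
# uplink1/uplink2 tables come from the thread. RUN is an assumed dry-run
# switch: it defaults to "echo", so the commands are only printed; running
# the script as root with RUN= (empty) applies them.
RUN=${RUN-echo}

IF1=eth2; IP1=212.24.137.42   # wireless uplink
IF2=eth3; IP2=10.0.0.1        # ADSL uplink
DMZ_NET=82.113.44.0/27        # public DMZ on eth1, reachable only via the wireless uplink

# Tag each new connection with the uplink it entered through, then copy that
# tag onto every later packet of the connection, so the reply is routed by
# the mark and leaves through the same uplink it came in on.
mark_connections() {
    $RUN iptables -t mangle -A PREROUTING -i $IF1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
    $RUN iptables -t mangle -A PREROUTING -i $IF2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
    # restore the mark on forwarded packets and on locally generated replies (e.g. openvpn)
    $RUN iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $RUN iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Policy rules: marked packets follow their uplink's table; the DMZ block
# gets a source rule so its outbound traffic does not fall through to the
# multipath default route and leave via the ADSL line with the wrong source.
add_rules() {
    $RUN ip rule add fwmark 1 table uplink1
    $RUN ip rule add fwmark 2 table uplink2
    $RUN ip rule add from $IP1 table uplink1
    $RUN ip rule add from $IP2 table uplink2
    $RUN ip rule add from $DMZ_NET table uplink1
    $RUN ip route flush cache
}

mark_connections
add_rules
```

Check the result with `ip rule show` and `iptables -t mangle -L -v`, then watch one DMZ reply with tcpdump on both uplinks to confirm it leaves through the interface the request arrived on.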


