multiple uplinks
Petr Bartel
bartel na irix.cz
Saturday June 28 08:56:33 CEST 2008
Mainly it seems to me that the packet does not go back through the same interface
it came in on (or through which it should have). Does e.g. openvpn need its own SNAT if
the clients have only one of those public addresses? I tried to follow it
with tcpdump. I understand I am repeating myself, but a nudge in the right direction
would really help me.
Thanks in advance
Regards
Petr Bartel
--
**************************************************
* ICQ 74097173 tel. 312 244 018 *
* Irix a.s. Petr Bartel servis *
* Key fingerprint *
8DB8 3AB2 6865 45F4 3E84 4980 CCED 20B1 CC6B B649
**************************************************
On Fri, Jun 27, 2008 at 03:38:01PM CEST, bartel na irix.cz wrote:
> Hello,
> I have been wrestling with this almost all day and unfortunately I still cannot
> get it working so that everything works
>
> the situation is as follows
>
>
>                      internet
>         -----------------------------
>         ||  Wireless          ||  ADSL
>         ||  212.24.137.41     ||  10.0.0.254
>       --------------------------------------
>       |  eth2                 eth3          |
>       |  212.24.137.42/30     10.0.0.1/24   |
>       |                                     |
>       |  10.8.8.1/24  VPN tun0              |
>       |                                     |
>       |  eth0                 eth1          |
>       |  192.168.99.1/24      82.113.44.1/27|
>       |                       192.168.1.0/24|
>       --------------------------------------
>         ||                      ||
>       local network     DMZ + local network of one customer
>
> this is what the routing table looked like before the changes
>
> 10.8.8.2 dev tun0 proto kernel scope link src 10.8.8.1
> 212.24.137.40/30 dev eth2 proto kernel scope link src 212.24.137.42
> 82.113.44.0/27 dev eth1 proto kernel scope link src 82.113.44.1
> 10.0.0.0/24 dev eth3 proto kernel scope link src 10.0.0.1
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
> 192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.1
> 10.8.8.0/24 via 10.8.8.2 dev tun0
> default via 212.24.137.41 dev eth2
>
>
> I am trying to set up a backup link (failover) and load balancing
> I followed
>
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
> http://linux-ip.net/html/adv-multi-internet.html
> http://www.debian-administration.org/articles/377
>
> as follows
>
> I created entries for 2 new tables in /etc/iproute2/rt_tables
>
> 201 uplink1
> 202 uplink2
>
> then
>
> P1_NET=212.24.137.40/30
> IF1=eth2
> IP1=212.24.137.42
> P1=212.24.137.41
>
> P2_NET=10.0.0.0/24
> IF2=eth3
> IP2=10.0.0.1
> P2=10.0.0.254
>
> ip route del default via 212.24.137.41 dev eth2
>
> ip route flush table uplink1
> ip route flush table uplink2
>
> ip route show table main | grep -Ev ^default | while read ROUTE ; do \
>     ip route add table uplink1 $ROUTE; done
> ip route add default via $P1 table uplink1
> ip route show table main | grep -Ev ^default | while read ROUTE ; do \
>     ip route add table uplink2 $ROUTE; done
> ip route add default via $P2 table uplink2
>
> ip rule del from $IP1 table uplink1
> ip rule del from $IP2 table uplink2
> ip rule add from $IP1 table uplink1
> ip rule add from $IP2 table uplink2
>
> ip route del proto static default scope global nexthop via $P1 dev $IF1 \
>     weight 1 nexthop via $P2 dev $IF2 weight 1
> ip route add proto static default scope global nexthop via $P1 dev $IF1 \
>     weight 1 nexthop via $P2 dev $IF2 weight 1
>
> then I have a stateful firewall with iptables
>
> where, among other things, I do SNAT for the two local networks
>
> iptables -t nat -A POSTROUTING -s 192.168.99.0/255.255.255.0 -o \
> eth2 -j SNAT --to-source 212.24.137.42
> iptables -t nat -A POSTROUTING -s 192.168.99.0/255.255.255.0 -o \
> eth3 -j SNAT --to-source 10.0.0.1
> ...
>
> hopefully this is enough information
>
> problems:
>
> openvpn keeps disconnecting and reconnecting with the clients (wrong routing, perhaps?)
> some of the servers in the DMZ are sometimes not visible from the internet (quite
> strangely, e.g. one of two, or only while the vpn is running...)
>
> so if you see any mistake there or have any advice on how to push it
> in the right direction, I will be very glad
>
> thank you
>
> Petr Bartel
>
> --
> **************************************************
> * ICQ 74097173 tel. 312 244 018 *
> * Irix a.s. Petr Bartel servis *
> * Key fingerprint *
> 8DB8 3AB2 6865 45F4 3E84 4980 CCED 20B1 CC6B B649
> **************************************************
>
> _______________________________________________
> Linux mailing list
> Linux na linux.cz
> http://www.linux.cz/mailman/listinfo/linux
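The symptom described in the reply (replies leaving through a different uplink than the one the connection arrived on) is the classic gap in source-address-only policy routing: `ip rule from $IP1` only catches packets whose source is the router's own uplink address, so forwarded replies from the DMZ prefix and any flow that entered via the other link fall through to the multipath default route. The script below is an added example, not code from the original post or from the LARTC documents it cites. It keeps the poster's addresses and table names and adds the two standard pieces that make return traffic symmetric: a rule for the public DMZ prefix, and connmark-based marking of each inbound connection's ingress interface with `ip rule fwmark` lookups for the replies. The DMZ being reachable only via the wireless link, the rule preferences, and the mark values 0x1/0x2 are assumptions. Commands are printed for review unless `APPLY=1` is set, which also lets the script be checked offline.

```shell
#!/bin/sh
# Added example, not code from the original post: two-uplink policy routing
# with per-uplink SNAT and connmark-based return routing. Addresses and table
# names come from the thread; the DMZ uplink choice, rule preferences and mark
# values are assumptions. Commands are only printed unless APPLY=1 is set.

P1_NET=212.24.137.40/30; IF1=eth2; IP1=212.24.137.42; P1=212.24.137.41   # wireless
P2_NET=10.0.0.0/24;      IF2=eth3; IP2=10.0.0.1;      P2=10.0.0.254      # ADSL
LAN=192.168.99.0/24     # private LAN, needs SNAT whichever uplink it leaves by
DMZ=82.113.44.0/27      # public DMZ prefix; assumed routed to us only via the wireless link
T1=uplink1; T2=uplink2  # table names registered in /etc/iproute2/rt_tables (201, 202)
M1=0x1; M2=0x2          # assumed connmark values: "connection entered via uplink 1 / 2"

# Print a command, or execute it when APPLY=1 (review the plan first).
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Each uplink table carries its own default route plus the connected and
# internal prefixes, so a lookup that lands in it never falls through to main.
build_tables() {
  run ip route flush table "$T1"
  run ip route flush table "$T2"
  for t in $T1 $T2; do
    run ip route add "$P1_NET" dev "$IF1" src "$IP1" table "$t"
    run ip route add "$P2_NET" dev "$IF2" src "$IP2" table "$t"
    run ip route add "$LAN" dev eth0 table "$t"
    run ip route add "$DMZ" dev eth1 table "$t"
  done
  run ip route add default via "$P1" dev "$IF1" table "$T1"
  run ip route add default via "$P2" dev "$IF2" table "$T2"
  # new outbound flows that carry no mark are balanced across both links
  run ip route replace default scope global \
      nexthop via "$P1" dev "$IF1" weight 1 nexthop via "$P2" dev "$IF2" weight 1
}

# Source-based rules cover locally originated traffic; fwmark rules send the
# replies of a connection back out through the uplink it arrived on.
build_rules() {
  run ip rule add from "$IP1" table "$T1" pref 100
  run ip rule add from "$IP2" table "$T2" pref 101
  run ip rule add from "$DMZ" table "$T1" pref 102
  run ip rule add fwmark "$M1" table "$T1" pref 110
  run ip rule add fwmark "$M2" table "$T2" pref 111
}

# Mark each new inbound connection with its ingress uplink, restore that mark
# on every later packet (forwarded replies in PREROUTING, the router's own
# replies such as OpenVPN's in OUTPUT), and SNAT the LAN per egress interface.
build_iptables() {
  run iptables -t mangle -A PREROUTING -i "$IF1" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$M1"
  run iptables -t mangle -A PREROUTING -i "$IF2" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$M2"
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  run iptables -t nat -A POSTROUTING -s "$LAN" -o "$IF1" -j SNAT --to-source "$IP1"
  run iptables -t nat -A POSTROUTING -s "$LAN" -o "$IF2" -j SNAT --to-source "$IP2"
}

plan() { build_tables; build_rules; build_iptables; }

plan
```

Run it once without `APPLY` and read the printed plan; the order matters, because the fwmark rules must exist before the mangle rules start marking, and the per-table default routes must exist before any rule points at them. The `ip rule from $DMZ` line is what keeps the DMZ servers reachable: a reply sourced from 82.113.44.x that takes the ADSL path would be sent to 10.0.0.254 with a source address that provider does not route. The connmark rules cover the remaining case, a connection that entered via one uplink whose reply source address is not that uplink's own (a DNAT'ed service, or OpenVPN bound to a second address), which is the "packet does not go back the way it came" behaviour the reply observed with tcpdump.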