Multihomed Linux router
Transcript of Multihomed Linux router
www.getclouder.com
Run Two ISPs in Your Home (Multihomed Router)
Marian (HackMan) Marinov
CEO of 1H Ltd.
CTO of GetClouder Ltd.
What is a multi-homed router?
Chapter 1
Multihoming
Why multihoming?
• Failover
• More capacity
• Faster connections
• Cheaper connections
• Why not both?
Assumptions
• You already know how routing is done on the Internet
• You know what the iptables tables are
  • filter
  • mangle
  • nat
• You already know what NAT is and how it works
• Forwarding is enabled and allowed in the router
Usual setup
main routing table
10.0.0.0/24 dev eth2 src 10.0.0.1
77.70.33.0/24 dev eth0 src 77.70.33.12
default via 77.70.33.1 dev eth0

iptables -t nat -A POSTROUTING -j SNAT \
    -s 10.0.0.0/24 -o eth0 --to 77.70.33.12
Chapter 2
Setup
Multiple routing tables
ISP1:
10.0.0.0/24 dev eth2 src 10.0.0.1
77.70.33.0/24 dev eth0 src 77.70.33.12
default via 77.70.33.1 dev eth0

ISP2:
10.0.0.0/24 dev eth2 src 10.0.0.1
83.12.21.0/24 dev eth1 src 83.15.21.65
default via 83.15.21.254 dev eth1
[Diagram slides "Multiple routing tables": the single "routing table" of the usual setup, then the two per-uplink tables "routing table ISP1" and "routing table ISP2"]
How to create iproute2 routing tables
$ cat /etc/iproute2/rt_tables
# reserved values
255 local
254 main
253 default
10 isp1
20 isp2
0 unspec
How to add routes into the new routing tables
ip r a 10.0.0.0/24 dev eth2 t isp1
ip r a 10.0.0.0/24 dev eth2 t isp2

ip r a 77.70.33.0/24 dev eth0 t isp1
ip r a 0/0 via 77.70.33.1 t isp1

ip r a 83.12.21.0/24 dev eth1 t isp2
ip r a 0/0 via 83.15.21.254 t isp2
ip r a == ip route add; t == table
How to guide the traffic to enter these tables
ip ru a from 77.70.33.12 t isp1
ip ru a from 83.15.21.65 t isp2

ip ru a == ip rule add; t == table
Separating the clients from the home network
Chapter 2
Separation
• Manually
  • based on source IP
  • based on destination IP
  • based on protocols
• Automatic
  • statistic (random, nth)
  • recent
  • time based
• Route based
Manually separating clients
• based on source IP: ip rule add from 10.0.0.x table isp1
• based on destination IP: ip rule add to 192.168.0.x table isp1
• based on protocols: iptables marking per protocol
CONNMARK
iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark
iptables -A POSTROUTING -t mangle -m mark ! --mark 0 -j ACCEPT
iptables -A POSTROUTING -p tcp --dport 21 -t mangle -j MARK --set-mark 1
iptables -A POSTROUTING -p tcp --dport 80 -t mangle -j MARK --set-mark 2
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark
Automatically separate clients between uplinks
● Statistic
iptables -t mangle -A PREROUTING -j MARK --set-mark 2 -m statistic --mode random --probability 0.2

iptables -t mangle -A PREROUTING -j MARK --set-mark 1 -m statistic --mode nth --every 2 --packet 0
iptables -t mangle -A PREROUTING -j MARK --set-mark 2 -m statistic --mode nth --every 2 --packet 1
(-o cannot be used in PREROUTING; the mark number, not the interface, selects the uplink)
3:1 split between the two uplinks (mark 1 = ISP1, mark 2 = ISP2):
-j MARK --set-mark 1 -m statistic --mode nth --every 4 --packet 0
-j MARK --set-mark 1 -m statistic --mode nth --every 4 --packet 1
-j MARK --set-mark 1 -m statistic --mode nth --every 4 --packet 2
-j MARK --set-mark 2 -m statistic --mode nth --every 4 --packet 3
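Added example, not the presenter's code: the CONNMARK and statistic slides assembled into one script. It moves the marking into mangle PREROUTING (the only chain where a mark is still visible to the routing decision for forwarded traffic), generates the nth rules from two weights instead of typing them out, and adds the fwmark rules that steer marked packets into the isp1/isp2 tables, which the slides leave implicit. Interface names and addresses are taken from the earlier slides; the 3:1 weights and the DRY_RUN helper are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): the whole mark-based two-uplink setup in
# one place, with the PREROUTING placement and the fwmark rules the slides omit.
# Interface names/addresses follow the slides; the 3:1 weight is a sample value.
dev_lan=eth2
dev_isp1=eth0; gw_isp1=77.70.33.1;   ip_isp1=77.70.33.12
dev_isp2=eth1; gw_isp2=83.15.21.254; ip_isp2=83.15.21.65
w_isp1=3; w_isp2=1   # share of new connections sent to each uplink

# DRY_RUN=1 prints each command instead of executing it (no root needed).
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Weighted round-robin over NEW connections only: of every (w1+w2) new flows the
# first w1 slots get mark 1 (isp1), the rest mark 2 (isp2). MARK does not stop
# chain traversal, so every rule sees every NEW packet and the counters stay in step.
nth_marks() {
    every=$((w_isp1 + w_isp2)); i=0
    while [ "$i" -lt "$every" ]; do
        if [ "$i" -lt "$w_isp1" ]; then mark=1; else mark=2; fi
        run iptables -t mangle -A PREROUTING -i "$dev_lan" -m conntrack --ctstate NEW \
            -m statistic --mode nth --every "$every" --packet "$i" -j MARK --set-mark "$mark"
        i=$((i + 1))
    done
}

mh_setup() {
    # Restore the connection mark first so an established flow stays on its uplink;
    # a per-packet split would break the NAT state and confuse the remote peer.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark '!' --mark 0 -j ACCEPT
    nth_marks
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # Per-uplink tables; isp1/isp2 are assumed to exist in /etc/iproute2/rt_tables.
    run ip route add default via "$gw_isp1" dev "$dev_isp1" table isp1
    run ip route add default via "$gw_isp2" dev "$dev_isp2" table isp2
    # Traffic sourced from an uplink address answers through that uplink ...
    run ip rule add from "$ip_isp1" table isp1
    run ip rule add from "$ip_isp2" table isp2
    # ... and marked forwarded traffic is steered into the matching table.
    run ip rule add fwmark 1 table isp1
    run ip rule add fwmark 2 table isp2
    # SNAT per outgoing interface so the source address matches the chosen uplink.
    run iptables -t nat -A POSTROUTING -o "$dev_isp1" -j SNAT --to "$ip_isp1"
    run iptables -t nat -A POSTROUTING -o "$dev_isp2" -j SNAT --to "$ip_isp2"
}

# Stand-alone: "sh multihome.sh apply" executes; anything else prints the plan.
if [ "${1:-}" = apply ]; then mh_setup; else DRY_RUN=1; mh_setup; fi
```

Run it without arguments first and read the generated plan; only the fwmark rules and the default routes in the two tables are new relative to the slides.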
● recent
-m recent --name ballanced --rcheck --seconds 300 -j MARK --set-mark 2
-m recent --name ballanced --set -j MARK --set-mark 1
● time based
-m time --timestart 09:30 --timestop 17:30 --weekdays Mon,Tue,Wed,Thu,Fri
● route based
ip route add default scope global \
nexthop via $gw_isp1 dev $dev_isp1 weight 1 \
nexthop via $gw_isp2 dev $dev_isp2 weight 1
Source NAT - Set the outgoing IPs
iptables -t nat -A POSTROUTING \
    -o $dev_isp1 -j SNAT --to $ip_isp1
iptables -t nat -A POSTROUTING \
    -o $dev_isp2 -j SNAT --to $ip_isp2
Chapter 3
SNAT
Additional documentation
http://lartc.org/howto/lartc.rpdb.multiple-links.html
Link Status Monitor: http://lsm.foobar.fi/
If you are interested... Julian Anastasov's patches: http://www.ssi.bg/~ja/#routes
Chapter 4
Conclusion
Q & A
Marian (HackMan) Marinov
mm <> 1h.com
Jabber: [email protected] HackMan #iseca #softuni
Chapter 5
Questions