Re: Multiple default routes on multihome host
On Feb 21, 2008, at 9:51 PM, Wes Peters wrote:

> As much as anything I just object to the semantic dissonance in "multiple" "default". Think about it.
>
> I still haven't decided what it means at the packet level to have multiple default routes. Does that mean that, not having found a "better" route, I send the packets out both routes? Choose between them? Doesn't that tend to flap packets in a TCP "connection" back and forth? Does my router have to remember which route it chose for a TCP connection and reuse that one?
>
> I know people want to be able to plug in a pair of itty bitty routers and just have their computers be smart enough to use the "best" one, but it's not clear the implementations they are pushing us towards -- Linux and Windows -- actually accomplish that. In fact, what they usually do is screw it up badly and the people only THINK they're getting any enhanced reliability.

I know I'm not who you were asking, but I can give you an example of where we've used this successfully.

Our branch office has a T1 to our main office. The branch office has a /26 of public IPs routed over the T1. The T1 has extremely low latency, and plenty of bandwidth for the business side of things. The problem is that it didn't have enough bandwidth to handle a bunch of people watching videos on YouTube, downloading OS updates and everything else. I played with QoS and traffic shaping, but the solution for us was more bandwidth. Adding additional T1s was impossible, but we could get a very fast business DSL line to the office. They obviously wouldn't run BGP with us over it, so some trickery was required to make use of both connections at once.

On our firewall/router box at the branch office, we've got 3 ethernet interfaces. em0 goes to our LAN (1.2.3.4/26). em1 goes to the T1 router. em2 goes to the DSL line (5.6.7.8/24). The system's default route is through em1 to the T1. I want to send some traffic over the DSL line, em2.

This is complicated by the fact that the DSL provider has only given us one IP and won't route our corporate IPs. So, I started up a natd instance:

    natd -interface em2 -same_ports -dynamic

Now, with ipfw I can select which traffic goes through the DSL line:

    # Send all HTTP traffic through natd, which will go through the DSL line
    ipfw add 100 divert 8668 ip from 1.2.3.0/26 to any 80

Next, I need to force all traffic sourced on the DSL line's IP to actually go out the DSL interface. Without this, the kernel tries sending packets sourced with the DSL line's IP over the T1.

    # If it's not trying to talk to a local IP, force it to go down the DSL
    # line if it's using the DSL source IP.
    ipfw add 200 fwd $dsl_line_gateway ip from 5.6.7.8 to not 1.2.3.0/26

Now, like magic, web traffic goes over the DSL line. Everything else goes over the T1.

In reality the configuration is much more complex, but it's easy enough with ipfw rules to specify what I want to go down the DSL line (divert it) and what I want to go down the T1. If I didn't have to deal with the lack of routing cooperation from our DSL provider, I could skip the natd step completely and just fwd traffic as appropriate.

This isn't truly multiple default routes, but it's as close as I can get. As-is it adds no redundancy at all, but it was very easy to script something up that checked the liveliness of both interfaces and completely redirect everything to go down one or the other if one goes down.

Make sense?

-- Kevin

___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Multiple default routes on multihome host
On 22/02/2008, Wes Peters <[EMAIL PROTECTED]> wrote:
> As much as anything I just object to the semantic dissonance in
> "multiple" "default". Think about it.
>
> I still haven't decided what it means at the packet level to have
> multiple default routes. Does that mean that, not having found a
> "better" route, I send the packets out both routes? Choose between
> them? Doesn't that tend to flap packets in a TCP "connection" back
> and forth? Does my router have to remember which route it chose for a
> TCP connection and reuse that one?

For proper connection hijacking, you have to do this. FreeBSD doesn't.

For example, take the situation where you have N routers (Cisco) with WCCPv2 redirecting snaffled packets back to a farm of proxies. The chosen proxy is determined by a hash function on the TCP frame. Now, the proxy hijacks that TCP connection (assuming it sees a symmetric flow!) and goes to connect to the original destination. Thing is, the outward packet flow now goes out the host's default route, not the router which sent it the packet.

Now, this mostly isn't a problem, but some Squid users are beginning to notice it being an issue.

> I know people want to be able to plug in a pair of itty bitty routers
> and just have their computers be smart enough to use the "best" one,
> but it's not clear the implementations they are pushing us towards --
> Linux and Windows -- actually accomplish that. In fact, what they
> usually do is screw it up badly and the people only THINK they're
> getting any enhanced reliability.

Thing is, the world isn't "ideal" anymore. End users with PA space wish to do HA type tricks. The old school idea of routing just doesn't apply when you don't "have" an autonomous system with sensible IP allocations and routing policy.

I guess the only thing here to add is "tools, not policy." People would like these tools.

Adrian

-- Adrian Chadd - [EMAIL PROTECTED]
Re: Multiple default routes on multihome host
On Feb 20, 2008, at 1:54 PM, Bruce M. Simpson wrote:
> Wes Peters wrote:
>> I see a number of people have replied to this message offering solutions of how to accomplish your migration, using a variety of tools available to you in FreeBSD. I've always found this community very supportive in this fashion, and I'm glad they've jumped in to help you in your transition as well. Please note that the variety of solutions presented recognize that your transition period is just that, a temporary situation, and that "multiple default routes" is not the solution.
>
> The thing is, in a peer-to-peer or ad-hoc mesh network, not having access to a single next-hop serving as the gateway of last resort has a much higher probability of occurring than in a fully converged network with more deterministic layer 3 behaviour. So we're largely arguing apples vs oranges here.
>
> Fact of the matter is, we can't tell people how to run their networks, or which protocols to run. People want IP everywhere and they want it now. (Infinite demand for free goods is another story.)
>
> The argument that functionality "should not" be present because people "should not" run their networks that way carries no water -- particularly so when issues of wireless presence and ad-hoc networks blow the old assumptions out of the water.

As much as anything I just object to the semantic dissonance in "multiple" "default". Think about it.

I still haven't decided what it means at the packet level to have multiple default routes. Does that mean that, not having found a "better" route, I send the packets out both routes? Choose between them? Doesn't that tend to flap packets in a TCP "connection" back and forth? Does my router have to remember which route it chose for a TCP connection and reuse that one?

I know people want to be able to plug in a pair of itty bitty routers and just have their computers be smart enough to use the "best" one, but it's not clear the implementations they are pushing us towards -- Linux and Windows -- actually accomplish that. In fact, what they usually do is screw it up badly and the people only THINK they're getting any enhanced reliability.

You're one of the few people who could convince me that they're doing better than my experience says, or that we have a way of doing better. Short of being able to somehow collect information about whether these links are working, I just don't know how it would work. I can design a daemon that can do such a thing by abusing ICMP, but that is just a poor man's routing daemon, and still doesn't require multiple default routes, just one that is semi-intelligently managed.

-- Where am I, and what am I doing in this handbasket? Wes Peters [EMAIL PROTECTED]
Re: Multiple default routes on multihome host
Wes Peters wrote:
> I see a number of people have replied to this message offering solutions of how to accomplish your migration, using a variety of tools available to you in FreeBSD. I've always found this community very supportive in this fashion, and I'm glad they've jumped in to help you in your transition as well. Please note that the variety of solutions presented recognize that your transition period is just that, a temporary situation, and that "multiple default routes" is not the solution.

The thing is, in a peer-to-peer or ad-hoc mesh network, not having access to a single next-hop serving as the gateway of last resort has a much higher probability of occurring than in a fully converged network with more deterministic layer 3 behaviour. So we're largely arguing apples vs oranges here.

Fact of the matter is, we can't tell people how to run their networks, or which protocols to run. People want IP everywhere and they want it now. (Infinite demand for free goods is another story.)

The argument that functionality "should not" be present because people "should not" run their networks that way carries no water -- particularly so when issues of wireless presence and ad-hoc networks blow the old assumptions out of the water.

later
BMS
Re: Multiple default routes on multihome host
At 18 Feb 2008 21:55:50 +, Nick Barnes <[EMAIL PROTECTED]> wrote:
> At 2008-02-18 21:36:18+, Bill Moran writes:
>> In response to Nick Barnes <[EMAIL PROTECTED]>:
>>> I have a multi-home host: more than one IP address. The addresses are in separate subnets but run over the same ethernet segment (this is a temporary situation while I switch an office network over from one network provider to another). I want packets from address A1 to be sent via gateway G1, but packets from address A2 to be sent via gateway G2. How do I do this? Can I just have more than one default route? I'm remote from the machine in question, so I don't want to tinker with the default route until I'm sure of the answer.
>>
>> You can't have multiple default routes. The fact that you want to is an indicator of incorrect network design, although it could be an artifact of the interim setup while you migrate things around.
>>
>> I would suggest you ask yourself (and possibly the list) _why_ you think multiple default routes is necessary ... what is it that you're hoping to accomplish. I'm guessing you're looking for some sort of redundancy, in which case something like CARP or RIP is liable to be the correct solution.
>
> I agree that this is probably my inexperience showing.

Yes. :^)

> I have an office network which is switching leased line, from provider P1 to provider P2. I have a /25 from P1 and a (different) /24 from P2. I am doing the migration a few machines at a time: move a little, test a little, etc. I am dual-homing each host for a short period while I am switching it over. The dual-homing works just fine, over a shared ethernet segment, except for the fact that I can only have one default route.

Repeat after me: "The default route is the route I use when I don't know a better route."

If you have two connections to the internet, the usual way of handling this is to have a single router that understands both routes. This single router maintains a routing table that knows which connection is the "best" one to use for each IP destination. It maintains this routing table by exchanging route information with other (nearby) routers, most especially those at the other end of your internet connection(s). If you don't have a single routing instance to do this for you, you have to push the same information all the way down to the devices, so they can make those routing decisions for themselves.

The default route is then one that is used when no other match was found in the routing table. It is an interesting philosophical argument to consider what is the meaning of more than one "default" route -- if you have more than one, how can it be a "default"? When you hit these multiple "default" routes, do you send the packet to all of them? Pick one? Which one? Try one, and if that doesn't work, then try another? Who is responsible for remembering which one(s) don't work?

There is a dangerous assumption here that because both Microsoft and Linux have done something, it's a good idea. In point of fact, it's not a good idea, it is codifying bad network design. If you think you need two or more default routes, you need to learn a little bit more about networking instead.

I see a number of people have replied to this message offering solutions of how to accomplish your migration, using a variety of tools available to you in FreeBSD. I've always found this community very supportive in this fashion, and I'm glad they've jumped in to help you in your transition as well. Please note that the variety of solutions presented recognize that your transition period is just that, a temporary situation, and that "multiple default routes" is not the solution.

I'll get down off my soapbox now. This is such an FAQ on this list, you should be required to read and answer this question before being allowed to post to the list. :^)

-- Where am I, and what am I doing in this handbasket? Wes Peters [EMAIL PROTECTED]
Re: Multiple default routes on multihome host
Bruce M. Simpson wrote:
> Tom Judge wrote:
>> However FreeBSD's routing table does not currently support policy routing without some help from the firewall. The only way to achieve your goal is to use one of the firewalls (pf/ipfw/ipf) to do the policy routing for you.
>
> If anyone wants to take this on, start looking at inpcb, bind, and ip_output(), and try to bug me for help -- "human resources", tcaahh I'm getting old :-)

I have running code I'm going to commit soon (as in "next week").

later
BMS
Re: Multiple default routes on multihome host
Tom Judge wrote:
> However FreeBSD's routing table does not currently support policy routing without some help from the firewall. The only way to achieve your goal is to use one of the firewalls (pf/ipfw/ipf) to do the policy routing for you.

If anyone wants to take this on, start looking at inpcb, bind, and ip_output(), and try to bug me for help -- "human resources", tcaahh I'm getting old :-)

later
BMS
Re: Multiple default routes on multihome host
Nick Barnes wrote:
> I want packets from address A1 to be sent via gateway G1, but packets from address A2 to be sent via gateway G2. How do I do this? Can I just have more than one default route? I'm remote from the machine in question, so I don't want to tinker with the default route until I'm sure of the answer.

Others have chimed in saying that having redundant routes constitutes poor network design: it really depends where one draws the distinction between router and host. In ad-hoc and peer-to-peer networks, there is no such distinction.

The forwarding code doesn't support multiple routes to the same destination, largely out of development inertia. People are looking at this now.

The forwarding code doesn't support load balancing yet, it's being considered for the future. There are problems with load balancing and TCP as it can result in loss of the original packet ordering. Of course this is something which stuff like SACK *begins* to address, it is a scenario more common in satellite networks.

However you want next-hop selection based on the "laddr" for a socket which is a different thing. The stack doesn't do this on its own, it needs help from packet filtering code. You should be able to achieve this using "route-to" rules in IPFW or PF, there are tutorials out there on the subject.

cheers
BMS
Re: Multiple default routes on multihome host
Eygene Ryabinkin <[EMAIL PROTECTED]> wrote:
> Thanks for the education! I have only one question: what is 'Yugo'?
> I had not found it in nearby dictionaries ;))

http://en.wikipedia.org/wiki/Yugo

-- Bill Moran Collaborative Fusion Inc. [EMAIL PROTECTED] Phone: 412-422-3463x4023
Re: Multiple default routes on multihome host
Bill,

Mon, Feb 18, 2008 at 05:54:33PM -0500, Bill Moran wrote:
>>> It can be done with CARP
>>> if both providers support it and are willing to work together.
>>
>> Very, very unlikely for me ;))
>
> Overall, Eygene, you're trying to haul freight with a Yugo.
>
> If you truly have a need for highly available system, you need to work
> with a provider who has the expertise and is willing to do it.
>
> Of course, that's going to cost you more money, just like an industrial-
> grade tractor-trailer will cost you more than a Yugo.
>
> Internet connections aren't just about speed like most PHBs think. There
> are a lot of other factors, and this is one of them.
>
> But again, if you have the need for all this network redundancy, shouldn't
> you have _2_ Apache servers in a failover (or load-balanced) configuration?
>
> To me, it sounds like you need to establish the real _business_ requirement
> here. If it's true HA, then you're far, far from it at this point. If it's
> rapid recovery from failure, you might consider something like heartbeat.
> If all you need is to balance bandwidth between two links, there are other
> hacks to make that happen. Possibly, you just need to describe the
> existing business requirement better in this discussion.
>
> You're _never_ going to have true HA if you're using two providers that
> aren't willing to cooperate.

You're talking about industrial-grade connections. Mine were more like the home ones: two small ISPs, one with local Ethernet network and one with DSL. They will never play with each one in my situation, moreover, they should not even notice that my host is dual-homed. So, that was the cheap way to be online most of the time.

Thanks for the education! I have only one question: what is 'Yugo'? I had not found it in nearby dictionaries ;))

Thanks again!

-- Eygene
Re: Multiple default routes on multihome host
Nick Barnes wrote:
> At 2008-02-18 22:12:48+, Julian Elischer writes:
>> Unless you actually want all your machines to be remotely accessible from the outside, you should probably just turn on NAT on the new ISP interface, turn off the old one, and be done with it.
>
> The machines I'm interested in for these purposes are all servers of one sort or another, which need to be externally routable. The desktops will indeed Just Work with NAT/DHCP.
>
> I'll look at the IPFW fwd rules.
>
> Thanks to all for your help.
>
> Nick B

You can use 'hard wired' nat entries to allow the servers to be accessible from both ISPs at the same time... (along with ipfw to do route swizzling)
Re: Multiple default routes on multihome host
In response to Eygene Ryabinkin <[EMAIL PROTECTED]>:
> Mon, Feb 18, 2008 at 05:06:42PM -0500, Bill Moran wrote:
>>> I had faced such situation once: I had multihomed host that was
>>> running Apache daemon that was announced via two DNS names that
>>> were corresponding to two different IPs, going via two different
>>> providers. When the first provider's link goes down, the second
>>> provider is still alive, and when both providers are alive, the
>>> traffic is balanced via DNS round-robin alias. Do you see some
>>> better way to do it via CARP, RIP, something different? I am still
>>> interested in other possibilities.
>>
>> The canonical way to do this is with BGP.
>
> Yes, thus there will be only one IP, but it will be routed via
> either provider, balanced across links and if one link will fail,
> AS will be announced via the second one. Right?

Correct.

> And how would you say to your box: 'OK, this packet originates from
> the IP1 that should go to the GW1, and the other originates from
> IP2, so it should be forced to go via GW2'. I want symmetric routing
> for both of these IPs. Tried to imagine how it can be done via
> BGP, but was not able to figure out. Any practical examples?

I'm not 100% sure in FreeBSD, as I've never set up BGP on FreeBSD. Our highly-available systems use Cisco routers for this, and the Ciscos have all the capabilities to handle this properly. I _do_ know that FreeBSD _can_ be set up to handle this properly, as I've spoken to people who've done it.

Keep in mind that we have _2_ Cisco Routers and _2_ switches and everything is redundant via HSRP within our own data center. It'd be silly to pay for redundant links only to have a switch burn out and the whole thing be for naught.

>> It can be done with CARP
>> if both providers support it and are willing to work together.
>
> Very, very unlikely for me ;))

Overall, Eygene, you're trying to haul freight with a Yugo.

If you truly have a need for highly available system, you need to work with a provider who has the expertise and is willing to do it.

Of course, that's going to cost you more money, just like an industrial-grade tractor-trailer will cost you more than a Yugo.

Internet connections aren't just about speed like most PHBs think. There are a lot of other factors, and this is one of them.

But again, if you have the need for all this network redundancy, shouldn't you have _2_ Apache servers in a failover (or load-balanced) configuration?

To me, it sounds like you need to establish the real _business_ requirement here. If it's true HA, then you're far, far from it at this point. If it's rapid recovery from failure, you might consider something like heartbeat. If all you need is to balance bandwidth between two links, there are other hacks to make that happen. Possibly, you just need to describe the existing business requirement better in this discussion.

You're _never_ going to have true HA if you're using two providers that aren't willing to cooperate.

-- Bill Moran Collaborative Fusion Inc. http://people.collaborativefusion.com/~wmoran/ [EMAIL PROTECTED] Phone: 412-422-3463x4023
Re: Multiple default routes on multihome host
In response to Tom Judge <[EMAIL PROTECTED]>:
> Bill Moran wrote:
>> In response to Eygene Ryabinkin <[EMAIL PROTECTED]>:
>>> Bill,
>>>
>>> Mon, Feb 18, 2008 at 04:36:18PM -0500, Bill Moran wrote:
>>>> I would suggest you ask yourself (and possibly the list) _why_ you think
>>>> multiple default routes is necessary ... what is it that you're hoping
>>>> to accomplish. I'm guessing you're looking for some sort of redundancy,
>>>> in which case something like CARP or RIP is liable to be the correct
>>>> solution.
>>>
>>> I had faced such situation once: I had multihomed host that was
>>> running Apache daemon that was announced via two DNS names that
>>> were corresponding to two different IPs, going via two different
>>> providers. When the first provider's link goes down, the second
>>> provider is still alive, and when both providers are alive, the
>>> traffic is balanced via DNS round-robin alias. Do you see some
>>> better way to do it via CARP, RIP, something different? I am still
>>> interested in other possibilities.
>>
>> The canonical way to do this is with BGP. It can be done with CARP
>> if both providers support it and are willing to work together.
>
> Unfortunately businesses tend to get bundled PA address space when
> purchasing leased lines off of ISP. This means that a somewhat simple
> transition from provider A to provider B can not be done with BGP. Also
> as the OP states one of the address blocks that he has is a /25 which
> most ISP's will filter from the BGP address table because it is too small.

You're confusing issues. The OP is in the process of a migration, in which case the packet rewriting via pf/ipfw/etc is probably the best approach. Eygene is describing a different scenario with a permanent multihomed system, in which case BGP is probably the best option, but CARP _may_ be an option.

> I think the cost of learning BGP, getting an AS number and a suitably
> large block of PI address space, getting 2 routers that can do BGP,
> coupled with the consultancy costs charged by the ISP to setup the BGP
> feed totally outweigh the cost of just multihoming a box for a few
> days/weeks while the required changes take effect.. Ok so this is not
> ideal but hey it works and it's simpler..

Agreed. In fact, if you read the prior messages, I never disagreed. Personally, I prefer to do this type of migration as a "flag day" where everything just gets switched over all at once ... but that's not always possible. The OP seems to have a number of systems with public IPs, and it's harder to do a flag day with a lot of systems.

-- Bill Moran Collaborative Fusion Inc. http://people.collaborativefusion.com/~wmoran/ [EMAIL PROTECTED] Phone: 412-422-3463x4023
Re: Multiple default routes on multihome host
Mon, Feb 18, 2008 at 05:06:42PM -0500, Bill Moran wrote:
>> I had faced such situation once: I had multihomed host that was
>> running Apache daemon that was announced via two DNS names that
>> were corresponding to two different IPs, going via two different
>> providers. When the first provider's link goes down, the second
>> provider is still alive, and when both providers are alive, the
>> traffic is balanced via DNS round-robin alias. Do you see some
>> better way to do it via CARP, RIP, something different? I am still
>> interested in other possibilities.
>
> The canonical way to do this is with BGP.

Yes, thus there will be only one IP, but it will be routed via either provider, balanced across links and if one link will fail, AS will be announced via the second one. Right?

And how would you say to your box: 'OK, this packet originates from the IP1 that should go to the GW1, and the other originates from IP2, so it should be forced to go via GW2'. I want symmetric routing for both of these IPs. Tried to imagine how it can be done via BGP, but was not able to figure out. Any practical examples?

> It can be done with CARP
> if both providers support it and are willing to work together.

Very, very unlikely for me ;))

Thank you.

-- Eygene
Re: Multiple default routes on multihome host
At 2008-02-18 22:12:48+, Julian Elischer writes:
> Unless you actually want all your machines to be remotely
> accessible from the outside, you should probably just turn on
> NAT on the new ISP interface, turn off the old one, and be
> done with it.

The machines I'm interested in for these purposes are all servers of one sort or another, which need to be externally routable. The desktops will indeed Just Work with NAT/DHCP.

I'll look at the IPFW fwd rules.

Thanks to all for your help.

Nick B
Re: Multiple default routes on multihome host
Bill Moran wrote:
> In response to Eygene Ryabinkin <[EMAIL PROTECTED]>:
>> Bill,
>>
>> Mon, Feb 18, 2008 at 04:36:18PM -0500, Bill Moran wrote:
>>> I would suggest you ask yourself (and possibly the list) _why_ you think multiple default routes is necessary ... what is it that you're hoping to accomplish. I'm guessing you're looking for some sort of redundancy, in which case something like CARP or RIP is liable to be the correct solution.
>>
>> I had faced such situation once: I had multihomed host that was running Apache daemon that was announced via two DNS names that were corresponding to two different IPs, going via two different providers. When the first provider's link goes down, the second provider is still alive, and when both providers are alive, the traffic is balanced via DNS round-robin alias. Do you see some better way to do it via CARP, RIP, something different? I am still interested in other possibilities.
>
> The canonical way to do this is with BGP. It can be done with CARP if both providers support it and are willing to work together.

Unfortunately businesses tend to get bundled PA address space when purchasing leased lines off of ISP. This means that a somewhat simple transition from provider A to provider B can not be done with BGP. Also as the OP states one of the address blocks that he has is a /25 which most ISP's will filter from the BGP address table because it is too small.

I think the cost of learning BGP, getting an AS number and a suitably large block of PI address space, getting 2 routers that can do BGP, coupled with the consultancy costs charged by the ISP to setup the BGP feed totally outweigh the cost of just multihoming a box for a few days/weeks while the required changes take effect.. Ok so this is not ideal but hey it works and it's simpler..

Just my 2c

Tom
Re: Multiple default routes on multihome host
Nick Barnes wrote:
> At 2008-02-18 21:36:18+, Bill Moran writes:
>> In response to Nick Barnes <[EMAIL PROTECTED]>:
>>> I have a multi-home host: more than one IP address. The addresses are in separate subnets but run over the same ethernet segment (this is a temporary situation while I switch an office network over from one network provider to another). I want packets from address A1 to be sent via gateway G1, but packets from address A2 to be sent via gateway G2. How do I do this? Can I just have more than one default route? I'm remote from the machine in question, so I don't want to tinker with the default route until I'm sure of the answer.
>>
>> You can't have multiple default routes. The fact that you want to is an indicator of incorrect network design, although it could be an artifact of the interim setup while you migrate things around.
>>
>> I would suggest you ask yourself (and possibly the list) _why_ you think multiple default routes is necessary ... what is it that you're hoping to accomplish. I'm guessing you're looking for some sort of redundancy, in which case something like CARP or RIP is liable to be the correct solution.
>
> I agree that this is probably my inexperience showing.
>
> I have an office network which is switching leased line, from provider P1 to provider P2. I have a /25 from P1 and a (different) /24 from P2. I am doing the migration a few machines at a time: move a little, test a little, etc. I am dual-homing each host for a short period while I am switching it over. The dual-homing works just fine, over a shared ethernet segment, except for the fact that I can only have one default route.
>
> This means that I am sending packets from an address given to me by P2 to P1's router (my existing default route). As an experimental matter, today, this does in fact work - these packets are getting to their destinations, via P1 - but it looks a heck of a lot like spoofing and I am half-expecting the wrath of P1 to descend on me. Either that or for them to silently stop routing the packets.
>
> I would rather send packets from the P2 subnet addresses to the P2 router, while the packets from the P1 subnet addresses keep going to the P1 router. Apparently I can do this with some IPFW cunning, but that seems like overkill for what seems like it ought to be a common problem.
>
> If I were in the office, I would gird my loins for a single hard session on all the consoles, to do all the config changes at once, abandoning the P1 addresses. As it is, doing it remotely, I'm being a little more tentative.

Unless you actually want all your machines to be remotely accessible from the outside, you should probably just turn on NAT on the new ISP interface, turn off the old one, and be done with it. Then your internal addresses are of no interest at all. You could move the one or two machines that need to be remotely accessible to the new addresses and leave the others as they are, or move them over at your leisure over the next year or so. (or move them to rfc1918 addresses and save yourself the cost of the /24)

> Nick B
Re: Multiple default routes on multihome host
In response to Eygene Ryabinkin <[EMAIL PROTECTED]>:
> Bill,
>
> Mon, Feb 18, 2008 at 04:36:18PM -0500, Bill Moran wrote:
> > I would suggest you ask yourself (and possibly the list) _why_ you think
> > multiple default routes is necessary ... what is it that you're hoping
> > to accomplish. I'm guessing you're looking for some sort of redundancy,
> > in which case something like CARP or RIP is liable to be the correct
> > solution.
>
> I had faced such a situation once: I had a multihomed host that was
> running an Apache daemon that was announced via two DNS names
> corresponding to two different IPs, going via two different providers.
> When the first provider's link goes down, the second provider is still
> alive, and when both providers are alive, the traffic is balanced via a
> DNS round-robin alias. Do you see some better way to do it via CARP,
> RIP, something different? I am still interested in other possibilities.

The canonical way to do this is with BGP. It can be done with CARP if both providers support it and are willing to work together.

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
[EMAIL PROTECTED]
Phone: 412-422-3463x4023
Re: Multiple default routes on multihome host
Nick Barnes wrote:
> I have a multi-home host: more than one IP address. The addresses are
> in separate subnets but run over the same ethernet segment (this is a
> temporary situation while I switch an office network over from one
> network provider to another).
>
> I want packets from address A1 to be sent via gateway G1, but packets
> from address A2 to be sent via gateway G2.

I'm working on this, but in the meanwhile you can do the following:

    ipfw add 100 fwd G1 ip from A1 to any out xmit xx0   (xx0 is the outgoing interface)
    ipfw add 101 fwd G2 ip from A2 to any out xmit xx0

> How do I do this? Can I just have more than one default route? I'm
> remote from the machine in question, so I don't want to tinker with
> the default route until I'm sure of the answer.
>
> Thanks in advance,
>
> Nick Barnes
Re: Multiple default routes on multihome host
Nick Barnes wrote:
> At 2008-02-18 21:36:18+0000, Bill Moran writes:
> I would rather send packets from the P2 subnet addresses to the P2
> router, while the packets from the P1 subnet addresses keep going to
> the P1 router. Apparently I can do this with some IPFW cunning, but
> that seems like overkill for what seems like it ought to be a common
> problem.

This is indeed a common problem; a question such as this gets asked every month or so on at least one of the lists I am subscribed to. In fact we do something along these lines at each of our offices to provide fault-tolerant VPN connections to our data center and other offices.

However, FreeBSD's routing table does not currently support policy routing without some help from the firewall. The only way to achieve your goal is to use one of the firewalls (pf/ipfw/ipf) to do the policy routing for you. The suggestions that you have received already seem to be exactly what you are looking for.

Tom J
Re: Multiple default routes on multihome host
At 2008-02-18 21:36:18+0000, Bill Moran writes:
> In response to Nick Barnes <[EMAIL PROTECTED]>:
>
> > I have a multi-home host: more than one IP address. The addresses are
> > in separate subnets but run over the same ethernet segment (this is a
> > temporary situation while I switch an office network over from one
> > network provider to another).
> >
> > I want packets from address A1 to be sent via gateway G1, but packets
> > from address A2 to be sent via gateway G2.
> >
> > How do I do this? Can I just have more than one default route? I'm
> > remote from the machine in question, so I don't want to tinker with
> > the default route until I'm sure of the answer.
>
> You can't have multiple default routes. The fact that you want to is
> an indicator of incorrect network design, although it could be an
> artifact of the interim setup while you migrate things around.
>
> I would suggest you ask yourself (and possibly the list) _why_ you think
> multiple default routes is necessary ... what is it that you're hoping
> to accomplish. I'm guessing you're looking for some sort of redundancy,
> in which case something like CARP or RIP is liable to be the correct
> solution.

I agree that this is probably my inexperience showing. I have an office network which is switching leased line, from provider P1 to provider P2. I have a /25 from P1 and a (different) /24 from P2. I am doing the migration a few machines at a time: move a little, test a little, etc. I am dual-homing each host for a short period while I am switching it over. The dual-homing works just fine, over a shared ethernet segment, except for the fact that I can only have one default route. This means that I am sending packets from an address given to me by P2 to P1's router (my existing default route).

As an experimental matter, today, this does in fact work - these packets are getting to their destinations, via P1 - but it looks a heck of a lot like spoofing and I am half-expecting the wrath of P1 to descend on me. Either that or for them to silently stop routing the packets.

I would rather send packets from the P2 subnet addresses to the P2 router, while the packets from the P1 subnet addresses keep going to the P1 router. Apparently I can do this with some IPFW cunning, but that seems like overkill for what seems like it ought to be a common problem.

If I were in the office, I would gird my loins for a single hard session on all the consoles, to do all the config changes at once, abandoning the P1 addresses. As it is, doing it remotely, I'm being a little more tentative.

Nick B
Re: Multiple default routes on multihome host
Bill,

Mon, Feb 18, 2008 at 04:36:18PM -0500, Bill Moran wrote:
> I would suggest you ask yourself (and possibly the list) _why_ you think
> multiple default routes is necessary ... what is it that you're hoping
> to accomplish. I'm guessing you're looking for some sort of redundancy,
> in which case something like CARP or RIP is liable to be the correct
> solution.

I had faced such a situation once: I had a multihomed host that was running an Apache daemon that was announced via two DNS names corresponding to two different IPs, going via two different providers. When the first provider's link goes down, the second provider is still alive, and when both providers are alive, the traffic is balanced via a DNS round-robin alias. Do you see some better way to do it via CARP, RIP, something different? I am still interested in other possibilities.

Thank you!
--
Eygene
Re: Multiple default routes on multihome host
On Feb 18, 2008, at 3:00 PM, Nick Barnes wrote:
> I have a multi-home host: more than one IP address. The addresses are
> in separate subnets but run over the same ethernet segment (this is a
> temporary situation while I switch an office network over from one
> network provider to another).
>
> I want packets from address A1 to be sent via gateway G1, but packets
> from address A2 to be sent via gateway G2.
>
> How do I do this? Can I just have more than one default route? I'm
> remote from the machine in question, so I don't want to tinker with
> the default route until I'm sure of the answer.

This isn't perfect, but if you have ipfw and IPFIREWALL_FORWARD in your kernel config (you also might need IPFIREWALL_FORWARD_EXTENDED depending on how old your OS is) you can do this:

    route add default G1
    ipfw add fwd G2 ip from A2 to any

The normal kernel routing kicks in for packets from A1 going to G1, but then ipfw overrides this for anything being sourced from A2 and forces it to go to G2.

--
Kevin
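The single-default-route-plus-`ipfw fwd` approach in Kevin's reply, and the two-rule variant suggested elsewhere in the thread, both rely on the firewall overriding the routing table's next-hop choice by source address. The model below is an added example, not code from the thread or from FreeBSD: it simulates the host's next-hop decision (connected subnets, one default route, optional `fwd` override) and a provider-side source-address ingress filter, which is what makes the "looks like spoofing" worry in Nick's post a real operational risk. The `Host` and `FwdRule` classes, the `egress()` helper and all addresses (documentation ranges) are constructed for this example.

```python
"""
Added example, not code from the thread or from FreeBSD: a small model of
a dual-homed host with one default route (to G1), two addresses (A1 in
P1's block, A2 in P2's block) and an optional 'ipfw fwd' override.
Providers that do source-address (ingress) filtering drop packets whose
source is not in the block they delegated; the model shows which packets
would reach such a filter, and from which side.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed topology (assumption, not from the thread): documentation prefixes.
P1_BLOCK = Net("192.0.2.0/25")        # the /25 delegated by provider P1
P2_BLOCK = Net("198.51.100.0/24")     # the /24 delegated by provider P2
A1, G1 = Addr("192.0.2.10"), Addr("192.0.2.1")         # host address / router in P1's block
A2, G2 = Addr("198.51.100.10"), Addr("198.51.100.1")   # host address / router in P2's block


@dataclass
class FwdRule:
    """Model of 'ipfw add fwd <gw> ip from <src> to <dst>'; first match wins."""
    gateway: Addr
    src: Net
    dst: Net = Net("0.0.0.0/0")      # 'to any' unless narrowed

    def matches(self, src: Addr, dst: Addr) -> bool:
        return src in self.src and dst in self.dst


@dataclass
class Host:
    connected: List[Net]             # directly attached subnets (shared segment)
    default_gw: Addr                 # the one and only default route
    fwd_rules: List[FwdRule] = field(default_factory=list)

    def next_hop(self, src: Addr, dst: Addr) -> Optional[Addr]:
        """Router the packet is handed to, or None for on-link delivery.
        A matching fwd rule is consulted first and overrides the routing
        table, including on-link delivery: a rule written 'to any' also
        catches traffic for hosts on the shared segment."""
        for rule in self.fwd_rules:
            if rule.matches(src, dst):
                return rule.gateway
        for net in self.connected:
            if dst in net:
                return None
        return self.default_gw


# Which provider each router belongs to, and which source prefix it accepts.
PROVIDER_OF = {G1: "P1", G2: "P2"}
ACCEPTED_SOURCES = {"P1": P1_BLOCK, "P2": P2_BLOCK}


def egress(host: Host, src: Addr, dst: Addr) -> Tuple[str, bool]:
    """Return (where the packet goes, whether an ingress-filtering provider
    would accept it). On-link ('local') packets never reach a provider."""
    hop = host.next_hop(src, dst)
    if hop is None:
        return ("local", True)
    provider = PROVIDER_OF[hop]
    return (provider, src in ACCEPTED_SOURCES[provider])


def build_host(with_fwd_rule: bool) -> Host:
    """'route add default G1', optionally plus 'ipfw add fwd G2 ip from A2 to any'."""
    host = Host(connected=[P1_BLOCK, P2_BLOCK], default_gw=G1)
    if with_fwd_rule:
        host.fwd_rules.append(FwdRule(gateway=G2, src=Net(f"{A2}/32")))
    return host


if __name__ == "__main__":
    internet = Addr("203.0.113.7")   # constructed off-site destination
    neighbour = Addr("192.0.2.20")   # constructed host on the shared segment
    for flag in (False, True):
        h = build_host(flag)
        print(f"fwd rule {'on ' if flag else 'off'}: "
              f"A1->internet {egress(h, A1, internet)}, "
              f"A2->internet {egress(h, A2, internet)}, "
              f"A2->neighbour {egress(h, A2, neighbour)}")
```

Without the rule, A2-sourced traffic leaves through P1's router and fails P1's source filter; with it, the same traffic goes to G2 and passes. The last column shows the side effect of a rule written `to any`: traffic from A2 to a host on the shared segment is now handed to G2 instead of being delivered on-link, which is why a production rule usually excludes the local subnets in its destination part.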
Re: Multiple default routes on multihome host
Nick, good day.

Mon, Feb 18, 2008 at 09:00:54PM +0000, Nick Barnes wrote:
> I have a multi-home host: more than one IP address. The addresses are
> in separate subnets but run over the same ethernet segment (this is a
> temporary situation while I switch an office network over from one
> network provider to another).
>
> I want packets from address A1 to be sent via gateway G1, but packets
> from address A2 to be sent via gateway G2.
>
> How do I do this? Can I just have more than one default route? I'm
> remote from the machine in question, so I don't want to tinker with
> the default route until I'm sure of the answer.

pf's "route-to"/"reply-to" statements can do the trick for you. Use "route-to" if the packet is originating from your host and use "reply-to" for packets destined for some service at your host. You should use stateful rules with these modifiers.

But if you have no pf on your remote machine, maybe you will decide not to install and enable it remotely, unless you are very sure about what you're doing.
--
Eygene
Re: Multiple default routes on multihome host
In response to Nick Barnes <[EMAIL PROTECTED]>:
> I have a multi-home host: more than one IP address. The addresses are
> in separate subnets but run over the same ethernet segment (this is a
> temporary situation while I switch an office network over from one
> network provider to another).
>
> I want packets from address A1 to be sent via gateway G1, but packets
> from address A2 to be sent via gateway G2.
>
> How do I do this? Can I just have more than one default route? I'm
> remote from the machine in question, so I don't want to tinker with
> the default route until I'm sure of the answer.

You can't have multiple default routes. The fact that you want to is an indicator of incorrect network design, although it could be an artifact of the interim setup while you migrate things around.

I would suggest you ask yourself (and possibly the list) _why_ you think multiple default routes is necessary ... what is it that you're hoping to accomplish. I'm guessing you're looking for some sort of redundancy, in which case something like CARP or RIP is liable to be the correct solution.

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
[EMAIL PROTECTED]
Phone: 412-422-3463x4023
Multiple default routes on multihome host
I have a multi-home host: more than one IP address. The addresses are in separate subnets but run over the same ethernet segment (this is a temporary situation while I switch an office network over from one network provider to another).

I want packets from address A1 to be sent via gateway G1, but packets from address A2 to be sent via gateway G2.

How do I do this? Can I just have more than one default route? I'm remote from the machine in question, so I don't want to tinker with the default route until I'm sure of the answer.

Thanks in advance,

Nick Barnes