[LARTC] possible packet forwarding or routing problem
Hi. I have a system with two network cards: eth0 has a public IP address and eth1 is on an internal network. Now I have packet forwarding enabled, and there is a route from eth1 to the internal network, but if a computer on the internal network sets its gateway to the box, it can't traceroute past the box to the internet. There are no iptables rules yet.

Here is the routing table as produced by route:

Destination     Gateway          Genmask          Flags Metric Ref Use Iface
64.183.125.208  *                255.255.255.248  U     0      0   0   eth0
192.168.1.0     *                255.255.255.0    U     0      0   0   eth1
169.254.0.0     *                255.255.0.0      U     0      0   0   eth0
default         rrcs-64-183-125  0.0.0.0          UG    0      0   0   eth0

What am I doing wrong here? Any assistance would be appreciated.

--
Your life is like a penny. You're going to lose it. The question is: How do you spend it?

John Covici
[EMAIL PROTECTED]

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
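An added example for the kind of setup in this post (not the poster's own configuration and not from the list): a short script that puts together the three pieces a Linux box with one public and one private interface needs before hosts behind it can reach the internet. The routes get packets to the right interface; the sysctl is what lets the kernel relay them between interfaces; and because 192.168.1.0/24 is private address space, a reply to an unrewritten private source address never comes back from the internet, so the script also adds source NAT on the public side and a minimal FORWARD policy. The interface roles (eth0 public, eth1 on 192.168.1.0/24) are taken from the routing table above; the use of MASQUERADE, the DRY_RUN switch and the function names are assumptions of the example. With DRY_RUN=1 the commands are printed instead of executed, which is also how the check function at the end reads them back.

```shell
#!/bin/sh
# Added example: make a two-NIC Linux box a NAT gateway for an internal
# network. Interface roles follow the routing table in the post; all other
# values are assumptions. DRY_RUN=1 prints the commands instead of running
# them so the rule set can be reviewed before it touches a live box.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: forwarding is a kernel switch, not a routing-table entry. Routes
# alone let the box itself reach both networks; only this lets it relay
# packets from one interface to the other.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    # Drop packets whose source address would not be reached back through
    # the interface they arrived on (reverse-path filter).
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Step 2: 192.168.1.0/24 is RFC 1918 space. Even with forwarding on, a
# packet leaving eth0 with a 192.168.1.x source gets no answer, because
# nothing on the internet routes to that prefix. MASQUERADE rewrites the
# source to the public interface's address on the way out.
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Step 3: a forwarding policy. Allow LAN->WAN and the replies to it, drop
# everything else so the public side cannot open connections inward.
forward_policy() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Emit the full rule set as shell text for review (subshell keeps DRY_RUN local).
gateway_script() {
    ( DRY_RUN=1; enable_forwarding; nat_rules; forward_policy )
}

# Sanity check: exactly one masquerade rule in the generated plan.
count_masquerade() {
    gateway_script | grep -c MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding; nat_rules; forward_policy
else
    gateway_script
fi
```

Run it without arguments to print the plan, or as root with `apply` to execute it. If the box also offers services on the public side, add the matching INPUT rules; this script only controls what is forwarded.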
RE: [LARTC] two internet providers
This would be really easy to do with one box. Have an interface for the cable modem and an interface for the DSL. Have your default route go to the DSL modem (ip route add/change default table main dev eth via xxx.xxx.xxx.xxx). Then you can configure whatever proxy you are going to use to use the other interface. I have done similar setups using squid as the proxy with transparent redirection, as well as using the Dante SOCKS server; both have configuration options to use a specific interface for their traffic. Let me know if you have any questions, I'd be happy to provide further detail.

--
Charlie Meyer
University of Illinois at Urbana-Champaign
College of Engineering - Department of Computer Science
Phi Kappa Psi - Property Manager
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Manish Kathuria
Sent: Saturday, January 27, 2007 9:11 AM
To: Danut Chereches
Cc: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] two internet providers

On 1/23/07, Danut Chereches <[EMAIL PROTECTED]> wrote:
> hello
>
> i have slackware installed and i have two internet connections,
> ADSL (2.5 Mbps) + cable modem (1 Mbps)
> i want to share the connections in a small network
> NAT for the ADSL connection, and a proxy server for the cable modem
> connection
> i searched all over the internet (probably not where i was supposed to)
> but i couldn't find a solution
> if someone could give me a tip i would really appreciate it
>

The simplest solution would be to use two systems, one connected to the cable modem and running the proxy server, and the other one connected to the ADSL connection with packet forwarding enabled and iptables rules for the NAT and forwarding of the traffic. The first system can be specified in the proxy server settings and the IP of the second system can be specified as the gateway for the clients.

You can also configure the squid proxy server to act as a transparent proxy and redirect the outgoing port 80 traffic through it using iptables rules on the gateway.

If you want to use a single system as the gateway and proxy server, you can configure it to use multiple gateways and divide the outgoing traffic so that the web traffic (and FTP, if desired) is routed through the cable modem and the rest through the ADSL connection. You can also specify the outgoing TCP address in the squid proxy server configuration.

Please also see the LARTC HOWTO and the documentation for the ip tool.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/
Re: [LARTC] DGD patch not detecting dead gateway
On 1/27/07, Geoff Dornan <[EMAIL PROTECTED]> wrote:
> Hi
>
> Can you post your script please?
>
> Cheers
> geoff
>
> On 1/20/07, Grant Taylor <[EMAIL PROTECTED]> wrote:
> > On 01/19/07 12:45, Manish Kathuria wrote:
> > > My experience has been mixed. The patch worked very well in many cases
> > > but in some it worked only if the first hop gateway was down and not
> > > any of the subsequent hops. So as you mentioned, it's happening since it
> > > can ping the switch / modem, it thinks the link is good. You can make
> > > a script which will keep on running in the background and check if the
> > > links are up or not, and if any of the links is down, it can change the
> > > default route and provide a failover.
> >
> > I have been tasked with writing such a script. In my scenario, I'm
> > taking it a bit further though. I am planning on having my script test
> > the actual service that I'm trying to connect to, i.e. connect to port
> > 80 and request a page. I'm having to go this route because I've had
> > sporadic MTU issues in one of our (primary) paths. The provider is
> > supposed to be repairing the problem, however I need a solution before
> > that can happen.
>
> The method I have adopted is to use a shell script which pings a popular
> remote site's IP (for example www.yahoo.com or www.google.com) through
> each of the interfaces every 10 seconds. The default multipath route is
> replaced by a single default gateway if no reply is received for 4
> consecutive tries from one of the links. This is to avoid very frequent
> failovers. However, the link is treated as live as soon as a ping reply
> is received, and the multipath route is activated.

The script is appended. It assumes that you have followed the steps as described in nano.txt, with or without applying the patches. Though it appears to be very simplistic, it's working great at a number of locations.
#!/bin/bash -x
# Probe both uplinks and switch between the multipath default route and a
# single default gateway as links fail and recover.
TESTIP=www.yahoo.com    # remote host probed through each uplink
CHECK=0
ISPA=1                  # 1 = link A (EXTIF1) considered up, 0 = down
ISPB=1                  # 1 = link B (EXTIF2) considered up, 0 = down
LINKSTATUS=1            # 1 = both up (multipath), 2 = only A, 3 = only B
COUNTA=0                # consecutive failed probes on link A
COUNTB=0                # consecutive failed probes on link B
EXTIF1=eth1
EXTIF2=eth2
GW1=172.16.1.1
GW2=192.168.1.1
W1=1                    # nexthop weights for the multipath route
W2=1

while : ; do
    # Probe link A: a single ping forced out EXTIF1. Four consecutive
    # failures mark the link down; one success brings it straight back.
    ping -I $EXTIF1 -c 1 $TESTIP > /dev/null 2>&1
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        COUNTA=`expr $COUNTA + 1`
    else
        COUNTA=0
    fi
    if [ $COUNTA -ge 4 ]; then
        ISPA=0
    else
        ISPA=1
    fi

    # Same probe for link B.
    ping -I $EXTIF2 -c 1 $TESTIP > /dev/null 2>&1
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        COUNTB=`expr $COUNTB + 1`
    else
        COUNTB=0
    fi
    if [ $COUNTB -ge 4 ]; then
        ISPB=0
    else
        ISPB=1
    fi

    # Decide the desired state. When both links are down there is nothing
    # better to switch to, so the current state is kept (this also keeps
    # NEWSTATUS set on the first pass, which the comparisons below need).
    NEWSTATUS=$LINKSTATUS
    if [ $ISPA -eq 1 ]; then
        if [ $ISPB -eq 1 ]; then
            NEWSTATUS=1
        elif [ $ISPB -eq 0 ]; then
            NEWSTATUS=2
        fi
    elif [ $ISPA -eq 0 ]; then
        if [ $ISPB -eq 1 ]; then
            NEWSTATUS=3
        fi
    fi

    # Change routes only on a state transition.
    case $LINKSTATUS in
    1)  if [ $NEWSTATUS -eq 2 ]; then
            ip route replace default via $GW1 dev $EXTIF1
        elif [ $NEWSTATUS -eq 3 ]; then
            ip route replace default via $GW2 dev $EXTIF2
        fi;;
    2)  if [ $NEWSTATUS -eq 1 ]; then
            ip route del default
            ip route replace default table 222 proto static \
                nexthop via $GW1 dev $EXTIF1 weight $W1 \
                nexthop via $GW2 dev $EXTIF2 weight $W2
        elif [ $NEWSTATUS -eq 3 ]; then
            ip route replace default via $GW2 dev $EXTIF2
        fi;;
    3)  if [ $NEWSTATUS -eq 1 ]; then
            ip route del default
            ip route replace default table 222 proto static \
                nexthop via $GW1 dev $EXTIF1 weight $W1 \
                nexthop via $GW2 dev $EXTIF2 weight $W2
        elif [ $NEWSTATUS -eq 2 ]; then
            ip route replace default via $GW1 dev $EXTIF1
        fi;;
    *)  echo;;
    esac
    LINKSTATUS=$NEWSTATUS
    sleep 10
done

Let me know if you can think of any improvements or modifications.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/
Re: [LARTC] two internet providers
On 1/23/07, Danut Chereches <[EMAIL PROTECTED]> wrote:
> hello
>
> i have slackware installed and i have two internet connections,
> ADSL (2.5 Mbps) + cable modem (1 Mbps)
> i want to share the connections in a small network
> NAT for the ADSL connection, and a proxy server for the cable modem
> connection
> i searched all over the internet (probably not where i was supposed to)
> but i couldn't find a solution
> if someone could give me a tip i would really appreciate it

The simplest solution would be to use two systems, one connected to the cable modem and running the proxy server, and the other one connected to the ADSL connection with packet forwarding enabled and iptables rules for the NAT and forwarding of the traffic. The first system can be specified in the proxy server settings and the IP of the second system can be specified as the gateway for the clients.

You can also configure the squid proxy server to act as a transparent proxy and redirect the outgoing port 80 traffic through it using iptables rules on the gateway.

If you want to use a single system as the gateway and proxy server, you can configure it to use multiple gateways and divide the outgoing traffic so that the web traffic (and FTP, if desired) is routed through the cable modem and the rest through the ADSL connection. You can also specify the outgoing TCP address in the squid proxy server configuration.

Please also see the LARTC HOWTO and the documentation for the ip tool.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/
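An added example for the single-box variant that both Charlie Meyer and Manish Kathuria sketch in this thread (one gateway, default route out the ADSL line, web traffic handed to squid and sent out the cable modem). It is not code from either of them or from the LARTC HOWTO; the interface names, addresses, routing table name and squid port are assumed values, and the squid directives use the 2.6-era syntax (`http_port ... transparent`, `tcp_outgoing_address`). The point it makes explicit that the prose leaves implicit: squid's outgoing socket is bound to the cable address, and a policy rule keyed on that source address is what makes those connections use the cable table instead of the main table's ADSL default, so no packet marking is needed for the proxied web traffic. DRY_RUN=1 prints the plan instead of applying it.

```shell
#!/bin/sh
# Added example (not from the thread): one gateway with two uplinks.
# Default route via ADSL; LAN HTTP transparently redirected to a local squid
# whose outgoing connections are pinned to the cable modem by policy routing.
# Every name and address below is an assumption of the example.

LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
ADSL_IF=${ADSL_IF:-eth1}
ADSL_GW=${ADSL_GW:-10.0.0.1}
CABLE_IF=${CABLE_IF:-eth2}
CABLE_IP=${CABLE_IP:-198.51.100.20}
CABLE_GW=${CABLE_GW:-198.51.100.1}
SQUID_PORT=${SQUID_PORT:-3128}
CABLE_TABLE=${CABLE_TABLE:-cable}   # must be listed in /etc/iproute2/rt_tables

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

routes() {
    # Main table: everything not matched elsewhere leaves via ADSL.
    run ip route replace default via "$ADSL_GW" dev "$ADSL_IF"
    # Second table for the cable line, with its own default gateway.
    run ip route replace default via "$CABLE_GW" dev "$CABLE_IF" table "$CABLE_TABLE"
    # Policy rule: packets sourced from the cable address consult that table.
    # Squid binds its outgoing side to CABLE_IP (tcp_outgoing_address), so
    # this single rule steers all proxied web traffic out the cable modem.
    run ip rule add from "$CABLE_IP" table "$CABLE_TABLE"
    run ip route flush cache
}

firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    # Transparent proxy: LAN port-80 connections are redirected to squid on
    # this box before routing, so clients need no proxy settings.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    # Everything else from the LAN is NATed out the ADSL interface. Squid
    # speaks to origin servers from CABLE_IP itself, so it needs no NAT.
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -s "$LAN_NET" -j MASQUERADE
}

# squid.conf lines that pair with the rules above (squid 2.6 syntax).
squid_fragment() {
    cat <<EOF
http_port $SQUID_PORT transparent
tcp_outgoing_address $CABLE_IP
EOF
}

# Print the whole plan without touching the system.
plan() { ( DRY_RUN=1; routes; firewall; squid_fragment ); }

# Check that the three pieces that have to agree actually do: the policy rule
# selects the cable table for squid's address, port 80 is redirected to the
# squid port, and squid is told to source from that address. Returns 0 if so.
plan_ok() {
    p=$(plan)
    echo "$p" | grep -q "ip rule add from $CABLE_IP table $CABLE_TABLE" &&
    echo "$p" | grep -q "dport 80 -j REDIRECT --to-ports $SQUID_PORT" &&
    echo "$p" | grep -q "tcp_outgoing_address $CABLE_IP"
}

if [ "${1:-}" = "apply" ]; then routes; firewall; else plan; fi
```

Run without arguments to print the plan (the last two lines are the squid.conf fragment), or as root with `apply` after adding the table name to rt_tables. FTP, which Manish mentions as optional, would need either squid's FTP support or a separate rule set; the script covers HTTP only.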
Re: [LARTC] DGD patch not detecting dead gateway
On 1/20/07, Grant Taylor <[EMAIL PROTECTED]> wrote:
> On 01/19/07 12:45, Manish Kathuria wrote:
> > My experience has been mixed. The patch worked very well in many cases
> > but in some it worked only if the first hop gateway was down and not
> > any of the subsequent hops. So as you mentioned, it's happening since it
> > can ping the switch / modem, it thinks the link is good. You can make
> > a script which will keep on running in the background and check if the
> > links are up or not, and if any of the links is down, it can change the
> > default route and provide a failover.
>
> I have been tasked with writing such a script. In my scenario, I'm
> taking it a bit further though. I am planning on having my script test
> the actual service that I'm trying to connect to, i.e. connect to port
> 80 and request a page. I'm having to go this route because I've had
> sporadic MTU issues in one of our (primary) paths. The provider is
> supposed to be repairing the problem, however I need a solution before
> that can happen.

The method I have adopted is to use a shell script which pings a popular remote site's IP (for example www.yahoo.com or www.google.com) through each of the interfaces every 10 seconds. The default multipath route is replaced by a single default gateway if no reply is received for 4 consecutive tries from one of the links. This is to avoid very frequent failovers. However, the link is treated as live as soon as a ping reply is received, and the multipath route is activated.

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/