Solved

Linux - advance routing

Posted on 2007-04-09
387 Views
Last Modified: 2013-12-16
Dears,
How are you all?

I need to make this topology:


                                    ------------------- eth1
internet GW (10.1.1.1)  ------------------ eth2  LINUX (2.6.20.6) with multipath ---eth0 , eth0:1eth 0:2
                                    --------------------eth3
I need to make 1:1 NAT from eth0 ---- eth1 and go out to the internet from eth1, and eth0:1 ---- eth2 and go out to the internet from eth2, and eth0:2 to eth3 and go out to the internet from eth2.

i.e.
10.10.10.10 ---------- 192.168.1.2   - ------ go out from eth1
10.10.10.11 ---------- 192.168.2.2   - ------ go out from eth1
10.10.10.12 ---------- 192.168.3.2   - ------ go out from eth1

I need every NAT to have its own Ethernet MAC and IP.

Many thanks
Question by:majedalanni
7 Comments
 
LVL 27

Expert Comment

by:Nopius
ID: 18881791
Suppose
eth0:0 = 192.168.1.2 (LAN)
eth0:1 = 192.168.2.2 (LAN)
eth0:2 = 192.168.3.2 (LAN)
eth1 = 10.10.10.10 (WAN)
eth2 = 10.10.10.11 (WAN)
eth3 = 10.10.10.12 (WAN)

You'd like to configure all traffic that goes from LAN to WAN via eth0:0 to be NATed as eth1 and go out from eth1?
I guess that's impossible with Linux iptables and IP aliases,
because the physical interface eth0 is the only one on the LAN side. So if a non-local packet appears on interface eth0 from the LAN, we don't know to which IP alias it was sent; for Linux all these packets are the same (since the aliased IP address of the router can't be found in the IP packet frame, only the source and destination addresses).

Your problem has a solution if you use tagged VLANs on eth0; then you will have 3 different interfaces, not only aliases on the same interface. If you can use VLANs, we will continue.
 
LVL 1

Author Comment

by:majedalanni
ID: 18887665
Dear,
Sorry for confusing you.
eth0:0 = 192.168.1.1/24 (LAN)
eth0:1 = 192.168.2.1/24 (LAN)
eth0:2 = 192.168.3.1/24 (LAN)
eth1 = 10.10.10.10/8 (WAN)
eth2 = 10.10.10.11/8 (WAN)
eth3 = 10.10.10.12/8 (WAN)
This is the right configuration,

and I do:
iptables -t nat -A POSTROUTING -s 192.168.2.2/32 -j SNAT --to-source 10.10.10.10
.
.
.

ip rule add from 192.168.1.2/32 table 22
ip rule add from 192.168.2.2/32 table 32
ip rule add from 192.168.3.2/32 table 42

ip route add default via 10.1.1.1 dev eth1 table 22
ip route add default via 10.1.1.1 dev eth2 table 32
ip route add default via 10.1.1.1 dev eth3 table 42
ip route flush cache

and it works.
 
LVL 27

Expert Comment

by:Nopius
ID: 18887703
So you meant you need split access by source IP address ('-s 192.168.2.2/32'), not by source interface name. That was really confusing and is not the same... For example, I may have a LAN host 192.168.1.12/22 (yes, with a longer network mask) with a default route to 192.168.2.1; the packet will be routed via eth0:1, but goes out via eth1, which is incorrect according to the original post...

If now everything works, you may close the question (as self-answered) and refund the points in the community support area.
 
LVL 1

Author Comment

by:majedalanni
ID: 18907190
Thanks a lot,
OK.

Can I make it so that one LAN 192.168.2.0/24 (eth0) load balances going out to eth1, eth2 and eth3?
I need that if a client from the LAN has to download something, it uses the whole bandwidth of the three NICs.

I made these, but it's not working:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j SNAT --to-source 10.10.10.10
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j SNAT --to-source 10.10.10.11
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth3 -j SNAT --to-source 10.10.10.12

ip route add default equalize  nexthop via 10.1.1.1 dev eth1 nexthop via 10.1.1.1 dev eth2 nexthop via 10.1.1.1 dev eth3

but it's not working,
and I tried

ip route add default equalize  mpath rr scope global nexthop via 10.1.1.1 dev eth1 nexthop via 10.1.1.1 dev eth2 nexthop via 10.1.1.1 dev eth3

and I also tried writing just the device and removing 10.1.1.1, but that also does not work.


Any idea?

Regards
 
LVL 27

Accepted Solution

by:
Nopius earned 500 total points
ID: 18909757
majedalanni, hi again.
> can I make it from one LAN 192.168.2.0/24 (eth0) make load balance go out to eth1 and eth2 and eth3?
Yes, you can. BUT load balancing here is not a 'spreading' of 1 connection among 3 interfaces. One outgoing connection - one interface: that's possible. One connection - multiple interfaces: see below.
Also it's possible to use the full bandwidth of all 3 links if you change the L2 protocol. Suppose that your router (10.1.1.1) has 3x100Mbit LAN NICs and Linux has 3x100Mbit NICs. Then it's possible to turn on 802.1Q VLAN tagging and create one VLAN trunk device on Linux and on the GW (if it supports VLAN trunk ports). For doing that, your router and Linux should understand 802.1Q trunking.

Now, why your configuration doesn't work:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth1 -j SNAT --to-source 10.10.10.10
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j SNAT --to-source 10.10.10.11
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth3 -j SNAT --to-source 10.10.10.12
ip route add default equalize  nexthop via 10.1.1.1 dev eth1 nexthop via 10.1.1.1 dev eth2 nexthop via 10.1.1.1 dev eth3

This does not work because you try to split 1 connection among 3 interfaces, so each outgoing packet will go from Linux to the GW with 3 different source IP addresses; as you understand, it breaks the TCP connection (or leads to data loss, many retransmissions and an unpredictable TCP connection state).
'ip route equalize' will work correctly only if you have no NAT.

This rule also doesn't solve a problem:
ip route add default equalize  mpath rr scope global nexthop via 10.1.1.1 dev eth1 nexthop via 10.1.1.1 dev eth2 nexthop via 10.1.1.1 dev eth3

If you'd like to load balance as I said, one connection - one outgoing interface (randomly chosen), we will continue.
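As an added example that is not part of this thread (it is neither Nopius's nor majedalanni's configuration), the following shell script implements the "one connection - one interface" approach the accepted answer describes, reusing the addresses from the thread and the author's route tables 22/32/42. Each new connection from the LAN is marked once (iptables statistic match), the mark is stored in the conntrack entry (CONNMARK) so every later packet of that connection carries the same mark, a policy-routing rule sends marked packets to the table of one WAN link, and a per-interface SNAT rule rewrites the source to that link's own address. This is why it avoids the problem the answer explains: a connection never leaves with more than one source address. The function names, the DRY_RUN switch and the `apply` argument are assumptions of this example; the iptables matches used (statistic, mark, CONNMARK) exist in 2.6.18 and later kernels.

```shell
#!/bin/sh
# Added example, not from the thread: per-connection WAN selection with
# policy routing and per-interface SNAT. DRY_RUN=1 prints commands only.

LAN_NET=192.168.2.0/24   # LAN behind eth0 (from the thread)
GW=10.1.1.1              # shared internet gateway (from the thread)

# run CMD...: execute, or print when DRY_RUN=1 (assumed helper)
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# wan_table MARK DEV ADDR: one routing table per WAN link; the table number
# doubles as the firewall mark that selects it.
wan_table() {
    mark=$1; dev=$2; addr=$3
    # default route of this table leaves via the link's own device
    run ip route replace default via "$GW" dev "$dev" table "$mark"
    # packets carrying this mark are routed with this table
    run ip rule add fwmark "$mark" table "$mark"
    # whatever leaves via this device is NATed to this device's address,
    # so a connection pinned to the link always uses one source IP
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$dev" -j SNAT --to-source "$addr"
}

# connection_balance M1 M2 M3: choose a link once per connection and keep it.
# Marking happens in mangle PREROUTING, i.e. before the routing decision.
connection_balance() {
    m1=$1; m2=$2; m3=$3
    # packets of an already-seen connection get their stored mark back
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -j CONNMARK --restore-mark
    # still unmarked = new connection: 1/3 to link 1, 1/2 of the rest to
    # link 2, remainder to link 3 (statistic match, nth mode)
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -m mark --mark 0 \
        -m statistic --mode nth --every 3 --packet 0 -j MARK --set-mark "$m1"
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -m mark --mark 0 \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark "$m2"
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -m mark --mark 0 \
        -j MARK --set-mark "$m3"
    # remember the decision in the conntrack entry for the whole connection
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -j CONNMARK --save-mark
}

main() {
    wan_table 22 eth1 10.10.10.10
    wan_table 32 eth2 10.10.10.11
    wan_table 42 eth3 10.10.10.12
    connection_balance 22 32 42
    run ip route flush cache
}

# only act when invoked as "./script.sh apply"
case "${1:-}" in
    apply) main ;;
esac
```

Run it on the router as `./script.sh apply`; with `DRY_RUN=1 ./script.sh apply` it only prints the ip and iptables commands so they can be reviewed first. Because the balancing decision is made per connection, a single download still uses one link, exactly as the accepted answer states; only several parallel connections spread over the three links.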
