Comments on: Multi gateway routing with iptables and iproute2 http://blog.khax.net/2009/11/28/multi-gateway-routing-with-iptables-and-iproute2/ Adventures in Ubuntu systems administration Tue, 26 Jan 2010 19:27:39 +0000 http://wordpress.com/ hourly 1 By: Randy Wallace http://blog.khax.net/2009/11/28/multi-gateway-routing-with-iptables-and-iproute2/#comment-123 Randy Wallace Mon, 30 Nov 2009 07:38:26 +0000 http://blog.khax.net/?p=160#comment-123 Yes, you're correct; I found that a true 'multi-home' gateway for one subscriber turned into a housekeeping nightmare. The problem gets worse, though: without a single IP for traffic to 'relate' to, HTTPS and other secured technologies would wreak havoc. Subsequently, there was not way possible to determine which satellite deserved which port(s) traffic, etc... (i.e. 'fair' load balancing across dishes was nearly impossible) Thus, we assigned a set number of subscribers to each satellite. This also helped to mitigate problems concerning outage(s). Upon testing multiple different scenario(s) using multi-homing, I found that they were all to unreliable, especially when handling the loads of traffic we were passing (and frequent outages). Thus, in the end, I was looking into the Click Modular Router for writing 'the perfect routing code' for my application. I never got around to it, though... You can only imagine what kinds of issues I encountered using Satellite Internet; avoid it AT ALL COSTS! (We had no choice at the time, I was deployed in Iraq) Yes, you’re correct; I found that a true ‘multi-home’ gateway for one subscriber turned into a housekeeping nightmare. The problem gets worse, though: without a single IP for traffic to ‘relate’ to, HTTPS and other secured technologies would wreak havoc. Subsequently, there was not way possible to determine which satellite deserved which port(s) traffic, etc… (i.e. ‘fair’ load balancing across dishes was nearly impossible) Thus, we assigned a set number of subscribers to each satellite. This also helped to mitigate problems concerning outage(s).

Upon testing multiple different scenario(s) using multi-homing, I found that they were all to unreliable, especially when handling the loads of traffic we were passing (and frequent outages). Thus, in the end, I was looking into the Click Modular Router for writing ‘the perfect routing code’ for my application. I never got around to it, though…

You can only imagine what kinds of issues I encountered using Satellite Internet; avoid it AT ALL COSTS! (We had no choice at the time, I was deployed in Iraq)

]]> By: agentk http://blog.khax.net/2009/11/28/multi-gateway-routing-with-iptables-and-iproute2/#comment-122 agentk Mon, 30 Nov 2009 01:41:48 +0000 http://blog.khax.net/?p=160#comment-122 Thanks Randy, some good examples of real world use in there. From what I can see users were partitioned per satellite? I have not looked at failover or QoS yet. I was thinking of just checking interfaces status via cron and reconfiguring based on that. My biggest problem was that one of my providers blocks outgoing packets not marked as being from my IP. So if a packet ended up going via the wrong provider they were just being dropped. This most affected returning of incoming packets as outgoing connections always ended up back on the connection they were sent from. For load balancing 'ip route default nexthop' seems to work ok, but stutters quite bad when a connection goes down. As does 'iptables -m statistic --mode nth --every 2' balancing. But doing it in iptables for outgoing connections seems to balance better and provide better throughput. I guess that might be the subject of a new post. Thanks Randy, some good examples of real world use in there. From what I can see users were partitioned per satellite? I have not looked at failover or QoS yet. I was thinking of just checking interfaces status via cron and reconfiguring based on that.
My biggest problem was that one of my providers blocks outgoing packets not marked as being from my IP. So if a packet ended up going via the wrong provider they were just being dropped.
This most affected returning of incoming packets as outgoing connections always ended up back on the connection they were sent from.
For load balancing ‘ip route default nexthop’ seems to work ok, but stutters quite bad when a connection goes down.
As does ‘iptables -m statistic –mode nth –every 2′ balancing. But doing it in iptables for outgoing connections seems to balance better and provide better throughput.
I guess that might be the subject of a new post.

]]> By: Randy Wallace http://blog.khax.net/2009/11/28/multi-gateway-routing-with-iptables-and-iproute2/#comment-121 Randy Wallace Sun, 29 Nov 2009 23:42:51 +0000 http://blog.khax.net/?p=160#comment-121 A few years ago, I did a project overseas which involved providing internet to a LAN. At the time, I chose to use a Linux Server / Router to do 99% of the work. Our internet connection was a farm of Internet Satellite connections (price and dish-size was a factor, which led to this solution). I ended up writing a Python Script which performed a myriad of tasks to include: balancing subscribers across internet connections, traffic shaping rules manipulation (via tc), firewall port blocking, etc... You may, then, be interested in seeing the rules created by my script: http://greamin.com/server/PastWork/UbuntuGateway.html . Subsequently, on that site, there is also the script, and the configuration file, which made my life remarkably easy! It worked *beautifully* and provided a high level of service per subscriber, regardless of their network demands! A few years ago, I did a project overseas which involved providing internet to a LAN. At the time, I chose to use a Linux Server / Router to do 99% of the work. Our internet connection was a farm of Internet Satellite connections (price and dish-size was a factor, which led to this solution). I ended up writing a Python Script which performed a myriad of tasks to include: balancing subscribers across internet connections, traffic shaping rules manipulation (via tc), firewall port blocking, etc… You may, then, be interested in seeing the rules created by my script: http://greamin.com/server/PastWork/UbuntuGateway.html . Subsequently, on that site, there is also the script, and the configuration file, which made my life remarkably easy! It worked *beautifully* and provided a high level of service per subscriber, regardless of their network demands!

]]>