
I have two ADSL modem-routers and a server all in the same statically-assigned IP address range (192.168.0.1/24).

Internet 1 -- (1.1.1.1) Modem 1 (192.168.0.1) -- Switch -- (192.168.0.3) Server 
Internet 2 -- (2.2.2.2) Modem 2 (192.168.0.2) -----/

Each of the modems forwards ports to the server, e.g. ssh. This works on one modem but not the other. If I do a packet trace, the ssh packets arrive at the server and are returned via the default gateway, which may have a different external IP to the origin. If it does not match the origin, the response is thrown away and the ssh connection times out.

e.g. If the default gateway in the server is 192.168.0.1, then the ssh packets would take the following paths:

Request:  SSH to 1.1.1.1 -> 192.168.0.1 -> 192.168.0.3
Response: 192.168.0.3 -> 192.168.0.1 -> 1.1.1.1
Result: WORKS! :-D

Request:  SSH to 2.2.2.2 -> 192.168.0.2 -> 192.168.0.3
Response: 192.168.0.3 -> 192.168.0.1 -> 1.1.1.1
Result: WRONG RESPONSE IP (2.2.2.2 != 1.1.1.1)

I understand from chatting with the people on IRC ##networking that what I want is "Source-Based Routing", a type of Policy Based Routing.

From what I can tell, a PBR looks something like:

access-list 1 permit 192.168.0.1
access-list 2 permit 192.168.0.2
!
interface async 1
 ip policy route-map equal-access
!
route-map equal-access permit 10
 match ip address 1
 set ip default next-hop 192.168.0.1
route-map equal-access permit 20
 match ip address 2
 set ip default next-hop 192.168.0.2
route-map equal-access permit 30
 set default interface null0

I have spent many hours looking at tutorials and examples on this, but they don't seem to come near my needs. Specifically, I can't seem to understand:

  1. How the originating IP is matched to the response IP,
  2. The meaning of 'async' in the above example,
  3. If the above example is even remotely correct for my needs, and
  4. Where I should put this configuration on a standard Ubuntu Server?

2 Answers


You need to add an additional IP to the server (e.g. 192.168.0.4) and DNAT the traffic coming to ADSL Modem 2 to the new address. This way the server will be able to differentiate between the 2 upstream connections; at the moment it can't do that because all traffic that it sees is destined to 192.168.0.3 from whatever source address out on the internet with no indication of which ADSL modem the packet traversed.

With the additional IP set up, in your Policy Based Routing, you connection mark any traffic to 192.168.0.3 with a mark that uses a route table that default routes to ADSL Modem 1, and connection mark traffic to 192.168.0.4 with a mark to use a routing table with ADSL Modem 2 as the default gateway.

fukawi2
  • This makes some sense. I'm confused by your reference to PBR, tho. If I add an extra IP and then simply do "route add 192.168.0.4 gw 192.168.0.2", does PBR become unnecessary? – tudor -Reinstate Monica- May 14 '13 at 05:48
  • @tudor No, that's a complete misunderstanding of how route tables work. You need the PBR to ensure correct selection of the next-hop router (192.168.0.2) and that has nothing to do with the destination address of the original (inbound) packet, unless you connection mark it when it arrives so the return packet is associated with it so the correct route table is used. I wrote a script that does this kind of thing that might help get you on your way with a starting point if nothing else; search GitHub for 'pb-route' – fukawi2 May 14 '13 at 23:30

I've set this up in the past using policy routing from the Linux Advanced Routing and Traffic Control Howto.

In your case, you appear to have a slightly different configuration with a switch in the middle. You can adapt your configuration to the suggestion perhaps by adding a second NIC. Otherwise, you may need to set up multiple VLANs to accomplish what you are after with a single NIC.

dmourati
  • Unfortunately, if I follow these instructions, then that means that "Linux Router" (as opposed to a simple switch) becomes a single point of failure. So yes, my configuration and requirements are different. – tudor -Reinstate Monica- May 14 '13 at 05:53
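The following script is an added example, written for this page and not taken from the question or from either answer, that puts both answers into Linux terms on the asker's actual topology (one NIC, both modems on the same switch). It follows the source-address form of policy routing from the LARTC Howto that dmourati points to, and it assumes fukawi2's precondition: a second address (192.168.0.4) on the server, with Modem 2 forwarding its ports to that address. The addresses are the question's own; the interface name `eth0`, the numeric table ids 101/102 and the rule priorities are assumptions. Note that the `access-list`/`route-map` snippet in the question is Cisco IOS syntax (`interface async 1` is a Cisco asynchronous serial interface), which is why it does not map onto an Ubuntu server; the Linux equivalent is `ip rule` plus per-upstream routing tables. Commands are echoed by default so the plan can be reviewed; `RUN=""` (or the `apply` argument) executes them, which needs root.

```shell
#!/bin/sh
# Added example (not from the question or either answer): source-based policy
# routing on a Linux server with two ADSL gateways on one LAN segment and a
# single NIC.  Addresses come from the question; the interface name, the table
# ids and the rule priorities are assumptions.
#
# Precondition (fukawi2's answer): Modem 2 forwards its ports to 192.168.0.4
# instead of 192.168.0.3, so every reply to traffic that arrived via Modem 2
# is sourced from 192.168.0.4 and can be steered by its source address.
#
# Commands are echoed by default; set RUN="" to apply them (requires root).

IFACE="${IFACE:-eth0}"                                      # assumed NIC name
LAN_NET=192.168.0.0/24
SRV_IP1=192.168.0.3; GW1=192.168.0.1; TID1=101; PRIO1=1001  # via Modem 1
SRV_IP2=192.168.0.4; GW2=192.168.0.2; TID2=102; PRIO2=1002  # via Modem 2
RUN="${RUN-echo}"

run() { $RUN "$@"; }

# Second address on the same NIC; this is the target of Modem 2's port forwards.
add_second_address() {
    run ip addr add "$SRV_IP2/24" dev "$IFACE"
}

# One routing table per upstream: the connected LAN route plus a default route
# through that upstream's modem.  Numeric table ids avoid editing
# /etc/iproute2/rt_tables.
setup_tables() {
    run ip route add "$LAN_NET" dev "$IFACE" src "$SRV_IP1" table "$TID1"
    run ip route add default via "$GW1" dev "$IFACE" table "$TID1"
    run ip route add "$LAN_NET" dev "$IFACE" src "$SRV_IP2" table "$TID2"
    run ip route add default via "$GW2" dev "$IFACE" table "$TID2"
}

# The policy itself.  The kernel never matches the remote client's IP (the
# asker's question 1): a reply simply carries, as its source, the server
# address the request was sent to, and that source address picks the table,
# hence the gateway.  Locally originated traffic with no bound source address
# matches neither rule and falls through to the main table as before.
setup_rules() {
    run ip rule add from "$SRV_IP1" table "$TID1" priority "$PRIO1"
    run ip rule add from "$SRV_IP2" table "$TID2" priority "$PRIO2"
    run ip route flush cache
}

plan() {
    add_second_address
    setup_tables
    setup_rules
}

# After applying, confirm the selection for each source address, e.g.
#   ip route get 198.51.100.10 from 192.168.0.4
# (198.51.100.10 is a placeholder Internet host) should report "via 192.168.0.2".
case "${1:-}" in
    plan)  plan ;;
    apply) RUN="" plan ;;
esac
```

On the Ubuntu release of the question's era these commands belong in `post-up` lines of the interface stanza in `/etc/network/interfaces` (question 4); on netplan-based releases the same policy is expressed with `routing-policy` (`from`/`table`) and per-table `routes` entries. fukawi2's connection-mark variant differs only in the selector: the `ip rule add from ...` lines become `ip rule add fwmark ...` lines, with iptables mangle rules setting and restoring the mark on the connection, which this example does not show.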