[LARTC] Load Balance and SNAT problem.

To:	LARTC@mailman.ds9a.nl
Subject:	[LARTC] Load Balance and SNAT problem.
From:	"John Chang" <mofish@gmail.com>
Date:	Mon, 25 Jun 2007 11:07:30 +0800
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	lartc-list@securepoint.com
Delivered-to:	lartc@outpost.ds9a.nl
Dkim-signature:	a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; b=V0uKYE7kbhZKJD0RNPIhQwUdwqUTe0iRNNraBujOhm2II/Hi/DcrWzCRoL9Sa1PlgTlf9cELvdf11UYiYtPV7nVS93E3c9Hz8aOJCF1Bl5UjcbXgm/9MJTWrLSw+zWK6K6JdHCW86Mje5zbFIdY8KPdGXiTejjgqV9gJ/iJeHQM=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type; b=KKAx7yBgNW1QeDMTK9yzialdtUmbtRxb4Bab59Lb7nuIW36VguAzkcGhgyqMF5MX0EW0eIkDLGCebSwFn4x9ABR0x/2OWnRYzS1DhxITsCfeklV7u6H3S8MeLHiopK975E2oxA6FrEXI+zFRbyt6M29RVWvs75opFBUyqNmzF9E=
List-archive:	<http://mailman.ds9a.nl/pipermail/lartc>
List-help:	<mailto:lartc-request@mailman.ds9a.nl?subject=help>
List-id:	"Mailinglist of the Linux Advanced Routing & Traffic Control project" <lartc.mailman.ds9a.nl>
List-post:	<mailto:lartc@mailman.ds9a.nl>
List-subscribe:	<http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
List-unsubscribe:	<http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
Sender:	lartc-bounces@mailman.ds9a.nl

I am developing load balancing router, But I have a question about fail over.
The follow diagram is my test environment and scripts.
-------------------------------------------------------------------
Environment Setting

                 PC1(192.168.10.2)
                         |
                       (LAN)
                         |
               PC2-eth2( 192.168.10.1)
                +               +
PC2-eth0(111.111.111.2)    PC2-eth1(222.222.222.2 )
                |               |
              (WAN1)          (WAN2)
                |               |
PC3-eth0(111.111.111.1)    PC3-eth1( 222.222.222.1)
                +               +
               PC2-eth2(172.16.0.1)

PC2-Linux Kernel 2.6.21
PC2-Iptables 1.3.7

-------------------------------------------------------------------
Iptables rules:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 111.111.111.2
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 222.222.222.2

# table 101
ip route flush table 101
ip route add 192.168.10.0/24 dev eth2 table 101
ip route add default via 111.111.111.1 dev eth0 table 101

# table 102
ip route flush table 102
ip route add 192.168.10.0/24 dev eth2 table 102
ip route add default via 222.222.222.1 dev eth1 table 102

ip rule del fwmark 1 table 101
ip rule del fwmark 2 table 102
ip rule add fwmark 1 table 101
ip rule add fwmark 2 table 102

iptables -t mangle -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 2 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

-----------------------------------------------------------------------------
Test Sequence:

1. Run command "ping 172.16.0.1 -t" on PC1
2. I capture packets on WAN1 and WAN2, it works fine.
   The ICMP request/response would come out on WAN1 and WAN2 sequentially.
3. I unplug WAN1. Only the packets on WAN1 will lost, but WAN2 should works, right?
   I should saw "ping Time Out" and "ping OK" on PC1 sequentially.
4. But the both connections all breaks. It always "ping Time Out" on PC1.
5. After caputre the packets on WAN1 and WAN2. I saw a weird behavior.
   The source IP of packets on WAN2 is 111.111.111.2, but it should be 222.222.222.2
   That is why WAN2 breaks.
-----------------------------------------------------------------------------
Could you give me a suggestion?

Thanks.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

<Prev in Thread]	Current Thread	[Next in Thread>
[LARTC] Load Balance and SNAT problem., John Chang <= Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Re: [LARTC] Load Balance and SNAT problem., Peter Rabbitson Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Re: [LARTC] Load Balance and SNAT problem., Patrick Brandão Re: [LARTC] Load Balance and SNAT problem., Peter Rabbitson [LARTC] Load Balance and SSL, Andre Guimarães Re: [LARTC] Load Balance and SSL, Grant Taylor Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Message not available Re: [LARTC] Load Balance and SNAT problem., Grant Taylor

Previous by Date:	Re: [LARTC] HTB deadlock, Andy Furniss
Next by Date:	Re: [LARTC] Why does scp stall on low bandwidth connections?, Nikolay Kichukov
Previous by Thread:	[LARTC] ESFQ: request for user input, Corey Hickey
Next by Thread:	Re: [LARTC] Load Balance and SNAT problem., Grant Taylor
Indexes:	[Date] [Thread] [Top] [All Lists]