Re: [LARTC] Load Balance and SNAT problem.

To:	John Chang <mofish@gmail.com>
Subject:	Re: [LARTC] Load Balance and SNAT problem.
From:	VladSun <vladsun@relef.net>
Date:	Tue, 26 Jun 2007 00:30:25 +0300
Cc:	LARTC@mailman.ds9a.nl
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	lartc-list@securepoint.com
Delivered-to:	lartc@outpost.ds9a.nl
In-reply-to:	<7e47206b0706242007q487365d3gb7c12658b9669edd@mail.gmail.com>
List-archive:	<http://mailman.ds9a.nl/pipermail/lartc>
List-help:	<mailto:lartc-request@mailman.ds9a.nl?subject=help>
List-id:	"Mailinglist of the Linux Advanced Routing & Traffic Control project" <lartc.mailman.ds9a.nl>
List-post:	<mailto:lartc@mailman.ds9a.nl>
List-subscribe:	<http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
List-unsubscribe:	<http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
References:	<7e47206b0706242007q487365d3gb7c12658b9669edd@mail.gmail.com>
Sender:	lartc-bounces@mailman.ds9a.nl
User-agent:	Thunderbird 2.0.0.4 (Windows/20070604)

John Chang написа:

I am developing load balancing router, But I have a question aboutfail over.
The follow diagram is my test environment and scripts.
-------------------------------------------------------------------
Environment Setting

PC1(192.168.10.2 <http://192.168.10.2>)
|
(LAN)
|
PC2-eth2( 192.168.10.1 <http://192.168.10.1>)
+ +
PC2-eth0(111.111.111.2 <http://111.111.111.2>) PC2-eth1(222.222.222.2<http://222.222.222.2> )
| |
(WAN1) (WAN2)
| |
PC3-eth0(111.111.111.1 <http://111.111.111.1>) PC3-eth1( 222.222.222.1<http://222.222.222.1>)
+ +
PC2-eth2(172.16.0.1 <http://172.16.0.1>)

PC2-Linux Kernel 2.6.21
PC2-Iptables 1.3.7


-------------------------------------------------------------------
Iptables rules:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 111.111.111.2<http://111.111.111.2>iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 222.222.222.2<http://222.222.222.2>
# table 101
ip route flush table 101
ip route add 192.168.10.0/24 <http://192.168.10.0/24> dev eth2 table 101
ip route add default via 111.111.111.1 <http://111.111.111.1> dev eth0table 101
# table 102
ip route flush table 102
ip route add 192.168.10.0/24 <http://192.168.10.0/24> dev eth2 table 102
ip route add default via 222.222.222.1 <http://222.222.222.1> dev eth1table 102
ip rule del fwmark 1 table 101
ip rule del fwmark 2 table 102
ip rule add fwmark 1 table 101
ip rule add fwmark 2 table 102

iptables -t mangle -A PREROUTING -t mangle -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m state --state NEW -m statistic--mode nth --every 2 --packet 1 -j MARK --set-mark 1iptables -t mangle -A PREROUTING -m state --state NEW -m statistic--mode nth --every 2 --packet 2 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

-----------------------------------------------------------------------------

Well ... I am not sure about it but you may try to do it this way:

iptables -t nat -A POSTROUTING -o ! eth2 -m mark --mark 1 -j SNAT --to111.111.111.2 <http://111.111.111.2>iptables -t nat -A POSTROUTING -o ! eth2 -m mark --mark 2 -j SNAT --to222.222.222.2 <http://222.222.222.2>


iptables -t mangle -A PREROUTING -t mangle -j CONNMARK --restore-mark

iptables -t mangle -A PREROUTING -m state --state NEW -m statistic--mode nth --every 2 --packet 1 -j MARK --set-mark 1iptables -t mangle -A PREROUTING -m state --state NEW -m statistic--mode nth --every 2 --packet 2 -j MARK --set-mark 2

iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark


This is done without using iproute.
There is another solution, but it works only with kernels up to 2.6.10:

iptables -t nat -A POSTROUTING -o ! eth2 -j SNAT --to 111.111.111.2<http://111.111.111.2>,222.222.222.2 <http://222.222.222.2>


".... For those kernels, if you specify more than one source

address, either via an address range or multiple --to-source options, asimple round-robin (one after another in cycle) takesplace between these addresses. Later Kernels (>= 2.6.11-rc1) don't havethe ability to NAT to multiple ranges anymore. ..."

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

<Prev in Thread]	Current Thread	[Next in Thread>
Re: [LARTC] Load Balance and SNAT problem., (continued) Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Re: [LARTC] Load Balance and SNAT problem., Peter Rabbitson RE: [LARTC] Load Balance and SNAT problem., Salim S I Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Re: [LARTC] Load Balance and SNAT problem., Peter Rabbitson Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Message not available Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Message not available Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Message not available Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Message not available Re: [LARTC] Load Balance and SNAT problem., Grant Taylor Re: [LARTC] Load Balance and SNAT problem., VladSun <= Re: [LARTC] Load Balance and SNAT problem., John Chang

Previous by Date:	[LARTC] Re: RED to use ECN (or work at all?), Christian Benvenuti
Next by Date:	Re: [LARTC] Using Julian Anastasov's 'routes' patches on 2.4 kernel in conjunction with IPSec, Julian Anastasov
Previous by Thread:	Re: [LARTC] Load Balance and SNAT problem., Grant Taylor
Next by Thread:	Re: [LARTC] Load Balance and SNAT problem., John Chang
Indexes:	[Date] [Thread] [Top] [All Lists]