[clug] asymmetric routing

Miloska miloska at gmail.com
Wed Aug 26 05:10:35 MDT 2009 

On Wed, Aug 26, 2009 at 11:27 AM, Chris Zhang<chris.zhang.syd at gmail.com> wrote:
> My understanding is that TCP, as a bi-directional protocol, is causing this
> issue (I
> don't want acknowledgements to consume my quota).
> So we probably have to fool the systems into thinking that nothing changes
> at L3, hence
> probably source address spoofing.

I would be surprised if that would work in a real life situation -
"famous last sentence". If that works don't go any further.


> How would BGP help though in theory? I am very curious to find it out
> actually. But it's likely
> impossible for me to do since I have to get ASN from the ISP, I doubt they
> will give me one.

Unlikely that any ISP would run any routing protocol with an 'enduser'.

With routing protocol you don't have to spoof your source IP, simply
set up the routing to use the other line for incoming.

Without spoofing or any other trick the packages should arrive on the
same path than they went out, with routing protocols this can be
overridden. I've seen this working ~10 years ago in an ISP
configuration with BGP, but I guess it can be done with other
protocols as well. In an ISP level you probably don't want to spoof
addresses :)


> What about the tunnel method you mentioned? Just curious, that's all.

I've set a system like that last weekend - let's see how can I explain:

Your internal network: 10.0.0.0/8
You have two ISPs: ISP1 and ISP2
You have a BOX on the Internet with public IP.

Set up tunnels using both ISPs.
Tunnel IPs
ISP1: 192.168.1.1 on the local site, 192.168.1.2 on the BOX
ISP2: 192.168.2.1 on the local site, 192.168.2.2 on the BOX

Static route on local site (use ISP1 for upload):
def gw:  192.168.1.2

Static route on the BOX (use ISP2 for download):
10.0.0.0/8 -> 192.168.2.1

A NAT rule is needed in the BOX for 10.0.0.0/8, not in your local router.

I used ipip protocol for the tunnels and I find several MTU problems
(additional header), some websites wasn't working properly. I will do
some more tests to see how I can fix this.

The problem is that on this site there are several ADSL lines and if
one of them fails the source IP of the connection will be changed.
With this setup the soruce IP will be the IP on the BOX and won't
change if any of the lines (tunnels) are going up and down. Also you
can add multiple lines and use them (almost) as a big pipe.

More information about the linux mailing list