[clug] asymmetric routing

Chris Zhang chris.zhang.syd at gmail.com
Wed Aug 26 06:13:38 MDT 2009


On Wed, Aug 26, 2009 at 9:10 PM, Miloska <miloska at gmail.com> wrote:

> On Wed, Aug 26, 2009 at 11:27 AM, Chris Zhang<chris.zhang.syd at gmail.com>
> wrote:
> > My understanding is that TCP, as a bi-directional protocol, is causing
> > this issue (I don't want acknowledgements to consume my quota).
> > So we probably have to fool the systems into thinking that nothing
> > changes at L3, hence probably source address spoofing.
>
> I would be surprised if that would work in a real life situation -
> "famous last sentence". If that works don't go any further.
>
>
> > How would BGP help though in theory? I am very curious to find it out
> > actually. But it's likely impossible for me to do since I have to get
> > an ASN from the ISP, and I doubt they will give me one.
>
> Unlikely that any ISP would run any routing protocol with an 'end user'.
>
> With a routing protocol you don't have to spoof your source IP; simply
> set up the routing to use the other line for incoming.
>
> Without spoofing or any other trick the packets should arrive on the
> same path as they went out; with routing protocols this can be
> overridden. I've seen this working ~10 years ago in an ISP
> configuration with BGP, but I guess it can be done with other
> protocols as well. At ISP level you probably don't want to spoof
> addresses :)
>
>
> > What about the tunnel method you mentioned? Just curious, that's all.
>
> I set up a system like that last weekend - let's see how I can explain:
>
> Your internal network: 10.0.0.0/8
> You have two ISPs: ISP1 and ISP2
> You have a BOX on the Internet with public IP.
>
> Set up tunnels using both ISPs.
> Tunnel IPs
> ISP1: 192.168.1.1 on the local site, 192.168.1.2 on the BOX
> ISP2: 192.168.2.1 on the local site, 192.168.2.2 on the BOX
>
> Static route on local site (use ISP1 for upload):
> def gw:  192.168.1.2
>
> Static route on the BOX (use ISP2 for download):
> 10.0.0.0/8 -> 192.168.2.1


I think this is a very interesting setup. Are you saying that when packets go
out first, they go through the default gateway, leaving 192.168.1.1 and
arriving at 192.168.1.2 through the tunnel using ISP1? The box with the public
IP visits the website (say www.google.com), and traffic coming back from that
website arrives at the same public IP box and is then routed to 192.168.2.1
through the ISP2 tunnel as a result of the static route on the public box.
This solves the L3 problem perfectly, since it is the same IP that is visiting
the website.

>
> A NAT rule is needed in the BOX for 10.0.0.0/8, not in your local router.


Why do I need 10.0.0.0/8 though? Would I be able to use DNAT on the public
box? Something like
'iptables -t NAT -A PREROUTING -d 192.168.1.1 -j DNAT --to 192.168.2.1'?


> I used the ipip protocol for the tunnels and I found several MTU problems
> (additional header); some websites weren't working properly. I will do
> some more tests to see how I can fix this.
>
> The problem is that on this site there are several ADSL lines, and if
> one of them fails the source IP of the connection will be changed.
> With this setup the source IP will be the IP on the BOX and won't
> change if any of the lines (tunnels) go up and down. Also you
> can add multiple lines and use them (almost) as a big pipe.
>

I have never used IPIP. Since the computer doesn't have a 192.168.1(2).0/24
network, how can I set up a tunnel involving those two?
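As an added example (not code from either poster), the script below emits the Linux commands for the two-tunnel setup Miloska describes: two ipip tunnels, the default route on the local site via ISP1, the 10.0.0.0/8 route on the BOX via ISP2, and a source NAT rule on the BOX. The public endpoint and gateway addresses, interface names and /30 prefixes are constructed placeholders; the loose reverse-path-filter setting and the MSS clamp are assumptions I would add, because strict rp_filter drops replies that arrive on the "other" tunnel and the ipip header shrinks the usable MTU.

```sh
#!/bin/sh
# Generates (or with APPLY=1 executes, as root) the commands for the
# asymmetric two-ipip-tunnel setup: upload via ISP1, download via ISP2,
# NAT on the BOX.  All public addresses below are constructed placeholders.
LAN=10.0.0.0/8
BOX_PUB=192.0.2.5            BOX_WAN=eth0
ISP1_LOCAL=203.0.113.10      ISP1_GW=203.0.113.1   ISP1_IF=eth1
ISP2_LOCAL=198.51.100.20     ISP2_GW=198.51.100.1  ISP2_IF=eth2

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# ipip tunnel: name, outer local address, outer remote address, inner addr/prefix
mk_tunnel() {
  run ip tunnel add "$1" mode ipip local "$2" remote "$3" ttl 64
  run ip addr add "$4" dev "$1"
  run ip link set "$1" up
  # Inner packets arrive on the tunnel the reverse route does NOT point at;
  # strict reverse-path filtering (1) would drop them, so use loose mode (2).
  run sysctl -w "net.ipv4.conf.$1.rp_filter=2"
}

local_site() {
  # Outer (encapsulated) packets must leave on the matching ISP link
  run ip route add "$BOX_PUB" via "$ISP1_GW" dev "$ISP1_IF"
  run ip rule add from "$ISP2_LOCAL" table 2
  run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table 2
  mk_tunnel tun1 "$ISP1_LOCAL" "$BOX_PUB" 192.168.1.1/30
  mk_tunnel tun2 "$ISP2_LOCAL" "$BOX_PUB" 192.168.2.1/30
  run sysctl -w net.ipv4.conf.all.rp_filter=2
  run ip route replace default via 192.168.1.2 dev tun1   # upload via ISP1
}

box() {
  mk_tunnel tun1 "$BOX_PUB" "$ISP1_LOCAL" 192.168.1.2/30
  mk_tunnel tun2 "$BOX_PUB" "$ISP2_LOCAL" 192.168.2.2/30
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w net.ipv4.conf.all.rp_filter=2
  run ip route replace "$LAN" via 192.168.2.1 dev tun2    # download via ISP2
  # Source NAT: the Internet only ever sees the BOX's public address
  run iptables -t nat -A POSTROUTING -s "$LAN" -o "$BOX_WAN" -j MASQUERADE
  # Clamp TCP MSS to cope with the ipip header overhead (the MTU problem)
  run iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
      -j TCPMSS --clamp-mss-to-pmtu
}

case "${1:-}" in local) local_site ;; box) box ;; esac
```

Run it as `sh setup.sh local` on the local router and `sh setup.sh box` on the BOX to review the commands, then with `APPLY=1` to apply them.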
