[clug] asymmetric routing

tridge at samba.org tridge at samba.org
Wed Aug 26 19:50:52 MDT 2009

Hi Chris,

 > Thanks for the iproute2 leads. I have a few questions regarding the rules,
 > would be grateful if you could please explain a bit further.


 > >  #!/bin/bash
 > >  # Called when a new interface comes up
 > >
 > >  IFACE="$1"
 > >  LOCALIP="$4"
 > >  REMOTEIP="$5"
 > Is the LOCALIP and REMOTE the PPP end points of your 3G connection and the
 > ISP end?


 > >  ip rule add from "$LOCALIP/32" lookup SECONDARY
 > >  ip route add default via "$REMOTEIP" dev "$IFACE" table SECONDARY
 > >  ip route flush table cache
 > Are these rules saying: If traffic is originating from the 3G
 > public IP going out of the computer , lookup routing table
 > SECONDARY; routing table SECONDARY has a default gateway, which is
 > the other side of the 3G PPP endpoint,

right. This SECONDARY routing table is used as an exception table to
the main routing table that you see with commands like "route -n" and
"netstat -rn". The table shown with "route -n" is setup with the
default gateway being my little ADSL model/router (a cheap linksys
box), so my home LAN sends nearly all traffic out my normal ADSL link.

The above SECONDARY exception table says that as a special case, if we
are sending packets from the 3G modems public IP then we should send
it out via the $REMOTEIP, using the 3G interface (which is $IFACE in
the above script).

 > and to get there we use the 3G interface; flush cache. ?

The cache flush is just because the kernel keeps a route cache and we
want the new rules to take effect immediately, so we flush the cache,
which means packets immediately start to follow the new rules.

 > >  1 PRIMARY
 > That means you have two seperate routing tables? PRIMARY and
 > SECONDARY?  Sorry I have not used iproute2 like this before. Just
 > had a quick read on the LARTC doco

that's right. The PRIMARY routing table is what is shown using
/sbin/route or /usr/bin/netstat. The SECONDARY table is an exception
table that only takes effect when the rules I've specified via the
above script match.

 > I see your solution is directing traffic coming from a specific IP
 > to reply through to a designated interface? which is the real
 > asymetric routing. I guess my problem is more of splitting TCP
 > traffic in two different routes. I think Miloska's tunneling method
 > in theory does that, what do you think?

I think you could use iproute2 to do that as well, without tunnels. I
think you could set weights on routes, plus use tagging in iptables to
ensure that a particular TCP socket always goes via one route or
another, but not both.

I haven't set that up though, so if you want to do that then you
should read more of the iproute2 docs than I have done :-)

Cheers, Tridge

More information about the linux mailing list