* [LARTC] Multiple uplinks, ssh connections hang
@ 2007-02-26 21:43 Korey O'Dell
From: Korey O'Dell @ 2007-02-26 21:43 UTC (permalink / raw)
  To: lartc

Folks,
I've got two ISP connections that I am using with:
---
ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
ip route add default via 192.168.200.1 table connection1

ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
ip route add default via x.175.244.1 table connection2

ip rule add from 192.168.200.11 table connection1
ip rule add from x.175.244.2 table connection2

echo "Enabling load balancing between ISP connections..."
ip route add default scope global nexthop via 192.168.200.1 dev eth2 \
    weight 1 nexthop via x.175.244.1 dev eth1 weight 1

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11

---


The 192.168.200.x (lan) network gets to the internet via another gateway 
(192.168.200.1).
Client machines on the 200.x network work OK except for ssh connections 
to machines on the internet, which hang: ssh asks for a password and then hangs.
Any ideas? Thanks, Korey


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Multiple uplinks, ssh connections hang
From: Martin A. Brown @ 2007-02-26 22:52 UTC (permalink / raw)
  To: lartc

Hello there,

 : The 192.168.200.x (lan) network gets to the internet via another 
 : gateway (192.168.200.1). Client machines on the 200.x network 
 : work ok except for ssh connections to machines on the internet 
 : hanging. It asks for a password and hangs. Any ideas? Thanks 

Yes.  Vincent Jaussaud had a very similar problem (though much 
larger than yours) several years ago [0].  If you run tcpdump on the 
client and watch for the ToS to change (just after authentication), 
it should become very clear what is happening.

You must remember that the tuple on which a route is selected 
includes the ToS.  So, after you have tried to connect to the ssh 
server in the public Internet from the inside (watching with 
tcpdump, of course), run "ip route show cache $DEST_IP" and compare 
the set of results.

If that's at all unclear, maybe this will also help [1].

Good luck,

-Martin

 [0] http://mailman.ds9a.nl/pipermail/lartc/2002q4/005653.html
 [1] http://linux-ip.net/html/routing-selection.html#tb-routing-selection-adv

-- 
Martin A. Brown
http://linux-ip.net/

* Re: [LARTC] Multiple uplinks, ssh connections hang
From: Ming-Ching Tiew @ 2007-02-26 23:42 UTC (permalink / raw)
  To: lartc


From: "Korey O'Dell" <korey@zaneray.com>
> 
> The 192.168.200.x (lan) network gets to the internet via another gateway 
> (192.168.200.1).
> Client machines on the 200.x network work ok except for ssh connections 
> to machines on the internet hanging. It asks for a password and hangs.
> Any ideas? Thanks Korey
> 

SSH is a good test of whether you have set up your multiple uplinks
correctly. You need CONNMARK, so that once a session is established
over one uplink, it continues to stay with the same uplink. SSH does not
like it if you change uplinks in the middle of a session.

Cheers.




* Re: [LARTC] Multiple uplinks, ssh connections hang
From: Denny Zulfikar @ 2007-02-27  1:12 UTC (permalink / raw)
  To: lartc

Hello korey,

I don't think your configuration will work well, because it is
balancing using "weight" connections. So, if you have
connection-oriented applications that must be sure to pass their traffic
through only one connection (such as ssh and https; please try to test by
opening and logging in to hotmail.com), they will fail when the default routing
switches from one gateway to another (round robin).

Don't use this config for connection-oriented applications. It's a round
robin rule that will switch from one gateway to another without
noticing/knowing about the traffic type.
"ip route add default scope global nexthop via 192.168.200.1 dev eth2
weight 1 nexthop via x.175.244.1 dev eth1 weight 1"

Please refer to this documentation on how to develop a multiple internet
connection gateway.
http://linux-ip.net/html/adv-multi-internet.html

Best Regards,
Denny Z


On 2/27/07, Korey O'Dell <korey@zaneray.com> wrote:
> Folks,
> I've got two ISP connections that I am using with:
> ---
> ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
> ip route add default via 192.168.200.1 table connection1
>
> ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
> ip route add default via x.175.244.1 table connection2
>
> ip rule add from 192.168.200.11 table connection1
> ip rule add from x.175.244.2 table connection2
>
> echo "Enabling load balancing between ISP connections..."
> ip route add default scope global nexthop via 192.168.200.1 dev eth2 \
>     weight 1 nexthop via x.175.244.1 dev eth1 weight 1
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
> iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
>

* Re: [LARTC] Multiple uplinks, ssh connections hang
From: Alex Samad @ 2007-02-27 21:16 UTC (permalink / raw)
  To: lartc



On Tue, Feb 27, 2007 at 08:12:17AM +0700, Denny Zulfikar wrote:
> Hello korey,
> 
> I don't think your configuration will work well, because it is
> balancing using "weight" connections. So, if you have
> connection-oriented applications that must be sure to pass their traffic
> through only one connection (such as ssh and https; please try to test by
> opening and logging in to hotmail.com), they will fail when the default routing
> switches from one gateway to another (round robin).
> 
> Don't use this config for connection-oriented applications. It's a round
> robin rule that will switch from one gateway to another without
> noticing/knowing about the traffic type.
> "ip route add default scope global nexthop via 192.168.200.1 dev eth2
> weight 1 nexthop via x.175.244.1 dev eth1 weight 1"

I have been using

default  proto static  metric 5
        nexthop via 138.130.8.1  dev vlan2 weight 1
        nexthop via 10.20.20.243  dev ppp0 weight 20

for over 4 years and it has worked fine for me, for ssh and other connection
oriented applications.
The key thing is to have conntrack (or its new incarnation) loaded.

The default rule is only used when you don't have a source address or route
cache entry.  When you ssh through the machine, the SYN packet uses the default
route, but it also sets up an entry in conntrack; all other packets will have a
source and dest address.  These will match up with the ip rule statements.

If you followed your link onto Julian's pages http://www.ssi.bg/~ja/nano.txt,
there is a howto on this!

> 
> Please refer to this documentation on how to develop a multiple internet
> connection gateway.
> http://linux-ip.net/html/adv-multi-internet.html
> 
> Best Regards,
> Denny Z
> 
> 
> On 2/27/07, Korey O'Dell <korey@zaneray.com> wrote:
> >Folks,
> >I've got two ISP connections that I am using with:
> >---
> >ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
> >ip route add default via 192.168.200.1 table connection1
> >
> >ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
> >ip route add default via x.175.244.1 table connection2
> >
> >ip rule add from 192.168.200.11 table connection1
> >ip rule add from x.175.244.2 table connection2
> >
> >echo "Enabling load balancing between ISP connections..."
> >ip route add default scope global nexthop via 192.168.200.1 dev eth2 \
> >    weight 1 nexthop via x.175.244.1 dev eth1 weight 1
> >
> >iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
> >iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
> >


* Re: [LARTC] Multiple uplinks, ssh connections hang
From: Luciano Ruete @ 2007-02-28  2:00 UTC (permalink / raw)
  To: lartc

On Monday 26 February 2007 18:43, Korey O'Dell wrote:
> Folks,
> I've got two ISP connections that I am using with:
> ---
> ip route add 192.168.200.0/24 dev eth2 src 192.168.200.11 table connection1
> ip route add default via 192.168.200.1 table connection1
>
> ip route add x.175.244.0/24 dev eth1 src x.175.244.2 table connection2
> ip route add default via x.175.244.1 table connection2
>
> ip rule add from 192.168.200.11 table connection1
> ip rule add from x.175.244.2 table connection2
>
> echo "Enabling load balancing between ISP connections..."
> ip route add default scope global nexthop via 192.168.200.1 dev eth2 \
>     weight 1 nexthop via x.175.244.1 dev eth1 weight 1
>
> iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to x.175.244.2
> iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 192.168.200.11
>
> ---
>
>
> The 192.168.200.x (lan) network gets to the internet via another gateway
> (192.168.200.1).
> Client machines on the 200.x network work ok except for ssh connections
> to machines on the internet hanging. It asks for a password and hangs.
> Any ideas? Thanks Korey

Yes, you've hit a big FAQ; read this thread [1][2] (from this same week). There 
are two alternative full solutions to that problem explained there, both using 
netfilter CONNMARK.

[1]http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
[2]http://mailman.ds9a.nl/pipermail/lartc/2007q1/020360.html
-- 
Luciano
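
The CONNMARK approach that Ming-Ching and Luciano point to, written out as an added example (not code from the thread or from the linked documents): the first packet of a connection still takes the round robin multipath default route from Korey's script, but the uplink it lands on is saved in conntrack and every later packet of that connection is routed by the restored mark, so a ToS change after ssh authentication (Martin's observation) can no longer move the flow to the other ISP. Addresses, devices and table names are the ones from the original post; the mark values 1 and 2 and the DRY_RUN wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example: pin each connection to the uplink its first packet used.
# Assumes Korey's tables connection1 (eth2) and connection2 (eth1) already
# hold their default routes and the multipath default is in the main table.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them (root).

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

connmark_rules() {
    # Copy the connection's saved mark onto every packet before routing,
    # for forwarded LAN traffic (PREROUTING) and locally generated traffic
    # (OUTPUT). Unmarked first packets fall through to the multipath route.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT     -j CONNMARK --restore-mark

    # After routing picked an uplink for a NEW connection, remember that
    # choice in conntrack (mark 1 = connection1/eth2, mark 2 = connection2/eth1).
    run iptables -t mangle -A POSTROUTING -o eth2 -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark 1
    run iptables -t mangle -A POSTROUTING -o eth1 -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark 2

    # Marked packets are routed by mark alone, so neither source address
    # nor ToS can select a different nexthop mid-session. These rules are
    # added ahead of the main table lookup, before the multipath default.
    run ip rule add fwmark 1 table connection1
    run ip rule add fwmark 2 table connection2
}

connmark_rules
```

Korey's existing per-interface SNAT rules stay as they are: because the uplink is now fixed per connection, the SNAT source address no longer changes under a live session either.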