[mdlug] Dual NAT config questions

David Lee Lambert davidl at lmert.com
Fri Jan 10 13:00:58 EST 2014


Immediate problem with that is I don't have the hardware. Also, one of the
Internet connections is on the wrong side of the house ... I'd have to run
another coax or cat5 cable in order to attach the modem to the new 3-port
NAT device.

For the kind of balancing I want to do, it shouldn't matter much what
another host is doing:

1. for routing to a provider's own network, the goal is low latency, not so
much greater total bandwidth.
2. for everything else, any particular TCP connection has to be sticky to
one NAT device.  However, if all hosts on average balance stuff the same
way, then each link should get a fair share of traffic, on average.

(Sent from my mobile device)
cell 586-873-8813
IM davidleelambert {Yahoo!, Skype,Google}
On 10/01/2014 10:11, "Jeff Hanson" <jhansonxi at gmail.com> wrote:

> Load balancing at the host doesn't make much sense since they don't know
> what the other hosts are doing.  I would start by connecting both modems to
> a single router/DHCP server and let it figure out balancing.  I use an old
> PC with Zeroshell but only have one Internet connection.  Zeroshell
> supports balancing:  http://www.zeroshell.org/load-balancing-failover/
>
> For the more complicated iptables configurations I suggest contacting the
> folks in the #Netfilter channel on the FreeNode IRC server.
>
>
> On Fri, Jan 10, 2014 at 6:54 AM, David Lee Lambert <davidl at lmert.com>
> wrote:
>
> > I have two Internet connections via different providers, let's call them
> > "A" and "B".  For each one, I have a consumer-grade NAT device attached to
> > the modem.  Both devices map UDP, support static routing, some filtering,
> > DNS proxy (also NAT basic UDP traffic like DNS or Teredo), and inbound
> > port forwarding.  I've disabled the DHCP server on one device (the newer
> > one, actually).  The newer device also works as an IPv6 router with the
> > ability to act as a 6to4 (RFC 3056) client.
> >
> > A diagram:
> >
> >                 Service A ----  55.66.11.12 [ NAT A ] 192.168.123.1 ---+
> >                     /                                                  |
> >  ~~~~~~~~~~~~~~~~~ /                                                   |
> >  ( IPv4 Internet ) --- Service B -- 3.4.5.6 [ NAT B ] 192.168.123.254 -+
> >  ~~~~~~~~~~~~~~~~~                                                     |
> >       Ethernet (wire + wireless) 192.168.123.0/24, 169.254/16, IPv6... |
> >      +-------------+-------------+-------------+----------+------------+
> >      |             |             |             |          |
> >    Host A      Host B          Host C       Host D     Host E
> >                 | (qemu virtual net(s))
> >            +----+-------+
> >            |            |
> >         VM B'        VM B''
> >
> >
> > I am able to point each host at one NAT device for IP and the other for
> > DNS with no trouble.  In fact that's what I've set in DHCP for new
> > hosts.  I can also do static routing for load-balancing or temporarily
> > if one link goes down.
> >
> > With just those tools, however, I don't think I can set up inbound
> > port-forwarding from any provider to any host from both NATs.  Any inbound
> > connection from an IP address that the host would not route back to via
> > the same NAT will not succeed ... the return packets will go out the
> > wrong NAT, and even if they do not get filtered earlier, they will reach
> > the original host with the wrong source address.
> >
> > Since several of the hosts run Linux, I suspect there's a way to write a
> > script to set up routing/balancing as desired on each host.  Now at a high
> > level, the rules would be:
> >
> >   * Incoming TCP connections should be sticky to the NAT they came from
> >   * Outgoing TCP connections should be sticky to a NAT selected for
> >     the initial SYN packet, to include:
> >      - static assignment (provider A address blocks go out via NAT A,
> >        and vice versa)
> >      - certain ports via certain NAT
> >      - certain process (owner, name, etc.) via certain NAT (think a qemu VM)
> >      - random load-balancing
> >
> > I have not found a description of how to set exactly this up.  How-to guides
> > for similar scenarios (which may be badly out-of-date) suggest I might use
> > the following tools:
> >
> >   "iptables -t mangle -A [INPUT|OUTPUT] ..."
> >   /etc/iproute2/rt_tables (config file)
> >   "ifconfig"  (add an additional address to each host's interface)
> >   "ip route ... table [A|B]"
> >   "ip rule ..."
> >
> > Has anyone on this list done something similar?  Or can anyone explain the
> > difference between IPtables connection marks, IProute2 tables, and how to
> > connect them?
> >
> > --
> > David Lee Lambert
> > Member ACM (david.lee.lambert at acm.org)
> > Ph# (616)676-7375  *  IM: davidleelambert (Yahoo!, Skype and Google Talk)
> > "Justicia, Tierra y Libertad"
> > _______________________________________________
> > mdlug mailing list
> > mdlug at mdlug.org
> > http://mdlug.org/mailman/listinfo/mdlug
> >
> _______________________________________________
> mdlug mailing list
> mdlug at mdlug.org
> http://mdlug.org/mailman/listinfo/mdlug
>
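The pieces the original question lists (mangle-table marks, rt_tables, "ip route ... table", "ip rule") fit together as follows, shown here as an added example that is not from either poster: iptables CONNMARK remembers per connection which NAT a flow belongs to, MARK/--restore-mark copies that onto each packet as an fwmark, and an "ip rule ... fwmark N table X" sends marked packets to a routing table whose default route points at the matching NAT. Everything concrete below is assumed for illustration: LAN interface eth0, NAT A at 192.168.123.1 with MAC 00:11:22:33:44:01, NAT B at 192.168.123.254 with MAC 00:11:22:33:44:02, 55.66.0.0/16 standing in for provider A's own address block, uid 1001 as the account that runs the qemu VMs, and table names natA/natB registered in /etc/iproute2/rt_tables as "100 natA" and "200 natB". The script prints the commands by default so they can be reviewed before being applied with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the iptables
# connmark + iproute2 policy-routing setup for one Linux host that sits
# behind two NATs on the same Ethernet segment.
# Assumptions (made up for the example, adjust to taste): LAN interface
# eth0; NAT A = 192.168.123.1 with MAC 00:11:22:33:44:01; NAT B =
# 192.168.123.254 with MAC 00:11:22:33:44:02; provider A's own address
# block stands in as 55.66.0.0/16; the qemu VMs run as uid 1001; table
# names natA/natB exist in /etc/iproute2/rt_tables ("100 natA", "200 natB").
LAN_IF=${LAN_IF:-eth0}
NAT_A=192.168.123.1;   MAC_A=00:11:22:33:44:01; MARK_A=1
NAT_B=192.168.123.254; MAC_B=00:11:22:33:44:02; MARK_B=2
PROVIDER_A_NET=55.66.0.0/16
QEMU_UID=${QEMU_UID:-1001}

# run: print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

render_rules() {
    # --- iproute2 side: one routing table per NAT, chosen by the fwmark.
    # The main table keeps its ordinary default route for unmarked traffic.
    run ip route add default via "$NAT_A" dev "$LAN_IF" table natA
    run ip route add default via "$NAT_B" dev "$LAN_IF" table natB
    run ip rule add fwmark "$MARK_A" table natA
    run ip rule add fwmark "$MARK_B" table natB

    # --- iptables side (mangle table).
    # Inbound: the first packet of a connection port-forwarded by NAT A
    # arrives in a frame whose source MAC is NAT A's LAN interface. Record
    # that as the connection mark so the replies go back out via natA.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW \
        -m mac --mac-source "$MAC_A" -j CONNMARK --set-mark "$MARK_A"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW \
        -m mac --mac-source "$MAC_B" -j CONNMARK --set-mark "$MARK_B"

    # Outbound, step 1: copy the connection's mark onto every locally
    # generated packet, so replies and later packets follow the first one.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark

    # Outbound, step 2: only still-unmarked packets (new flows) get a policy
    # decision. First match wins, so static rules precede the random one.
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -d "$PROVIDER_A_NET" \
        -j MARK --set-mark "$MARK_A"              # provider A's own net via NAT A
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -m owner --uid-owner "$QEMU_UID" \
        -j MARK --set-mark "$MARK_B"              # the qemu VMs' traffic via NAT B
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -p tcp --dport 22 \
        -j MARK --set-mark "$MARK_A"              # a chosen port via NAT A
    run iptables -t mangle -A OUTPUT -m mark --mark 0 \
        -m statistic --mode random --probability 0.5 -j MARK --set-mark "$MARK_A"
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -j MARK --set-mark "$MARK_B"

    # Outbound, step 3: persist the chosen mark on the connection so the rest
    # of the flow (and its inbound replies) stay sticky to the same NAT.
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j CONNMARK --save-mark
}

# Prints the commands for review; DRY_RUN=0 applies them (needs root).
render_rules
```

The ordering inside OUTPUT is what makes the flow sticky: --restore-mark runs first so existing connections keep their table, the MARK rules only touch packets whose mark is still 0, and --save-mark writes the decision back to conntrack. The kernel re-evaluates the route after the mangle OUTPUT chain changes a packet's mark, which is why "ip rule ... fwmark" can act on a mark set by iptables. The gateway MACs used in the PREROUTING rules can be read from "ip neigh" on the host rather than typed in by hand.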