Network interface handling when a route fails


Best Answer overkill , 17 July 2014 - 11:16 PM

OK, figured it out. Just use the ip route syntax in quotes in /etc/conf.d/netif.eth0. Something like this - adjust IPs and interface as they pertain to your setup.

route="0.0.0.0/0 via 192.168.1.28 dev eth0 metric 10"

Should do the trick.



9 replies to this topic

#1 godlike (Newbie, 5 posts)

Hello Funtoo!

First of all, excuse me if the topic is not in the proper forum. My question is network-related (for a server, actually) but I could not find a network-specific forum.

I have been a Gentoo user since the end of 2006, and ever since I heard about Funtoo, I've been looking at it with a mixture of love and curiosity. Recently a friend (PeGa!, I dunno if he's registered in the forums or active in the community) who has been using Funtoo for a while, pointed me to a news piece by drobbins re. Funtoo upgrades, and I decided to dig in a little more, particularly the networking system (since OpenRC does not do what I want to do; go on reading and you'll see what I mean).

My main issue is the following: whenever my ISP (cablemodem, hooked up to eth0 on my Gentoo gateway) has one of those issues, I lose my public IP address on eth0, and am given a private IP (192.168.etc), with a lease time of ~30 secs. dhclient keeps renewing for an indefinite amount of time, and only when my ISP fixes their stuff (and coincidentally, the rest of the cablemodem lights light up) do I recover a public IP.

Whenever this happens, I have another laptop at home, which is constantly hooked up to the neighbour's wifi, and is all set up with IPTables to share its connection. So, whenever this happens, I add an additional route on my gateway, and put as default gateway this laptop, which is accessible via eth1 (since it is on my LAN), and fix my IPTables script so my gateway can NAT properly. This makes it possible for all my LAN machines to recover their Internet connection and I can keep on working.

However, when my ISP comes back, I get another default route added (for eth0, since it is now up again), so I have to go into my gateway, delete the previously added default route via eth1, and re-run my IPTables script so it has the normal rules for NATing via the eth0 connection.

Now my question is: does the network infrastructure system of Funtoo have a way to automate this, without having to perform manual intervention? I can simplify this at the most with this statement: can Funtoo run a custom script whenever a default gw route on a specific interface is lost, and run another script (or the same one, with different parameters) when the default gw route on that same interface comes back?

Cheers and thanks in advance

godlike.-



#2 overkill (Advanced Member, 91 posts, Location: Austin, TX)

You can/should control your routes by the metric. You can/should have your secondary default route added with a higher metric value than your default route. If the default route is inaccessible, it will use the next route for 0.0.0.0/0. When the gateway/cable modem becomes accessible once more, the default route is chosen since its metric is lower.

I'm sure that openrc can set this up when the network is brought up, I've just never looked for the way to do it. Now that I think about it, I know I read about this very topic when I used Gentoo and its version of openrc. Check the docs.

EDIT:

I just checked the wiki for any info on multiple routes. It says you can add them with the "route" variable, but no examples or specifics. Should be doable.



#3 overkill (Advanced Member, 91 posts, Location: Austin, TX)
✓ Best Answer

OK, figured it out. Just use the ip route syntax in quotes in /etc/conf.d/netif.eth0. Something like this - adjust IPs and interface as they pertain to your setup.

route="0.0.0.0/0 via 192.168.1.28 dev eth0 metric 10"

Should do the trick.



#4 godlike (Newbie, 5 posts)

overkill, yes, you are right. My problem is not specific to the routes, which I could already solve with what you pointed out, but to my IPTables script. Forgive me if I was not clear enough.

When everything works normally, NATting on my gw is done between eth0 and eth1 (eth0 being the 'public' interface and eth1 being the 'private' interface). However, when my ISP fails, I must change NATting so it is done between eth1 and eth1 (since the new actual gw for the LAN is now my laptop, which already is on my LAN on eth1), and then back again to the normal way when my ISP comes back. For the sake of clarity, here are the two relevant functions from my IPTables script:

# Normal case: LAN ($LAN) -> ISP ($WAN); masquerade LAN sources leaving via $WAN
function natnormally {
    iptables -t nat -A POSTROUTING -o $WAN -s $LOCALNET -d 0/0 -j MASQUERADE
    iptables -A FORWARD -t filter -i $LAN -o $WAN -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -t filter -i $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# ISP-down case: LAN -> laptop, which is also on $LAN, so traffic leaves via $LAN again
function natabnormally {
    iptables -t nat -A POSTROUTING -o $LAN -s $LOCALNET -d 0/0 -j MASQUERADE
    iptables -A FORWARD -t filter -i $LAN -o $LAN -d 0/0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -t filter -i $LAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

- $WAN = eth0
- $LAN = eth1
- $LOCALNET = my local LAN IP range

I know a decent amount of IPTables but I'm no expert, and so far in my tests I could not have these two sets of rules be applied at the same time. Is it actually possible to have these two sets of NAT rules enabled at the same time, and have everything else be ruled by the two routes, based on their metrics?

Cheers


#5 overkill (Advanced Member, 91 posts, Location: Austin, TX)

I don't see that you need both sets of rules on the gateway. If the secondary default route is via the laptop to your neighbor's wifi, can't you just do the nat'ing on the laptop? Then you could have your main gateway and its nat'ing rules, then if it fails the secondary default route would kick in, and the laptop would do its nat'ing.

Or do I see the setup wrong?



#6 godlike (Newbie, 5 posts)

The laptop always has its own rules for NATting. My purpose is not to change anything on the rest of my LAN clients (my DHCP server sets the default gw for my NAT on my main gateway machine). So in order to do this, the only way I see it is to change my main gateway IPTables rules so that, instead of NATting through eth0 (which when the issue happens is a dead interface since it goes nowhere), it NATs again via eth1.

There is, I think, a double NAT in place when the issue happens, given my solution.

1. from LAN clients to the main gateway. The gateway NATs the packets and sends them via eth1 back out again, headed for my laptop

2. from the main gateway to the laptop, the laptop NATs the packets again so they can be sent to the wifi router (my laptop is wired to the LAN, which leaves the wlan0 interface free to hook up to the neighbour's wifi).

Is it possible to make my main gateway route incoming packets headed for the internet to my laptop without having to put NAT rules in place? Normally, just adding the default gw route to the laptop when this happens does not make the rest of my clients regain Internet connectivity. Only when I add the new default gw route AND fix the NAT rules do I regain connectivity on my client machines.



#7 godlike (Newbie, 5 posts)

Sorry for the double posting, but I wanted to clear up the reason why I need to run a script. If it is actually possible to have 'dynamic' IPTables rules that kick in only when certain conditions are met, or if I can have both sets of NAT rules in place, then there's no need to run a script when my ISP fails and this can be done via standard OpenRC even.



#8 godlike (Newbie, 5 posts)

Thanks, and forgive my previous mess-up. I have now set both NAT rulesets as enabled in my script. Everything runs OK. After setting a route in /etc/conf.d/net with a higher metric than the one I get from my ISP, I can now flawlessly unplug the cablemodem and have my clients' connections keep running. For testing I ran an mtr command with --curses and I can see the gateways and related nodes for my neighbour's wifi appear, while the gateways and nodes of my ISP start losing packets (expected since mtr was running from before I unplugged the cable). After plugging the cablemodem back in again, the opposite happens.

Thanks again! I will mark this as solved and nevertheless keep looking into Funtoo to install it on the first physical box that becomes available :)
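Putting the thread's final setup into one script, as an added example (not godlike's or overkill's own code): both NAT rule sets from post #4 installed together and idempotently, so only the kernel's metric-based choice of default route changes on ISP failure, plus the route= line for /etc/conf.d/netif.eth1 with the higher metric. The interface names, the 192.168.1.0/24 range and the laptop address 192.168.1.28 are placeholders; DRY_RUN=1 only prints the rules for review.

```shell
#!/bin/sh
# Added example, not the thread's own script. Installs BOTH NAT rule sets from
# post #4 at once (idempotently), so the only thing that changes on ISP failure
# is which default route the kernel picks by metric. Placeholder values below.
WAN=${WAN:-eth0}                      # ISP-facing interface
LAN=${LAN:-eth1}                      # LAN interface (the laptop is on it too)
LOCALNET=${LOCALNET:-192.168.1.0/24}  # placeholder LAN range
DRY_RUN=${DRY_RUN:-}                  # set to 1 to print rules instead of applying

# add_rule TABLE CHAIN RULE...: append a rule only if it is not already present
# (-C), so re-running the script after a failover does not stack duplicates.
add_rule() {
    table=$1; chain=$2; shift 2
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables -t %s -A %s %s\n' "$table" "$chain" "$*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
        iptables -t "$table" -A "$chain" "$@"
}

# Both forwarding paths at once; the unused one simply sees no traffic.
nat_both_paths() {
    # Path 1 (normal): LAN -> ISP via $WAN
    add_rule nat POSTROUTING -o "$WAN" -s "$LOCALNET" -j MASQUERADE
    add_rule filter FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    add_rule filter FORWARD -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Path 2 (ISP down): LAN -> laptop, also on $LAN, so packets go back out $LAN
    add_rule nat POSTROUTING -o "$LAN" -s "$LOCALNET" -j MASQUERADE
    add_rule filter FORWARD -i "$LAN" -o "$LAN" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    add_rule filter FORWARD -i "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# failover_route_config LAPTOP_IP [METRIC]: the route= line for
# /etc/conf.d/netif.$LAN. The metric must be HIGHER than the DHCP-learned ISP
# route on $WAN, so this route is used only while the ISP route is gone.
failover_route_config() {
    printf 'route="0.0.0.0/0 via %s dev %s metric %s"\n' "$1" "$LAN" "${2:-20}"
}

# Which default route is live right now (lowest metric first)?
show_default_routes() { ip -4 route show default; }

if [ "${1:-}" = "apply" ]; then
    nat_both_paths
    show_default_routes
fi
```

Run `DRY_RUN=1 sh failover.sh apply` first to review the rules, then without DRY_RUN as root to apply them; the printed route line belongs in /etc/conf.d/netif.eth1.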



#9 overkill (Advanced Member, 91 posts, Location: Austin, TX)

You're welcome. Glad to hear you got it sorted out. Basically what you are doing is creating a failover device. One interface goes down, the other kicks in. You may also want to check out shorewall. It's in portage. It's a set of simple config files to generate an iptables firewall. It does have failover capabilities. Here's a section that might help - Multiple Internet Connections. Maybe it'll give you some good ideas.



#10 PeGa! (Member, 16 posts)

Hello Funtoo!

First of all, excuse me if the topic is not in the proper forum. My question is network-related (for a server, actually) but I could not find a network-specific forum.

I have been a Gentoo user since the end of 2006, and ever since I heard about Funtoo, I've been looking at it with a mixture of love and curiosity. Recently a friend (PeGa!, I dunno if he's registered in the forums or active in the community) who has been using Funtoo for a while

Well, I've survived a couple of forum reincarnations :)

Hey, what a surprise seeing you over here! Now that you got that fixed, I'd love to see funtoo inside a box of yours. Ping me if you need a hand :)

Cheers!


It is a capital mistake to theorize before one has data. Insensibly one begins to twist the facts to suit theories, instead of theories to suit facts.
– Sherlock Holmes



