Multiple Internet Connection - (keep this forum alive pls)

Post by s0da » Fri Oct 29, 2004 8:00 am

Good day everyone:

After a month of googling around I was able to find a (not so perfect) solution on how to use multiple internet connections.

First of all, I would like to inform everyone that I'm a complete n00b. I haven't finished any IT course yet. It's been four years already since I started using Linux, but I still consider myself a Linux newbie since I can't spend much time on it. I also consider myself a script kiddie since I just copy things from other clever people... Also, please forgive my English because I'm not a native English speaker. OK, so much for the talk! Let's dive in!

My LINUX ROUTER/Gateway/Server (whatever it is called):

CPU : Intel(R) Pentium(R) 4 CPU 2.40GHz HT
Memory: 1024 MB
OS : of course Gentoo Linux
Kernel : 2.6.9-rc4-love1 aka "It's Alive!" (SMP + NPTL + CFQ)
(patched with Julian Anastasov's patches)
patch is available at http://www.ssi.bg/~ja/#combinations
(patch-2.6.9-ja1.diff << patches cleanly on 2.6.9-rc4-love1)
make sure kernel is properly configured

NICs :
eth0 - internal LAN (192.168.2.0/24)
ip address: 192.168.2.254

eth1 - external connection - ISP1 (10.10.10.72/29)*
ip address: 10.10.10.74
gateway ip address: 10.10.10.73

eth2 - external connection - ISP2 (20.20.20.176/29)*
ip address: 20.20.20.179
gateway ip address: 20.20.20.182

*real ip address changed for security reasons ^_^

Code: Select all

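#Start of Script ---------------------------------

# Addresses and gateways of the two uplinks
ISP1_IP=10.10.10.74
ISP1_GW=10.10.10.73
ISP2_IP=20.20.20.177
ISP2_GW=20.20.20.182

# Look up the main table first (connected and static routes)
ip rule add prio 50 table main

# Drop the default route from main so lookups fall through to the tables below
ip route del default table main

# Packets already sourced from ISP1's address leave via ISP1; the prohibit
# route (metric 1) rejects them if that default route is unavailable
ip rule add prio 201 from $ISP1_IP table 201
ip route add default via $ISP1_GW dev eth1 src $ISP1_IP proto static table 201
ip route append prohibit default table 201 metric 1 proto static

# Same for ISP2
ip rule add prio 202 from $ISP2_IP table 202
ip route add default via $ISP2_GW dev eth2 src $ISP2_IP proto static table 202
ip route append prohibit default table 202 metric 1 proto static

# Everything else: multipath default route across both gateways, equal weights
ip rule add prio 222 table 222
ip route add default table 222 proto static \
        nexthop via $ISP1_GW dev eth1 weight 1 \
        nexthop via $ISP2_GW dev eth2 weight 1

#end of script

My /etc/conf.d/net: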

Code: Select all

iface_eth0="192.168.2.254 broadcast 192.168.2.255 netmask 255.255.255.0"
iface_eth1="10.10.10.74 broadcast 10.10.10.79 netmask 255.255.255.248"
iface_eth2="20.20.20.177 broadcast 20.20.20.183 netmask 255.255.255.248"
gateway="eth1/10.10.10.73"

Also make sure your /etc/resolv.conf is properly configured.

Problems encountered:
Some online games are having a hard time connecting to their respective servers. A possible solution is to route those games to use just one internet connection (unfortunately I don't know how to do this). The above script worked on my setup; please post here if you have encountered some problems, and if you have made some workaround to that problem please share it with us.

Special thanks to the following:

Julian Anastasov - author of the patch (http://www.ssi.bg/~ja/#combinations)
Christoph Simon - author of the Nano HowTo (his howto was primary reference) [http://www.ssi.bg/~ja/nano.txt]
Fernando Favero - for posting his success story (http://www.spinics.net/lists/lartc/msg13794.html)

and most of all to the Most High God.

(I hope routing gurus out there will post their ideas here ^_^)
Last edited by s0da on Tue Nov 02, 2004 3:27 am, edited 2 times in total.
love after all is being vulnerable...
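
Added example (not part of s0da's post or the thread): the script above generalized to any number of uplinks, printing the `ip` commands for review instead of running them. The `dev:ip:gateway` argument format and the function name are assumptions made for this example; table ids and priorities follow the post's numbering.

```shell
#!/bin/sh
# Added example, not from the original post: print the ip(8) commands for
# two or more uplinks instead of running them, so they can be reviewed.
# Each argument is a hypothetical "dev:ip:gateway" spec (IPv4 only); table
# ids 201, 202, ... and the priorities follow the post's numbering.
gen_multipath() {
    if [ "$#" -lt 2 ] || [ "$#" -gt 21 ]; then
        echo "need 2 to 21 uplinks (tables 201-221)" >&2; return 1
    fi
    n=0 hops="" body=""
    for uplink in "$@"; do
        IFS=: read -r dev ip gw extra <<EOF
$uplink
EOF
        if [ -z "$dev" ] || [ -z "$ip" ] || [ -z "$gw" ] || [ -n "$extra" ]; then
            echo "bad uplink spec: $uplink" >&2; return 1
        fi
        n=$((n + 1)); tbl=$((200 + n))
        # Per-uplink table: source-based rule, default route, prohibit fallback
        body="$body
ip rule add prio $tbl from $ip table $tbl
ip route add default via $gw dev $dev src $ip proto static table $tbl
ip route append prohibit default table $tbl metric 1 proto static"
        hops="$hops nexthop via $gw dev $dev weight 1"
    done
    cat <<EOF
ip rule add prio 50 table main
ip route del default table main$body
ip rule add prio 222 table 222
ip route add default table 222 proto static$hops
EOF
}

# The post's two uplinks (its sanitized addresses).
gen_multipath eth1:10.10.10.74:10.10.10.73 eth2:20.20.20.177:20.20.20.182
```

Nothing is applied to the routing tables; the output can be diffed against the running configuration before being piped to a shell as root.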

Post by BobCamp » Mon Nov 01, 2004 2:15 am

If you want to exempt things from the load balancing then add:

Code: Select all


iptables -t nat -A POSTROUTING -o eth1 --match mark --mark 12  -j SNAT --to 192.168.10.5
iptables -t nat -A POSTROUTING -o eth2 --match mark --mark 12  -j SNAT --to 192.168.11.5
iptables -t nat -A POSTROUTING -j ACCEPT

That will allow you to go around a rule based on a "mark".

To set the mark in the first place use:

Code: Select all


iptables -A FORWARD -t mangle -i eth0 --match helper --helper "ftp"  -j MARK --set-mark 12
iptables -A FORWARD -t mangle -i eth0 --match helper --helper "http" -j MARK --set-mark 12

These are based on fixed IP connections to the internet of 192.168.10.5 and 192.168.11.5.

This is a slightly different setup than you have but it's the code that works in my setup.

Post by s0da » Tue Nov 02, 2004 3:50 am

Thanks BobCamp for your post...

I've found a solution but it's different from yours...

I've added a rule into my routing table wherein packets marked with 0x4 will utilize a specific route.

Code: Select all

ip rule add fwmark 4 table 202

I marked those packets with:

Code: Select all

iptables -t mangle -A PREROUTING -d 203.131.91.208 \
        -s 192.168.2.0/24 -j MARK --set-mark 4

(This marks all packets destined for 203.131.91.208 with 0x4.) My former solution was to mark packets according to their destination ports but it seemed that it didn't work well, just like the following:

Code: Select all

iptables -t mangle -A PREROUTING -p tcp \
        --dport 8300:8399 -s 192.168.2.0/24 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -p udp \
        --dport 8300:8399 -s 192.168.2.0/24 -j MARK --set-mark 4

The latter seems to still utilize the other connection (when monitored with "tcpdump"). Most likely there's a problem with my iptables code. (I'm still so confused with iptables.) But marking packets according to their destination address seems to work well.

I'm gonna try your solution too...
love after all is being vulnerable...
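
Added example, not part of the thread: a consistency check for the fwmark approach in the post above, comparing the marks set in the mangle table with the marks that `ip rule` selects on, and flagging mark rules that sort after the catch-all multipath rule (rules are evaluated in ascending priority, and table 222 holds a default route). The function names and the sample input, including marks 5 and 6 and priorities 49 and 300, are constructed for this example; the input formats are those printed by `iptables-save -t mangle` and `ip rule show`.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check fwmark usage.
#   $1 = saved `iptables-save -t mangle` output
#   $2 = saved `ip rule show` output
#   $3 = priority of the catch-all multipath rule (222 in the first post)
# Prints one finding per line, nothing when both views agree.
audit_marks() {
    mangle=$1 rules=$2 catchall=${3:-222}
    # Marks the firewall sets (--set-mark 0x4 or --set-xmark 0x4/0xffffffff).
    set_marks=$(sed -n 's/.*--set-x\{0,1\}mark \(0x[0-9a-fA-F]\{1,\}\).*/\1/p' "$mangle" |
        while read -r m; do echo "$(($m))"; done | sort -u)
    # "priority mark" pairs for every rule that selects on a mark.
    rule_marks=$(sed -n 's/^\([0-9]\{1,\}\):.* fwmark \(0x[0-9a-fA-F]\{1,\}\).*/\1 \2/p' "$rules" |
        while read -r prio m; do echo "$prio $(($m))"; done)
    for m in $set_marks; do
        echo "$rule_marks" | grep -q " $m\$" ||
            echo "mark $m is set in mangle but no ip rule selects on it"
    done
    echo "$rule_marks" | while read -r prio m; do
        [ -n "$prio" ] || continue
        echo "$set_marks" | grep -qx "$m" ||
            echo "rule $prio selects on mark $m but nothing in mangle sets it"
        [ "$prio" -lt "$catchall" ] ||
            echo "rule $prio (mark $m) sorts after catch-all rule $catchall"
    done
}

# Constructed sample input (not captured from a real router).
demo_audit() {
    d=$(mktemp -d)
    cat >"$d/mangle" <<'EOF'
*mangle
-A PREROUTING -s 192.168.2.0/24 -d 203.131.91.208/32 -j MARK --set-mark 0x4
-A PREROUTING -s 192.168.2.0/24 -p udp --dport 8300:8399 -j MARK --set-mark 0x5
COMMIT
EOF
    cat >"$d/rules" <<'EOF'
0:      from all lookup local
49:     from all fwmark 0x4 lookup 202
50:     from all lookup main
222:    from all lookup 222
300:    from all fwmark 0x6 lookup 201
EOF
    audit_marks "$d/mangle" "$d/rules" 222
    rm -rf "$d"
}

demo_audit
```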

Post by BobCamp » Wed Nov 03, 2004 12:45 am

There are a *large* number of ways to do almost anything with iptables. It looks like what you have is working. I would stick with what you have.

Post by TerminalAddict » Wed Dec 08, 2004 12:40 am

OK, so here's something I've been struggling with.
I have ipsec (racoon) running on my router.
How do I disable load balancing when I ipsec from the outside world?

Code: Select all

iptables -t nat -A POSTROUTING -o eth1 --match mark --mark 12  -j SNAT --to 192.168.10.5
iptables -t nat -A POSTROUTING -o eth2 --match mark --mark 13  -j SNAT --to 192.168.11.5
iptables -t nat -A POSTROUTING -j ACCEPT

I'm not 100% sure that the above is correct. I guess I'm not NAT'ing, am I? The ipsec connection is terminated at the firewall, not inside the LAN.

Code: Select all

iptables -A FORWARD -t mangle -i {local???} --match helper --helper "{port 500???}"  -j MARK --set-mark 12
iptables -A FORWARD -t mangle -i {local???} --match helper --helper "{port 500}" -j MARK --set-mark 13

Post by SchmilK » Wed Feb 09, 2005 4:41 pm

Will this example only load balance to the lesser used connection?

I was looking for reference on how to use both connections at the same time for a "multiplexed" connection for double the download/upload speed. :) Is that even possible??
(¯'·._-=SchmilK=-_.·'¯)

Post by s0da » Tue Feb 15, 2005 6:49 am

SchmilK wrote:
I was looking for reference on how to use both connections at the same time for a "multiplexed" connection for double the download/upload speed. :) Is that even possible??

Try your luck with BGP and the like... but both ISPs should support it, otherwise it won't work... By the way, this solution works best on a network with many clients... (i.e., Net Cafes... schools... etc.)
love after all is being vulnerable...

Post by [Mad]Masenko » Tue Feb 15, 2005 8:39 am

I have also attempted to load balance 3 internet connections, but I have hit a problem.

Code: Select all

xxxxxx ~ # ip rule add prio 50 table main
RTNETLINK answers: Invalid argument

IPTables ver: 1.2.11-r3

Any suggestions?

Edit: I also have no table called nat!

Code: Select all

xxxxxx ~ # ip route show table nat
Error: argument "nat" is wrong: table id value is invalid

Post by SchmilK » Tue Feb 15, 2005 8:02 pm

Thanks for the info. Pretty sure my cable provider does not support it. Though they will give me 2 cable modems and I can get full speed simultaneously from 2 separate computers...oh well...I guess that's how it'll stay.
(¯'·._-=SchmilK=-_.·'¯)

Post by [Mad]Masenko » Tue Feb 15, 2005 8:38 pm

SchmilK wrote:
Thanks for the info. Pretty sure my cable provider does not support it. Though they will give me 2 cable modems and I can get full speed simultaneously from 2 separate computers...oh well...I guess that's how it'll stay.

Your provider doesn't need to support it. It can work for anyone with multiple connections to the internet.

This implementation load balances "sessions" (connections), not packets (u can look up the equalize function). If you want to load balance packets, which is more efficient, in that situation your provider has to support that.