IP masq on Linux, equal cost multipath routing.

fivepesos

Senior member
Jan 23, 2001
OK, I've configured masq millions of times with ipchains and with iptables. I currently want to run masq with iptables, but there's a complication.

My two close neighbors and I all have cable modems (3 modems to be precise). Now, I've gotten two of these working at once (haven't tried 3 yet) connected to my Linux box. I had equal cost multipath routing compiled into the kernel, and two default routes. When I did a ping from my Linux box, the packets would alternate between the cable modems. The cable modem activity lights would blink back and forth (one modem, then the other), so we can assume equal cost multipath routing worked.

Now iptables requires an output interface for its masq rule (iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth0 -j MASQUERADE). But I want to masquerade without setting an output interface or address (so it will use all available connections). Can this be done?
 

fivepesos

Senior member
Jan 23, 2001
Just to restate myself: I want to know how to masquerade all connections at once (without needing to know the total number of outbound connections).

I know I could have iptables rules to force packets at X addresses out Y interface. But I don't want this. I want Linux to intelligently decide which interface to use.

Now, if I did get this working, would Linux alternate EVERY packet, or just connections? For example, if I started to play Half-Life or started FTP from behind the Linux masq box, would I be able to sustain a session? Because if Linux alternates packets and not sessions, then the server (FTP or Half-Life) would get data from multiple locations and that wouldn't work. How will equal cost multipath routing manage this?

Any links to EQMRouting would be appreciated. I think I've read through most of the available iptables documents, but if there's something I'm missing let me know.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
Well, I haven't done what you're doing specifically, but generically to answer part of your question...

I'm pretty sure that on most systems, shared load-balancing links are assigned by session for the reason you mentioned above...can't have packets arriving out-of-order. So if you can get the round-robin to work, then as each session is assigned to a NIC/Channel, it should stay there.

I'm guessing that if it works with two NICs/channels, it'll work with three (probably more)....but I don't believe traditional NAT will do it...I'm assuming that the Masq process can control the multiple paths and assign the same (NAT) IP address for each of the streams (gotta be faking/spoofing the MAC address for a router to work correctly). Perhaps it's been adapted from VRRP (also MVRP?) (multiple routers using the same addressing for redundancy).

Perhaps if you used something like the newer Intel server NICs (which has a multi-parallel channel scheme), you could do something akin to RAID0+1 (striped disks paired to another mirrored set). Check for drivers before dropping the bux though....

Sorry I couldn't be more help, post what you find out though, I'm curious as to how it all shakes out.

Good Luck

Scott
 

fivepesos

Senior member
Jan 23, 2001
Well, I know this iptables rule is accepted:

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE

Assuming Linux has multiple default routes, it should just round-robin, HOPEFULLY. But I won't have time to test EQMRouting until Friday. I'll let you know.
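The setup asked about in the first post and the rule given in the last one, written out as a complete configuration. This is an added example, not something posted in the thread: the interface names, gateway addresses and LAN prefix are assumptions, and the `sysctl` and `ip route get` options used are assumptions about a reasonably current kernel and iproute2 (the thread is from 2001; the kernel's multipath selection has changed since). The point that matters for the question in the second post: MASQUERADE picks a source address once, on a connection's first packet, and conntrack reuses that mapping for the rest of the connection. If the kernel moved later packets of the same flow to the other modem, they would leave modem B carrying modem A's address, which the ISP's anti-spoofing filter will drop. Modern kernels choose a next hop per flow by hashing addresses (and ports, with `fib_multipath_hash_policy=1`), so one connection stays on one modem; the script sets that and loosens `rp_filter` so replies can arrive on whichever modem the flow was sent through.

```shell
#!/bin/sh
# Added example (not from the thread): masquerade one LAN out of several
# cable modems at once, leaving the choice of modem to a multipath default
# route instead of an "-o" match in the NAT rule.
# Interface names, gateways and the LAN prefix are assumptions; substitute
# your own. DRY_RUN=1 (the default) only prints what would be run.
set -eu

LAN_IF=eth0                                          # assumption: inside interface
LAN_NET=192.168.0.0/24                               # assumption: inside prefix
WAN_GWS="10.1.0.1:eth1 10.2.0.1:eth2 10.3.0.1:eth3"  # assumption: gw:dev per modem
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else eval "$*"; fi
}

# Build one equal-cost multipath default route from "gw:dev" pairs.
# Equal weights give each modem an equal share of new flows.
multipath_default_route() {
    cmd="ip route replace default"
    for pair in "$@"; do
        gw=${pair%%:*}; dev=${pair#*:}
        cmd="$cmd nexthop via $gw dev $dev weight 1"
    done
    printf '%s' "$cmd"
}

# MASQUERADE with no "-o": the source address comes from whichever interface
# the routing decision selected. "! -o LAN" keeps the rule from rewriting
# LAN-to-LAN traffic should a second inside interface ever be added.
masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -o %s -j MASQUERADE' "$1" "$2"
}

# NAT binds a connection to the modem used for its first packet, so the kernel
# must keep a flow on one next hop: hash_policy=1 hashes the 5-tuple (sysctl
# exists on kernels 4.12+, an assumption about yours). Loose rp_filter lets a
# reply arrive on either modem instead of being dropped as a spoof.
multipath_sysctls() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'sysctl -w net.ipv4.fib_multipath_hash_policy=1\n'
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=2\n'
}

apply() {
    multipath_sysctls | while IFS= read -r line; do run "$line"; done
    run "$(multipath_default_route $WAN_GWS)"
    run "iptables -t nat -F POSTROUTING"
    run "$(masq_rule "$LAN_NET" "$LAN_IF")"
    # Check which modem a given flow would use (sport/dport/ipproto need
    # iproute2 4.13+, an assumption). Repeating this for the same 5-tuple
    # must always print the same "via ... dev ..."; different ports may differ.
    run "ip route get 203.0.113.10 from 192.168.0.50 iif $LAN_IF ipproto tcp sport 40000 dport 21"
}

apply
```

Run with `DRY_RUN=0` as root once the printed commands look right. To verify the per-flow behaviour the second post worries about, repeat the `ip route get` line with the same ports several times (same modem every time) and then with different source ports (the modem may change): that is what keeps an FTP or game session on one address for its whole life while still spreading sessions across all modems.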