个人工具

UbuntuHelp:InternetAndNetworking/DualHomedGatewayDHCP

来自Ubuntu中文

Wikibot讨论 | 贡献2007年12月6日 (四) 10:39的版本

跳转至: 导航, 搜索

This page describes how you can setup more than one Internet connection on the same machine with dynamic IP address connections.

Introduction

In many situations, is desirable to have more than one connection to the Internet:

  • for backup purposes
  • to redirect bulk traffic through a less expensive link
  • to split traffic between many links

If all your Internet connections have fixed IP address, perhaps your questions are already answered by the "Linux Advanced Routing HowTo". This guide aims to help you setup your network to use more than one Internet connection when one or more links use dynamic IP address.

Prerequisites

For this to work you should install:

  • iproute2
  • iptables
  • ipcalc
  • dhcp3-client

Secret Sauce

The secret is to use hooks provided by dhclient-script to setup advanced routing for you. You can modify the standard behavior adding your own custom scripts to the folders dhclient-enter-hooks.d and dhclient-exit-hooks.d at /etc/dhcp3/ (man dhclient-script). There are a debug script which is very useful to show the information that is available to your scripts. Just edit the scripts at these folders changing RUN="no" to RUN="yes" and you will have useful debug information logged to /tmp/dhclient-script.debug. Debug output will look like:

Tue Oct 16 15:35:27 BRT 2007: entering dhclient-enter-hooks.d, dumping variables.
reason='BOUND'
interface='eth2'
medium=''
alias_ip_address=''
new_ip_address='201.52.236.6'
new_subnet_mask='255.255.240.0'
new_domain_name=''
new_domain_name_servers=''
new_routers='201.52.224.1'
new_static_routes=''
old_ip_address='201.52.236.6'
old_subnet_mask='255.255.240.0'
old_domain_name=''
old_domain_name_servers=''
old_routers='201.52.224.1'
old_static_routes=''
--------------------------
Tue Oct 16 15:35:27 BRT 2007: entering dhclient-exit-hooks.d, dumping variables.
reason='BOUND'
interface='eth2'
medium=''
alias_ip_address=''
new_ip_address='201.52.236.6'
new_subnet_mask='255.255.240.0'
new_domain_name=''
new_domain_name_servers=''
new_routers=''
new_static_routes=''
old_ip_address='201.52.236.6'
old_subnet_mask='255.255.240.0'
old_domain_name=''
old_domain_name_servers=''
old_routers='201.52.224.1'
old_static_routes=''
--------------------------

Case #1: fixed-address premium link + cheap broadband connection

I have an expensive premium Internet connection at the office, but want to have also a cheap broadband cable connection for backup and download acceleration. Just plugging a second NIC and connecting it to cable modem will not work: DHCP will add a second default route and ruin my day because the ISP #1 will not route packets with ISP #2 source address and vice-versa (a detailed explanation on why this will not work is away beyond this document goals). For the unexperienced network administrator this is hard to diagnose because sometimes it seems to work, sometimes not. Linux with iproute2 has up to 255 distinct routing tables. We are going to create a new routing table with default route pointing to the second ISP and use iproute2 rules to conditionally select between routing tables. Supposing we have three NICs:

  • eth0: fixed IP addres connected to main Internet link with 200.123.123.106/255.255.255.240 address
  • eth1: connected to our internal network with 10.1.0.254/255.255.255.0 address
  • eth2: connected to the broadband backup link with dynamic address

1. Edit /etc/iproute2/rt_tables to add a line naming your routing table. You can call it anything, I prefer the ISP name. We will end up with something like:

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
2     ISP2

2. We don't want dhclient messing with our nameserver setup at /etc/resolv.conf. To prevent this, edit /etc/dhcp3/dhclient.conf and change the request setting removing or commenting out domain-name, domain-name-servers, host-name, netbios-name-servers and netbios-scope. 3. Create a file at /etc/dhcp3/dhclient-enter-hooks.d, call it dualhomed:

if [ x$reason == 'xBOUND' ]; then
        # Lets flush our new routing table
        /sbin/ip route flush table ISP2
        # Stop marking packets
        /sbin/iptables -F PREROUTING -t mangle
        # Flush routing rules
        /usr/local/sbin/flush_rules.pl

        # Cable modem will give us a private IP
        # when link is down.
        prefixo=`echo $teste | cut -d . -f 1-2`
        if [ x$prefixo == 'x192.168' ]; then
                exit
        fi

        # Copy NIC routes at main routing table:
        /sbin/ip route add 200.123.123.104/29 dev eth0 table ISP2
        /sbin/ip route add 10.1.0.0/24 dev eth1 table ISP2

        # Advanced rules
        /sbin/ip rule add from $new_ip_address table ISP2
        /sbin/ip rule add fwmark 0x2 table ISP2

        # Mark HTTP packets we want to send through ISP2
        /sbin/iptables -I PREROUTING -t mangle -s 10.1.0.0/24 -i eth1 -p tcp --dport 443 -j MARK --set-mark 2
        /sbin/iptables -I PREROUTING -t mangle -s 10.1.0.0/24 -i eth1 -p tcp --dport 80  -j MARK --set-mark 2
fi

# We dont want a default route to this gateway at the main table,
# so we undefine $new_routers.
isp2_gateway=$new_routers
new_routers=""

4. Create a file at /etc/dhcp3/dhclient-exit-hooks.d, call it dualhomed:

if [ x$reason == 'xBOUND' ]; then
        # Cant be done at dhclient-enter-hooks time
        my_new_network=`ipcalc -n $new_ip_address/$new_subnet_mask | grep Network | cut -b 12-32`
        /sbin/ip route add $my_new_network dev $interface table ISP2
        /sbin/ip route add default via $isp2_gateway table ISP2

        # Should we restar squid to bind to the new interface?
        /etc/init.d/squid restart
fi

5. At shell prompt, issue "ifdown eth2" command 6. Edit /etc/network/interfaces to make eth2 address dynamic:

auto eth2
iface eth2 inet dhcp

7. At shell prompt, issue "ifup eth2" command That is it. If you did everything right, ip routing rules will look like:

admin@firewall:~$ sudo ip rule show
0:      from all lookup 255
32764:  from all fwmark 0x2 lookup ISP2
32765:  from 201.252.136.6 lookup ISP2
32766:  from all lookup main
32767:  from all lookup default

ISP2 routing table will look like:

admin@firewall:~$ sudo ip route show table ISP2
200.123.123.104/29 dev eth0  scope link
10.1.0.0/24 dev eth1  scope link
201.252.224.0/20 dev eth2  scope link
default via 201.252.224.1 dev eth2

Conclusion

Linux advanced routing features allow you to use more than one ISP, so you can route bulk or less important traffic through a cheaper link, sometimes meaning big cost savings and more reliable networking.