Need some help with static routing tables on two hosts.
I'm kind of new to some of this stuff, so I basically need directions. I am working on a lab for a real implementation. The way things work now is like this: 10 proxies behind 2 LBs that work based on Linux routing policies. The policies are "from ip/mask use routing table 10", which takes all traffic from these sources through proxy 10; that route is stored in Linux routing table 10, which contains "default via proxy_ip".

There is a "master" server that gets live extended status of each proxy: it can be up/down, load = 80%, etc. If a route on the LB should be changed, it is committed using a script over SSH, almost manually.

What I want to do is to use BIRD to control the routing tables on the LB, and on the "master" server have an instance of BIRD that will feed the routes to the LB's BIRD, so the LB will be completely untouchable at the OS command level. I have tried to understand whether there is a way to make it all work, but I don't seem to understand what I can and what I cannot do using BIRD.

The clients are at 10.110.0.0/16. The LB has the addresses 10.110.0.1 + 10.100.1.1 + 10.127.1.1/24. The proxy servers are at 10.100.1.0/24. The master sits in the proxy LAN at 10.100.1.254. The GW of the proxy servers is the LB, 10.100.1.1. The default GW of the LB is 10.127.1.254.

So I want the master to monitor the proxy servers, and in case of a change in the network status of a proxy for any reason (let's say down), I would change the routes in a specific table and then send BIRD "configure soft" to update the settings. So if there is a nice method of combining all BIRD capabilities and some routing protocol for the process, I will be very happy to hear about it.

I have tried to use BGP in a local AS between the master and the LB, but it seems that on the LB, when it gets the static route, it states the route: 0.0.0.0 .... unreachable. I will later put here the settings I used.
Thanks,
Eliezer
-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
On Wed, Jul 25, 2012 at 11:46:10PM +0300, Eliezer Croitoru wrote:
> I'm kind of new to some of this stuff, so I basically need directions.
> I am working on a lab for a real implementation. The way things work now is like this:
> 10 proxies behind 2 LBs that work based on Linux routing policies. The policies are "from ip/mask use routing table 10", which takes all traffic from these sources through proxy 10; that route is stored in Linux routing table 10, which contains "default via proxy_ip".
> There is a "master" server that gets live extended status of each proxy: it can be up/down, load = 80%, etc. If a route on the LB should be changed, it is committed using a script over SSH, almost manually. .. So I want the master to monitor the proxy servers, and in case of a change in the network status of a proxy for any reason (let's say down), I would change the routes in a specific table and then send BIRD "configure soft" to update the settings.
> So if there is a nice method of combining all BIRD capabilities and some routing protocol for the process, I will be very happy to hear about it.
Hello

That is an interesting setup. If you want just to synchronize tables between master and LB, you could do that for one table on master and one table on LB by using e.g. BGP (see comment below), but it is problematic to synchronize several such tables. I guess that you could have several parallel BGP sessions, one for each table, but you would probably have to use a different pair of IP addresses for each BGP session. Note that if 'master' crashes, BGP sessions would go down and default routes in LBs would disappear.
> I have tried to use BGP in a local AS between the master and the LB, but it seems that on the LB, when it gets the static route, it states the route: 0.0.0.0 .... unreachable.
This is probably caused by 'gateway recursive' mode on BGP (default for IBGP). See the 'gateway direct' option and then the question 'IBGP does not work ...' in the FAQ: https://git.nic.cz/redmine/projects/bird/wiki/FAQ

Another, completely different way to implement this would be that 'master' would just announce which proxies are 'usable' (through one BGP session) and LBs would fill all tables from this information. That could be done using static recursive routes. For example, for proxy 10.100.1.10 we will use the auxiliary pseudo-IP 10.100.2.10, and if 10.100.1.10 is usable, master will propagate the pseudo-route:

10.100.2.10/32 via 10.100.1.10

to the LB. On the LB, there will be a static recursive route:

route default recursive 10.100.2.10

If master propagated that pseudo-route, this recursive route will appear as:

route default via 10.100.1.10

otherwise it will appear as

route default unreachable

You could have such a recursive route for each proxy, so you will get a table with a set of default routes that are either correct or unreachable. Unfortunately, being unreachable does not lower route priority, so you would have to use another table connected with a pipe, and in the pipe filter do something like 'if dest = RTD_UNREACHABLE then prio = 1'. This will move all unreachable routes to the bottom, so the reachable route with the highest configured priority will be used. This has to be replicated for each table on the LB (probably with a different priority for each static route so that a different one will be used as the best one); only the table with pseudo-routes received from master will be shared.

It is pretty complex and I don't know if it does what you really need, but it should work.

-- 
Elen sila lumenn' omentielvo
Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
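The design sketched in the reply above, written out as BIRD 1.x configuration for both hosts. This is an added example, not configuration from the thread or from the BIRD project; it assumes a private AS 65000 for the IBGP session, a second proxy at 10.100.1.11 with pseudo-IP 10.100.2.11, and table and protocol names chosen here. The master publishes one pseudo-route per usable proxy; the LB resolves recursive defaults against them, demotes unreachable ones through a pipe, and exports the winner to kernel table 10.

```conf
# ---- master (10.100.1.254): announce which proxies are usable ----
router id 10.100.1.254;

protocol device { scan time 10; }

# Pseudo-routes: one /32 in 10.100.2.0/24 per proxy, next hop = the real proxy.
# The monitoring script removes a line when a proxy goes down and runs
# `birdc configure soft`; only the BGP export changes, the LB is never touched.
table pseudo;

protocol static usable_proxies {
  table pseudo;
  route 10.100.2.10/32 via 10.100.1.10;   # proxy 10 is usable
  route 10.100.2.11/32 via 10.100.1.11;   # second proxy (assumed address)
}

protocol bgp to_lb {
  table pseudo;
  local as 65000;                 # same AS on both ends => IBGP (assumed AS)
  neighbor 10.100.1.1 as 65000;
  import none;
  export all;
}

# ---- LB (10.100.1.1): receive pseudo-routes, derive per-table defaults ----
router id 10.100.1.1;

protocol device { scan time 10; }

table pseudo;        # shared by all policy tables
table t10;           # candidate defaults for kernel table 10
table t10_out;       # re-prioritised copy that reaches the kernel

protocol bgp from_master {
  table pseudo;
  local as 65000;
  neighbor 10.100.1.254 as 65000;
  gateway direct;    # IBGP defaults to 'gateway recursive', which is what left
                     # the received route unreachable in the original post
  import all;
  export none;
}

# One static protocol per proxy: a static protocol announces at most one route
# per prefix, and its protocol-level preference decides which reachable default wins.
protocol static t10_via_proxy10 {
  table t10;
  igp table pseudo;                       # where 10.100.2.x is looked up
  preference 200;
  route 0.0.0.0/0 recursive 10.100.2.10;  # becomes 'via 10.100.1.10' or unreachable
}

protocol static t10_via_proxy11 {
  table t10;
  igp table pseudo;
  preference 100;
  route 0.0.0.0/0 recursive 10.100.2.11;
}

# Being unreachable does not lower preference, so demote it on the way to t10_out.
protocol pipe t10_pipe {
  table t10;
  peer table t10_out;
  import none;
  export filter {
    if dest = RTD_UNREACHABLE then preference = 1;
    accept;
  };
}

protocol kernel t10_kernel {
  table t10_out;
  kernel table 10;    # the table the existing 'from ip/mask lookup 10' rule uses
  import none;
  export all;
}
```

On the LB, `birdc show route table pseudo` should list 10.100.2.10/32 via 10.100.1.10, not via the master; if the next hop shows the master's address, the recursive default would resolve to the master instead of the proxy. `birdc show route table t10_out` shows which default will reach the kernel. For each further policy table, duplicate the t10 / t10_out / pipe / kernel block with a different preference order; the `pseudo` table and the BGP session stay shared. The caveat from the reply still applies: when the master or the session goes down, the pseudo-routes are withdrawn and every recursive default becomes unreachable.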
On 7/26/2012 1:54 AM, Ondrej Zajicek wrote:
> On Wed, Jul 25, 2012 at 11:46:10PM +0300, Eliezer Croitoru wrote:
> > I'm kind of new to some of this stuff, so I basically need directions.
> > I am working on a lab for a real implementation. The way things work now is like this:
> > 10 proxies behind 2 LBs that work based on Linux routing policies. The policies are "from ip/mask use routing table 10", which takes all traffic from these sources through proxy 10; that route is stored in Linux routing table 10, which contains "default via proxy_ip".
> > There is a "master" server that gets live extended status of each proxy: it can be up/down, load = 80%, etc. If a route on the LB should be changed, it is committed using a script over SSH, almost manually. .. So I want the master to monitor the proxy servers, and in case of a change in the network status of a proxy for any reason (let's say down), I would change the routes in a specific table and then send BIRD "configure soft" to update the settings.
> > So if there is a nice method of combining all BIRD capabilities and some routing protocol for the process, I will be very happy to hear about it.
> Hello
> That is an interesting setup. If you want just to synchronize tables between master and LB, you could do that for one table on master and one table on LB by using e.g. BGP (see comment below), but it is problematic to synchronize several such tables. I guess that you could have several parallel BGP sessions, one for each table, but you would probably have to use a different pair of IP addresses for each BGP session. Note that if 'master' crashes, BGP sessions would go down and default routes in LBs would disappear.
Thanks, Ondrej, for the notice. I have seen this effect before while using BGP. It's a known issue with BGP sessions: since they are all connected to one segment/switch, if something fails it's bad for the whole setup. I think I have heard that there are ways to hold the routing tables after a disconnection for some amount of time. If you have knowledge about this or another option, I will be happy to hear about it.
> > I have tried to use BGP in a local AS between the master and the LB, but it seems that on the LB, when it gets the static route, it states the route: 0.0.0.0 .... unreachable.
> This is probably caused by 'gateway recursive' mode on BGP (default for IBGP). See the 'gateway direct' option and then the question 'IBGP does not work ...' in the FAQ:
Nice. I must say that since BIRD has a very unique syntax for config (I do like it, though), it took me a while to get some of it. While reading this FAQ I got a bit confused about where I should put the "gateway direct;". It's obvious that some work on more examples in the wiki would make its syntax much easier to understand. Also, for a reason unknown, I registered to the wiki but am unable to log in/reset or do whatever I want with my account. The only thing is that I can get an email with a link that doesn't do anything to my eyes.
> Another, completely different way to implement this would be that 'master' would just announce which proxies are 'usable' (through one BGP session) and LBs would fill all tables from this information. That could be done using static recursive routes. For example, for proxy 10.100.1.10 we will use the auxiliary pseudo-IP 10.100.2.10, and if 10.100.1.10 is usable, master will propagate the pseudo-route:
>
> 10.100.2.10/32 via 10.100.1.10
>
> to the LB. On the LB, there will be a static recursive route:
>
> route default recursive 10.100.2.10
>
> If master propagated that pseudo-route, this recursive route will appear as:
>
> route default via 10.100.1.10
>
> otherwise it will appear as
>
> route default unreachable

This is a great idea. Well, the truth is that the scenario is the old setup, which makes the whole thing more complicated to coordinate a couple of systems together, such as filtering, cache, routing, etc.
The LB is actually a routing server, and the basic setup is client-->gw\LNS-->LB-->proxy-->EDGE.... and back: ...EDGE-->LB-->proxy-->LNS\gw-->client. This setup is nice and works well, but I actually can remove the LB and use the EDGE as an LB for the proxy servers. The edge is a very strong machine that can take all the stress of the network doubles****, so if I can make the setup have one less point of failure, this is a very nice way to do so.
> You could have such a recursive route for each proxy, so you will get a table with a set of default routes that are either correct or unreachable. Unfortunately, being unreachable does not lower route priority, so you would have to use another table connected with a pipe, and in the pipe filter do something like 'if dest = RTD_UNREACHABLE then prio = 1'. This will move all unreachable routes to the bottom, so the reachable route with the highest configured priority will be used. This has to be replicated for each table on the LB (probably with a different priority for each static route so that a different one will be used as the best one); only the table with pseudo-routes received from master will be shared.
Adding pipes and filters will be very simple and really not such a huge thing for this small routing table.
> It is pretty complex and I don't know if it does what you really need, but it should work.
It's a bit complex, but it seems pretty straightforward, since the current setup is based on a routing table per prefix. In the current setup it can be very nasty. I have tested using one table with weighted default routes, something like this:

ip route append default scope global nexthop via 192.168.10.200 dev eth1 weight 1 nexthop via 192.168.10.201 dev eth1 weight 1

My design, compared to the current one, should be more user friendly. It uses iptables marking and then, by the mark, uses a specific routing table. This way I can redirect only web traffic on ports 80/8080/8000; all the other packets will flow straight from the edge to the Internet. So, removing the LB machine and using only the edge router to perform the whole thing, a specific table with:

route prefix multipath via proxy1 weight 100 via proxy2 weight proxy2

should do the job.

Thanks,
Eliezer
-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
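The edge design described in the message above, as an added example in BIRD 1.x static syntax (not configuration from the thread or from the BIRD project): a weighted multipath default route in a BIRD table exported to Linux kernel table 100, which an `ip rule ... fwmark` rule outside BIRD (shown only as a comment) selects for marked web traffic. The proxy addresses 10.100.1.10 and 10.100.1.11, the table number, the mark value, the weights and the edge's router id are assumptions. BIRD's `weight` takes a number in the range 1..256, so the `weight proxy2` placeholder in the message needs a numeric value.

```conf
# Added example: edge router acting as LB, marked web traffic -> weighted multipath.
# Assumed: proxies 10.100.1.10 / 10.100.1.11, kernel table 100, fwmark 0x1.
#
# Done outside BIRD (once, e.g. at boot; shown only for context):
#   iptables -t mangle -A PREROUTING -s 10.110.0.0/16 -p tcp \
#       -m multiport --dports 80,8080,8000 -j MARK --set-mark 0x1
#   ip rule add fwmark 0x1 lookup 100
# Unmarked packets keep using the main table and go straight to the Internet.

router id 10.127.1.254;   # edge address assumed

protocol device { scan time 10; }

table web;

protocol static web_default {
  table web;
  # Weights are relative shares of the next-hop set; 100:50 sends about twice
  # as many flows to .10 as to .11. A failed proxy is removed by deleting its
  # 'via' line and running `birdc configure soft`.
  route 0.0.0.0/0 multipath
        via 10.100.1.10 weight 100
        via 10.100.1.11 weight 50;
}

protocol kernel web_kernel {
  table web;
  kernel table 100;    # the table the fwmark rule above looks up
  import none;
  export all;
}
```

Verify with `birdc show route table web all` and `ip route show table 100`; the kernel route should list both next hops with their weights. One caveat for a proxy farm: which next hop a packet takes is decided by the kernel, not by BIRD. Kernels from 3.6 up to 4.3 chose the next hop per packet, which splits a single TCP session across proxies; older kernels (route cache) and 4.4 and later (hash-based multipath) keep a flow on one next hop, so check the kernel version before relying on this.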
On 7/26/2012 1:54 AM, Ondrej Zajicek wrote: <SNIP>
> > I have tried to use BGP in a local AS between the master and the LB, but it seems that on the LB, when it gets the static route, it states the route: 0.0.0.0 .... unreachable.
> This is probably caused by 'gateway recursive' mode on BGP (default for IBGP). See the 'gateway direct' option and then the question 'IBGP does not work ...' in the FAQ:
> https://git.nic.cz/redmine/projects/bird/wiki/FAQ
> Another, completely different way to implement this would be that 'master' would just announce which proxies are 'usable' (through one BGP session) and LBs would fill all tables from this information. That could be done using static recursive routes. For example, for proxy 10.100.1.10 we will use the auxiliary pseudo-IP 10.100.2.10, and if 10.100.1.10 is usable, master will propagate the pseudo-route:
>
> 10.100.2.10/32 via 10.100.1.10
>
> to the LB. On the LB, there will be a static recursive route:
>
> route default recursive 10.100.2.10
>
> If master propagated that pseudo-route, this recursive route will appear as:
>
> route default via 10.100.1.10
>
> otherwise it will appear as
>
> route default unreachable
>
> You could have such a recursive route for each proxy, so you will get a table with a set of default routes that are either correct or unreachable. Unfortunately, being unreachable does not lower route priority, so you would have to use another table connected with a pipe, and in the pipe filter do something like 'if dest = RTD_UNREACHABLE then prio = 1'. This will move all unreachable routes to the bottom, so the reachable route with the highest configured priority will be used. This has to be replicated for each table on the LB (probably with a different priority for each static route so that a different one will be used as the best one); only the table with pseudo-routes received from master will be shared.
> It is pretty complex and I don't know if it does what you really need, but it should work.
Well, I have tried to implement the multipath idea I had, but it seems that with BGP I can't send multipath + weight from one host's static protocol to another. Is there any way to import a multipath statement with some coding? What I mean is that I will advertise multiple statements of the default route that are under 100, and 1 means unreachable, and on the destination LB I will gather them all together and put them in a multipath array. Since I'm not that experienced with routing protocols, I lack some knowledge.

Thanks,
Eliezer
-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
Participants (2): Eliezer Croitoru, Ondrej Zajicek