shimitar Guru
Joined: 23 Nov 2003 Posts: 333 Location: Italy, Torino
Posted: Fri Feb 09, 2024 9:08 am    Post subject: Issue with advanced custom routing
Hi all!
I have two upstream ISPs at home.
I have a Gentoo home router setup with SNAT and ISP1 as default gateway.
I am trying to force user1, on the home router, to route through ISP2 because ISP1 has a data cap, while ISP2 does not.
The user has UID 1000.
I am playing with iproute2: I have added a custom routing table (called 100) with a specific default route through ISP2, and then added a rule to route everything from UID 1000 to table 100:
Code: |
ip route add default via 192.168.1.254 dev enp59s0u2u4c2 table 100
ip rule add uidrange 1000-1000 lookup 100
|
but it's not working. IPv6 is actually working properly, but IPv4 is NOT working.
I cannot ping any host using its IPv4 address.
From user1 I can:
Code: |
user1@server / $ ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.024 ms
^C
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.024/0.024/0.024/0.000 ms
user1@server / $ ping 192.168.1.254
PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=1.94 ms
^C
--- 192.168.1.254 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.936/1.936/1.936/0.000 ms
user1@server / $ ping www.kde.org
PING www.kde.org (85.10.198.55) 56(84) bytes of data.
--- www.kde.org ping statistics ---
33 packets transmitted, 0 received, 100% packet loss, time 32432ms
|
So basically I can ping localhost and I can ping the gateway assigned to user1, but I cannot ping outside.
This is what traceroute says:
Code: |
user1@server /home/user1 $ traceroute www.kde.org
traceroute to www.kde.org (85.10.198.55), 30 hops max, 60 byte packets
1 myfastgate.lan (192.168.1.254) 1.874 ms 2.027 ms 2.076 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
|
Actually it looks like reply packets are lost?
These are my routing tables:
Code: |
server / # ip route show
default via 192.168.0.1 dev enp0s20f0u4u4c2
10.70.43.0/24 dev enp0s31f6 proto kernel scope link src 10.70.43.1
10.100.0.0/24 via 10.100.0.2 dev tun0
10.100.0.2 dev tun0 proto kernel scope link src 10.100.0.1
95.110.230.195 via 192.168.1.254 dev enp59s0u2u4c2
95.110.230.204 via 192.168.0.1 dev enp0s20f0u4u4c2
192.168.0.0/24 dev enp0s20f0u4u4c2 proto kernel scope link src 192.168.0.10
192.168.1.0/24 dev enp59s0u2u4c2 proto kernel scope link src 192.168.1.10
|
Code: |
server / # ip route show table 100
default via 192.168.1.254 dev enp59s0u2u4c2
10.70.43.0/24 dev enp0s31f6 proto kernel scope link src 10.70.43.1
192.168.1.0/24 dev enp59s0u2u4c2 proto kernel scope link src 192.168.1.10
|
Code: |
server / # ip rule
0: from all lookup local
32764: from all uidrange 1000-1000 lookup 100
32765: from all lookup 1
32766: from all lookup main
32767: from all lookup default
|
(I have a couple of static routes, and you can also see the other ISP as default on my main routing table.)
Routing works as expected in all cases, except for user user1.
EDIT:
I managed to get it working by setting /proc/sys/net/ipv4/conf/enp59s0u2u4c2/rp_filter to 2 (loose mode) as indicated here: https://sysctl-explorer.net/net/ipv4/rp_filter/
Is it a good solution? Is there a better one?
_________________
Willy Gardiol
willy@gardiol.org
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 882
Posted: Sun Feb 25, 2024 4:30 pm    Post subject:
From what you're showing your setup seems ok to me.
What I think is the problem is the way you are testing. As far as I know ping is a setuid program, so effectively it always runs as root, completely missing your ip rule.
To be 100% sure your routing table does what you want, use wget, curl, ssh or whatever tool as the user to test, and use a running tcpdump to validate that the packets leave the interface you expect.
Quote: | I managed to get it working by setting /proc/sys/net/ipv4/conf/enp59s0u2u4c2/rp_filter to 2 (loose mode) as indicated here |
I think this is expected to be needed. The reverse path check inspects an incoming packet and expects it to arrive on the interface you would route it out of. Of course, with your rule and routing table you're applying different logic, so this test fails.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
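Putting the two posts together, here is an added example (editor's code, not something either poster ran) that sets up the per-UID table and rule from the first post and verifies it the way the reply suggests: ask the kernel directly with "ip route get ... uid", then run a non-setuid client as the user while tcpdump watches the ISP2 link. UID 1000, table 100, gateway 192.168.1.254, interface enp59s0u2u4c2, local address 192.168.1.10 and test host 85.10.198.55 (www.kde.org) are taken from the thread. The extra "from 192.168.1.10" rule, the verify procedure and the sample "ip route get" lines are assumptions; the source-address rule is the standard multi-uplink recipe, and it is what lets strict rp_filter stay on instead of switching the interface to loose mode.

```shell
#!/bin/sh
# Added example, not from either post in the thread. Steers one local UID out of
# a second ISP with iproute2 and verifies it without relying on a setuid ping.
# UID 1000, table 100, gateway 192.168.1.254, interface enp59s0u2u4c2, local
# address 192.168.1.10 and test host 85.10.198.55 (www.kde.org) come from the
# thread; everything else here is an assumption to adapt to your own setup.
set -eu

USER_NAME=user1
UID_RANGE=1000-1000
TABLE=100
GW=192.168.1.254
IFACE=enp59s0u2u4c2
LOCAL_ADDR=192.168.1.10
TEST_HOST=85.10.198.55

# Print the setup commands instead of running them, so they can be reviewed
# (and unit-tested) before being applied as root with "apply".
#  - "ip route replace" makes the default route idempotent.
#  - "ip rule add" is not idempotent, so each rule is added only when absent.
#  - The "from $LOCAL_ADDR" rule is what lets strict rp_filter (=1) keep
#    working: the reverse-path check looks up the incoming packet's source as a
#    destination and has no owning socket, so the uidrange rule never matches
#    there, but a rule on our own source address does and sends the lookup to
#    table $TABLE, whose default route points back out of $IFACE.
#    The thread's alternative is loose mode on that interface:
#      sysctl -w net.ipv4.conf.$IFACE.rp_filter=2
uid_route_cmds() {
    uid_range=$1 table=$2 gw=$3 iface=$4 local_addr=$5
    cat <<EOF
ip route replace default via $gw dev $iface table $table
ip rule show | grep -q "uidrange $uid_range lookup $table" || ip rule add uidrange $uid_range lookup $table
ip rule show | grep -q "from $local_addr lookup $table" || ip rule add from $local_addr lookup $table
EOF
}

# Succeed if one "ip route get" output line names the expected egress device.
# Pure string handling, so it can be exercised offline on constructed output.
route_uses_dev() {
    route_line=$1 want_dev=$2
    got_dev=$(printf '%s\n' "$route_line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    [ "$got_dev" = "$want_dev" ]
}

# Live checks, run as root:
#  1. ask the kernel which route UID 1000 gets (no setuid binary involved);
#  2. have the user fetch a page with curl while tcpdump watches the ISP2 link.
verify() {
    uid=${UID_RANGE%-*}
    route_line=$(ip -4 route get "$TEST_HOST" uid "$uid" | head -n 1)
    if ! route_uses_dev "$route_line" "$IFACE"; then
        echo "uid $uid is not routed via $IFACE: $route_line" >&2
        return 1
    fi
    timeout 15 tcpdump -ni "$IFACE" -c 3 "tcp and host $TEST_HOST" &
    tcpdump_pid=$!
    sleep 1
    su -s /bin/sh "$USER_NAME" -c \
        "curl -sS -o /dev/null --max-time 10 --resolve www.kde.org:443:$TEST_HOST https://www.kde.org/" || true
    wait "$tcpdump_pid"
}

case "${1:-}" in
    show)   uid_route_cmds "$UID_RANGE" "$TABLE" "$GW" "$IFACE" "$LOCAL_ADDR" ;;
    apply)  uid_route_cmds "$UID_RANGE" "$TABLE" "$GW" "$IFACE" "$LOCAL_ADDR" | sh -e ;;
    verify) verify ;;
    *)      ;;  # no argument: only define the functions (e.g. when sourced)
esac
```

Run it as root with "show" to review the commands, "apply" to install them, and "verify" to check the result; "ip route get ... uid 1000" is the quickest way to see the rule being honoured without any setuid helper in the way. Two caveats worth knowing: the kernel uses the larger of net.ipv4.conf.all.rp_filter and the per-interface value, which is why setting only the interface to 2 while "all" stays at 1 was enough to get loose mode in the thread; and since table 100 as shown contains only the default route plus 10.70.43.0/24 and 192.168.1.0/24, traffic from UID 1000 towards the 192.168.0.0/24 side would also be sent to the ISP2 gateway unless that prefix is added to the table too.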