Supporting 2 default gateways, one for each subnet using PBR.

Having a server multi-homed in two networks can be a pain when there are two default gateways and external clients reach the service from both sides: with a single default route, replies to clients on the second network leave through the first network's gateway, so they come back asymmetrically or not at all. Thankfully we have policy based routing to help resolve this problem.


Policy Based Routing (hereafter simply referred to as PBR) is a clever way to give us more control over which routing path connections will take. It allows us to specify custom routing tables and then add rules offering fine-grained control over which routing table a connection will use.


Common commands:

To list the current rules: ip rule ls
To list routes from a specific table: ip route ls table <name / ID>
To add a rule: ip rule add <to/from/fwmark> <ip-address/fwmark-id> table <name / ID>


Below is a script I wrote for CentOS/RHEL 6 that quickly supports two NICs with two gateways to the internet, so clients hitting either adapter will get replies back through the correct gateway.


#!/bin/bash
# Version 1.0
# Maintained By: Aaron West
# chkconfig: 345 99 01
# description: Policy Based Routing rules to support multiple routing tables.
# processname: policy-based-routing
#
# This script should be stored under /etc/init.d/ as policy-based-routing.
# Please feel free to expand and use this script at your discretion.

# Program Paths
IP=/sbin/ip
IPTABLES=/sbin/iptables

# Existing Routing Path (served by the main table; fill in for your network)
NIC1=
NET1=
MASK1=
IP1=

# Additional Routing Path (gets its own table, "path2", and its own gateway)
NIC2=
NET2=
MASK2=
IP2=
GW2=

case "$1" in
    start)
        echo -n "Starting policy-based-routing: "

        # Register the path2 table (ID 200) in rt_tables if it is not there yet.
        # grep -q keeps the check quiet and avoids appending a duplicate entry.
        if ! grep -q "path2" /etc/iproute2/rt_tables; then
            echo "200 path2" >> /etc/iproute2/rt_tables
        fi

        # Build the additional routing table: both connected networks, so local
        # hosts are reached directly, plus a default route via the second gateway.
        ${IP} route add ${NET1}/${MASK1} dev ${NIC1} src ${IP1} table path2
        ${IP} route add ${NET2}/${MASK2} dev ${NIC2} src ${IP2} table path2
        ${IP} route add default via ${GW2} table path2

        # Rule: anything sourced from IP2 (i.e. replies to clients that arrived
        # on NIC2) is looked up in path2 and therefore leaves via GW2.
        ${IP} rule add from ${IP2} table path2
        touch /var/lock/subsys/policy-based-routing
        echo "done"
    ;;
    stop)
        echo -n "Shutting down policy-based-routing: "

        # Remove the additional routes.
        ${IP} route del ${NET1}/${MASK1} dev ${NIC1} src ${IP1} table path2
        ${IP} route del ${NET2}/${MASK2} dev ${NIC2} src ${IP2} table path2
        ${IP} route del default via ${GW2} table path2

        # Remove the rule.
        ${IP} rule del from ${IP2} table path2
        rm -f /var/lock/subsys/policy-based-routing
        echo "done"
    ;;
    restart)
        $0 stop; $0 start
    ;;
    *)
        echo "Usage: policy-based-routing {start|stop|restart}"
        exit 1
    ;;
esac

With the above script you only need to set the relevant variables for your network, giving you a simple solution that is persistent across reboots:


# Existing Routing Path
NIC1=eth0
NET1=172.16.0.0
MASK1=16
IP1=172.16.0.100

# Additional Routing Path
NIC2=eth1
NET2=192.168.0.0
MASK2=24
IP2=192.168.0.100
GW2=192.168.0.1

Should you require it, you can also extend the script fairly easily to support more networks and routing paths.

To enable the script once configured, execute the following commands:


chkconfig --add policy-based-routing
service policy-based-routing start
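As an added example (not the post's script), here is the same per-path setup written as shell functions, so a third NIC and gateway becomes one more call rather than a copied block; function names, the PBR_DRY_RUN switch and the overridable RT_TABLES path are my own assumptions, and the addresses in the trailing comment are the post's sample values.

```shell
# Added example, not the post's own script: the per-path setup as functions,
# so an extra NIC/gateway is one more call. PBR_DRY_RUN=1 prints the ip
# commands instead of running them, so a change can be reviewed before root applies it.
IP=${IP:-/sbin/ip}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

run() {
    if [ "${PBR_DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# ensure_rt_table FILE ID NAME: register the named table exactly once, so a
# restart does not append a second "200 path2" line to rt_tables.
ensure_rt_table() {
    grep -q -E "^[[:space:]]*$2[[:space:]]+$3\$" "$1" 2>/dev/null && return 0
    echo "$2 $3" >> "$1"
}

# pbr_connected ACTION TABLE NIC NET MASK ADDR: connected route inside TABLE
# (the post copies NET1's route into path2 so local hosts are not sent to GW2).
pbr_connected() {
    run "$IP" route "$1" "$4/$5" dev "$3" src "$6" table "$2"
}

# pbr_path add|del TABLE NIC NET MASK ADDR GW: one secondary path. The
# "from ADDR" rule steers replies sourced from ADDR into TABLE, and therefore
# out through GW instead of the main table's default gateway.
pbr_path() {
    action=$1; table=$2; nic=$3; net=$4; mask=$5; addr=$6; gw=$7
    case "$action" in
        add)
            pbr_connected add "$table" "$nic" "$net" "$mask" "$addr"
            run "$IP" route add default via "$gw" table "$table"
            run "$IP" rule add from "$addr" table "$table"
            ;;
        del)  # tear down in reverse order: rule first, routes last
            run "$IP" rule del from "$addr" table "$table"
            run "$IP" route del default via "$gw" table "$table"
            pbr_connected del "$table" "$nic" "$net" "$mask" "$addr"
            ;;
        *) echo "usage: pbr_path add|del TABLE NIC NET MASK ADDR GW" >&2; return 1 ;;
    esac
}

# The post's two-NIC layout (its sample addresses), run as root on a live box:
#   ensure_rt_table "$RT_TABLES" 200 path2
#   pbr_connected add path2 eth0 172.16.0.0 16 172.16.0.100
#   pbr_path add path2 eth1 192.168.0.0 24 192.168.0.100 192.168.0.1
```

Running the three calls with PBR_DRY_RUN=1 first prints exactly the ip commands the init script above would execute, which is a quick way to check the variables before touching a production host.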

That should be it! You’ve completed your first soiree with PBR and hopefully have a simple configuration up and running.

