Archives

All posts by Mihailo

If you have ever had a machine with two LAN cards that needs failover, for example with each LAN card connected to its own router that has an Internet connection, then this article is for you.

While working at one company I had a request that two Cisco routers each be connected to one LAN card on the same machine, while on the other side they were connected to a mobile operator using an IPSec over GRE tunnel. I set up the Cisco routers and configured the parameters for IPSec and GRE, but the problem started when I wanted to access the machine from both sides. If you configure the gateway in the normal way you get only one router as the default gateway, and all traffic from the machine goes through it, including replies to connections that arrived through the other router; those replies leave through the wrong router and the connection breaks. What we need is for traffic that came in through router1 to be answered through router1, and traffic from router2 through router2. This is done with policy routing: a rule picks a routing table by the packet's source address, and each table holds the default route for one uplink. The following commands configure that:

ip rule add from 192.168.0.10 table uplink1
ip route add default via 192.168.0.1 dev eth0 table uplink1

ip rule add from 192.168.0.20 table uplink2
ip route add default via 192.168.0.2 dev eth1 table uplink2

ip route add default scope global nexthop via 192.168.0.2 dev eth1 weight 1 nexthop via 192.168.0.1 dev eth0 weight 1

The first line adds a policy rule: every packet whose source address is 192.168.0.10 (the address on eth0) is looked up in routing table uplink1. The second line puts a default route via 192.168.0.1 (router1) on eth0 into that table. The same two commands, with the corresponding addresses, cover eth1 and router2. Because a reply is always sent from the address the request arrived at, replies to connections that came in through router1 carry source 192.168.0.10, match the first rule and go back out through router1; replies to connections through router2 do the same with router2. The last line is still needed because the main routing table now has no default gateway at all. With nexthop you can list several gateways in one multipath default route and give them weights to prefer one, or, as here, equal weights so that connections the machine itself originates are spread over both. Two caveats: the kernel only skips a nexthop whose interface is down or whose gateway stops answering ARP, it has no idea whether the router behind it still has a working uplink, so this route alone does not give you failover against a dead upstream; for that, something has to monitor each path (for example by pinging a host through each router) and adjust the routes. And since both cards sit in the same subnet, set net.ipv4.conf.all.arp_filter=1 so that each card only answers ARP for traffic it would route out itself (by default Linux answers for either address on either card). Put these commands into /etc/rc.local if you want them executed on every boot.

One thing is still missing: the table names uplink1 and uplink2 must be defined in /etc/iproute2/rt_tables before the ip rule and ip route commands above will accept them. The file should look something like this (the numbers are table ids; any unused id works, small values such as 1 and 2 are the usual choice):

#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
32767 uplink1
32766 uplink2
#1 inr.ruhep

To debug, use ip rule show, ip route show table uplink1 and ip route (or the older route). The most direct check is ip route get 8.8.8.8 from 192.168.0.10, which prints the route the kernel would choose for a packet with that source address; it should show dev eth0 via 192.168.0.1, and the same query from 192.168.0.20 should show dev eth1 via 192.168.0.2.
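The whole setup as one idempotent script, added here as an example (it is not from the original post): it registers the tables, installs the rules and routes in a way that re-running it on every boot does not stack duplicates, adds the arp_filter setting the two-cards-in-one-subnet layout needs, and has a verify mode built on ip route get. Addresses, interfaces and table names are the post's; the table ids 1 and 2, the script's argument names and the file name in the usage note are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: idempotent policy-routing setup for a
# host with two uplinks, meant to be run from /etc/rc.local on every boot.
set -eu

RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# ensure_table NAME ID: register a named table in rt_tables unless it is there already.
# The id is arbitrary (the post uses 32767/32766); 1 and 2 here are an assumption.
ensure_table() {
    name=$1 id=$2
    if ! grep -qE "^[[:space:]]*[0-9]+[[:space:]]+${name}[[:space:]]*\$" "$RT_TABLES" 2>/dev/null; then
        printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
    fi
}

# uplink_cmds IFACE LOCAL_IP GATEWAY TABLE: print the commands for one uplink.
# The old rule and the table contents are removed first, so re-running the script
# never accumulates duplicate rules.
uplink_cmds() {
    iface=$1 local_ip=$2 gw=$3 table=$4
    cat <<EOF
ip rule del from $local_ip table $table 2>/dev/null || true
ip route flush table $table
ip route add default via $gw dev $iface table $table
ip rule add from $local_ip table $table
EOF
}

# main_default_cmds GW1 IF1 GW2 IF2: equal-weight multipath default route in the
# main table, used by connections the host itself originates. "replace" keeps it
# idempotent. The kernel does not probe the gateways, so this is load sharing, not
# failover against a router that is up but has lost its own uplink.
main_default_cmds() {
    printf 'ip route replace default scope global nexthop via %s dev %s weight 1 nexthop via %s dev %s weight 1\n' "$1" "$2" "$3" "$4"
}

# apply: run everything. Both cards sit in the same /24, so arp_filter is enabled
# as well; without it Linux answers ARP for either address on either card.
apply() {
    ensure_table uplink1 1
    ensure_table uplink2 2
    {
        uplink_cmds eth0 192.168.0.10 192.168.0.1 uplink1
        uplink_cmds eth1 192.168.0.20 192.168.0.2 uplink2
        main_default_cmds 192.168.0.1 eth0 192.168.0.2 eth1
        echo 'sysctl -q -w net.ipv4.conf.all.arp_filter=1'
    } | sh -e
}

# verify DEST: ask the kernel which route each source address would take.
# Expected: "dev eth0" for .10 and "dev eth1" for .20.
verify() {
    ip route get "$1" from 192.168.0.10
    ip route get "$1" from 192.168.0.20
}

case "${1:-}" in
    apply)  apply ;;
    verify) verify "${2:-8.8.8.8}" ;;
esac
```

Run it as sh two-uplinks.sh apply from /etc/rc.local (the file name is an assumption), then sh two-uplinks.sh verify 8.8.8.8 should print a route over eth0 for the first query and over eth1 for the second.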

If you use EoIP in bridge mode and have a DHCP server on both sides, but want each of them to serve only the side it is on, you need to block DHCP traffic through the tunnel. This also keeps unnecessary broadcast traffic off the tunnel, which matters because the Internet link is usually the bottleneck in the network.

Linux has ebtables, which can inspect and filter all Ethernet traffic on a bridge, in our case the DHCP broadcasts. To enable it on DD-WRT, go to Administration->Commands, Edit startup script, and add the following lines (the module file names follow the build's kernel, .o on 2.4-kernel builds and .ko on 2.6 builds; use the same form for all three, as the first two lines do, and check with lsmod that they loaded):

# load the bridge firewall, its filter table and the IP header match
insmod ebtables
insmod ebtable_filter
insmod ebt_ip
# DHCP coming out of the tunnel and aimed at this router (its own DHCP server)
ebtables -A INPUT -i oet1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A INPUT -i oet1 -p IPv4 --ip-protocol udp --ip-source-port 67:68 -j DROP
# DHCP from the local side about to be bridged into the tunnel
ebtables -A FORWARD -o oet1 -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -A FORWARD -o oet1 -p IPv4 --ip-protocol udp --ip-source-port 67:68 -j DROP

Reboot the router and you will see that machines on both sides are served by their local DHCP server and all DHCP traffic stays inside. Note that the FORWARD rules only stop DHCP leaving through the tunnel; DHCP arriving from the tunnel and bridged on to the local LAN ports is not filtered (only the router's own INPUT is), so apply the same rules on both routers, or add matching FORWARD rules with -i oet1. Also, since client-to-server DHCP has destination port 67 and server-to-client has destination port 68, the --ip-destination-port 67:68 rules already catch both directions; the --ip-source-port rules are redundant but harmless.
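A startup script that does the same in both directions, added here as an example (not the post's code): the rules live in a chain of their own so that re-running the script does not stack duplicates, the inbound tunnel direction is filtered too, so a router is protected even if the peer has not applied the filter, and the tunnel interface is a parameter. The ebtables options and the oet1 name are the post's; the chain name, the argument order and the file name in the usage note are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: keep DHCP off an EoIP bridge in both
# directions, idempotently. Usage: sh dhcp_filter.sh apply [oetN] | show [oetN]
ACTION=${1:-}
TUNNEL=${2:-oet1}
CHAIN=DHCP_NOTUNNEL

# dhcp_rules IF CHAIN: print the ebtables commands. DHCP is UDP; client->server
# goes to destination port 67 and server->client to destination port 68, so one
# destination-port match per traversal point catches both message flows.
dhcp_rules() {
    t=$1 c=$2
    cat <<EOF
ebtables -N $c 2>/dev/null || ebtables -F $c
ebtables -P $c RETURN
ebtables -A $c -p IPv4 --ip-protocol udp --ip-destination-port 67:68 -j DROP
ebtables -D INPUT -i $t -j $c 2>/dev/null || true
ebtables -D FORWARD -i $t -j $c 2>/dev/null || true
ebtables -D FORWARD -o $t -j $c 2>/dev/null || true
ebtables -A INPUT -i $t -j $c
ebtables -A FORWARD -i $t -j $c
ebtables -A FORWARD -o $t -j $c
EOF
}

# apply: load the modules (file names follow the build's kernel, so failures are
# tolerated and checked afterwards with lsmod) and install the rules.
apply() {
    for m in ebtables ebtable_filter ebt_ip; do
        insmod "$m" 2>/dev/null || true
    done
    dhcp_rules "$TUNNEL" "$CHAIN" | sh -e
}

# show: list the chain with packet counters to confirm that drops are happening.
show() {
    ebtables -L "$CHAIN" --Lc
}

case "$ACTION" in
    apply) apply ;;
    show)  show ;;
esac
```

Paste the script as /tmp/dhcp_filter.sh (an assumed name) and call sh /tmp/dhcp_filter.sh apply oet1 from the startup script; sh /tmp/dhcp_filter.sh show oet1 afterwards shows the drop counter climbing whenever a client on the other side broadcasts.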

Recently we discovered DD-WRT, a Linux distribution for consumer routers such as TP-Link's that adds more advanced features. One of the interesting capabilities is Ethernet over IP (EoIP), which creates a tunnel between two points and forwards all Ethernet frames between them, bridging the two sites as if they were on the same switch. So why would you need EoIP when you have a VPN? A routed VPN works at the IP layer and carries only IP traffic through the tunnel; if you need a non-IP protocol such as IPX, or link-local broadcast and multicast such as RIP and OSPF routing updates (or a transport protocol like SCTP that NAT on a routed link often will not pass), EoIP in bridge mode is the easiest way to do it.

One disadvantage of DD-WRT is that an EoIP tunnel needs a static IP for the remote end. We made a solution that works with dynamic IPs through any dynamic DNS service. It consists of two scripts. The first checks whether the address behind the dynamic DNS name has changed and, if so, puts the new address into the tunnel configuration and rebuilds the tunnel:

#!/bin/sh
# Runs from cron: if the peer's dynamic DNS name now resolves to a different
# address than the one stored in NVRAM, rebuild the EoIP tunnel toward it.
EOIP=$(nvram get oet1_en)
if [ "$EOIP" = 1 ]; then
	# resolve through ping's "PING host (a.b.c.d)" header line (no host/dig on the router)
	NEW_EOIP_IP=$(ping -c1 -w1 example.dyndns.org 2>/dev/null | egrep -o -m 1 '([0-9]{1,3}\.){3}[0-9]{1,3}')
	EOIP_IP=$(nvram get oet1_rem)
	MY_WAN_IP=$(nvram get wan_ipaddr)
	# do nothing when resolution failed; otherwise the tunnel would be torn down with no peer
	if [ -n "$NEW_EOIP_IP" ] && [ "$EOIP_IP" != "$NEW_EOIP_IP" ]; then
		nvram set oet1_rem="$NEW_EOIP_IP"
		ip link set oet1 down
		ip tunnel del oet1
		# swap the firewall rule for the new peer instead of accumulating one per change
		iptables -D INPUT -p etherip -s "$EOIP_IP" -j ACCEPT 2>/dev/null
		iptables -I INPUT -p etherip -s "$NEW_EOIP_IP" -j ACCEPT
		ip tunnel add oet1 mode etherip remote "$NEW_EOIP_IP" local "$MY_WAN_IP"
		brctl addif br0 oet1
		ip link set oet1 up
	fi
fi

Change example.dyndns.org to the dynamic DNS name of the remote tunnel peer, and if you are not using tunnel no. 1 replace oet1 with oetx (x being the number of the EoIP tunnel you use). Save the script in DD-WRT under Administration->Commands, Edit custom script; DD-WRT stores it as /tmp/custom.sh, which is the path the cron job below refers to.

Now that the script exists, it has to be run periodically from cron. This second script runs at DD-WRT startup and works around some problems with cron:

# cron on DD-WRT expects a crontabs user in /tmp/etc/passwd; add it if it is missing
grep -q "^crontabs:" /tmp/etc/passwd || echo 'crontabs:*:0:0:Crontab User,,,:/tmp/root:/opt/bin/bash' >> /tmp/etc/passwd
# restart cron once the rest of the boot has settled so it picks up the user and the job list
stopservice cron
sleep 60
startservice cron

Go to Administration->Commands, Edit startup script, and paste the code above. The sleep 60 gives the rest of the boot time to finish before cron is restarted; the job itself runs every minute with the cron line below, which you can change to whatever fits your needs.

The last thing you need to do is add a cron job. In Administration->Management make sure cron is enabled, and paste the following line into the Additional Cron Jobs field.

* * * * * root /tmp/custom.sh

The script only acts when the tunnel is enabled, so go to Setup->EoIP and enable the tunnel in question. Reboot the router and everything should work out of the box. One thing to keep in mind: EoIP (EtherIP, IP protocol 97) carries your Ethernet frames with no authentication or encryption, and the only access control here is the iptables rule that accepts protocol 97 from the peer's current address, which in turn comes from a DNS answer. Anyone who can spoof that source address, or control what the dynamic DNS name resolves to, gets bridged straight into your LAN, so treat the tunnel as an untrusted link unless it runs inside something that authenticates the peer.
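A generalised version of the refresh job, added here as an example (it is not the post's script): the tunnel number and peer name are arguments, so one file serves oet1, oet2 and so on instead of editing oet1 by hand; the resolved address is validated before the tunnel is touched, because a failed lookup comes out of ping as empty output and must not tear the tunnel down; and the firewall rule for the old peer is removed instead of stacking one rule per change. The nvram, ip tunnel, brctl and iptables usage is as in the post; the function names and the file name in the usage note are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Usage: sh eoip_refresh.sh N PEER_NAME
# (N is the oetN tunnel number, PEER_NAME the peer's dynamic DNS name).

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with octets 0-255, 1 otherwise.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# resolve NAME: print the first IPv4 address from ping's header line, or nothing
# when the name does not resolve (same trick as the post, the router has no dig/host).
resolve() {
    ping -c1 -w1 "$1" 2>/dev/null | egrep -o -m 1 '([0-9]{1,3}\.){3}[0-9]{1,3}'
}

# need_update CURRENT NEW: 0 when the tunnel must be rebuilt, 1 when it must be left
# alone (same address, or NEW failed validation: keep the last known good peer).
need_update() {
    valid_ipv4 "$2" || return 1
    [ "$1" != "$2" ]
}

# rebuild_tunnel N PEER_IP LOCAL_IP: tear down oetN and recreate it toward PEER_IP.
rebuild_tunnel() {
    n=$1 peer=$2 lip=$3
    old=$(nvram get "oet${n}_rem")
    nvram set "oet${n}_rem=$peer"
    ip link set "oet$n" down 2>/dev/null
    ip tunnel del "oet$n" 2>/dev/null
    # replace the accept rule rather than stacking one per change (97 = EtherIP,
    # usable where /etc/protocols lacks the etherip name)
    if [ -n "$old" ]; then
        iptables -D INPUT -p 97 -s "$old" -j ACCEPT 2>/dev/null
    fi
    iptables -I INPUT -p 97 -s "$peer" -j ACCEPT
    ip tunnel add "oet$n" mode etherip remote "$peer" local "$lip"
    brctl addif br0 "oet$n"
    ip link set "oet$n" up
}

# refresh_tunnel N PEER_NAME: the cron entry point; does nothing if oetN is disabled.
refresh_tunnel() {
    n=$1 name=$2
    [ "$(nvram get "oet${n}_en")" = 1 ] || return 0
    cur=$(nvram get "oet${n}_rem")
    new=$(resolve "$name")
    if need_update "$cur" "$new"; then
        rebuild_tunnel "$n" "$new" "$(nvram get wan_ipaddr)"
        logger -t eoip "oet$n peer changed from $cur to $new"
    fi
}

if [ $# -eq 2 ]; then
    refresh_tunnel "$1" "$2"
fi
```

Save it as /tmp/eoip_refresh.sh (an assumed name) and point the cron line at it, for example * * * * * root /tmp/eoip_refresh.sh 1 example.dyndns.org; the logger line leaves a trace in the system log each time the peer address actually changes, which is what you want to look at when the tunnel goes quiet.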

Today we finally met at Zarko's house and decided to bring this baby to life. It was hard to decide all the small things, like the theme of the blog, the logo picture and some general text, but we managed to resolve all the obstacles and can now start our first blog.

Soon we will post some interesting problems we encountered recently and give this blog a reason to exist. 😉