
I have 3 interfaces on an Ubuntu machine: eth0/eth1/eth2.

  • eth0 is management interface with ip (10.102.x.x)
  • eth1 is private interface with ip 192.168.1.x
  • eth2 is another private interface with ip 192.168.2.x

I want to reach 25.25.25.x (which is a box in some other network). Here is the topology:

Ubuntu machine <----------------> Router <------------> End Machine
192.168.1.x                 192.168.1.x   25.25.25.x     25.25.25.x

I want to reach 25.25.25.x using the eth1 and eth2 interfaces. So for that I am trying to set up source IP based routing tables. Here is the configuration applied:

ifconfig eth1 up
ifconfig eth1 192.168.1.x netmask 255.255.255.0
ip rule add from 192.168.1.x table 1 
ip route add 192.168.1.0/24 dev eth1 scope link table 1
ip route add default via 192.168.1.x dev eth1 table 1

However this is not being successful as ping 25.25.25.x -I eth1 doesn't work. However the direct route works:

ifconfig eth1 up
ifconfig eth1 192.168.1.x netmask 255.255.255.0 
route add -net 25.25.25.0/24 gw 192.168.1.x

In the non-working case the Linux client itself is doing a broadcast for the 25.25.25.x IP, which shouldn't happen.

Here is the ip route and ip route show table 1 output:-

root@ubuntu:~# ip rule show
0:  from all lookup local 
32765:  from 192.168.1.x lookup 1 
32766:  from all lookup main 
32767:  from all lookup default 
root@ubuntu:~# ip route show table 1
default via 192.168.1.x dev eth1 
192.168.1.0/24 dev eth1 scope link

Can someone please answer this as to why first case isn't working?

  • try first adding routes, then adding rule. also rule has priority parameter. also `scope link` is optional there, default will be it anyway. otherwise similar configuration is working for me. just keep in mind that `eth1 AND eth2` won't be possible, it will be `eth1 OR eth2`. – muradm Nov 05 '18 at 05:43
  • eth1 & eth2 will be possible actually (when we forcefully use an interface to send the traffic). There are several protocols working on the same concept. Mptcp being one of them. I have tried the prio parameter too. It's not helping :(. – Ashutosh Shukla Nov 05 '18 at 05:47
  • yeah, sure, if your protocol supports multi-homing, then yeah you can. show your `ip rule show` and `ip route show table all`. – muradm Nov 05 '18 at 05:48
  • Telling us that something "doesn't work" isn't particularly helpful. Does the packet go out? Does the 25.25.25.x machine receive it? Does it send a reply? – David Schwartz Nov 05 '18 at 05:53
  • @DavidSchwartz, I have stated the problem -> "In non-working case the linux client itself is doing broadcast for 25.25.25.x ip, which shouldn't happen". Meaning the packet won't reach the End machine. Ubuntu should forward the ping packet to the router, then the router should do ARP for the 25.25.25.x IP. But instead Ubuntu is doing the ARP itself. – Ashutosh Shukla Nov 05 '18 at 06:04
  • @muradm Here is the ip rule show command output:-
    root@ubuntu:~# ip rule show
    0: from all lookup local
    32765: from 192.168.1.x lookup 1
    32766: from all lookup main
    32767: from all lookup default
    i am posting the ip route show table 1 output:-
    root@ubuntu:~# ip rule show
    0: from all lookup local
    32765: from 192.168.1.x lookup 1
    32766: from all lookup main
    32767: from all lookup default
    root@ubuntu:~# ip route show table 1
    default via 192.168.1.x dev eth1
    192.168.1.0/24 dev eth1 scope link
    – Ashutosh Shukla Nov 05 '18 at 06:17
  • @AshutoshShukla, man, use `edit` to update your question with formatted outputs. – muradm Nov 05 '18 at 06:27
  • @muradm, Done that. – Ashutosh Shukla Nov 05 '18 at 06:40
  • @AshutoshShukla, see my answer below with example configuration. It is working for me now. – muradm Nov 05 '18 at 06:51
  • @muradm, thanks for that. I tried the commands in that order, but still it's not working for me. :( Any idea why Linux is doing the ARP for 25.25.25.x? If we can get the answer for that, then we can solve this. – Ashutosh Shukla Nov 05 '18 at 07:09
  • @AshutoshShukla, no idea. Use https://pastebin.com/ to share `ip route show all` and `ip addr show`. Also do you have firewall or alike enabled? – muradm Nov 05 '18 at 07:13
  • https://pastebin.com/NdS3VJMY Here is the link for the same. – Ashutosh Shukla Nov 05 '18 at 07:28
  • Seems ok, again, try to configure as in example, and restart the host. Maybe some other things are messed up. Regarding the ARP thing, it is normal. Router / switch will provide that ARP response for foreign address. If there is no ARP response from router to foreign address, then maybe your whole setup is configured wrongly. – muradm Nov 05 '18 at 07:45
  • @muradm ARP usually it won't do, right? I mean if it's not in the local network, then the ICMP will be forwarded to the next hop/default router (in this case Router). Then the router will do the ARP using the 25.25.25.x IP. And once it gets the response, it will forward the packet to End Machine. That's how it should work, I guess. – Ashutosh Shukla Nov 05 '18 at 08:41
  • @AshutoshShukla, here is the explanation for ARP thing: https://stackoverflow.com/questions/31404382/why-arp-requests-a-non-local-address, basically use `ping -I ` to avoid ARP. Nothing critical I gets. – muradm Nov 05 '18 at 08:44

2 Answers

Your configuration doesn't make sense.

ip rule add from 192.168.1.x table 1

This says that if we know a packet is from 192.168.1.x, we can use table 1 to route it.

ip route add default via 192.168.1.x dev eth1 table 1

This says that if we know we're using table 1 to route a packet, the default route is via 192.168.1.x.

See the problem? Only table 1 knows that your default route is reachable via the 192.168.1.x router. And only knowing that the default route is reachable via the 192.168.1.x tells you to use table 1. So this configuration shouldn't be expected to work as you seem to be expecting.

I don't understand why you're trying to use source based routing. You just want to route a particular way to a particular destination. It's hard to suggest changes without understanding why you're making things more complicated than they seem to need to be.

David Schwartz
  • This technique is used for multi-homed applications. Like SCTP for instance. By default you can have only one `default` route. Which is pointing to one link. For SCTP for instance, application is binding to multiple interfaces at the same time. And if you are establishing associations, generally you don't want to define route per association. So if you have a default route in each table, and application is binding to specific source address, traffic is flowing as per default route for each of source interfaces. Then you even can go to same IP address via different interfaces. – muradm Nov 05 '18 at 06:25
  • @muradm, thanks for explaining this to David. David, I am trying to use multiple interfaces to connect to a different network (25.25.25.x). I have a totally separate network for the default gw (i.e. for the management interface). We can have different default routes for different routing tables. – Ashutosh Shukla Nov 05 '18 at 06:29
  • @DavidSchwartz, here is another use-case, when you have traffic flowing in from multiple interfaces, you want to make sure that reply traffic can flow back via same interfaces as incoming: https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming – muradm Nov 05 '18 at 06:58

Use cases for such configuration:

Basically this works for me just fine. Contents of /etc/network/interfaces:

auto eth1
iface eth1 inet static
  address 192.168.1.19
  netmask 255.255.255.0
  # default gateway if no source address
  gateway 192.168.1.254
  post-up ip link set eth1 promisc on
  post-up ip route add 192.168.1.0/24 dev eth1 table 122
  post-up ip route add default via 192.168.1.254 table 122
  post-up ip rule add from 192.168.1.19/32 table 122 priority 122
  post-up ip route flush cache
  pre-down ip rule del from 192.168.1.19/32 table 122 priority 122
  pre-down ip route flush table 122
  pre-down ip route flush cache

auto eth2
iface eth2 inet static
  address 192.168.2.19
  netmask 255.255.255.0
  post-up ip link set eth2 promisc on
  post-up ip route add 192.168.2.0/24 dev eth2 table 222
  post-up ip route add default via 192.168.2.254 table 222
  post-up ip rule add from 192.168.2.19/32 table 222 priority 222
  post-up ip route flush cache
  pre-down ip rule del from 192.168.2.19/32 table 222 priority 222
  pre-down ip route flush table 222
  pre-down ip route flush cache 

Then:

$ ip route get 8.8.8.8
8.8.8.8 via 192.168.1.254 dev eth1  src 192.168.1.19 
    cache 
$ ip route get 8.8.8.8 from 192.168.1.19
8.8.8.8 from 192.168.1.19 via 192.168.1.254 dev eth1 
    cache 
$ ip route get 8.8.8.8 from 192.168.2.19
8.8.8.8 from 192.168.2.19 via 192.168.2.254 dev eth2 
    cache 
muradm
  • <>. Right now there is no incoming traffic. Only ping we are doing from ubuntu machine, which in turn is sending arp request to the router in the middle. – Ashutosh Shukla Nov 05 '18 at 07:38
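
The rule-then-table lookup that the first answer describes and that the second answer checks with `ip route get`, as a simplified model; this is an added example, not code from the thread. It shows that a `from` rule is only consulted once a source address is known, so a lookup without one is answered from the main table. The host `.10`, router `.1`, management gateway `10.102.0.1` and `/16` mask stand in for the question's `x` octets and are assumptions, and the `local` table is left out.

```python
import ipaddress

def lookup(rules, tables, dst, src=None):
    """Simplified policy-routing lookup: return (table, via, dev) or None.

    rules:  (priority, "from" prefix or None for "from all", table)
    tables: table -> [(prefix, via or None if on-link, dev)]
    src=None models a lookup made before a source address is chosen.
    """
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(src) if src else None
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        # A "from" rule cannot match until the source address is known.
        if selector and (src is None or src not in ipaddress.ip_network(selector)):
            continue
        hits = [(ipaddress.ip_network(p).prefixlen, via, dev)
                for p, via, dev in tables.get(table, [])
                if dst in ipaddress.ip_network(p)]
        if hits:  # longest matching prefix wins; otherwise try the next rule
            _plen, via, dev = max(hits, key=lambda h: h[0])
            return table, via, dev
    return None

# Constructed model of the second answer's configuration (tables 122 and 222).
ANSWER_RULES = [(122, "192.168.1.19/32", "122"),
                (222, "192.168.2.19/32", "222"),
                (32766, None, "main")]
ANSWER_TABLES = {
    "122": [("192.168.1.0/24", None, "eth1"), ("0.0.0.0/0", "192.168.1.254", "eth1")],
    "222": [("192.168.2.0/24", None, "eth2"), ("0.0.0.0/0", "192.168.2.254", "eth2")],
    "main": [("192.168.1.0/24", None, "eth1"), ("192.168.2.0/24", None, "eth2"),
             ("0.0.0.0/0", "192.168.1.254", "eth1")],  # from the "gateway" line
}

# Constructed model of the question's configuration (assumed addresses, see lead-in).
QUESTION_RULES = [(32765, "192.168.1.10/32", "1"), (32766, None, "main")]
QUESTION_TABLES = {
    "1": [("192.168.1.0/24", None, "eth1"), ("0.0.0.0/0", "192.168.1.1", "eth1")],
    "main": [("10.102.0.0/16", None, "eth0"), ("192.168.1.0/24", None, "eth1"),
             ("0.0.0.0/0", "10.102.0.1", "eth0")],  # management default route
}

if __name__ == "__main__":
    for src in (None, "192.168.1.19", "192.168.2.19"):
        print("8.8.8.8 from", src, "->", lookup(ANSWER_RULES, ANSWER_TABLES, "8.8.8.8", src))
    for src in (None, "192.168.1.10"):
        print("25.25.25.5 from", src, "->",
              lookup(QUESTION_RULES, QUESTION_TABLES, "25.25.25.5", src))
```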