Two links in load balance causing tunnels to stop working
Posted: Wed Jan 19, 2011 3:17 pm
Hi all,
I have a Linux box with 2 links configured in load balance.
However, after a successful tunnel start, I can see packets going out not from the desired interface. Those packets are related to the UDP tunnel.
I'm not sure if this is an issue with OpenVPN or with iproute2. Do you guys have this kind of box with two links and load balance? Do you have problems on the OpenVPN side? Did you have to change or add some OpenVPN option in the .conf file in order to get it working?
# ip route list
default
    nexthop via a.b.c.d dev eth2 weight 1
    nexthop via h.i.j.k dev eth1 weight 1

# ip rule list
0:      from all lookup 255
3:      from all fwmark 0x82 lookup link2
3:      from all fwmark 0x81 lookup link1
100:    from a.b.c.d lookup link2
100:    from h.i.j.k lookup link1
32766:  from all lookup main
32767:  from all lookup default
The packets are being marked as usual:
# iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 4863K packets, 2545M bytes)
 pkts bytes target     prot opt in     out     source               destination
   41  4378 CONNMARK   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x0 CONNMARK set 0x81
    0     0 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           CONNMARK match 0x0 CONNMARK set 0x82
  333 54209 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
   32  1523 MARK       all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           MARK set 0x81

Chain OUTPUT (policy ACCEPT 2706K packets, 1359M bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   765 MARK       all  --  *      *       0.0.0.0/0            VPN_CLIENT          MARK set 0x81
Regards,
Davi