IPROUTE2 - Load balance over two ISP connections breaks HTTPS
Hello forum;
I have (almost) successfully set up a Linux router and load balancer, with IPROUTE2 and SQUID.
Simplifying: I have two default routes, with equal weight, and traffic is distributed in what seems a round-robin fashion.
This also causes traffic directed to HTTPS servers to be sourced from different interfaces - and IP addresses - during the same session, which these servers won't tolerate, and they expire the session.
I thought I could fine-tune route cache parameters in the kernel, to avoid route lookups during a certain period of time, but alas, the route cache was removed from the kernel as of 3.10, which is what I use.
I could force HTTPS traffic to always be directed through the same route, but that would defeat the load-balancing purpose.
I haven't been able to Google anything helpful so far.
Has anyone used such a setup and come across the same problem?
I don't think you can split traffic in a single TCP session over two routes. You won't get in-order delivery, for one thing. You should be able to load balance traffic to different IPs.
Hi, and thank you for your response.
Perhaps my initial description was confusing, incomplete or both;
The intention is to use a SQUID proxy server for our users to browse the web. This proxy runs in a box on which I have configured policy routing to use two dynamically-configured Internet connections, each from a different ISP.
By having two default routes, with equal weight, SQUID's requests to websites are routed in a round-robin fashion through both links.
The problem occurs when, during the same HTTPS session, packets arrive at the destination server from different source IPs, which causes some servers to immediately expire the session and terminate it, which seems pretty sensible to me.
I could force one of the default routes to be the preferred one, based on criteria such as client IP, protocol or destination server, but that would defeat the main purpose of evenly balancing web traffic through both links.
I'm at a loss here, so any help will be very much appreciated...
As it turned out, I had to resort to different approaches to find a solution.
The one in place right now:
- Using IPROUTE2, I 'divided' the Internet into two /1 subnets; depending on destination, a different routing table and thus default gateway will be used.
- The shortfall of this 'solution' is that there will be no randomness in routes; the same destination will always use the same gateway, which might not distribute traffic evenly, as desired.
The other one I tried but did not work:
- Using NETFILTER, with the statistic module to mark every new IP connection with either '1' or '2' alternately, and then using different routing tables, based on fwmark.
- Everything works as expected except when traffic returns through the second established route, where the kernel returns "rtnetlink answers invalid cross-device link" and the packet is dropped.
The second solution would be much more elegant, but I'm at a loss as to why it doesn't work. My searching has been fruitless, so far. Any pointers are welcome.
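As an added example (not the poster's own configuration), here are the two approaches from the post above written out as a small POSIX shell script. Interface names, gateway and local addresses, and routing table numbers are placeholders set via environment variables; the script only prints the commands unless DRY_RUN=0 is given. Two things are added here as assumptions rather than taken from the thread: the per-source-address rules and per-interface SNAT in the shared part. Both are the usual ingredients of a two-ISP box that originates connections itself (as a proxy does): replies addressed to a link's own address must leave via that link, and a locally generated packet gets its source address before the mangle OUTPUT mark reroutes it, so the source has to be rewritten to match the interface that is finally used, which is exactly the mismatch that makes HTTPS servers drop the session.

```shell
#!/bin/sh
# Added example, not the poster's script. All addresses, interfaces and table ids
# below are placeholders; override them through the environment.
IF1="${IF1:-eth1}"; IP1="${IP1:-192.0.2.10}";    GW1="${GW1:-192.0.2.1}"     # ISP 1 (placeholder)
IF2="${IF2:-eth2}"; IP2="${IP2:-198.51.100.10}"; GW2="${GW2:-198.51.100.1}" # ISP 2 (placeholder)
T1="${T1:-101}"; T2="${T2:-102}"      # one routing table per ISP
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Shared part: a table per ISP with its own default route, rules so that packets
# sourced from a link's address use that link, and SNAT so a packet that is
# rerouted to the other link leaves with that link's address (assumption: needed
# because the source address is chosen before the OUTPUT fwmark is applied).
per_isp_tables() {
    run ip route add default via "$GW1" dev "$IF1" src "$IP1" table "$T1"
    run ip route add default via "$GW2" dev "$IF2" src "$IP2" table "$T2"
    run ip rule add from "$IP1" lookup "$T1"
    run ip rule add from "$IP2" lookup "$T2"
    run iptables -t nat -A POSTROUTING -o "$IF1" -j SNAT --to-source "$IP1"
    run iptables -t nat -A POSTROUTING -o "$IF2" -j SNAT --to-source "$IP2"
}

# Approach 1 (the one the poster has in place): split the destination space into
# the two /1 halves and send each half through its own table. A given destination
# always uses the same link, so a session keeps one source address.
split_by_destination() {
    per_isp_tables
    run ip rule add to 0.0.0.0/1 lookup "$T1"
    run ip rule add to 128.0.0.0/1 lookup "$T2"
}

# Approach 2 (the one the poster could not get working): give every new connection
# an alternating connection mark and route by fwmark. The marks go on the OUTPUT
# chain because the proxy itself originates the connections; later packets of a
# connection restore the stored mark, so the whole session stays on one link.
mark_alternate_connections() {
    per_isp_tables
    run ip rule add fwmark 1 lookup "$T1"
    run ip rule add fwmark 2 lookup "$T2"
    # reuse the mark of an existing connection and stop if one was found
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT
    # every other new connection gets mark 1; the remaining new ones get mark 2
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 1
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -m mark --mark 0 \
        -j MARK --set-mark 2
    run iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
}

# Usage: sh balance.sh split   or   sh balance.sh mark   (DRY_RUN=0 to apply)
case "${1:-}" in
    split) split_by_destination ;;
    mark)  mark_alternate_connections ;;
esac
```

Run it first with the default DRY_RUN=1 and read the generated commands against your own interface names before applying anything; the script does not flush existing rules or tables, so run it once per boot or clear the tables yourself.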