Hello all,

I have a Debian Lenny box with 3 NICs doing load balancing to my 2 ISP connections. Here's a diagram:

ISP1 <--> NAT Router 1 <--> eth1 --\
ISP2 <--> NAT Router 2 <--> eth2 ---> Linux eth0 <--> LAN

Here is a more advanced diagram:

ISP1 <--> [1.1.1.1] NAT Router 1 [192.168.251.1] <--> [192.168.251.254] eth1
ISP2 <--> [2.2.2.2] NAT Router 2 [192.168.252.1] <--> [192.168.252.254] eth2 Linux eth0 [192.168.41.254] <--> LAN

I have followed the steps on the well-known LARTC page and it seems to be working quite well, except for the fact that whenever I use an application that keeps a connection open (IRC, Internet TV, Skype, IM, etc), my box resets the routes and starts the load balancing act all over again, often resulting in "Connection Lost"-messages. It does this every 15 minutes.

I have done quite some research, and I think it has something to do with conntrack or lack of iptables-markings, but nobody seems to know what exactly needs to be done.

Here is what I have:

* a LAN with about 50 clients
* 2 uplinks to the same provider with 2 seperate NATting routers (my linux box does NOT masquerade)

My setup:

# ip route show table main
192.168.41.0 dev eth0 scope link src 192.168.41.254
192.168.251.0 dev eth1 scope link src 192.168.251.254
192.168.252.0 dev eth2 scope link src 192.168.252.254
192.168.41.0/24 dev eth0 proto kernel scope link src 192.168.41.254
192.168.251.0/24 dev eth1 proto kernel scope link src 192.168.251.254
192.168.252.0/24 dev eth2 proto kernel scope link src 192.168.252.254
default
nexthop via 192.168.251.1 dev eth1 weight 1
nexthop via 192.168.252.1 dev eth2 weight 1

# ip route show table link1
192.168.41.0 dev eth0 scope link src 192.168.41.254
192.168.252.0 dev eth2 scope link src 192.168.252.254
default via 192.168.251.1 dev eth1

# ip route show table link2
192.168.41.0 dev eth0 scope link src 192.168.41.254
192.168.251.0 dev eth1 scope link src 192.168.251.254
default via 192.168.252.1 dev eth2

# ip rule show
0: from all lookup local
32764: from 192.168.252.254 lookup link2
32765: from 192.168.251.254 lookup link1
32766: from all lookup main
32767: from all lookup default


This is just a simple setup and it works, but now I'd like my box to do load-balancing, clearing the router-cache more often (so the newly created sessions will spread out more evenly) but in the meantime remember what sessions are active as to not disturb them.

I have searched for an answer for a long time but I cannot find anyone who can provide me with one. The LARTC doesn't address this problem..

I hope somebody can help me with this.

With Kind Regards,
Rogier Maas

That could be Netfilter TCP retransmission known bug. You should try this work around
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans=(bigger value like 20 which is recommended at redhat bug report)

Cheer

I do not know answer to your question, but I would suggest to do something. As long as you know IP on which the problem client is, you can set up tcpdump sniffer on Linux to filter very basic packets like "-nnt host x.x.x.x", just to see what is really going on, because tcpdump will show you all interfaces.
Second: do - "cat /proc/net/nf_conntrack" on the Linux and you will get all connection through Linux router with timings. Find your and monitor it.

Hope it will help.

P.S.

Also please take a look on:
"sysctl -A| grep timeout" executed on root console.

I know what IP my problem is on: all IP addresses, since this is a routing problem. I'm also pretty sure this has something to do with conntrack, but I cannot find any timeouts in the sysctl list that have a value of 900 (15 minutes). My connections are re-evaluated every 15 minutes, so this value must be present in some variable.

I do however, get a message: error: permission denied on key 'net.ipv4.route.flush'
I think this value is the one I'm looking for, I just cannot read or set it. How and where would I change this? If I could change this to a higher value, perhaps that would help me with my problem. The problem would still exist, but present itself less often.

- Rogier

I have set this value from 3 to 30; what does this setting do?

Is there a way to flush the cache more often, while remembering the established sessions in progress? This would make my box way a better load-balancer.

Thanks,
Rogier

Here we go
http://svn.netfilter.org/netfilter/t...-tracking/help

Hehe thanks! I should have been able to find that myself now ;-)