On 8/9/20 1:35 PM, Marc Haber wrote:
> Hi,
Hi,
> I have a Linux box that is on a network segment with two IPv6-enabled
> routers. Each of the routers has Internet connectivity and its own
> prefix. I want to route everything via router A except when the Linux
> box decides to use a source address that belongs to router B's prefix.
I believe this should be doable. There are some caveats and gotchas to
be aware of. (More below.)
> I want the connectivity via one router to continue working even if the
> other router has failed, therefore I cannot set one of the routers
> as default gateway and rely on the machine forwarding the traffic
> and/or issuing redirects.
Okay.
That just means that your machine needs to be actively involved in the
routing and not rely on the external routers.
> Am I doing something wrong?
Based on your comment about two different routers, each with their own
prefix, I'm going to assume that there are two globally routed IPv6
addresses on the system, one for each router.
As Pascal pointed out, the crux of the problem has to do with the source
IP or lack thereof when choosing routes.
1) Unknown / Yet to be determined source (new outgoing connections)
2) Replies from source A / new outgoing connections tied to source A.
3) Replies from source B / new outgoing connections tied to source B.
Numbers 2 and 3 are easy to deal with. The from rule covers this.
Number 1 is the bugbear. Typically there is /a/ default in the main (or
default) routing table. But how does the system choose the
non-default as the source if there isn't a destination route that matches?
You can easily have a routing table for each router that is fairly
simple. (One of these can even overload the main (default) routing
table.) Rules to select them are easy as long as a source IP is known.
If the source IP is unknown or hasn't been selected yet, you must rely
on some other aspect, typically destination. There are other things
that can be used to choose a routing table. The things that come to
mind are fwmark, ipproto, sport, and dport. I don't know if ipproto,
sport, or dport are viable options. If they are not, you will likely
need to rely on fwmark.
/If/ you need to have specific services / daemons send traffic, then you
might be able to do things based on uid(range).
The other thing you might be able to do is leverage l3mdev if uid(range)
won't work. l3mdev takes things to a new level. I'd need to know more
about the traffic that falls into category #1 before going down that
rabbit hole.
--
Grant. . . .
unix || die
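The per-router tables, the "from" rules for cases 2 and 3, and an fwmark rule for case 1 that Grant describes, as an added example that is not part of the thread. Interface eth0, the prefixes 2001:db8:a::/64 and 2001:db8:b::/64, the link-local next hops fe80::a and fe80::b, the table numbers and the mark value are all assumed placeholders; the script defaults to printing the ip commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses, table numbers and the
# fwmark value below are assumed placeholders; adjust to the real segment.
IFACE=eth0
PFX_A=2001:db8:a::/64; GW_A=fe80::a; TABLE_A=101
PFX_B=2001:db8:b::/64; GW_B=fe80::b; TABLE_B=102
MARK_B=0x2

# run_ip prints the command when DRY_RUN=1 (the default) and executes it
# otherwise, so the rule set can be reviewed without root first.
run_ip() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "ip -6 $*"
    else
        ip -6 "$@"
    fi
}

# One table per router: the on-link prefix (so hosts on the segment are
# not pushed through the router) plus a default via that router. The
# link-local next hop keeps table B usable even if router A is down.
setup_tables() {
    run_ip route add "$PFX_A" dev "$IFACE" table "$TABLE_A"
    run_ip route add default via "$GW_A" dev "$IFACE" table "$TABLE_A"
    run_ip route add "$PFX_B" dev "$IFACE" table "$TABLE_B"
    run_ip route add default via "$GW_B" dev "$IFACE" table "$TABLE_B"
    # Case 1 (source not yet chosen): everything else goes via router A.
    run_ip route add default via "$GW_A" dev "$IFACE" table main
}

# Cases 2 and 3: once the source address is known, "from" picks the table.
# Case 1 for selected traffic: an fwmark (set by netfilter before routing)
# sends it to B's table before a source is chosen; a uidrange rule would
# do the same for one daemon. Lower priority values are checked first.
setup_rules() {
    run_ip rule add priority 100 fwmark "$MARK_B" lookup "$TABLE_B"
    # run_ip rule add priority 101 uidrange 1000-1000 lookup "$TABLE_B"
    run_ip rule add priority 200 from "$PFX_A" lookup "$TABLE_A"
    run_ip rule add priority 201 from "$PFX_B" lookup "$TABLE_B"
}
```

Run with DRY_RUN=0 as root to apply; the fwmark still has to be set by a netfilter rule (for example on traffic from a given port or process) for case 1 to reach table B.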